INTERNET LAW - Personal Data in a Website may Violate the EU Data Protection Directive

Martha L. Arias, Immigration and Internet Law Attorney, Miami; IBLS Director

The European Union (EU) Data Protection Directive 95/46/EC (DPD), article 3(1), states that the Directive applies to the processing of personal data wholly or partly by automatic means, and to other forms of processing of personal data that form, or are intended to form, part of a filing system. An interesting question is whether personal information posted on a website is considered "processing of personal data" by "automatic means." In other words, is the EU DPD applicable to personal data kept and posted on websites?



The European Court of Justice (ECJ) answered this question in a Swedish case referred by Göta hovrätt (Court of Appeal). A Swedish lady was accused of a criminal violation of data protection laws when she published the names and other information of a number of people working with her as volunteers for a parish of the Swedish Protestant Church.

The Swedish lady worked as a catechist in a parish church. She took a data processing course in which she was required to set up an Internet page. She set up an Internet page containing useful information for parishioners preparing for their confirmation. She created this page at home on her personal computer and asked the parish website administrator to link it to the Swedish Church's website. The lady's Internet page contained her name, the full names of 18 parishioners, the jobs held by these parishioners, and, for some of them, their hobbies, family circumstances and telephone numbers; the page even mentioned that one of the parishioners had an injured foot and was on medical leave. The Swedish lady did not inform the data protection supervisory authority of the webpage she had created, nor did she notify the parishioners mentioned on it. The Swedish public prosecutor brought charges against this lady for breach of the Swedish data protection laws that adopted the EU DPD, the DPD, and the directive on the transfer of personal data to third countries. The lady admitted having created the page but denied having committed any crime. She was fined and forced to pay SEK 4,000. The lady appealed this ruling. The case was referred to the ECJ for clarification on the interpretation of DPD, article 3(1), as it relates to information published on a website and, accordingly, on the interpretation of the EU law on data transferred to third countries.

The ECJ held that the act of posting people's names, phone numbers, working conditions, and hobbies constitutes "the processing of personal data wholly or partly by automatic means" under article 3(1) of the DPD. Additionally, the court held, such processing of personal data is not covered by any of the exceptions in article 3(2) of the same Directive. Likewise, information posted on a website about a person's health, such as the parishioner's injured foot, constitutes personal data within the meaning of article 8(1) of the DPD. Once the ECJ had determined that the posting of personal information on a website constitutes "the processing of personal data," the next question was whether, under the same scenario, there is a "transfer of data to a third country" according to article 25 of the same DPD. The ECJ held that there is no transfer of personal data to a third country within the meaning of article 25 of the DPD when an individual residing in a Member State loads personal data onto an Internet webpage hosted by a natural or legal person established in the same state or another Member State, even if the data is accessible from third countries.

According to this decision, companies hosting websites that contain information about their employees or members must be vigilant of any data protection law violation when some of that information is considered personal data. Fines are high, and even criminal convictions may ensue, depending on the domestic legislation.
