Websites and Data Protection

16 December 2003

Ruth Boardman, Elizabeth Brownsdon

New European Decision

A European Court of Justice decision has recently been made which will be of significance to organisations that use global intranet systems (such as global email address lists) or that rely on a website to promote their business (which may include details about employees). This case reverses previous thinking in this area and establishes that loading personal data onto an Internet page which is stored by a hosting provider established in Europe does not breach the Data Protection Directive.

According to data protection authorities in the EEA (the EU, Iceland, Norway and Liechtenstein), any organisation that placed personal data on an Internet page used to be in breach of EEA data protection law. This was because such data could be accessed from outside the EEA, so the organisation was treated as breaching the prohibition in the EEA Data Protection Directive on transferring data to non-EEA countries.

This thinking has been reversed by a recent European Court of Justice decision, Bodil Lindqvist [1]. This case establishes that loading personal data onto an Internet page which is stored by a hosting provider established in Europe does not breach the Data Protection Directive.

This decision will be of significance to organisations that use global intranet systems (such as global email address lists) or that rely on a website to promote their business (which may include details about employees). Previously, such organisations may not have met the requirements of the Data Protection Directive.

Facts of the case

Mrs Lindqvist was involved with her local parish. She set up an Internet page containing information about Confirmations, including the names of many local parishioners, a description of the work they carried out, hobbies and telephone numbers. She also mentioned that one of her colleagues had injured her foot and was working part time on medical grounds. Mrs Lindqvist had not told her colleagues about these pages nor obtained their consent, nor had she notified the Swedish Data Protection Authority about the processing of this personal data. Mrs Lindqvist was fined approximately EUR450 for processing personal data in breach of Swedish data protection legislation - in particular not notifying the processing to the Swedish Data Protection Authority, transferring data to countries outside Europe (i.e. loading the data onto an Internet page) and for processing sensitive medical data. She appealed to a higher Swedish Court which asked the ECJ whether Mrs Lindqvist’s activities had breached the Data Protection Directive.

The Law

Article 25 of the Data Protection Directive states that personal data can only be transferred to a country outside the EEA (called “third countries” under the Directive) if that country can offer an “adequate level of protection”.

Adequacy is to be assessed in light of all the circumstances; in particular, this means looking at the nature of the data, the purpose and duration of the proposed processing operation, the country of origin and the country of final destination, the rules of law in force in the country to which the data is to be transferred, and the professional rules and security measures which are complied with in that country.

The Decision

The ECJ noted that the Directive did not define “transfer”. In order to determine whether the loading of personal data onto an Internet page constituted a transfer of data to a third country, the ECJ considered the technical nature of the Internet and the purpose and structure of this part of the Data Protection Directive.

The Court noted that in order to obtain the relevant information, an Internet user in a third country would, initially, have to connect to the Internet and then find the webpages. Mrs Lindqvist’s Internet pages would not automatically be sent to people who did not intentionally seek to access them, nor would they be transferred directly to an Internet user who requested them; rather, they would be transferred through the infrastructure of the hosting provider where the page was stored.

The ECJ also noted that the Directive contains no provisions concerning use of the Internet. Given the state of development of the Internet at the time the Directive was drawn up, the ECJ concluded that it could not presume that the legislature intended the expression “transfer of data to a third country” to cover the loading by an individual of data onto an Internet page, even if those data are accessible by individuals in third countries. The Court concluded that activities such as those carried out by Mrs Lindqvist did not constitute a transfer of data to a third country, provided the hosting provider was established in a European state (even if the provider uses a server outside the EC).

The decision is helpful, but leaves unanswered questions. Most notably, the ECJ considered only the position of the website owner, not that of the hosting provider itself. The prohibition on transfers of personal data outside the EEA could still apply to hosting providers who permit a website containing personal data to be accessed from a third country. Furthermore, if an organisation is making sensitive personal data available on the Internet (and this may include photographs), it may still need to obtain the consent of the individuals in order to be able to justify the processing of the data.

This decision reverses guidance in the Information Commissioner Website Frequently Asked Questions, which states that “placing personal data on the Internet potentially involves a transfer to any country worldwide”.

Finally, the case also confirms that the details posted by Mrs Lindqvist would amount to personal data and that the medical details would be sensitive. It also considers the application of the Directive to churches and similar bodies and the interrelationship of data protection and freedom of expression.

For more information on data protection law, please contact Ruth Boardman or Elizabeth Brownsdon on +44 (0) 20 7415 6000.