In the case of Case C-101/01 Criminal Proceedings against Bodil Lindqvist ("ECJ Case C-101/01") or as is otherwise referred to as Case C-101/01 Bodil Lindqvist EU:C:2003:596, the ECJ, i.e., the European Court of Justice handed down a major ruling through which clarity was brought to applicability of the European Data Protection Directive, regarding the personal data being posted over the internet websites. This ruling is quite significant not only for the individuals, but for the companies as well, particularly the ones who post data over the internet. This case is also a timely reminder on the directive relating to the data protection having a broad scope and the member states of European Union enforce these vigorously through the authorities of data protection. This discussion is focused on providing a case summary of the quoted case, where the factual background, the law, the decision given and the implications of it would be elucidated.
This case was initiated after a Swedish woman, Bodil Lindqvist, has posted a text relating to her volunteer work at the church in Sweden, on her website. The writings of Lindqvist included certain information which was identifiable, in terms of the names and the phone numbers of some of her co-workers. There was also an inclusion of some of the information related to the hobbies of her colleagues in the posted text, along with the health related information being posted at a minimum of one instance. Before posting this information, Lindqvist had not taken any permission from her colleagues and had also not informed about posting the information on her website before she did so.
Though, as soon as she got the request from her colleague of removing the web page, she did so. Nevertheless, proceedings were initiated against Lindqvist by the Swedish data protection authorities, which led to her being ordered to pay a fine owing to her having processed personal data through the automatic means, along with the transfer of this data lacking the relevant prior approval from the data protection authorities of the nation, along with the permission from the individuals whose information was posted.
The key issue of this case revolved around Lindqvist posting the information without taking the relevant permissions from the individuals and the authorities, which led to the breach of the legislation of Sweden on data protection and privacy, which was based on Directive 95/46 EC. It was stated by the prosecution that Lindqvist had been in contravention off the quoted legislation owing to the processing of the personal data without the permission required from the authority based on the nation legislation and the quoted directive. Sensitive data was processed by Lindqvist where she mentioned that one of her co-workers had a broken leg/ injured foot. The reference was made by the prosecutor on disclosing the personal medical information of another individual without the approval of such individual. The last issue was related to the transfer of personal data breaching the nation act and the directive.
Lindqvist in turn had appealed stating that the posting of information on the internet website did not result in the processing of personal data within the meaning covered under the directive on data protection. She further stated that the posting of information on the internet website also did not result in the data being transferred to a third nation. Lindqvist went on to contend that the directive on data protection was not applicable over the non profit activities. She further stated that the sanction which she had to face as a result of contravention of the requirements of the data protection were actually a violation of the free of expression which she had. Upon the appeal being made to the Sweden’s Gota Court of Appeal, matter was referred to ECJ for clarify on the clear interpretation of the directive on data protection.
The directive which is the focus of this discussion was passed on 24th October, 1995 and became effective from the very next day. This is a comprehensive legislation relating to the processing of personal data, which is broadly defined as any information which relates to the identifiable or identified natural person. The protection of personal data is addressed through this directive from varied perspectives. This directive, at its basic level, presents some conditions which have to be fulfilled for processing personal data. Apart from these general preconditions applicable on all sorts of personal data, the directive imposed stringent restrictions over the collection and usage of special categories of personal data, including the data on health.
This directive also covers major notice requirements. The entities which process the personal data, have to notify their operations under the terms of this directive to the data protection supervisory authority of the member state of European Union in which it operates. Through this directive, the individuals who are subjects of the personal data processing get major rights, which include the right of knowing who would process their personal data and also have a right to request the deletion or correction of the data. The processors and controllers of data also have to implement proper security measures for the protection of the personal data. Most importantly, this directive prohibits the personal data being transferred to any third nation, which is out of European Economic Area, where the adequate data protection is not provided to the personal information, save for limited exceptions.
Even though Lindqvist had accepted the facts after hearing the allegations, she refused to state that she had committed any kind of offence. The acceptance of facts was enough for the District Court to impose a fine of 450 EUR on Lindqvist. This led to Lindqvist making an appeal against the decision of the district court in Appeal Court. The Appeal Court made a decision of holding the procedure and letting the questions being addressed by the ECJ due to the fact that there was the applicability of community law in this case, in terms of the quoted directive.
The ECJ carefully analysed the questions which were put before it by the Gota Court of Appeal and determined that the posting of the telephone numbers, the names of the individuals, their hobbies and the working condition over the internet website was indeed a processing of the personal data, within the meaning of the directive on data protection. Once this initial determination was made, the matter of posting of personal information on website being deemed as transferring of the information to a third nation was considered by the ECJ. This point had the ECJ supporting the arguments put forth by Lindqvist and they provided that the operators of website, who post the private information over the internet were not subjected to the lawful regime which governed the transfer of personal information till such time that (a) the personal information is actually sent to the users on internet who had not intentionally sought to access the web-pages, or (b) where the server infrastructure is based in a non member state of European Union.
Even though the conclusion which the ECJ reached in this case is quite surprising due to the same being inconsistent with the views of commentators and also with that of the national data protection authorities, it does provide guidance to what can be deemed as transfer when it comes to the internet posts. The application of the directive on data protection over the non profit sector was also examined by the ECJ. They stated that this directive was applicable on the postings of Lindqvist even when she was engaged in the activities of non profit making. The claims of Lindqvist over the limiting of her freedom of expression due to the restrictions imposed through the directive on data protection were not addressed by the ECJ.
Impact and conclusion
This case has had an important impact over the postings on the internet of the personal data. This case led the court in brining clarity to the personal data postings on the internet amounting to the personal data being processed for the purpose of directive on data protection. The findings of the court in this case put emphasis over the fact that the data protection regime of Europe has quite far reaching consequences and also has a broader reach. Thus, this case effectively shows that the nations, instead of becoming political, adopt the EU directives in unity with their national laws. Further, the theme of social good, in terms of safeguarding the rights granted to the individuals, is upheld.
Through the enforcement action initiated against Lindqvist in this case by the CJ validated that this was not a matter which was to be last of its kind. An example of this can be cited in the data protection authorities of Norway stating that they would be pursing the operators of websites who display the photos of individuals without taking their permission beforehand. The activities of such local data protection authorities, in addition to the decision given by the ECJ acts as a wakeup call for the individuals and the entities that the processing of personal data in Europe is quite strict, and includes the posting of personal data on the websites.
Primary SourcesEU legislation and cases
Case C-101/01 Bodil Lindqvist EU:C:2003:596
Council Directive No. 95/46/EC of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, O.J. L 281/31 (1995)
Garcia FJ, ‘Bodil Lindqvist: A Swedish Churchgoer’s Violation of the European Union’s Data Protection Directive Should Be a Warning to U.S. Legislators’ (2005) 15(4) Fordham Intellectual Property, Media and Entertainment Law Journal
Curia, ‘Judgment of 6. 11. 2003 — Case C-101/01’ (2003) <https://curia.europa.eu/juris/showPdf.jsf?text=&docid=48382&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=218578> accessed 05 February 2018
Find Law, ‘European Court Establishes Broad Interpretation of Data Privacy Law’ (2018) <https://corporate.findlaw.com/law-library/european-court-establishes-broad-interpretation-of-data-privacy.html> accessed 05 February 2018
IIPT, ‘European Court of Justice, 6 November 2003, Lindqvist’ (2003) <https://www.ippt.eu/files/2003/IPPT20031106_ECJ_Lindqvist.pdf> accessed 05 February 2018
Klosek J, ‘European Court Establishes Broad Interpretation of Data Privacy Law’ (CCBJ, 01 March 2004) <https://ccbjournal.com/articles/3728/european-court-establishes-broad-interpretation-data-privacy-law> accessed 05 February 2018
Manolescu D, ‘Data protection Case law in EU: Bodil Lindqvist-part I.’ (E Crime Expert, 31 October 2011) <https://ecrimeexpertblog.wordpress.com/2011/10/31/data-protection-case-law-in-eu/> accessed 05 February 2018
Swarb, ‘Criminal proceedings against Lindqvist: ECJ 6 Nov 2003’ (28 August 2016) <https://swarb.co.uk/criminal-proceedings-against-lindqvist-ecj-6-nov-2003/> accessed 05 February 201