In re: Bodil Lindqvist
What happened?
Churchgoer published private member information.
Tried by Swedish court, appealed. Swedish sought answers from European court.
Violation of data protection directive, protects the right to privacy with respect to the processing of personal data.
Article 3 provides
- It applies to processing of personal data wholly or partly by automatic means
Public prosecutor brought prosecution against Lindqvist for breach PUL (a Swedish law on personal data which extends the data protection directive).
- She processed personal data by automatic means without giving prior written notification
- She processed sensitive personal data (e.g: injured her foot on half time medical grounds) without authorization.
Who won?
The prosecutors
Why did they win?
European Court answered 7 questions that determined her guilt. She violated processing data wholly or partly by automatic means.
How did the witnesses play a role (how did they go back and forth in their argument)?
7 questions. So N/A.
====================================VERSION2============================================
Bodil Lindqvist v Åklagarkammaren i Jönköping (2003) is a decision by the Court of Justice of the European Communities (European Court of Justice). It held that referring to various persons on an internet page and identifying them either by name or by other means constitutes processing of personal data by automatic means within the meaning of Community law.[1]
It was the first time the Court ruled on the scope of Directive 95/46/EC (Data Protection Directive) and freedom of movement for such data on the internet.[2] It was cited in Costeja (2014), a controversial ruling that held an internet search engine operator established in the European Union (EU) is responsible for the processing that it carries out of personal information that appears on web pages published by third parties, confirming a right of erasure widely regarded as a so-called right to be forgotten.[3]
====================================VERSION3============================================
European Court Establishes Broad Interpretation Of Data Privacy Law
Case Summary
ECJ Case C-101/01 arose after Bodil Lindqvist, a Swedish woman, posted text concerning her volunteer work at a Swedish church on her own website. Lindqvist's writings included identifiable information, including names and phone numbers, about some of her colleagues. She also included some information about her co-worker's hobbies and, in at least one instance, even health-related information.
Lindqvist did not obtain her co-workers' permission to post information about them on her website. In fact, she did not even tell them about the postings beforehand. She did, however, remove the web pages as soon as she received a request from her colleague to do so.
Nonetheless, the Swedish data protection authorities commenced proceedings against her and she was eventually ordered to pay a fine for having had processed personal data by automatic means and transferred such data without having prior permission from the Swedish data protection authorities and the individuals concerned.
Lindqvist appealed. During her appeal, she contended that posting information on an Internet web site does not amount to "processing personal data" within the meaning of the Data Protection Directive and that posting information on a web site does not amount to a transfer of data to a third country. She also contended that the Data Protection Directive does not apply to non-profit activities and that the sanctions she was facing for violating the data protection requirements violated her freedom of expression. On appeal, the Gota Court of Appeal of Sweden referred several questions to the ECJ, requesting that the European court clarify the correct interpretation of the Data Protection Directive.
In considering the questions that were posed to it by the Gota Court of Appeal, the ECJ determined that posting individuals' names and telephone numbers (as well as information regarding their working conditions and hobbies) on a web site did indeed constitute the "processing" of personal data for the purposes of the Data Protection Directive.
Having made this initial determination, the ECJ then moved on to consider whether posting personal data on an Internet web site could be construed as "transferring" such data to a third country. On this point, the ECJ supported the arguments made by Lindqvist, concluding that web site operators posting personal data on line are not subject to the legal regime governing the transfer of personal data unless (i) they actually send the personal information to Internet users who did not intentionally seek access to the web pages, or (ii) the server infrastructure is located on a non-EU country.
While this conclusion is somewhat surprising since it is inconsistent with what many commentators - and even national data protection authorities - had previously concluded, it does offer very useful guidance as to what will be considered as a "transfer" within the context of Internet postings.
The ECJ then went on to examine the application of the Data Protection Directive to the non-profit sector. The court ruled that the Directive did apply to Lindqvist's postings even though she was engaged in non-profit making activities. The ECJ did not address Lindqvist's claims that the restrictions imposed by the Data Protection Directive limited her freedom of expression.
Implications
ECJ Case C-101/01 has important implications for the posting of personal data on the Internet. Through this case, the court has clarified that posting personal data on the Internet amounts to processing personal data for the purposes of the Data Protection Directive. The court's finding highlights the fact that Europe's data protection regime is extremely far reaching.
The enforcement action that was launched against Lindqvist, and validated in large part, by the ECJ, is not likely to be the last of its kind. In fact, Norway's data protection authorities recently announced that they would be pursuing web site operators that display photos that were taken of individuals without their prior consent. Accordingly, the activity of the local data protection authorities, along with the ECJ's decision should serve as a wake-up call to all entities and individuals that process personal data in Europe and/or about Europeans, including by posting such data on an Internet website.1 Council Directive No. 95/46/EC of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, O.J. L 281/31 (1995) [hereinafter "Directive"].
2 European Court of Justice, November 6, 2003.
3 Directive, supra note 1, at Art. 2(a).
4 Id. at Art. 8(1).
Published March 1, 2004.
