A rose by any other name

by Maria on November 12, 2003

Daniel Davies lives in the south east of England and likes Brahms.

There, I’ve said it.

Now, how much could I be fined for breaking data protection law? If I also mention that, perhaps, one of Daniel’s legs is longer than the other, or that he’s a poor sleeper (invoking protections for sensitive medical data), I may be liable for a 450 euro fine.

Sounds crazy? Well, the European Court of Justice handed down last week a ruling about a Swedish parish council that should put the fear of god into bloggers who make comments about us Europeans and our hobbies.

In 1998, Mrs. Bodil Lindqvist of Alseda in Sweden put up a web page that included information about people in her parish. It included variously information about people’s jobs, hobbies, and in one case the fact that one person had injured her foot and was working part-time as a result. She was then fined 450 euro for failing to notify the data protection authority that she was processing personal data, and also for transferring said data to third countries by putting it on the world wide web. Mrs. Lindqvist’s appeal went all the way to the ECJ and a ruling was issued last week, partly upholding the original finding.

The law in question is the European general data protection Directive 95/46. The Directive defines ‘data processing’ very broadly to mean ‘anything anyone has ever thought to do to personal data, or ever might’, or words to that effect. So, putting people’s personal data on a web page would count as processing. But if the processing was done as a purely personal or domestic activity, it would not be captured by the Directive. The ECJ found that something Mrs. Lindqvist did clearly as a hobby, and with no commercial motive, did not count as being purely personal or domestic.*

This is extremely troubling. The implication of the ruling seems to be that if you refer in a published website to an EU citizen by name (or by using other data which reasonably infer who the person is), you should register as a ‘data controller’ and be prepared to have your data processing controls found wanting. While people who blog generally do so as a personal hobby, this seems to be no protection against being fully responsible for complying with data protection obligations. (the question of extra-territoriality is much contested and way beyond the scope of this post…)

Now, I think it’s fair to say that the original drafters back in 1995 did not mean to capture enthusiastic church members or bloggers who link to each other and discuss each other’s political beliefs (also ‘sensitive’ data). And one bright spot in the ECJ ruling was the observation that the Community legislature would not have intended to apply the expression ‘transfer of data to a third country’ to the publication of websites. The ECJ’s remit here, as I understand it (and pointers are welcome) was simply to make sure the Directive is properly implemented and enforced. But a first principles approach to Mrs. Lindqvist’s case might sensibly have asked, ‘what data protection goals or values can possibly be upheld by requiring online referrers to individuals to register as data controllers?’ Surely, if people don’t like what is said about them, they have recourse to libel or slander laws. Or does data protection now mean that even mentioning someone online is to be a controlled activity?

The directive was up for its scheduled review this year, and many of the people and organisations who provided input asked that the directive be brought up to date to deal with the realities of the internet. Another criticism made by many was that notification requirements create administrative burdens while doing nothing to actually protect privacy. But the European Commission walked through the consultation process and did just as the Commission wanted – i.e. allowed for no amendments. In fact, the ‘for and against the amendment of the directive’ section of the Commission’s report is almost laughable in that it contains no reasons ‘for’ and a page and a half of ‘against’. So, no chance of any sensible changes there.

What’s needed now is for the Article 29 Working Party, a committee of all the European data protection authorities, to come out and clarify what people publishing websites are and are not required to do. But the chances of this are slim. WP 29 seem to exist on a separate plane from the rest of us and engage in closed, theological discussions that have little relevance to common sense and day to day life. I expect it will be a long time before we see the white smoke rising on this issue.

* In fairness, the ‘personal and domestic activity’ carve-out was put in place so that people in homes with two telephones wouldn’t find themselves charged with unlawful interception if they happened to pick up the second receiver while someone was already on the first.

{ 5 comments }

1

dave heasman 11.12.03 at 1:26 pm

So how would you differentiate between this “innocent” description of unconsulted third parties and the charmers from redwatch.com or noncewatch.com?
I suppose you wouldn’t, and likewise permit posting details of, say, policemen’s addresses, families etc which have got people into jail in the US. In fact it seems that only the red & nonce watchers can freely post other people’s private details.

I’d say allow the lot to be posted, but someone being genuinely stalked via this – perhaps someone who’s opposed to Scientology? – might have a case for the opposite.

2

Maria 11.12.03 at 2:07 pm

Dave, I’m not sure what you’re saying I would or wouldn’t agree with. But my post on obligations to publish people’s names, addresses and phone numbers in ICANN’s WHOIS database may offer some indication of my views.

At issue here is the publication of someone’s name (perhaps first name only or even a pseudonym) and information about their interests. It’s not at all the same as publishing a policeman’s address. The data-set itself (e.g. hobbies versus phone numbers and addresses) is the distinguishing feature.

The real problem probably unravels all the way back to the directive’s definition of personal data. It includes “any information relating to an identified or identifiable person” and goes on to include any factors “specific to his physical, physiological, mental, economic, cultural or social identity”.

So, as I see it, there are two problems for bloggers. First, that ‘personal data’ is defined so broadly as to include a lot of the things we say about each other. There’s nothing to be done about that, although it’s a shame the original directive didn’t do more to distinguish between making an offhand comment about someone and publishing their mobile number for the world to see. Secondly, that the activity of blogging falls between two categories of derogation from the data protection obligations; domestic/personal activities, and journalistic/literary ones. Being neither fish nor fowl, we may fall into the compliance net in a way that was surely never intended.

3

Doug 11.12.03 at 2:56 pm

Can the European Parliament legislate on this topic? Or is it purely WP29 and/or the Commission that would have the right to originate legislation on the question?

“There oughta be a law!!”

4

drapetomaniac 11.12.03 at 5:21 pm

I suppose you wouldn’t, and likewise permit posting details of, say, policemen’s addresses, families etc which have got people into jail in the US.

Can you give any more details on this?

5

Maria 11.12.03 at 8:43 pm

Hi Doug.

As far as I understand the process, because it was a scheduled review by the Commission (should actually have happened in 2002), it’s up to the Commission to judge whether amendments are required. I don’t think the EP has any official role in suggesting amendments if the legislation hasn’t been brought back before it.

As to WP 29, they don’t have a statutory role in proposing amendments. But if amendments were proposed, i.e. if the directive was opened for amendments following a review, then the WP 29 would be required to give its opinion. Unofficially, I am sure they had plenty of input into the question of whether to amend the thing or not. Probably, like a lot of parties (with opposing interests) they surmised that opening it up would risk losing more than they might gain. There’s another review scheduled for 3-5 years’ time.

But there are a couple of really sticky issues – the article on applicable law is one of them – that are very troublesome, unresolved, and won’t just go away if we all wait around for another few years.

someone ought to do something…
