Daniel Davies lives in the south east of England and likes Brahms.
There, I’ve said it.
Now, how much could I be fined for breaking data protection law? If I also mention that, perhaps, one of Daniel’s legs is longer than the other, or that he’s a poor sleeper (invoking protections for sensitive medical data), I may be liable for a 450 euro fine.
Sounds crazy? Well, the European Court of Justice handed down last week a ruling about a Swedish parish council that should put the fear of god into bloggers who make comments about us Europeans and our hobbies.
In 1998, Mrs. Bodil Lindqvist of Alseda in Sweden put up a web page that included information about people in her parish. It included variously information about people’s jobs, hobbies, and in one case the fact that one person had injured her foot and was working part-time as a result. She was then fined 450 euro for failing to notify the data protection authority that she was processing personal data, and also for transferring said data to third countries by putting it on the world wide web. Mrs. Lindqvist’s appeal went all the way to the ECJ and a ruling was issued last week, partly upholding the original finding.
The law in question is the European general data protection Directive 95/46. The Directive defines ‘data processing’ very broadly to mean ‘anything anyone has ever thought to do to personal data, or ever might’, or words to that effect. So, putting people’s personal data on a web page would count as processing. But if the processing was done as a purely personal or domestic activity, it would not be captured by the Directive. The ECJ found that something Mrs. Lindqvist did clearly as a hobby, and with no commercial motive, did not count as being purely personal or domestic.*
This is extremely troubling. The implication of the ruling seems to be that if you refer in a published website to an EU citizen by name (or by using other data which reasonably infer who the person is), you should register as a ‘data controller’ and be prepared to have your data processing controls found wanting. While people who blog generally do so as a personal hobby, this seems to be no protection against being fully responsible for complying with data protection obligations. (the question of extra-territoriality is much contested and way beyond the scope of this post…)
Now, I think it’s fair to say that the original drafters back in 1995 did not mean to capture enthusiastic church members or bloggers who link to each other and discuss each others’ political beliefs (also ‘sensitive’ data). And one bright spot in the ECJ ruling was the observation that the Community legislature would not have intended to apply the expression ‘transfer of data to a third country’ to the publication of websites. The ECJ’s remit here, as I understand it (and pointers are welcome) was simply to make sure the Directive is properly implemented and enforced. But a first principles approach to Mrs. Lindqvist’s case might sensibly have asked, ‘what data protection goals or values can possibly be upheld by requiring online referers to individuals to register as data controllers?’ Surely, if people don’t like what is said about them, they have recourse to libel or slander laws. Or does data protection now mean that even mentioning someone online is to be a controlled activity?
The directive was up for its scheduled review this year, and many of the people and organisations who provided input asked that the directive be brought up to date to deal with the realities of the internet. Another criticism made by many was that notification requirements create administrative burdens while doing nothing to actually protect privacy. But the European Commission walked through the consultation process and did just as the Commission wanted - i.e. allowed for no amendments. In fact, the ‘for and against the amendment of the directive’ section of the Commission’s report is almost laughable in that it contains no reasons ‘for’ and a page and a half of ‘against’. So, no chance of any sensible changes there.
What’s needed now is for the Article 29 Working Party, a committee of all the European data protection authorities, to come out and clarify what people publishing websites are and are not required to do. But the chances of this are slim. WP 29 seem to exist on a separate plane from the rest of us and engage in closed, theological discussions that have little relevance to common sense and day to day life. I exoect it will be a long time before we see the white smoke rising on this issue.
So how would you differentiate between this “innocent” description of unconsulted third parties and the charmers from redwatch.com or noncewatch.com?
I suppose you wouldn’t, and likewise permit posting details of, say, policemen’s addresses, families etc which have got people into jail in the US. In fact it seems that only the red & nonce watchers can freely post other people’s private details.
I’d say allow the lot to be posted, but someone being genuinely stalked via this - perhaps someone who’s opposed to Scientology? - might have a case for the opposite.
Dave, I’m not sure what you’re saying I would or wouldn’t agree with. But my post on obligations to publish people’s names, addresses and phone numbers in ICANN’s WHOIS database may offer some indication of my views.
At issue here is the publication of someone’s name (perhaps first name only or even a pseudonym) and information about their interests. It’s not at all the same as publishing a policeman’s address. The data-set itself (e.g. hobbies versus phone numbers and addresses) is the distinguishing feature.
The real problem probably unravels all the way back to the directive’s definition of personal data. It includes “any information relating to an identified or indentifiable person” and goes on to include any factors “specific to his physical, physiological, mental, economic, cultural or social identity”.
So, as I see it, there are two problems for bloggers. First, that ‘personal data’ is defined so broadly as to include a lot of the things we say about eachother. There’s nothing to be done abut that, although it’s a shame the original directive didn’t do more to distinguish between making an offhand comment about someone and publishing their mobile number for the world to see. Secondly, that the activity of blogging falls between two categories of derogation from the data protection obligations; domestic/personal activities, and journalistic/literary ones. Being neither fish nor fowl, we may be fall into the compliance net in a way that was surely never intended.
Can the European Parliament legislate on this topic? Or is it purely WP29 and/or the Commission that would have the right to originate legislation on the question?
“There oughta be a law!!”
I suppose you wouldn’t, and likewise permit posting details of, say, policemen’s addresses, families etc which have got people into jail in the US.
Can you give any more details on this?
Hi Doug.
As far as I understand the process, because it was a scheduled review by the Commission(should actually have happened in 2002), it’s up to the Commission to judge whether amendments are required. I don’t think the EP has any official role in suggesting amendments if the legislation hasn’t been brought back before it.
As to WP 29, they don’t have a statutory role in proposing amendments. But if amendments were proposed, i.e. if the directive was opened for amendments following a review, then the WP 29 would be required to give its opinion. Unofficially, I am sure they had plenty of input into the question of whether to amend the thing or not. Probably, like a lot of parties (with opposing interests) they surmised that opening it up would risk losing more than they might gain. There’s another review scheduled for 3-5 years time.
But there are a couple of really sticky issues - the article on applicable law is one of them - that are very troublesome, unresolved, and won’t just go away if we all wait around for another few years.
someone ought to do something…
À Gauche
Jeremy Alder
Amaravati
Anggarrgoon
Audhumlan Conspiracy
H.E. Baber
Philip Blosser
Paul Broderick
Matt Brown
Diana Buccafurni
Brandon Butler
Keith Burgess-Jackson
Certain Doubts
David Chalmers
Noam Chomsky
The Conservative Philosopher
Desert Landscapes
Denis Dutton
David Efird
Karl Elliott
David Estlund
Experimental Philosophy
Fake Barn County
Kai von Fintel
Russell Arben Fox
Garden of Forking Paths
Roger Gathman
Michael Green
Scott Hagaman
Helen Habermann
David Hildebrand
John Holbo
Christopher Grau
Jonathan Ichikawa
Tom Irish
Michelle Jenkins
Adam Kotsko
Barry Lam
Language Hat
Language Log
Christian Lee
Brian Leiter
Stephen Lenhart
Clayton Littlejohn
Roderick T. Long
Joshua Macy
Mad Grad
Jonathan Martin
Matthew McGrattan
Marc Moffett
Geoffrey Nunberg
Orange Philosophy
Philosophy Carnival
Philosophy, et cetera
Philosophy of Art
Douglas Portmore
Philosophy from the 617 (moribund)
Jeremy Pierce
Punishment Theory
Geoff Pynn
Timothy Quigley (moribund?)
Conor Roddy
Sappho's Breathing
Anders Schoubye
Wolfgang Schwartz
Scribo
Michael Sevel
Tom Stoneham (moribund)
Adam Swenson
Peter Suber
Eddie Thomas
Joe Ulatowski
Bruce Umbaugh
What is the name ...
Matt Weiner
Will Wilkinson
Jessica Wilson
Young Hegelian
Richard Zach
Psychology
Donyell Coleman
Deborah Frisch
Milt Rosenberg
Tom Stafford
Law
Ann Althouse
Stephen Bainbridge
Jack Balkin
Douglass A. Berman
Francesca Bignami
BlunkettWatch
Jack Bogdanski
Paul L. Caron
Conglomerate
Jeff Cooper
Disability Law
Displacement of Concepts
Wayne Eastman
Eric Fink
Victor Fleischer (on hiatus)
Peter Friedman
Michael Froomkin
Bernard Hibbitts
Walter Hutchens
InstaPundit
Andis Kaulins
Lawmeme
Edward Lee
Karl-Friedrich Lenz
Larry Lessig
Mirror of Justice
Eric Muller
Nathan Oman
Opinio Juris
John Palfrey
Ken Parish
Punishment Theory
Larry Ribstein
The Right Coast
D. Gordon Smith
Lawrence Solum
Peter Tillers
Transatlantic Assembly
Lawrence Velvel
David Wagner
Kim Weatherall
Yale Constitution Society
Tun Yin
History
Blogenspiel
Timothy Burke
Rebunk
Naomi Chana
Chapati Mystery
Cliopatria
Juan Cole
Cranky Professor
Greg Daly
James Davila
Sherman Dorn
Michael Drout
Frog in a Well
Frogs and Ravens
Early Modern Notes
Evan Garcia
George Mason History bloggers
Ghost in the Machine
Rebecca Goetz
Invisible Adjunct (inactive)
Jason Kuznicki
Konrad Mitchell Lawson
Danny Loss
Liberty and Power
Danny Loss
Ether MacAllum Stewart
Pam Mack
Heather Mathews
James Meadway
Medieval Studies
H.D. Miller
Caleb McDaniel
Marc Mulholland
Received Ideas
Renaissance Weblog
Nathaniel Robinson
Jacob Remes (moribund?)
Christopher Sheil
Red Ted
Time Travelling Is Easy
Brian Ulrich
Shana Worthen
Computers/media/communication
Lauren Andreacchi (moribund)
Eric Behrens
Joseph Bosco
Danah Boyd
David Brake
Collin Brooke
Maximilian Dornseif (moribund)
Jeff Erickson
Ed Felten
Lance Fortnow
Louise Ferguson
Anne Galloway
Jason Gallo
Josh Greenberg
Alex Halavais
Sariel Har-Peled
Tracy Kennedy
Tim Lambert
Liz Lawley
Michael O'Foghlu
Jose Luis Orihuela (moribund)
Alex Pang
Sebastian Paquet
Fernando Pereira
Pink Bunny of Battle
Ranting Professors
Jay Rosen
Ken Rufo
Douglas Rushkoff
Vika Safrin
Rob Schaap (Blogorrhoea)
Frank Schaap
Robert A. Stewart
Suresh Venkatasubramanian
Ray Trygstad
Jill Walker
Phil Windley
Siva Vaidahyanathan
Anthropology
Kerim Friedman
Alex Golub
Martijn de Koning
Nicholas Packwood
Geography
Stentor Danielson
Benjamin Heumann
Scott Whitlock
Education
Edward Bilodeau
Jenny D.
Richard Kahn
Progressive Teachers
Kelvin Thompson (defunct?)
Mark Byron
Business administration
Michael Watkins (moribund)
Literature, language, culture
Mike Arnzen
Brandon Barr
Michael Berube
The Blogora
Colin Brayton
John Bruce
Miriam Burstein
Chris Cagle
Jean Chu
Hans Coppens
Tyler Curtain
Cultural Revolution
Terry Dean
Joseph Duemer
Flaschenpost
Kathleen Fitzpatrick
Jonathan Goodwin
Rachael Groner
Alison Hale
Household Opera
Dennis Jerz
Jason Jones
Miriam Jones
Matthew Kirschenbaum
Steven Krause
Lilliputian Lilith
Catherine Liu
John Lovas
Gerald Lucas
Making Contact
Barry Mauer
Erin O'Connor
Print Culture
Clancy Ratcliff
Matthias Rip
A.G. Rud
Amardeep Singh
Steve Shaviro
Thanks ... Zombie
Vera Tobin
Chuck Tryon
University Diaries
Classics
Michael Hendry
David Meadows
Religion
AKM Adam
Ryan Overbey
Telford Work (moribund)
Library Science
Norma Bruce
Music
Kyle Gann
ionarts
Tim Rutherford-Johnson
Greg Sandow
Scott Spiegelberg
Biology/Medicine
Pradeep Atluri
Bloviator
Anthony Cox
Susan Ferrari (moribund)
Amy Greenwood
La Di Da
John M. Lynch
Charles Murtaugh (moribund)
Paul Z. Myers
Respectful of Otters
Josh Rosenau
Universal Acid
Amity Wilczek (moribund)
Theodore Wong (moribund)
Physics/Applied Physics
Trish Amuntrud
Sean Carroll
Jacques Distler
Stephen Hsu
Irascible Professor
Andrew Jaffe
Michael Nielsen
Chad Orzel
String Coffee Table
Math/Statistics
Dead Parrots
Andrew Gelman
Christopher Genovese
Moment, Linger on
Jason Rosenhouse
Vlorbik
Peter Woit
Complex Systems
Petter Holme
Luis Rocha
Cosma Shalizi
Bill Tozier
Chemistry
"Keneth Miles"
Engineering
Zack Amjal
Chris Hall
University Administration
Frank Admissions (moribund?)
Architecture/Urban development
City Comforts (urban planning)
Unfolio
Panchromatica
Earth Sciences
Our Take
Who Knows?
Bitch Ph.D.
Just Tenured
Playing School
Professor Goose
This Academic Life
Other sources of information
Arts and Letters Daily
Boston Review
Imprints
Political Theory Daily Review
Science and Technology Daily Review