Feeds

EU can't discriminate between public and private personal data

Organisations can lawfully process personal data without consent

Secure remote control for conventional and virtual desktops

EU member states cannot generally prohibit organisations' legitimate and necessary but unauthorised processing of personal data where the information is not stored in specified public sources, the European Court of Justice (ECJ) has said.

The ECJ said that national rules that broadly exclude data processing in non-specified public sources in those circumstances are precluded under EU data protection laws.

"[The EU's Data Protection Directive] must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources," the ECJ said in its ruling.

The Court was ruling in a case involving a dispute about Spanish data protection laws and their compatibility with EU law. It was assessing whether Spain could give extra protection to personal data stored in non-public sources. Spanish law classes personal data found in public sources as information stored on the electoral roll, in telephone directories and media publications as well as some details about professional association membership, according to the ruling.

Under the Data Protection Directive, personal data can only be processed under strict conditions. Personal data must be "processed fairly and lawfully" and be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". Organisations must then either obtain "unambiguous consent" from individuals before processing is lawful or satisfy one of a number of other conditions instead. If consent is not given, personal data processing can still be lawful providing it is "necessary for the purposes of the legitimate interests" it, or third-parties to whom the information is disclosed, is pursuing, provided those interests are not "overridden by the interests for fundamental rights and freedoms of the data subject".

Under the EU Charter of Fundamental Rights individuals generally have a right to privacy and protection of personal data.

Whilst Article 5 of the Directive allows EU member states to "determine more precisely the conditions under which the processing of personal data is lawful" that does not give member states the right to "impose additional requirements that have the effect of amending the scope" of lawful processing of personal data under the Directive, the ECJ said. There are separate rules around the processing of sensitive data, such as medical records, racial origin and religious beliefs.

"The margin of discretion which Member States have pursuant to Article 5 can therefore be used only in accordance with ... maintaining a balance between the free movement of personal data and the protection of private life," the ECJ said.

The Court said that unauthorised processing of non-publicly sourced personal data by organisations could result in a "more serious infringement" of individuals' privacy rights than unauthorised processing of data from public sources. However, it said that it was not legitimate to broadly introduce greater protection over non-publicly sourced data in national law as to do so would result in an imbalance between the privacy rights of individuals and the right of free movement of data, the ECJ said.

"[Article 7(f) of the Data Protection Directive] precludes a Member State from excluding, in a categorical and generalised manner, the possibility of processing certain categories of personal data, without allowing the opposing rights and interests at issue to be balanced against each other in a particular case," the ECJ said.

"In light of those considerations ... Article 7(f) of [the] Directive must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources," it said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Intelligent flash storage arrays

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
DVLA website GOES TITSUP on day paper car tax discs retire
Welcome to GOV.UK - digital by de ... FAULT
Hey Brit taxpayers. You just spent £4m on Central London ‘innovation playground’
Catapult me a Mojito, I feel an Digital Innovation coming on
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
EU probes Google’s Android omerta again: Talk now, or else
Spill those Android secrets, or we’ll fine you
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.