Feeds

EU can't discriminate between public and private personal data

Organisations can lawfully process personal data without consent

Next gen security for virtualised datacentres

EU member states cannot generally prohibit organisations' legitimate and necessary but unauthorised processing of personal data where the information is not stored in specified public sources, the European Court of Justice (ECJ) has said.

The ECJ said that national rules that broadly exclude data processing in non-specified public sources in those circumstances are precluded under EU data protection laws.

"[The EU's Data Protection Directive] must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources," the ECJ said in its ruling.

The Court was ruling in a case involving a dispute about Spanish data protection laws and their compatibility with EU law. It was assessing whether Spain could give extra protection to personal data stored in non-public sources. Spanish law classes personal data found in public sources as information stored on the electoral roll, in telephone directories and media publications as well as some details about professional association membership, according to the ruling.

Under the Data Protection Directive, personal data can only be processed under strict conditions. Personal data must be "processed fairly and lawfully" and be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". Organisations must then either obtain "unambiguous consent" from individuals before processing is lawful or satisfy one of a number of other conditions instead. If consent is not given, personal data processing can still be lawful providing it is "necessary for the purposes of the legitimate interests" it, or third-parties to whom the information is disclosed, is pursuing, provided those interests are not "overridden by the interests for fundamental rights and freedoms of the data subject".

Under the EU Charter of Fundamental Rights individuals generally have a right to privacy and protection of personal data.

Whilst Article 5 of the Directive allows EU member states to "determine more precisely the conditions under which the processing of personal data is lawful" that does not give member states the right to "impose additional requirements that have the effect of amending the scope" of lawful processing of personal data under the Directive, the ECJ said. There are separate rules around the processing of sensitive data, such as medical records, racial origin and religious beliefs.

"The margin of discretion which Member States have pursuant to Article 5 can therefore be used only in accordance with ... maintaining a balance between the free movement of personal data and the protection of private life," the ECJ said.

The Court said that unauthorised processing of non-publicly sourced personal data by organisations could result in a "more serious infringement" of individuals' privacy rights than unauthorised processing of data from public sources. However, it said that it was not legitimate to broadly introduce greater protection over non-publicly sourced data in national law as to do so would result in an imbalance between the privacy rights of individuals and the right of free movement of data, the ECJ said.

"[Article 7(f) of the Data Protection Directive] precludes a Member State from excluding, in a categorical and generalised manner, the possibility of processing certain categories of personal data, without allowing the opposing rights and interests at issue to be balanced against each other in a particular case," the ECJ said.

"In light of those considerations ... Article 7(f) of [the] Directive must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources," it said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

The essential guide to IT transformation

More from The Register

next story
The police are WRONG: Watching YouTube videos is NOT illegal
And our man Corfield is pretty bloody cross about it
China hopes home-grown OS will oust Microsoft
Doesn't much like Apple or Google, either
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Fast And Furious 6 cammer thrown in slammer for nearly three years
Man jailed for dodgy cinema recording of Hollywood movie
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Don't even THINK about copyright violation, says Indian state
Pre-emptive arrest for pirates in Karnataka
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?