Feeds

EU can't discriminate between public and private personal data

Organisations can lawfully process personal data without consent

Top 5 reasons to deploy VMware with Tegile

EU member states cannot generally prohibit organisations' legitimate and necessary but unauthorised processing of personal data where the information is not stored in specified public sources, the European Court of Justice (ECJ) has said.

The ECJ said that national rules that broadly exclude data processing in non-specified public sources in those circumstances are precluded under EU data protection laws.

"[The EU's Data Protection Directive] must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources," the ECJ said in its ruling.

The Court was ruling in a case involving a dispute about Spanish data protection laws and their compatibility with EU law. It was assessing whether Spain could give extra protection to personal data stored in non-public sources. Spanish law classes personal data found in public sources as information stored on the electoral roll, in telephone directories and media publications as well as some details about professional association membership, according to the ruling.

Under the Data Protection Directive, personal data can only be processed under strict conditions. Personal data must be "processed fairly and lawfully" and be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". Organisations must then either obtain "unambiguous consent" from individuals before processing is lawful or satisfy one of a number of other conditions instead. If consent is not given, personal data processing can still be lawful providing it is "necessary for the purposes of the legitimate interests" it, or third-parties to whom the information is disclosed, is pursuing, provided those interests are not "overridden by the interests for fundamental rights and freedoms of the data subject".

Under the EU Charter of Fundamental Rights individuals generally have a right to privacy and protection of personal data.

Whilst Article 5 of the Directive allows EU member states to "determine more precisely the conditions under which the processing of personal data is lawful" that does not give member states the right to "impose additional requirements that have the effect of amending the scope" of lawful processing of personal data under the Directive, the ECJ said. There are separate rules around the processing of sensitive data, such as medical records, racial origin and religious beliefs.

"The margin of discretion which Member States have pursuant to Article 5 can therefore be used only in accordance with ... maintaining a balance between the free movement of personal data and the protection of private life," the ECJ said.

The Court said that unauthorised processing of non-publicly sourced personal data by organisations could result in a "more serious infringement" of individuals' privacy rights than unauthorised processing of data from public sources. However, it said that it was not legitimate to broadly introduce greater protection over non-publicly sourced data in national law as to do so would result in an imbalance between the privacy rights of individuals and the right of free movement of data, the ECJ said.

"[Article 7(f) of the Data Protection Directive] precludes a Member State from excluding, in a categorical and generalised manner, the possibility of processing certain categories of personal data, without allowing the opposing rights and interests at issue to be balanced against each other in a particular case," the ECJ said.

"In light of those considerations ... Article 7(f) of [the] Directive must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources," it said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Beginner's guide to SSL certificates

More from The Register

next story
Bladerunner sequel might actually be good. Harrison Ford is in it
Go ahead, you're all clear, kid... Sorry, wrong film
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
Forget Hillary, HP's ex CARLY FIORINA 'wants to be next US Prez'
Former CEO has political ambitions again, according to Washington DC sources
prev story

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.