You
are here:
AustLII >>
Australia >> Journals >> MurUEJL >> 2005 >> [2005]
MurUEJL 4
[Global
Search]
[MurUEJL
Search]
[Help]
Discretion of the EU Member State
When Implementing the Data Protection Directive 95/46/EC
Boštjan Koritnik
University of Ljubljana
Link to End Notes
With the aim of promoting the law of the European Union (EU)
there is a competition held every year under the auspices of the Court
of Justice to the European Communities (ECJ) and the University of
Cambridge. Consequently, in April 2004 the 10th annual Central and
Eastern European Moot Court Competition[1] was organized by the British Centre
for English and European Legal Studies in the capital of Latvia, Riga.
The representatives[2] of the Faculty of law at the
University of Ljubljana, Slovenia, achieved one first and two second
places. The competition is based on the preliminary questions[3] about a previously prepared case
which was supposed to be set by the national court of an EU Member
State to the ECJ.[4] In 2004 case one half of the
preliminary questions were related to the Directive 95/46/EC of the
European Parliament and of the Council[5] of 24th October 1995 on the
protection of individuals with regard to the processing of personal
data and on the free movement of such data (hereinafter: the Data
Directive or the Directive). Especially interesting was the question of
whether the Member State is entitled unilaterally to impose a higher
standard of protection of processing of data than that provided for by
the Data Directive, when the data in question has been provided with
the full consent of the individual concerned.
This question was,
however, strongly connected with another one, ie whether the provisions
of the Data Directive can be regarded as bringing about a conflict with
the general principles of freedom of expression or other freedoms and
rights, which are applicable within the EU and are enshrined inter alia
in Article 10[6] of the European Convention on the
Protection of Human Rights and Fundamental Freedoms[7] (hereinafter: ECHR). Before trying
to come to an answer to those questions, some facts on the Community
legislation, especially the directives, should be provided. According
to Article 249[8] of the Consolidated version of the
Treaty establishing the European Community[9] (hereinafter: the Treaty) the
European Parliament acting jointly with the Council, the Council and
the Commission shall make regulations and issue directives, take
decisions, make recommendations or deliver opinions.
Furthermore, a
directive shall be binding, as to the result to be achieved, upon each
Member State to which it is addressed, but shall leave to the national
authorities the choice of form and methods.[10] Directives need to be incorporated
into national law and are a more flexible instrument of Community law
than, for instance, regulations, which leave no discretion for any
consideration of national differences and needs.[11] As follows, directives are a
particularly useful device when the aim is to harmonize the laws within
a certain area, rather than produce strict uniformity.[12] However, the described nature of
the directives may give rise to problems when they are implemented,
since a Member State may, not necessary intentionally, misinterpret the
directive or the amount of discretion it has been given by the
directive.[13] And it is exactly this
‘margin for manoeuvre’,[14] which the Member States due to the
directives’ characteristics have, that caused the emergence
of the questions this paper is to explain and to which answers are
sought.
When we deal with the issue of the protection of individual
with regard to the processing of personal data, we should primarily
define the conduct in question, that is whether the discussed conduct
falls within the scope of the Data Directive. Namely, Article 3 of the
Data Directive provides an exception to its scope of application,[15] where for instance in the second
paragraph[16] it states that the Directive shall
not apply to the processing of personal data in the course of an
activity which falls outside the scope of Community law. According to
this provision, the ECJ has in the Lindqvist case[17] correctly decided that nothing
prevents a Member State from extending the scope of the national
legislation implementing the provisions of the Data Directive to areas
not included in the scope thereof,[18] provided that no other provision
of Community law precludes it.[19]
Rather more difficult is the
question, whether a Member State may unilaterally impose a higher
standard of protection of the ‘data individual’.[20] In the previously mentioned
Lindqvist[21] case almost an identical question
to the one at hand was raised, ie whether a Member State may provide a
more extensive protection for personal data or give it a wider scope
than the Directive. Substantially identical that is, up to the point,
where there was an addendum of: ‘even if none of the
circumstances described in Article 13 exists’.[22] And the wording of this question
by the mere logical conclusion implies that the existence of such
circumstances enables a Member State to provide a more extensive
protection. Moreover, the title of the Directive’s section,
under which Article 13 is to be found, is ‘Exemptions and
Restrictions', and the first paragraph of Article 13 allows the Member
States to adopt legislative measures to restrict the scope of the
obligations and rights provided for in certain Articles,[23] when such a restriction
constitutes necessary measures to safeguard, for example, national
and/or public security, an important economic or financial interest of
a Member State or of the European Union, for the prevention,
investigation, detection and prosecution of criminal offences and last,
but not least, also for the protection of the data subject or of the
rights and freedoms of others.[24] On the other hand, when the
individual in question allows its personal data to be processed and
with the absence of other circumstances listed in the first paragraph
of Article 13, the question is whether it is at all appropriate for a
state to protect such individual regardless of its consent to the
processing.[25] But unfortunately, an answer to
that is well beyond the scope of the Directive itself.
Problems
could also occur with the possibility of a rather wide interpretation
of the circumstances allowing the widening of the protection by the
Member States. In addition, Article 5 provides that the Member States
shall, within the limits of the provisions of the chapter on the
general rules on the lawfulness of the processing of personal data,
determine more precisely the conditions under which the processing of
personal data is lawful.[26] There are several more provisions,
as ascertained by the ECJ[27] and also the Swedish[28] and Dutch[29] governments, who submitted their
observations in the Lindqvist case, which imply a certain level of the
Member States' discretion.[30] Just the opposite was the opinion
of the European Commission, who considered the Data Directive to be
based on Article 100a of the Treaty and that, if a Member State wishes
to maintain or introduce legislation which derogates from such a
harmonising directive, it is obliged to notify the Commission pursuant
to Article 95/IV. or 95/V. EC.[31] As follows, the Commission
submitted that the Member State cannot make provisions for more
extensive protection of personal data of the one provided for by the
Directive.[32] As seen, the intertwining parties
differed in opinion, but the Court has, in my view, chosen the only
correct path to solve the problem, since it emphasized the objective
and the idea of the Directive itself.[33]
Namely, the Directive was adopted
to encourage the free movement,[34] ie to remove the obstacles to
flows of personal data[35] by harmonising the laws,
regulations and administrative provisions of the Member States on the
protection of individuals with respect to the processing of such data.[36] The idea behind it was that the
difference in levels of protection of the rights and freedoms of
individuals, notably the right to privacy, with regard to the
processing of personal data afforded in the Member States may prevent
the transmission of such data from the territory of one Member State to
that of another Member State.[37] This difference could therefore
constitute an obstacle to the pursuit of a number of economic
activities at Community level, distort competition and impede
authorities in the discharge of their responsibilities under Community
law.[38] Consequently, if it would be
possible for a Member State to impose a higher standard, there would
again appear differences in the levels of protection and a situation
would occur, as if there had been no Data Directive at all. As follows,
the Directive is intended to ensure, that the level of protection of
the rights and freedoms of individuals with regard to the processing of
personal data is equivalent in all Member States.[39]
Accordingly, the ECJ decided that
the measures taken by the Member States to ensure the protection of
personal data must be consistent both with the provisions of the Data
Directive and with its objective of maintaining a balance between
freedom of movement of personal data and the protection of private life.[40] Consequently, the core of the Data
Directive is, in my opinion, the balance between the flow of personal
data, being as free as possible, and the protection of the same data,
which defines and limits the term ‘free as
possible’.[41] Moreover, the Directive describes
its object in Article 1, and in the first paragraph of the mentioned
Article it provides the Member States with the duty to protect, in
accordance with the Directive, the fundamental rights and freedoms of
natural persons, and in particular their right to privacy with respect
to the processing of personal data. As important, if not even more, is
the provision of the second paragraph of the same Article, which
prevents Member States to restrict or prohibit the free flow of
personal data between Member States for reasons connected with the
protection afforded under paragraph 1.[42] As follows, the aim behind the
Directive is the throughout implementation of the balance between both
valuables, ie between the free movement of personal data and the
protection of private life,[43] whereas a Member State may not go
beyond what is necessary to attain this objective.[44]
If we now, in the light of the
previous findings, ask the question of a possible conflict between the
provisions of the Data Directive and the general principles of freedom
of expression or other freedoms and rights, which are applicable within
the EU, we must ascertain that the ECHR does not establish any
hierarchy between the various fundamental rights,[45] ie none of the fundamental
freedoms and rights is considered to be absolute, since all are
indispensable for a human worth existence. On the other hand, life
brings with itself situations in which executing one freedom or right
causes encroachment upon the same or other freedoms or rights of
another person. And it is the task of the law to provide instruments,
which are to ensure coexistence, a symbiosis among different rights,
and consequently among people. This is also expressed by the second
paragraph of Article 10 of the ECHR,[46] which inter alia states that the
exercise of the freedom of expression may be subject to formalities,
conditions, restrictions or penalties necessary in a democratic
society. However, in order to form an adequate legal mechanism for such
coexistence, the principle of proportionality is to be considered. In
my opinion, the Directive has not only managed to create a balance
between the freedom of expression and the right to privacy when
personal data are processed, in addition it has also provided
appropriate restrictions and limitations to the freedom of expression
in the areas envisaged in and in accordance with the second paragraph
of Article 10 of the ECHR.[47]
Notwithstanding, it is for the
authorities and courts of the Member States not only to interpret their
national law in a manner consistent with the Data Directive but also to
make sure they do not rely on an interpretation of it which would be in
conflict with the fundamental rights protected by the Community legal
order or with the other general principles of Community law, such as
inter alia the principle of proportionality.[48] In accordance with such view the
ECJ has in the Lindqvist case decided that the provisions of Directive
95/46/EC do not, in themselves, bring about a restriction which
conflicts with the general principles of freedom of expression or other
freedoms and rights, which are applicable within the European Union and
are enshrined inter alia in Article 10 of the ECHR.[49]
To conclude this paper, which was
intended to provide a solution to the dilemma of the Member States
about their possibilities of reduction or extension of the protection
of individuals with regard to the processing of personal data, let me
be allowed to quote the Court of Justice to the European Communities,[50]
which introduced a solid
foundation for answering the question at hand: ‘As regards
Directive 95/46 itself, its provisions are necessarily relatively
general since it has to be applied to a large number of very different
situations… the directive quite properly includes rules with
a degree of flexibility and, in many instances, leaves to the Member
States the task of deciding the details or choosing between
options.’ And the courts are, as already stated above, faced
with a thankless task of controlling the efficiency and suitability of
such decisions.
Notes
[1] All about the competition at http://www.law.cam.ac.uk/Moot/indexpge.htm.
[2] Živa Filipic, Katarina Kus,
Saša Sodja and the author.
[3] Preliminary questions 2004: http://www.law.cam.ac.uk/moot/doc/Web_moot_question.doc.
[4] The jurisdiction of the ECJ is
twofold: it has jurisdiction to give preliminary rulings concerning
interpretation and validity. In its interpretative role, the Court may
rule on the interpretation of the Treaty, of acts of the institutions,
and of statues of bodies established by an act of the Council, where
those statutes so provide. 'Acts of the institutions' covers binding
acts in the form of Regulations, Directives and Decisions and even
non-binding acts such as Recommendations and Opinions, since they may
be relevant to the interpretation of domestic implementing measures.
– Resumed from J Steiner & L Woods Textbook on EC Law
(Blackstone London 2000), 461-463.
[5] OJ 1995L281,31; Available at:http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEX
numdoc&lg=EN&numdoc=31995L0046&model=guichett.
In detail about the directive: Duji?, Slobodan: The Directive of the
European Union on the Protection of Individual regarding the processing
of Personal Data, published in, Public service, Year 32 (1996), No. 1,
51-74.
[6] Article 10 of ECHR (Freedom of
Expression): ‘Everyone has the right to freedom of
expression. This right shall include freedom to hold opinions and to
receive and impart information and ideas without interference by public
authority and regardless of frontiers. …’.
[7] Available at: http://conventions.coe.int/treaty/en/Treaties/Html/005.htm.
[8] Article 249 of the Treaty:
‘In order to carry out their task and in accordance with the
provisions of this Treaty, the European Parliament acting jointly with
the Council, the Council and the Commission shall make regulations and
issue directives, take decisions, make recommendations or deliver
opinions. A regulation shall have general application. It shall be
binding in its entirety and directly applicable in all Member States. A
directive shall be binding, as to the result to be achieved, upon each
Member State to which it is addressed, but shall leave to the national
authorities the choice of form and methods. A decision shall be binding
in its entirety upon those to whom it is addressed. Recommendations and
opinions shall have no binding force.’
[9] Available at: http://www.dostopdoinformacij.si/fileadmin/user_upload/EC_consol_Treaty_of_EC.pdf.
[10] Supra, footnote No. 8.
[11] M Horspool European Union Law (3rd
edition, London: LexisNexis 2003), § 4.15.
[12] Craig, Paul & de
Búrca, Gráinne: EC law: text, cases and materials
(7th edition, Oxford: Clarendon Press, 1995), 100.
[13] Supra, footnote No. 10.
[14] Phrase used in, Reply of the Court
in the Case C-101 Bodil Lindqvist v Åklagarkammaren i
Jönköping, ¶97. Available at http://www.law.cam.ac.uk/moot/doc/Bundle.doc
(hereinafter: Bundle).
[15] Similarly in, Reply of the Court
in the Case C-101/01, ¶37 (Bundle 187).
[16] 3/II. of Directive 95/46/EC:
‘… 2. This Directive shall not apply to the
processing of personal data: - in the course of an activity which falls
outside the scope of Community law, such as those provided for by
Titles V and VI of the Treaty on European Union and in any case to
processing operations concerning public security, defence, State
security (including the economic well-being of the State when the
processing operation relates to State security matters) and the
activities of the State in areas of criminal law, - by a natural person
in the course of a purely personal or household activity.’
[17] Case C-101/01 Bodil Lindqvist v
Åklagarkammaren i Jönköping –
reference to the ECJ under Article 234 of the Treaty by Götta
Hovrätten (Sweden) for a preliminary ruling in the criminal
proceedings before that court against Bodil Lidqvist. In addition to
her job as a maintenance worker, Mrs. Lindqvist worked as a catechist
in the parish of Alseda (Sweden). Mrs. Lindqvist set up internet pages
at home on her personal computer in order to allow parishioners
preparing for their confirmation to obtain information they might need.
The pages in question contained information about Mrs. Lindqvist and 18
colleagues in the parish, sometimes including their full names and in
other cases only their first names. She had not informed her colleagues
about the existence of those pages or obtained their consent, nor did
she notify the Datainspektionen (supervisory authority for the
protection of electronically transmitted data) of her activity. She
removed the pages in question as soon as she became aware that they
were aware that they were not appreciated by some of her colleagues.
The public prosecutor brought a prosecution against Mrs. Lindqvist
charging her, among other things, for the unauthorized processing of
personal data. – Resumed from: Bundle p 181,185.
[18] Decision of the Court in the Case
C-101/01, ¶6 (Bundle 192).
[19] By analogy with the opinion of AG
Cosmas in the Case C-223/98 Adidas AG v Arlanda Tullmyndighet, in
footnote No. 6. Available at: http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEX
numdoc&lg=EN&numdoc=61998C0223&model=guichett.
[20] Fourth preliminary question
(Bundle 6).
[21] Supra, footnote No. 17.
[22] AG Tizzano in the Case C-101/01,
¶21. Available at: http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!
celexapi!prod!CELEXnumdoc&lg=EN&numdoc=62001C0101&model=guichett.
[23] Among others also the first
paragraph of Article 6, which defines and limits the measures of the
Member States when the quality of the personal data to be processed is
in question.
[24] Supra, footnote No. 5; see also:
?ebulj, Janez: Adapting the normative regulation of the personal data
protection to the requirements of the European Community, 453,
¶5, published in, Public service, Year 32 (1996), No. 4, p
447-456.
[25] This possibility is, for instance,
given to the Member State with the provision of fist indent of the
second paragraph of Article 8 of the Data Directive, which reads:
‘[Paragraph 1 shall not apply where:] (a) the data subject
has given his explicit consent to the processing of those data, except
where the laws of the Member State provide that the prohibition
referred to in paragraph 1 may not be lifted by the data subject's
giving his consent; or’ (marked by B.K.)
[26] Ibidem.
[27] Reply of the Court in the Case
C-101/01, ¶97 (Bundle 192).
[28] Observations submitted to the
Court in the Case C-101/01, ¶92 (Bundle 191).
[29] Observations submitted to the
Court in the Case C-101/01, ¶93 (Bundle 191).
[30] For example, provisions of
Articles 10., 11/I., 14/I.(a), 17/III., 18/V. in 19/I. of the Directive
95/46/EC.
[31] Observations submitted to the
Court in the Case C-101/01, ¶94 (Bundle 191).
[32] Ibidem.
[33] Reply of the Court in the Case
C-101/01, ¶95-97 (Bundle 192).
[34] Opinion of AG Tizzano in the Case
C-101/01, ¶5, similarly also ¶39.
[35] Eight recital in the preamble of
the Directive 95/46/EC.
[36] Supra, footnote No. 25.
[37] Opinion of AG Tizzano in the Case
C-101/01, ¶6.
[38] Ibidem, according to the seventh
recital in the preamble of the Directive 95/46/EC.
[39] Eighth recital in the preamble of
the Directive 95/46/EC; also in, Reply of the Court in Case C-101/01,
¶95 (Bundle 192).
[40] Ruling of the Court in the Case
C-101/01 (Bundle 192).
[41] Similarly in, Reply of the Court
in the Case C-101/01, ¶96 (Bundle 192).
[42] Similarly AG Tizzano in its
opinion to the Case C-101/01, ¶6.
[43] Reply of the Court in the Case
C-101/01, ¶97 (Bundle 192).
[44] AG Alber in the Case C-369/98 The
Queen v Minister of Agriculture, Fisheries and Food, ex parte Trevor
Robert Fisher and Penny Fisher, ¶44. Available at: http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!
prod!CELEXnumdoc&lg=EN&numdoc=61998C0369&model=guichett.
[45] Observations submitted to the
Court in the Case C-101/01, ¶76 (Bundle 190).
[46] 10/II. ECHR: ‘The
exercise of these freedoms, since it carries with it duties and
responsibilities, may be subject to such formalities, conditions,
restrictions or penalties as are prescribed by law and are necessary in
a democratic society, in the interests of national security,
territorial integrity or public safety, for the prevention of disorder
or crime, for the protection of health or morals, for the protection of
the reputation or rights of others, for preventing the disclosure of
information received in confidence, or for maintaining the authority
and impartiality of the judiciary.’
[47] Supra, footnote No. 46.
[48] Reply of the Court in the Case
C-101/01, ¶87; similarly also ¶90 (Bundle 191);
opinion of the Swedish government in, Observations submitted to the
Court in Case C-101/01, ¶75 (Bundle 190).
[49] Ruling of the Court in Case
C-101/01, ¶75 (Bundle 190).
[50] Reply of the Court in Case
C-101/01, ¶83 (Bundle 191).
AustLII:
Feedback |
Privacy Policy |
Disclaimers
URL: http://www.austlii.edu.au/au/journals/MurUEJL/2005/4.html
