1 Bender on Privacy and Data Protection § 32.04 (2020)
Personal information posted on a website resident on a server located in the EU and accessible worldwide does not “transfer” that information outside the EU.
Articles 25 and 26 of the Directive require that restrictions be applied to “transfer to a third country of personal data that are undergoing processing or are intended for processing.” Just what is “transfer to a third country?” In particular, if personal information is displayed on a website available worldwide and maintained on a server in the EU, has there been a “transfer” of that information? This was one of the issues posed in the
Lindqvist case
1 decided in 2003 the European Court of Justice (the “ECJ”), the EU’s highest court.
2The case involved a woman who established a website on her computer in Sweden and posted on it some personal information (names, work conditions, hobbies, family circumstances, telephone numbers and other information) regarding about 18 parishioners at her church. Her purpose was to allow parishioners preparing for their confirmation to obtain information they might need. The website was accessible worldwide. She did not notify the site to the Swedish data protection authority, and she removed it when she became aware that some of her colleagues did not appreciate it. The Swedish government brought a criminal action against her, charging, inter alia, that posting the information on a website available worldwide and maintained on a host computer located in the EU, constituted transfer outside the EU. The Swedish tribunal held against the defendant on this and the other counts alleged, and fined her SEK 4,300 (roughly US$700). She appealed to a Swedish court, which referred the matter to the ECJ for an interpretation of the Data Protection Directive.
On the transfer point the ECJ differed with the Swedish tribunal. Noting that the Directive does not define “transfer to a third country,” the court believed it was necessary in interpreting this term to consider both the technical nature of the operations and the purpose and structure of Chapter IV of the Directive (“Transfer of Personal Data to Third Countries”). Acknowledging the ubiquitous nature of data on the Internet, the court nevertheless focused on the fact that this website lacked the capacity to send information automatically to those who did not intentionally seek it out. Thus,
“personal data which appear on the computer of a person in a third country, coming from a person who has loaded them onto an internet website, were not directly transferred between those two people but through the computer infrastructure of the hosting provider where the page is stored.”
3Accordingly:
“there is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.”
The court emphasized that it considered here only the activities carried out by the defendant, and not those carried out by the hosts.
The court also dealt with an additional question posed by the referring court: was it permissible for a Member State to provide for greater protection for personal data or a wider scope than is required under Directive 95/46? In other words, as applied to this situation, even if the Directive did not prohibit this broadcast, consistent with the Directive could Swedish law prohibit it? The court held that, while nothing prevented a Member State from extending the scope of its implementing legislation “to areas not included within the scope [of the Directive], provided that no other provision of Community law precludes it,” Member State measures taken to ensure protection of personal data must be consistent with both the Directive’s provisions and objective (i.e., maintaining a balance between freedom of movement of personal data and protecting private life).
Thus, until EU law changes, it is not a violation of the Directive’s transfer restrictions to establish a generally available website and post personal information on it. However, the ECJ was opining solely about the Directive. The law of a Member State may go beyond the Directive and may, unless deemed incompatible with the Directive or some other law, define transfer so as to include such activity.
Footnotes — § 32.04:
2 Formally known as the Court of Justice of the European Communities.
3 The court reasoned:
“Given, first, the state of development of the internet at the time Directive 96/46 was drawn up and, second, the absence, in Chapter IV, of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression transfer [of data] to a third country to cover the loading, by an individual in [defendant’s] position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.”
“If Article 25 were interpreted to mean that there is a transfer [of data] to a third country every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are technical means needed to access the internet … . Thus, if the Commission found, pursuant to Article 25(4) of Directive 95/46, that even one third country did not ensure protection, the Member States would be obliged to prevent any personal data being placed on the internet.”