Ms Lindqvist, a voluntary worker in a parish of the Protestant Church in Sweden, had set up, on her personal computer, internet pages on which she published personal data relating to a number of people working with her on a voluntary basis in the parish. Ms Lindqvist was fined, on the ground that she had used the personal data by automatic means without giving prior written notice to the Swedish Datainspektion (supervisory authority for the protection of electronically transmitted data), that she had transferred the data to a third country without authorisation and that she had processed sensitive personal data.
In the appeal brought before the Göta hovrätt (Court of Appeal, Sweden) by Ms Lindqvist against that decision, the national court referred questions to the Court of Justice for a preliminary ruling in order, in particular, to ascertain whether Ms Lindqvist had carried out ‘the processing of personal data wholly or partly by automatic means’ within the meaning of Directive 95/46/EC.
The Court held that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by stating their telephone number or information regarding their working conditions and hobbies, constitutes ‘the processing of personal data wholly or partly by automatic means’ within the meaning of that directive (paragraph 27, operative part 1). Such processing of personal data in the course of charitable or religious activities is not covered by any of the exceptions to the scope of the directive, in so far as it does not fall within the category of activities concerning public security, or the category of a purely personal or household activity, which are outside the scope of the directive (paragraphs 38, 43-48, operative part 2).
Transfer of personal data to third countries
In this case (see also Section II.3. ‘Concept of “processing of personal data”’), the referring court sought, in particular, to establish whether Ms Lindqvist had carried out a transfer of data to a third country within the meaning of that directive.
The Court held that there is no ‘transfer [of data] to a third country’ within the meaning of Article 25 of Directive 95/46/EC where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country (paragraph 71, operative part 4).
Given, first, the state of development of the internet at the time Directive 95/46/EC was drawn up and, second, the absence of criteria applicable to use of the internet in Chapter IV in which Article 25 appears and which is intended to allow the Member States to monitor transfers of personal data to third countries and to prohibit such transfers where those countries do not offer an adequate level of protection, one cannot presume that the Community legislature intended the expression ‘transfer [of data] to a third country’ to cover such loading of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them (paragraphs 63, 64, 68).