Processing is given a wide definition by the Directive and this is again, followed by other EU Member States. Perhaps, a belated response on one's part, but given the UK's implementation of the Data Protection Directive 95/46/EC, the discussion by the Courts to the Lindqvist decision was not helpful. The Lindqvist judgment provides that:
25. According to the definition in Article 2(b) of Directive 95/46, the term processing of such data used in Article 3(1) covers any operation or set of operations which is performed upon personal data, whether or not by automatic means. That provision gives several examples of such operations, including disclosure by transmission, dissemination or otherwise making data available. It follows that the operation of loading personal data on an internet page must be considered to be such processing.
26. It remains to be determined whether such processing is wholly or partly by automatic means. In that connection, placing information on an internet page entails, under current technical and computer procedures, the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet. Such operations are performed, at least in part, automatically.
27. The answer to the first question must therefore be that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly orpartly by automatic means within the meaning of Article 3(1) of Directive 95/46.
The UK Court of Appeal in MDU v Johnson at paras. 33-34 stated that:
I should also note that reference was made to the decision of the European Court of Justice [ECJ] in Case C-101/01 [2004] QB 1014 (Lindqvist). A web page containing personal information about L and some of her fellow parishioners was composed by L on her home computer and placed on the internet. She was prosecuted for processing personal data by automatic means. The national court referred to the ECJ the question:
Does it constitute 'the processing of personal data wholly or partly by automatic means' to list on a self-made internet home page a number of persons with comments and statements about their jobs and hobbies etc?
The ECJ held that the listing of the parishioners was the processing of their personal data, and that the process had been "performed, at least in part, automatically" because of the loading of the page on to the server. The selection of the data had been purely manual, yet there was no suggestion that the processing taken as a whole was not automatic. It is, however, important to remind ourselves of the terms of the question that was asked in Lindqvist, which was limited to whether using the computer to place the list on the net was processing. Plainly it was, for the reason given by the ECJ. By the same token, when Dr Roberts caused the computer to transmit her conclusions to the RAG data was being processed. But it does not help [J] to establish the latter point, because what he complains of is unfair conduct in the reaching of those conclusions, before that processing of the conclusions took place. I think that in the end it was agreed by the appellant that Lindqvist does not assist in our present concerns. But [Counsel] has more formidable support from authority nearer home, the decision of this court in Campbell v MGN Ltd [2003] QB 633.
That case was regarded by the Judge as conclusive in [J's] favour on the processing issue, and it must therefore be analysed in some detail.
The judgment is slightly lengthy and warrants another article to be written. At this stage, however, much work is still needed (whether by academics, policy makers, lawyers etc) to inform not only the public about the European Data Protection Directive 95/46/EC and what it is intended (see also the UK Information Commissioner's Website), but that if the UK Data Protection Act 1998 continues to be narrowly construed (in the light of cases such as Durant and Johnson), data protection laws in the UK may, in all but name, be considered weak!
No comments:
Post a Comment