Data Protection: Case law of European Court of Justice – Part I: definitions and applicability

The Data Protection Directive 1995/46/EC (full text available here, referred as Directive) (still) represents the most important EU legal regulation in the area of data protection. The European Court of Justice (the Court) had several opportunities to interpret the provisions of the Directive.

The mini series of articles gives an overview of the most important of these decisions. It has two parts. In this article, the focus is on decisions dealing with definitions of basic terms and on the applicability of the Directive. The purpose of an article is to introduce the main issues of the decision, not to give full summaries.

Case law about definitions

The first group of decisions is about definitions and interpretations of basic terms used in data protection. It includes terms like “personal data”, “processing of personal data” and “interference with personal life”.

In Case C-342/12, the Court dealt with the definition of personal data under Article 2(a) of the Directive. It held that a record of working time, containing the indication of the times when working hours begin and end, as well as the corresponding breaks and intervals, constitutes personal data.

In Case C-73/07, the Court had to interpret the term processing of data under Article 3(1) of the Directive. It held that the activity, in which data on the earned and unearned income and assets of a natural persons are collected, published, transferred and processed in a specific way, must be considered as the processing of personal data. However, if the sole object of those activities is the disclosure to the public, the processing is carried out ‘solely for journalistic purposes’. These activities are not limited to media undertakings and may be undertaken for profit-making purposes.

Another decision about the definition of the processing of data is the Case C-101/01. The Court held that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data. It had to deal with the issues whether processing for charitable or religious activities constitutes an exception under Article 3(2) of the Directive. Moreover, the Court analyzed the relationship between loading of personal data on the internet and “transfer [of data] to a third country” within the meaning of Article 25 of the Directive.

In Joined Cases C-468/10 and C-469/10, the Court interpreted Article 7(f) of the Directive, in which it set out two cumulative conditions that must be fulfilled, so that the processing of personal data is lawful, namely: first, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed and, secondly, such interests must not be overridden by the fundamental rights and freedoms of the data subject.

In Joined Cases C-465/00, C-138/00 and C-139/01, the Court analyzed the term “interference with private life”. It held that while the mere recording by an employer of data by name relating to the remuneration paid to his employees cannot as such constitute an interference with private life, the communication of that data to third parties, including a public authority, infringes the right of the persons concerned to respect for private life. To establish the existence of such an interference, it does not matter whether the information communicated is of a sensitive character or whether the persons concerned have been inconvenienced in any way. It suffices to find that data relating to the remuneration received by an employee or pensioner have been communicated by the employer to a third party.

Finally, in Joined Cases C-92/09 a C-93/09, the Court addressed the issue of the range of persons protected by data protection laws. The basic issue was about the protection of legal persons. The right to respect a private life of an individual covers any information relating to an identified or identifiable individual. Therefore, the Court held that legal persons can claim the protection only in so far as the official title of the legal person identifies one or more natural persons. That is the case where the official title of a partnership directly identifies natural persons who are its partners.

Case law on direct applicability of the Directive

In several cases, the Court dealt with the issue of the direct applicability of the provisions from the Directive.

In Joined Cases C-465/00, C-138/00 and C-139/01, the Court noted that Articles 6(1)(c) and 7(c) and (e) of the Directive are directly applicable, in that they may be relied on by an individual before the national courts to oust the application of rules of national law which are contrary to those provisions. Those provisions are sufficiently precise to be relied on by individuals.

Similarly, the Court held in Joined Cases C-468/10 and C-469/10, that Article 7(f) of the Directive appears, so far as their subject-matter is concerned, to be unconditional and sufficiently precise. That´s why, it may be relied on before the national courts by individuals against the State, where the latter has failed to implement the Directive in domestic law by the end of the period prescribed or where it has failed to implement that directive correctly.

In the Part II

The next part focuses on the case law about the exceptions from the prohibition of personal data processing, time period required for data storage, legality of data processing or a cross-border transfer of data.