The Article is a second part of an overview of the case-law of European Court of Justice in the area of data protection. These cases interpret the provisions of the Directive 1995/46/EC (full text available here, referred as Directive). In the first part, the article introduced the decisions about definitions and applicability. In this part, the focus is on the exceptions from the prohibition of personal data processing, the time period required for data storage, legality of data processing or a cross-border transfer of data.
Case law about exceptions
A group of decisions deals with the exceptions in the protection of personal data.
In Joined Cases C-468/10 and C-469/10, the Court dealt with the situation, when the Spanish Act enabled a processing of personal data without subject´s consent pursuant to an additional reason, not included in the Article 7 of the Directive. It related to data public accessibility.
The Court held that Article 7 of the Directive sets out an exhaustive, restrictive list of cases in which the processing of personal data may be regarded as being lawful. This must be distinguished from the power of Member states to specify conditions under which the processing of personal data is lawful. However, Member States cannot add new principles relating to the lawfulness of the processing of personal data to Article 7 of that Directive or impose additional requirements that have the effect of altering the scope of one of the principles provided for in Article 7.
In Case C-524/06, the Court had to analyze a processing of personal data by a central register of foreign nationals. The decision addresses an important concept of necessity as a principle of data protection law. The concept should have its own independent meaning in Community law. The Court held that the use of a central register of foreign nationals does not satisfy the requirement of necessity, unless it meets certain characteristics, described in the decision.
The concept of necessity is also analyzed in Joined Cases C-465/00, C-138/00 and C-139/01. The Court held that wide disclosure, not merely of the amounts of the annual income above a certain threshold of persons employed by the bodies subject to control by public authority, but also of the names of the recipients of that income, must satisfy the criteria of the necessity and it must be appropriate. Otherwise, it represents an interference with personal life.
In Joined Cases C-92/09 and C-93/09, the Court dealt with the legal clash between data protection law and common agricultural policy. EU regulation of agricultural policy required certain personal data about beneficiaries to be published. However, it represented an interference with their private life. In answering this problem, the Court held that there is no definite answer. In analyses of the possible violation of data protection, the national authorities should draw a distinction based on relevant criteria such as the periods during which those persons have received such aid, the frequency of such aid or the nature and amount thereof.
Case law on time period required for data storage
In Case C-553/07, the Court dealt with the time period required for the storage of information, including personal data. The goal is to find a fair balance between the interest of the data subject in protecting his privacy, in particular his rights to object and to bring legal proceedings and the burden which the obligation to store that information represents for the controller. The Court held that Member States have a right to specify a time-limit for storage of information and to provide for access to the information to satisfy the requirement of a fair balance. However, the period of one year did not constitute a fair balance, unless it can be shown that longer storage would constitute an excessive burden on the controller.
Case law on the obligations to collect data
In Case C-342/12, the Court analyzed the legality of a national legislation, which required an employer to give the national authority responsible for monitoring working conditions an access to records of working time. It held that this activity does not violate Articles 6 and 7 of the Directive, provided that this obligation is necessary for the purposes of the performance of the authority.
Case law on the cross-border transfer of data
In Case C-101/01, the Court addressed the nature of the publication of personal data on the internet. It held that it is not possible to presume that the Community legislature intended the expression “transfer [of data] to a third country” to cover the loading of data by an individual onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them. Therefore, the publication of personal data does not represent a cross-border transfer of data.
These two articles represent an overview of the case law of the European Court of Justice related to the Directive. They should introduce anyone interested in this topic into the relevant case law. We would also try to focus on the national legislation, interpreting the data protection principles and procedures. That’s why, feel free to suggest such national decisions or comment on the cited decisions.
Note: This article is intended as a summary of issues. Its purpose is not a to provide legal advice or create an attorney-client relationship between you and the author of this article.