ECJ rules that discrimination between public and private personal data contrary to balanced rights.

November 30, 2011 |

In Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) (C?468/10) & Federación de Comercio Electrónico y Marketing Directo (FECEMD) (C?469/10) v Administración del Estado the ECJ ruled that EU member states cannot generally prohibit organisations’ legitimate and necessary but unauthorised processing of personal data where the information is not stored in specified public sources.  National rules that broadly exclude data processing in non-specified public sources in those circumstances are precluded under EU data protection laws.

The Court was ruling in a case involving a dispute about Spanish data protection laws and their compatibility with EU law and  assessing whether Spain could give extra protection to personal data stored in non-public sources. Spanish law classes personal data found in public sources as information stored on the electoral roll, in telephone directories and media publications as well as some details about professional association membership, according to the ruling.

Under the Data Protection Directive personal data can only be processed under strict conditions. Personal data must be “processed fairly and lawfully” and be collected for “specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes”. Organisations must then either obtain “unambiguous consent” from individuals before processing is lawful or satisfy one of a number of other conditions instead. If consent is not given personal data processing can still be lawful providing it is “necessary for the purposes of the legitimate interests” it, or third-parties to whom the information is disclosed, is pursuing, provided those interests are not “overridden by the interests for fundamental rights and freedoms of the data subject”.

Under the EU Charter of Fundamental Rights individuals generally have a right to privacy and protection of personal data.

Whilst Article 5 of the Directive allows EU member states to “determine more precisely the conditions under which the processing of personal data is lawful” that does not give member states the right to “impose additional requirements that have the effect of amending the scope” of lawful processing of personal data under the Directive, the ECJ said. There are separate rules around the processing of sensitive data, such as medical records, racial origin and religious beliefs.

“The margin of discretion which Member States have pursuant to Article 5 can therefore be used only in accordance with … maintaining a balance between the free movement of personal data and the protection of private life,” the ECJ said.

Leave a Reply