Решение C-101/01 (относно въпроса дали достъпа до лични данни чрез Интернет страница представлява трансфер на данни към трети страни) [english]

Текстът на решението е взет от страницата на Европейския съд в Люксембург (European Court of Justice) от следния адрес: http://curia.eu.int/jurisp/cgi-bin/form.pl?lang=en&Submit=Submit&docj=docj&numaff=C-101%2F01&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100

------------------------------------------

JUDGMENT OF THE COURT

6 November 2003 (1)

(Directive 95/46/EC - Scope - Publication of personal data on the internet - Place of publication - Definition of transfer of personal data to third countries - Freedom of expression - Compatibility with Directive 95/46 of greater protection for personal data under the national legislation of a Member State)

In Case C-101/01,

REFERENCE to the Court under Article 234 EC by the Göta hovrätt (Sweden) for a preliminary ruling in the criminal proceedings before that court against

Bodil Lindqvist,

on, inter alia, the interpretation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31),

THE COURT,

composed of: P. Jann, President of the First Chamber, acting for the President, C.W.A. Timmermans, C. Gulmann, J.N. Cunha Rodrigues and A. Rosas (Presidents of Chambers), D.A.O. Edward (Rapporteur), J.-P. Puissochet, F. Macken and S. von Bahr, Judges,

Advocate General: A. Tizzano,


...

gives the following

Judgment

1.
By order of 23 February 2001, received at the Court on 1 March 2001, the Göta hovrätt (Göta Court of Appeal) referred to the Court for a preliminary ruling under Article 234 EC seven questions concerning inter alia the interpretation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

2.
Those questions were raised in criminal proceedings before that court against Mrs Lindqvist, who was charged with breach of the Swedish legislation on the protection of personal data for publishing on her internet site personal data on a number of people working with her on a voluntary basis in a parish of the Swedish Protestant Church.

Legal background

Community legislation

3.
Directive 95/46 is intended, according to the terms of Article 1(1), to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data.

4.
Article 3 of Directive 95/46 provides, regarding the scope of the directive:

1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Directive shall not apply to the processing of personal data:

- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

- by a natural person in the course of a purely personal or household activity.

5.
Article 8 of Directive 95/46, entitled The processing of special categories of data, provides:

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. Paragraph 1 shall not apply where:

(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or

(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorised by national law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.

5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.

6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.

7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.

6.
Article 9 of Directive 95/46, entitled Processing of personal data and freedom of expression, provides:

Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.

7.
Article 13 of Directive 95/46, entitled Exemptions and restrictions, provides that Member States may adopt measures restricting the scope of some of the obligations imposed by the directive on the controller of the data, inter alia as regards information given to the persons concerned, where such a restriction is necessary to safeguard, for example, national security, defence, public security, an important economic or financial interest of a Member State or of the European Union, or the investigation and prosecution of criminal offences or of breaches of ethics for regulated professions.

8.
Article 25 of Directive 95/46, which is part of Chapter IV entitled Transfer of personal data to third countries, reads as follows:

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

4. Where the Commission finds, under the procedure provided for in Article 31(2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

6. The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the Commission's decision.

9.
At the time of the adoption of Directive 95/46, the Kingdom of Sweden made the following statement on the subject of Article 9, which was entered in the Council minutes (document No 4649/95 of the Council, of 2 February 1995):

The Kingdom of Sweden considers that artistic and literary expression refers to the means of expression rather than to the contents of the communication or its quality.

10.
The European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950 (the ECHR), provides, in Article 8, for a right to respect for private and family life and, in Article 10, contains provisions concerning freedom of expression.

The national legislation

11.
Directive 95/46 was implemented in Swedish law by the Personuppgiftslag (SFS 1998:204) (Swedish law on personal data, the PUL).

The main proceedings and the questions referred

12.
In addition to her job as a maintenance worker, Mrs Lindqvist worked as a catechist in the parish of Alseda (Sweden). She followed a data processing course on which she had inter alia to set up a home page on the internet. At the end of 1998, Mrs Lindqvist set up internet pages at home on her personal computer in order to allow parishioners preparing for their confirmation to obtain information they might need. At her request, the administrator of the Swedish Church's website set up a link between those pages and that site.

13.
The pages in question contained information about Mrs Lindqvist and 18 colleagues in the parish, sometimes including their full names and in other cases only their first names. Mrs Lindqvist also described, in a mildly humorous manner, the jobs held by her colleagues and their hobbies. In many cases family circumstances and telephone numbers and other matters were mentioned. She also stated that one colleague had injured her foot and was on half-time on medical grounds.

14.
Mrs Lindqvist had not informed her colleagues of the existence of those pages or obtained their consent, nor did she notify the Datainspektionen (supervisory authority for the protection of electronically transmitted data) of her activity. She removed the pages in question as soon as she became aware that they were not appreciated by some of her colleagues.

15.
The public prosecutor brought a prosecution against Mrs Lindqvist charging her with breach of the PUL on the grounds that she had:

- processed personal data by automatic means without giving prior written notification to the Datainspektionen (Paragraph 36 of the PUL);

- processed sensitive personal data (injured foot and half-time on medical grounds) without authorisation (Paragraph 13 of the PUL);

- transferred processed personal data to a third country without authorisation (Paragraph 33 of the PUL).

16.
Mrs Lindqvist accepted the facts but disputed that she was guilty of an offence. Mrs Lindqvist was fined by the Eksjö tingsrätt (District Court) (Sweden) and appealed against that sentence to the referring court.

17.
The amount of the fine was SEK 4 000, which was arrived at by multiplying the sum of SEK 100, representing Mrs Lindqvist's financial position, by a factor of 40, reflecting the severity of the offence. Mrs Lindqvist was also sentenced to pay SEK 300 to a Swedish fund to assist victims of crimes.

18.
As it had doubts as to the interpretation of the Community law applicable in this area, inter alia Directive 95/46, the Göta hovrätt decided to stay proceedings and refer the following questions to the Court for a preliminary ruling:

(1) Is the mention of a person - by name or with name and telephone number - on an internet home page an action which falls within the scope of [Directive 95/46]? Does it constitute the processing of personal data wholly or partly by automatic means to list on a self-made internet home page a number of persons with comments and statements about their jobs and hobbies etc.?

(2) If the answer to the first question is no, can the act of setting up on an internet home page separate pages for about 15 people with links between the pages which make it possible to search by first name be considered to constitute the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system within the meaning of Article 3(1)?

If the answer to either of those questions is yes, the hovrätt also asks the following questions:

(3) Can the act of loading information of the type described about work colleagues onto a private home page which is none the less accessible to anyone who knows its address be regarded as outside the scope of [Directive 95/46] on the ground that it is covered by one of the exceptions in Article 3(2)?

(4) Is information on a home page stating that a named colleague has injured her foot and is on half-time on medical grounds personal data concerning health which, according to Article 8(1), may not be processed?

(5) [Directive 95/46] prohibits the transfer of personal data to third countries in certain cases. If a person in Sweden uses a computer to load personal data onto a home page stored on a server in Sweden - with the result that personal data become accessible to people in third countries - does that constitute a transfer of data to a third country within the meaning of the directive? Would the answer be the same even if, as far as known, no one from the third country had in fact accessed the data or if the server in question was actually physically in a third country?

(6) Can the provisions of [Directive 95/46], in a case such as the above, be regarded as bringing about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the EU and are enshrined in inter alia Article 10 of the European Convention on the Protection of Human Rights and Fundamental Freedoms?

Finally, the hovrätt asks the following question:

(7) Can a Member State, as regards the issues raised in the above questions, provide more extensive protection for personal data or give it a wider scope than the directive, even if none of the circumstances described in Article 13 exists?

The first question

19.
By its first question, the referring court asks whether the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46.

Observations submitted to the Court

20.
Mrs Lindqvist submits that it is unreasonable to take the view that the mere mention by name of a person or of personal data in a document contained on an internet page constitutes automatic processing of data. On the other hand, reference to such data in a keyword in the meta tags of an internet page, which makes it possible to create an index and find that page using a search engine, might constitute such processing.

21.
The Swedish Government submits that the term the processing of personal data wholly or partly by automatic means in Article 3(1) of Directive 95/46, covers all processing in computer format, in other words, in binary format. Consequently, as soon as personal data are processed by computer, whether using a word processing programme or in order to put them on an internet page, they have been the subject of processing within the meaning of Directive 95/46.

22.
The Netherlands Government submits that personal data are loaded onto an internet page using a computer and a server, which are essential elements of automation, so that it must be considered that such data are subject to automatic processing.

23.
The Commission submits that Directive 95/46 applies to all processing of personal data referred to in Article 3 thereof, regardless of the technical means used. Accordingly, making personal data available on the internet constitutes processing wholly or partly by automatic means, provided that there are no technical limitations which restrict the processing to a purely manual operation. Thus, by its very nature, an internet page falls within the scope of Directive 95/46.

Reply of the Court

24.
The term personal data used in Article 3(1) of Directive 95/46 covers, according to the definition in Article 2(a) thereof, any information relating to an identified or identifiable natural person. The term undoubtedly covers the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies.

25.
According to the definition in Article 2(b) of Directive 95/46, the term processing of such data used in Article 3(1) covers any operation or set of operations which is performed upon personal data, whether or not by automatic means. That provision gives several examples of such operations, including disclosure by transmission, dissemination or otherwise making data available. It follows that the operation of loading personal data on an internet page must be considered to be such processing.

26.
It remains to be determined whether such processing is wholly or partly by automatic means. In that connection, placing information on an internet page entails, under current technical and computer procedures, the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet. Such operations are performed, at least in part, automatically.

27.
The answer to the first question must therefore be that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46.

The second question

28.
As the first question has been answered in the affirmative, there is no need to reply to the second question, which arises only in the event that the first question is answered in the negative.

The third question

29.
By its third question, the national court essentially seeks to know whether processing of personal data such as that described in the first question is covered by one of the exceptions in Article 3(2) of Directive 95/46.

Observations submitted to the Court

30.
Mrs Lindqvist submits that private individuals who make use of their freedom of expression to create internet pages in the course of a non-profit-making or leisure activity are not carrying out an economic activity and are thus not subject to Community law. If the Court were to hold otherwise, the question of the validity of Directive 95/46 would arise, as, in adopting it, the Community legislature would have exceeded the powers conferred on it by Article 100a of the EC Treaty (now, after amendment, Article 95 EC). The approximation of laws, which concerns the establishment and functioning of the common market, cannot serve as a legal basis for Community measures regulating the right of private individuals to freedom of expression on the internet.

31.
The Swedish Government submits that, when Directive 95/46 was implemented in national law, the Swedish legislature took the view that processing of personal data by a natural person which consisted in publishing those data to an indeterminate number of people, for example through the internet, could not be described as a purely personal or household activity within the meaning of the second indent of Article 3(2) of Directive 95/46. However, that Government does not rule out that the exception provided for in the first indent of that paragraph might cover cases in which a natural person publishes personal data on an internet page solely in the exercise of his freedom of expression and without any connection with a professional or commercial activity.

32.
According to the Netherlands Government, automatic processing of data such as that at issue in the main proceedings does not fall within any of the exceptions in Article 3(2) of Directive 95/46. As regards the exception in the second indent of that paragraph in particular, it observes that the creator of an internet page brings the data placed on it to the knowledge of a generally indeterminate group of people.

33.
The Commission submits that an internet page such as that at issue in the main proceedings cannot be considered to fall outside the scope of Directive 95/46 by virtue of Article 3(2) thereof, but constitutes, given the purpose of the internet page at issue in the main proceedings, an artistic and literary creation within the meaning of Article 9 of that Directive.

34.
It takes the view that the first indent of Article 3(2) of Directive 95/46 lends itself to two different interpretations. The first consists in limiting the scope of that provision to the areas cited as examples, in other words, to activities which essentially fall within what are generally called the second and third pillars. The other interpretation consists in excluding from the scope of Directive 95/46 the exercise of any activity which is not covered by Community law.

35.
The Commission argues that Community law is not limited to economic activities connected with the four fundamental freedoms. Referring to the legal basis of Directive 95/46, to its objective, to Article 6 EU, to the Charter of fundamental rights of the European Union proclaimed in Nice on 18 December 2000 (OJ 2000 C 364, p. 1), and to the Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data, it concludes that that directive is intended to regulate the free movement of personal data in the exercise not only of an economic activity, but also of social activity in the course of the integration and functioning of the common market.

36.
It adds that to exclude generally from the scope of Directive 95/46 internet pages which contain no element of commerce or of provision of services might entail serious problems of demarcation. A large number of internet pages containing personal data intended to disparage certain persons with a particular end in view might then be excluded from the scope of that directive.

Reply of the Court

37.
Article 3(2) of Directive 95/46 provides for two exceptions to its scope.

38.
The first exception concerns the processing of personal data in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union, and in any case processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.

39.
As the activities of Mrs Lindqvist which are at issue in the main proceedings are essentially not economic but charitable and religious, it is necessary to consider whether they constitute the processing of personal data in the course of an activity which falls outside the scope of Community law within the meaning of the first indent of Article 3(2) of Directive 95/46.

40.
The Court has held, on the subject of Directive 95/46, which is based on Article 100a of the Treaty, that recourse to that legal basis does not presuppose the existence of an actual link with free movement between Member States in every situation referred to by the measure founded on that basis (see Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-0000, paragraph 41, and the case-law cited therein).

41.
A contrary interpretation could make the limits of the field of application of the directive particularly unsure and uncertain, which would be contrary to its essential objective of approximating the laws, regulations and administrative provisions of the Member States in order to eliminate obstacles to the functioning of the internal market deriving precisely from disparities between national legislations (Österreichischer Rundfunk and Others, cited above, paragraph 42).

42.
Against that background, it would not be appropriate to interpret the expression activity which falls outside the scope of Community law as having a scope which would require it to be determined in each individual case whether the specific activity at issue directly affected freedom of movement between Member States.

43.
The activities mentioned by way of example in the first indent of Article 3(2) of Directive 95/46 (in other words, the activities provided for by Titles V and VI of the Treaty on European Union and processing operations concerning public security, defence, State security and activities in areas of criminal law) are, in any event, activities of the State or of State authorities and unrelated to the fields of activity of individuals.

44.
It must therefore be considered that the activities mentioned by way of example in the first indent of Article 3(2) of Directive 95/46 are intended to define the scope of the exception provided for there, with the result that that exception applies only to the activities which are expressly listed there or which can be classified in the same category (ejusdem generis).

45.
Charitable or religious activities such as those carried out by Mrs Lindqvist cannot be considered equivalent to the activities listed in the first indent of Article 3(2) of Directive 95/46 and are thus not covered by that exception.

46.
As regards the exception provided for in the second indent of Article 3(2) of Directive 95/46, the 12th recital in the preamble to that directive, which concerns that exception, cites, as examples of the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.

47.
That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.

48.
The answer to the third question must therefore be that processing of personal data such as that described in the reply to the first question is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

The fourth question

49.
By its fourth question, the referring court seeks to know whether reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

50.
In the light of the purpose of the directive, the expression data concerning health used in Article 8(1) thereof must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual.

51.
The answer to the fourth question must therefore be that reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

The fifth question

52.
By its fifth question the referring court seeks essentially to know whether there is any transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person (the hosting provider) who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country. The referring court also asks whether the reply to that question would be the same if no one from the third country had in fact accessed the data or if the server where the page was stored was physically in a third country.

Observations submitted to the Court

53.
The Commission and the Swedish Government consider that the loading, using a computer, of personal data onto an internet page, so that they become accessible to nationals of third countries, constitutes a transfer of data to third countries within the meaning of Directive 95/46. The answer would be the same if no one from the third country had in fact accessed the data or if the server where it was stored was physically in a third country.

54.
The Netherlands Government points out that the term transfer is not defined by Directive 95/46. It takes the view, first, that that term must be understood to refer to the act of intentionally transferring personal data from the territory of a Member State to a third country and, second, that no distinction can be made between the different ways in which data are made accessible to third parties. It concludes that loading personal data onto an internet page using a computer cannot be considered to be a transfer of personal data to a third country within the meaning of Article 25 of Directive 95/46.

55.
The United Kingdom Government submits that Article 25 of Directive 95/46 concerns the transfer of data to third countries and not their accessibility from third countries. The term transfer connotes the transmission of personal data from one place and person to another place and person. It is only in the event of such a transfer that Article 25 of Directive 95/46 requires Member States to ensure an adequate level of protection of personal data in a third country.

Reply of the Court

56.
Directive 95/46 does not define the expression transfer to a third country in Article 25 or any other provision, including Article 2.

57.
In order to determine whether loading personal data onto an internet page constitutes a transfer of those data to a third country within the meaning of Article 25 of Directive 95/46 merely because it makes them accessible to people in a third country, it is necessary to take account both of the technical nature of the operations thus carried out and of the purpose and structure of Chapter IV of that directive where Article 25 appears.

58.
Information on the internet can be consulted by an indefinite number of people living in many places at almost any time. The ubiquitous nature of that information is a result inter alia of the fact that the technical means used in connection with the internet are relatively simple and becoming less and less expensive.

59.
Under the procedures for use of the internet available to individuals like Mrs Lindqvist during the 1990s, the author of a page intended for publication on the internet transmits the data making up that page to his hosting provider. That provider manages the computer infrastructure needed to store those data and connect the server hosting the site to the internet. That allows the subsequent transmission of those data to anyone who connects to the internet and seeks access to it. The computers which constitute that infrastructure may be located, and indeed often are located, in one or more countries other than that where the hosting provider is established, without its clients being aware or being in a position to be aware of it.

60.
It appears from the court file that, in order to obtain the information appearing on the internet pages on which Mrs Lindqvist had included information about her colleagues, an internet user would not only have to connect to the internet but also personally carry out the necessary actions to consult those pages. In other words, Mrs Lindqvist's internet pages did not contain the technical means to send that information automatically to people who did not intentionally seek access to those pages.

61.
It follows that, in circumstances such as those in the case in the main proceedings, personal data which appear on the computer of a person in a third country, coming from a person who has loaded them onto an internet site, were not directly transferred between those two people but through the computer infrastructure of the hosting provider where the page is stored.

62.
It is in that light that it must be examined whether the Community legislature intended, for the purposes of the application of Chapter IV of Directive 95/46, to include within the expression transfer [of data] to a third country within the meaning of Article 25 of that directive activities such as those carried out by Mrs Lindqvist. It must be stressed that the fifth question asked by the referring court concerns only those activities and not those carried out by the hosting providers.

63.
Chapter IV of Directive 95/46, in which Article 25 appears, sets up a special regime, with specific rules, intended to allow the Member States to monitor transfers of personal data to third countries. That Chapter sets up a complementary regime to the general regime set up by Chapter II of that directive concerning the lawfulness of processing of personal data.

64.
The objective of Chapter IV is defined in the 56th to 60th recitals in the preamble to Directive 95/46, which state inter alia that, although the protection of individuals guaranteed in the Community by that Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection, the adequacy of such protection must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations. Where a third country does not ensure an adequate level of protection the transfer of personal data to that country must be prohibited.

65.
For its part, Article 25 of Directive 95/46 imposes a series of obligations on Member States and on the Commission for the purposes of monitoring transfers of personal data to third countries in the light of the level of protection afforded to such data in each of those countries.

66.
In particular, Article 25(4) of Directive 95/46 provides that, where the Commission finds that a third country does not ensure an adequate level of protection, Member States are to take the measures necessary to prevent any transfer of personal data to the third country in question.

67.
Chapter IV of Directive 95/46 contains no provision concerning use of the internet. In particular, it does not lay down criteria for deciding whether operations carried out by hosting providers should be deemed to occur in the place of establishment of the service or at its business address or in the place where the computer or computers constituting the service's infrastructure are located.

68.
Given, first, the state of development of the internet at the time Directive 95/46 was drawn up and, second, the absence, in Chapter IV, of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression transfer [of data] to a third country to cover the loading, by an individual in Mrs Lindqvist's position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.

69.
If Article 25 of Directive 95/46 were interpreted to mean that there is transfer [of data] to a third country every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet. The special regime provided for by Chapter IV of the directive would thus necessarily become a regime of general application, as regards operations on the internet. Thus, if the Commission found, pursuant to Article 25(4) of Directive 95/46, that even one third country did not ensure adequate protection, the Member States would be obliged to prevent any personal data being placed on the internet.

70.
Accordingly, it must be concluded that Article 25 of Directive 95/46 is to be interpreted as meaning that operations such as those carried out by Mrs Lindqvist do not as such constitute a transfer [of data] to a third country. It is thus unnecessary to investigate whether an individual from a third country has accessed the internet page concerned or whether the server of that hosting service is physically in a third country.

71.
The reply to the fifth question must therefore be that there is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

The sixth question

72.
By its sixth question the referring court seeks to know whether the provisions of Directive 95/46, in a case such as that in the main proceedings, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined in inter alia Article 10 of the ECHR.

Observations submitted to the Court

73.
Citing inter alia Case C-274/99 P Connolly v Commission [2001] ECR I-1611, Mrs Lindqvist submits that Directive 95/46 and the PUL, in so far as they lay down requirements of prior consent and prior notification of a supervisory authority and a principle of prohibiting processing of personal data of a sensitive nature, are contrary to the general principle of freedom of expression enshrined in Community law. More particularly, she argues that the definition of processing of personal data wholly or partly by automatic means does not fulfil the criteria of predictability and accuracy.

74.
She argues further that merely mentioning a natural person by name, revealing their telephone details and working conditions and giving information about their state of health and hobbies, information which is in the public domain, well-known or trivial, does not constitute a significant breach of the right to respect for private life. Mrs Lindqvist considers that, in any event, the constraints imposed by Directive 95/46 are disproportionate to the objective of protecting the reputation and private life of others.

75.
The Swedish Government considers that Directive 95/46 allows the interests at stake to be weighed against each other and freedom of expression and protection of private life to be thereby safeguarded. It adds that only the national court can assess, in the light of the facts of each individual case, whether the restriction on the exercise of the right to freedom of expression entailed by the application of the rules on the protection of the rights of others is proportionate.

76.
The Netherlands Government points out that both freedom of expression and the right to respect for private life are among the general principles of law for which the Court ensures respect and that the ECHR does not establish any hierarchy between the various fundamental rights. It therefore considers that the national court must endeavour to balance the various fundamental rights at issue by taking account of the circumstances of the individual case.

77.
The United Kingdom Government points out that its proposed reply to the fifth question, set out in paragraph 55 of this judgment, is wholly in accordance with fundamental rights and avoids any disproportionate restriction on freedom of expression. It adds that it is difficult to justify an interpretation which would mean that the publication of personal data in a particular form, that is to say, on an internet page, is subject to far greater restrictions than those applicable to publication in other forms, such as on paper.

78.
The Commission also submits that Directive 95/46 does not entail any restriction contrary to the general principle of freedom of expression or other rights and freedoms applicable in the European Union corresponding inter alia to the right provided for in Article 10 of the ECHR.

Reply of the Court

79.
According to the seventh recital in the preamble to Directive 95/46, the establishment and functioning of the common market are liable to be seriously affected by differences in national rules applicable to the processing of personal data. According to the third recital of that directive the harmonisation of those national rules must seek to ensure not only the free flow of such data between Member States but also the safeguarding of the fundamental rights of individuals. Those objectives may of course be inconsistent with one another.

80.
On the one hand, the economic and social integration resulting from the establishment and functioning of the internal market will necessarily lead to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the Member States, whether businesses or public authorities of the Member States. Those so involved will, to a certain extent, need to have access to personal data to perform their transactions or carry out their tasks within the area without internal frontiers which the internal market constitutes.

81.
On the other hand, those affected by the processing of personal data understandably require those data to be effectively protected.

82.
The mechanisms allowing those different rights and interests to be balanced are contained, first, in Directive 95/46 itself, in that it provides for rules which determine in what circumstances and to what extent the processing of personal data is lawful and what safeguards must be provided for. Second, they result from the adoption, by the Member States, of national provisions implementing that directive and their application by the national authorities.

83.
As regards Directive 95/46 itself, its provisions are necessarily relatively general since it has to be applied to a large number of very different situations. Contrary to Mrs Lindqvist's contentions, the directive quite properly includes rules with a degree of flexibility and, in many instances, leaves to the Member States the task of deciding the details or choosing between options.

84.
It is true that, in many respects, the Member States have a margin for manoeuvre in implementing Directive 95/46. However, there is nothing to suggest that the regime it provides for lacks predictability or that its provisions are, as such, contrary to the general principles of Community law and, in particular, to the fundamental rights protected by the Community legal order.

85.
Thus, it is, rather, at the stage of the application at national level of the legislation implementing Directive 95/46 in individual cases that a balance must be found between the rights and interests involved.

86.
In that context, fundamental rights have a particular importance, as demonstrated by the case in the main proceedings, in which, in essence, Mrs Lindqvist's freedom of expression in her work preparing people for Communion and her freedom to carry out activities contributing to religious life have to be weighed against the protection of the private life of the individuals about whom Mrs Lindqvist has placed data on her internet site.

87.
Consequently, it is for the authorities and courts of the Member States not only to interpret their national law in a manner consistent with Directive 95/46 but also to make sure they do not rely on an interpretation of it which would be in conflict with the fundamental rights protected by the Community legal order or with the other general principles of Community law, such as inter alia the principle of proportionality.

88.
Whilst it is true that the protection of private life requires the application of effective sanctions against people processing personal data in ways inconsistent with Directive 95/46, such sanctions must always respect the principle of proportionality. That is so a fortiori since the scope of Directive 95/46 is very wide and the obligations of those who process personal data are many and significant.

89.
It is for the referring court to take account, in accordance with the principle of proportionality, of all the circumstances of the case before it, in particular the duration of the breach of the rules implementing Directive 95/46 and the importance, for the persons concerned, of the protection of the data disclosed.

90.
The answer to the sixth question must therefore be that the provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the ECHR. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

The seventh question

91.
By its seventh question, the referring court essentially seeks to know whether it is permissible for the Member States to provide for greater protection for personal data or a wider scope than are required under Directive 95/46.

Observations submitted to the Court

92.
The Swedish Government states that Directive 95/46 is not confined to fixing minimum conditions for the protection of personal data. Member States are obliged, in the course of implementing that directive, to attain the level of protection dictated by it and are not empowered to provide for greater or less protection. However, account must be taken of the discretion which the Member States have in implementing the directive to lay down in their domestic law the general conditions for the lawfulness of the processing of personal data.

93.
The Netherlands Government submits that Directive 95/46 does not preclude Member States from providing for greater protection in certain areas. It is clear, for example, from Article 10, Article 11(1), subparagraph (a) of the first paragraph of Article 14, Article 17(3), Article 18(5) and Article 19(1) of that directive that the Member States may make provision for wider protection. Moreover, the Member States are free to apply the principles of Directive 95/46 also to activities which do not fall within its scope.

94.
The Commission submits that Directive 95/46 is based on Article 100a of the Treaty and that, if a Member State wishes to maintain or introduce legislation which derogates from such a harmonising directive, it is obliged to notify the Commission pursuant to Article 95(4) or 95(5) EC. The Commission therefore submits that a Member State cannot make provision for more extensive protection for personal data or a wider scope than are required under the directive.

Reply of the Court

95.
Directive 95/46 is intended, as appears from the eighth recital in the preamble thereto, to ensure that the level of protection of the rights and freedoms of individuals with regard to the processing of personal data is equivalent in all Member States. The tenth recital adds that the approximation of the national laws applicable in this area must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community.

96.
The harmonisation of those national laws is therefore not limited to minimal harmonisation but amounts to harmonisation which is generally complete. It is upon that view that Directive 95/46 is intended to ensure free movement of personal data while guaranteeing a high level of protection for the rights and interests of the individuals to whom such data relate.

97.
It is true that Directive 95/46 allows the Member States a margin for manoeuvre in certain areas and authorises them to maintain or introduce particular rules for specific situations as a large number of its provisions demonstrate. However, such possibilities must be made use of in the manner provided for by Directive 95/46 and in accordance with its objective of maintaining a balance between the free movement of personal data and the protection of private life.

98.
On the other hand, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included within the scope thereof, provided that no other provision of Community law precludes it.

99.
In the light of those considerations, the answer to the seventh question must be that measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.

Costs

100.
The costs incurred by the Swedish, Netherlands and United Kingdom Governments and by the Commission and the EFTA Surveillance Authority, which have submitted observations to the Court, are not recoverable. Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court.

On those grounds,

THE COURT,

in answer to the questions referred to it by the Göta hovrätt by order of 23 February 2001, hereby rules:

1. The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2. Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

3. Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

4. There is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

5. The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

6. Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.