法律翻译|Bodil Lindqvist案件:何为《95指令》的适用范围?
译者|巩海璐 华东政法大学 硕士
一审|曾梓栩 外交学院 法本
二审|何兰子夜 宾夕法尼亚大学 ML
编辑|杨玟萱 中南财经政法大学本科
李建云 湖南师范大学本科
责编|戚琳颖 大连海事大学本科
Bodil Lindqvist案件:
何为《95指令》的适用范围?
目录
1.案件事实
2.争议焦点
3.法院判决及主要法律依据
4.案件评析
1
案件事实
●
This case was referred by the Court of Appeal Gota (Sweden) to the ECJ for a preliminary ruling on questions concerning the interpretation of the Data Protection Directive. The questions arose from criminal proceedings against Mrs. Lindqvist who was charged with the breach of Swedish legislation on Protection of Personal Data (Personuppgiftslagen, PUL).
本案由瑞典国家上诉法院(Göta hovrätt)提交至欧洲法院(the European Court of Justice, ECJ),请求该院就欧盟《数据保护指令》[1](the Data Protection Directive,以下简称为《95指令》)的解释问题作出先行裁决。该等问题源自针对林德奎斯特女士(Lindqvist)的刑事诉讼。她被指控违反了瑞典《个人数据保护法案》(Personuppgiftslagen, PUL)。
Mrs. Lindqvist was a maintenance worker and a catechist in the parish of Alseda (Sweden). In 1998, she had set up internet pages on her personal computer with personal data of number of people working for her on a voluntary basis in the parish so that parishioners preparing for their confirmation could obtain the information that they required. At her request, the administrator of the Swedish Church's website set up a link between the pages containing the information and the website.
林德奎斯特女士是瑞典新教教区(Alseda)的一名维修工和传教士。1998年,她用个人电脑建立了涵盖教区中众多同事个人数据的互联网网页,以便教友可以获得其需要的信息。应林德奎斯特女士的请求,瑞典教堂网站的管理员将该等网页添加至教堂官网的链接。
The pages contained information about eighteen people, apart from Mrs. Lidqvist, including their telephone numbers, job description, hobbies, family circumstances, and on one instance-description of medical conditions. The pages in question were made without the knowledge or consent of her colleagues and without informing the supervisory authority for the protection of electronically transmitted data. Mrs. Lidqvist removed the pages in question as soon as she became aware that they were not appreciated by some of her colleagues.
这些网页所显示的个人信息包括林德奎斯特女士自己及教区内18名同事的电话号码、岗位职责、爱好、家庭情况以及其中一名同事的健康状况。但林德奎斯特女士在发布这些网页信息时并未征求其同事的意见,也未通知负责电子数据传输保护的瑞典监管机构。林德奎斯特女士了解到同事因这些网页信息而表示不满时,立即删除了这些页面。
(图片来源于网络)
Subsequently, the public prosecutor charged Mrs. Lindqvist with breach of the PUL for processing personal data by automatic means, without giving prior written notification to the Datainspektionen (“Supervisory Authority”), for processing sensitive personal data and for transferring processed personal data to a third country without authorization. While Mrs. Lindqvst agreed to the facts, she disputed the offense. She was found guilty by the Eksjö tingsrätt (District Court) and fined. The case was then appealed to the Court of Appeal of Gota (Sweden). As the Court of Appeal had doubts as to the interpretation of the applicable Community law, including scope and interpretation of the Data Protection Directive, it decided to stay the proceedings and refer 7 questions to the ECJ for a preliminary ruling.
随后,瑞典公诉检察机关指控林德奎斯特女士违反了《个人数据保护法案》,因其在未事先书面通知瑞典数据监管机构(Datainspektionen)的情况下,采用自动方式处理了个人数据(包括个人敏感数据在内),以及未经授权将处理后的个人数据传输给第三国。林德奎斯特女士同意(指控的)事实部分,但她对该指控本身提出了异议。地区法院(Eksjö tingsrätt)判其有罪并处以罚款。该案随后上诉至瑞典国家上诉法院。该上诉法院对适用的欧盟法律的解释问题(包括《95指令》的适用范围和解释问题在内)存在疑问,因此决定中止诉讼程序,并将7个问题提交至欧洲法院予以初步裁决。
2
争议焦点
●
A. Whether mentioning a name and telephone number on an internet homepage constituted an action within the scope of the Data Protection Directive and more specifically if it was the “processing of personal data wholly or partly by automatic means”.
在互联网主页上公开姓名和电话号码是否属于《95指令》中所规范的行为,更为具体地说,该行为是否构成“全部或部分采用自动化方式处理个人数据”。
B. Whether the act of setting up on an internet homepage, separate pages for about 15 people with links between them to enable search by first name be considered “processing otherwise than by automatic means of personal data which form part of a filing system [2] or are intended to form part of a filing system” within the meaning of Article 3(1) [3] of the Data Protection Directive.
在互联网主页上为大约15个人设置单独的网页,并在这些网页之间建立链接,使得能够按照名字进行搜索。该行为是否符合《95指令》第3(1)条所规定的数据处理行为的定义:“以非自动方式处理构成或有意构成归档系统一部分的个人数据”。
C. Whether the act of loading information, accessible to anyone who knew its address, was outside the scope of the Data Protection Directive as an exception in accordance with Article 3(2) [4].
根据《95指令》第3(2)条的规定,任何人访问该网站获取信息的行为是否属于该指令的豁免情况。
D. Whether information on a home page stating that a named colleague had injured her foot and was on half-time on medical grounds, constituted personal data concerning health, which according to Article 8(1) [5] of the Data Protection Directive, may not be processed.
互联网主页上实名公布同事因脚伤而半居家休养的信息是否构成与健康相关的个人数据。根据《95指令》第8(1)条的规定,不得对该类数据进行处理。
E. Whether the said act constituted transmission of data against the Data Protection Directive if someone from a third country accessed it.
如果第三国的人访问了该等信息,上述林德奎斯特女士的行为是否构成向第三国传输数据,从而违反了《95指令》的规定。
F. Whether provisions of the Data Protection Directive constituted a restriction which conflicted with the general principles of freedom of expression or other freedoms and rights under Article 10 [6] of the European Convention on the Protection of Human Rights and Fundamental Freedoms (ECHR).
《95指令》所规定的条款是否与《欧洲保护人权和基本自由公约》(European Convention on the Protection of Human Rights and Fundamental Freedoms, ECHR)第10条所规定的言论自由等其他自由权利的一般原则相冲突。
G. Whether a Member State, as regards the issues raised in the above questions, could provide more extensive protection for personal data or give it a wider scope than the Data Protection Directive, even if none of the circumstances described in Article 13 [7] existed.
就上述情况中提出的问题而言,即使《95指令》第13条所规定的情况不存在,欧盟成员国是否可以对个人数据予以更为广泛的保护或其予以的保护是否可以超过《95指令》所规定的范围。
(图片来源于网络)
3
法院判决及主要法律依据
●
The Court held that the act of referring names or telephone numbers or information regarding working conditions and hobbies of a person, on an internet page constituted the ‘processing of personal data wholly or partly by automatic means’ under Article 3(1) of the Data Protection Directive. The Court relied upon the definition of ‘personal data’ under Article 2(a) [8] which included ‘any information relating to an identified or identifiable natural person’. While examining the meaning of ‘wholly or partly by automatic means’, the Court held that placing information on an internet page by technical procedures entailed loading that page onto a server, and operations necessary to make the page accessible over the internet, which was at least in part automatic. Since the first question was answered in the affirmative, the Court did not dwell into the second question, relating to setting up individual pages for the members which could be searched by the first name of the individuals.
本院认为此行为——在网页上提及他人姓名、电话号码或其他与工作状况、爱好相关的信息——构成《95指令》第3(1)条规定的“全部或部分以自动化方式处理个人数据”。本院依据《95指令》第2(a)条对“个人数据”的定义,即“与已识别或可识别的自然人有关的任何信息”。在审视“全部或部分以自动化方式处理个人数据”这一定义时,本院认为,如果通过技术手段将信息发布在网页上,则需要将网页加载到服务器上,且有必要进行相应操作从而使网页能够通过互联网访问,这部分程序至少是自动化的。鉴于对第一个问题的回答是肯定的,因此本院并未深入探讨第二个问题——关于为同事建立可以按照名字进行搜索的个人网页的问题。
In relation to the third issue on exceptions under Article 3(2) of the Directive, the Court held that the acts of Mrs. Lindqvist were not commercial but charitable and religious. The first exception under Article 3(2) excluded activities such as those provided for by Titles V and VI of the Treaty on European Union, and processing operations concerning public security, defense, State security and the activities of the State in areas of criminal law. By applying ejusdem generis the Court stated that scope of the exception provided within Article 3(2) applied only to the activities which were expressly listed in the Article or which could be classified in the same category of such activities. Charitable or religious activities, such as those undertaken by Mrs. Lindqvist could not be considered equivalent to the activities listed and thus were not covered by the exception. As regards to the exception provided for in the 12th [9] recital to the preamble of the Data Protection Directive, relating to processing for home or domestic correspondence, the Court held that the exception applied only for processing of personal data and certainly not to processing data consisting of a publication on the internet to make it accessible to an indefinite number of people.
至于《95指令》第3(2)条所规定的豁免情况下的第三个问题,本院认为林德奎斯特女士的行为不具有商业性质,而是出于慈善和宗教目的。《95指令》第3(2)条所规定的第一个豁免情况排除了《欧盟条约》(the Treaty on European Union)第5章和第6章规定的活动,以及涉及公共安全、国防、国家安全和国家在刑法领域的数据处理活动。通过运用同类规则(ejusdem generis),本院指出,第3(2)条所规定豁免情况的范围仅适用于本条所明确列出的活动或可以按照同一范畴进行分类的该等活动。慈善或宗教活动,例如林德奎斯特女士所做的,不能视为等同于第3(2)条所列活动,因此不属于豁免情况。至于《95指令》序言第12条所规定的涉及家庭或国内通信数据处理的豁免情况,本院认为该豁免仅适用于个人数据处理,绝不适用于处理发布在互联网上的信息(使该信息可被不特定群体访问)的情况。
(图片来源于网络)
The Court held that the expression ‘data concerning health’ in Article 8(1) of the Data Protection Directive must be given a broad interpretation so as to include information concerning all aspects, both physical and mental health of an individual. Thus, reference to the fact that an individual had injured her foot, and was subsequently on half-time on medical grounds would constitute personal data concerning health within the meaning of Article 8 (1) of the Data Protection Directive. The Court examined the purpose and structure of Chapter IV of the Data Protection Directive, to determine whether the accessibility of a page from a third country would amount to transfer under Article 25 [10]. Here, the Court observed that the personal data appearing on the computer of a person in a third country, was not directly transferred by the person who had loaded them on an internet site, but was transferred between those two people through the computer infrastructure of the hosting provider [11] where the page was being stored. Computers which constituted the infrastructure with the necessary data, could be located, in one or more countries other than that where the hosting provider is established, without its clients being aware or being in a position to be aware of it.
本院认为,须对《95指令》第8(1)条中“与健康有关的数据”这一表述予以广泛的解释,以包括涉及个人身心健康等各方面信息。因此,所提到的同事因脚伤而半居家休养的事实构成了《95指令》第8(1)条中“与健康有关的数据”。本院审查了《95指令》第4章的目的和结构,以判断从第三国访问网页是否等同于第25条规定的数据传输。本院在此认为,出现在第三国人员电脑上的个人数据,并不是由在互联网网站上传这些数据的人直接转移的,而是通过存储该网页的托管服务供应商的计算机基础设施在国家之间转移的。托管服务供应商所使用的包含必要数据的计算机基础设施的可能分布于某一或某多个国家,而非其所在地,且其客户对此不知情或不可能知情。
The Court held that if Article 25 of the Data Protection Directive was interpreted to mean that there is “transfer [of data] to a third country” every time that personal data were loaded onto an internet page, that transfer would necessarily constitute a transfer to all the third countries which had technical means needed to access the internet making Chapter IV a regime which would have to be generally applied. Therefore, the Court held that the acts by Mrs. Lindqvist did not constitute transfer of data under Article 25.
本院认为,如果《95指令》第25条被解释为每次个人数据被加载到互联网页面时,都会构成"向第三国传输数据",则该传输行为必然将构成向所有能够采用技术手段访问互联网的第三国的数据传输,(《95指令》)第四章进而也会成为必须普遍适用的制度。因此,本院认为林德奎斯特女士的行为并不构成第25条规定的数据传输。
Relying on the 3rd [12] and 7th recital [13] to the preamble of the Data Protection Directive, the Court stated that while there could be differences in various national rules establishing the processing of data they must be harmonized to ensure free flow of data with adequate protection to fundamental rights. The Court observed that while the provisions of theData Protection Directive were relatively general, the rules included a degree of flexibility. While the Member States had a certain margin of manoeuvre in implementing the Data Protection Directive, the Directive itself was still predictable and harmonious to the general principles of Community law and fundamental rights protected by the Community legal order. Consequently, the authorities and courts of the Member States would have to interpret their national law in a manner consistent with theData Protection Directive and the fundamental rights protected by the Community. Therefore, the Court held that it was for the referring court to take account, according to the principle of proportionality [14], of all the circumstances of the case before it, to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.
根据《95指令》序言部分第3条和第7条的规定,本院认为,虽然各国在数据处理规则方面可能存在差异,但各国须相互协调,以确保在充分保护个人基本权利的情况下实现数据的自由流动。本院认为,虽然《95指令》的规定相对笼统,但这些规定在一定程度上也具备灵活性。虽然欧盟成员国在执行《95指令》时拥有一定的回旋余地,但该指令本身仍然具备可预测性,并与欧盟法律的一般原则以及与受欧盟法律秩序保护的基本权利相一致。因此,各成员国当局和法院必须以同与《95指令》和受欧盟保护的基本权利相符合的方式来解释其各自法律。本院进而认为,瑞典国家法院应根据“相称性原则”,考虑到该案件的所有情况,以确保在相关权益之间达到平衡,其中包括受欧盟法律秩序保护的基本权利。
Recitals 8 [15] and 10 [16] of the preamble to the Data Protection Directive seek to ensure the level of protection accorded in all Member States to be equal and that the national law ensuring such harmonization was to ensure a high level of protection in the Community. Therefore, the Court stated that the harmonisation of national laws was not limited to minimal harmonisation but to harmonisation which was generally complete. The Court further observed that although the Data Protection Directive allowed a margin of manoeuvre in certain areas, they were to be in accordance with its objective of maintaining a balance between the free movement of personal data and the protection of private life. It further held that the Member States were allowed to implement the provisions of the Data Protection Directive and expand it so long as Community law did not preclude the same.
《95指令》序言第8条和第10条试图保证各成员国所提供的数据保护水平是同等的,并且确保各国法律通过彼此间的协调来保证在欧盟实现更高水平的数据保护。因此,本院认为,各成员国法律之间不应局限于最低限度的协调,而是要在总体上实现完全协调。本院进一步表示,尽管《95指令》允许成员国在某些领域拥有回旋余地,但这些情况应在个人数据自由流动和个人生活保护之间保持平衡。本院进一步指出,只要欧盟法律对此表示不排斥,则成员国可以执行《95指令》的规定并扩大其范围。
4
案件评析
●
ECJ Case C-101/01 has important implications for the posting of personal data on the Internet. Through this case, the court has clarified that posting personal data on the Internet amounts to processing personal data for the purposes of the Data Protection Directive. The court's finding highlights the fact that Europe's data protection regime is extremely far reaching.
欧洲法院C-101/01号案对在互联网上发布个人数据的行为产生了重要影响。通过此案,本院阐明了在互联网上发布个人数据的行为就相当于《95指令》中所指的处理个人数据行为。该裁决突出了欧洲数据保护制度具有的实际深远意义。
(图片来源于网络)
The enforcement action that was launched against Lindqvist, and validated in large part, by the ECJ, is not likely to be the last of its kind. In fact, Norway's data protection authorities recently announced that they would be pursuing web site operators that display photos that were taken of individuals without their prior consent. Accordingly, the activity of the local data protection authorities, along with the ECJ's decision should serve as a wake-up call to all entities and individuals that process personal data in Europe and/or about Europeans, including by posting such data on an Internet website [17].
欧洲法院在很大程度上支持了针对林德奎斯特女士的执法行动,且此类支持不会是最后一次。事实上,挪威数据保护机构也宣布将追究未经个人事先同意就将其个人照片发布的网站运营商。因此,各地数据保护机构的行动以及欧洲法院的裁决应当给所有在欧洲的或涉及欧洲人的个人数据处理者敲响警钟,包括那些将该类数据发布至互联网网站的人。
判决书链接:
https://curia.europa.eu/juris/showPdf.jsf;jsessionid=460406347051870D2140CBFB0BE89687?text=&docid=48382&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=24181728
原文链接:
https://privacylibrary.ccgnlud.org/case/bodil-lindqvist
微信扫码关注该文公众号作者