Until 6 October, there was little to prevent the personal data of EU citizens flowing freely across the Atlantic and into the U.S. Then in Schrems, the Court of Justice of the European Union (CJEU) held that the European Commission’s Safe Harbor decision was invalid. That decision had provided an exception to the prohibition on “Trans-border data flows” imposed by the EU’s Data Protection Directive. Fevered discussions of other exceptions, such as binding corporate rules (BCRs) and contracts, has followed. Some of Germany’s data protection authorities (DPAs) think that such exceptions may similarly fall foul of the CJEU’s reasoning in Schrems. Others, such as the European Commission, the European Data Protection Supervisor and other EU DPAs, think not—at least for now. Ultimately however, as the CJEU itself made clear in paragraphs 52 and 61 of Schrems, this is a matter for the CJEU to decide. Of course asking the CJEU to make such a decision will take time—a year, perhaps two. This may give the European Commission time to come to a new Safe Harbor agreement with the U.S., which may satisfy the CJEU.    

Missing from much of this debate is discussion of the Lindqvist Loophole. This peculiarity of the Data Protection Directive (Directive 95/46) dates back to 1998, to a world quite different from today.  The dot-com bubble was inflating; Mark Zuckerberg was still in school, smartphones were the stuff of science fiction and the Internet had 188 million users, little more than a 20th of its present size. Sweden was then one of the world’s best-connected countries, with more Internet users than almost anywhere else.  One of those well-connected Swedes was Bodil Lindqvist, a maintenance worker and catechist from Alseda, who went on a data processing course in 1998 and learned how to set up an Internet homepage. Her new skills enabled her to upload various pages to the Internet, some of which “contained information about Mrs. Lindqvist and 18 colleagues in the parish." Some pages described “in a mildly humorous manner, the jobs held by her colleagues and their hobbies.” Others referred to “family circumstances and telephone numbers,” whilst one stated that a “colleague had injured her foot and was on half-time on medical grounds.”

Unfortunately, Bodil Lindqvist had failed to obtain her colleagues’ consent before uploading their personal data. She took down the pages “as soon as she became aware that they were not appreciated by some of her colleagues,” but it was too late; Bodil Lindqvist was prosecuted for various offences under Swedish data protection law. These offences included transferring “personal data to a third country without authorisation.” She was convicted and appealed. The court hearing her appeal referred various questions to the CJEU, including, “whether there is any transfer (of data) to a third country (outside the EU) … where an individual in a member state loads personal data onto an Internet page … thereby making those data accessible to anyone who connects to the Internet, including people in a third country.”

The CJEU gave judgment in 2003, answering this question in the negative:

“Given, first, the state of development of the Internet at the time Directive 95/46 was drawn up and, second, the absence … of criteria applicable to use of the Internet, one cannot presume that the community legislature intended the expression transfer (of data) to a third country to cover the loading, by an individual in Mrs Lindqvist's position, of data onto an Internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.”

The CJE went onto conclude that"there is no transfer (of data) to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a member state loads personal data onto an Internet page which is stored with his hosting provider which is established in that state or in another member state, thereby making those data accessible to anyone who connects to the internet, including people in a third country."

And so the Lindqvist Loophole was opened—whether it is appropriate to describe such a significant gap in Directive 95/46’s prohibition on transfers of personal data outside the EU as a loophole is another matter. And Lindqvist is a judgment that the CJEU has not forgotten about. The CJEU referenced Lindqvist in both Weltimmo and Google Spain. In Weltimmo, the CJEU applied Directive 96/46 to a data processing operation in one EU Member State, which was directed at another. Most remarkably, in Google Spain, the CJEU effectively held that the Directive 95/46 could be applied to the operation of web-search engines in California which would be able to trawl through personal data in Spain. These later judgments may seem to contradict Lindqvist, but the CJEU has not considered the Lindqvist Loophole directly, so it may well be that the Lindqvist Loophole remains open.

This should not be read as suggesting that controllers with an appropriately high risk appetite can rely upon the Lindqvist Loophole to evade Directive 95/46’s prohibition on transfers of date outside the EU. Uploading data to the Internet with the intention that it may be accessed outside the EU could breach a subject’s fundamental right to data protection—though proving such intent may be difficult. And such a breach might give rise to an action for damages pursuant to Article 23 of Directive 95/46. However the Lindqvist Loophole may cause difficulties for any DPA that seeks to restrict the uploading of information to the internet on the grounds that it will then be accessed outside the EU. A DPA that sought to do so would have to anticipate that any such restrictions might well be referred back to the CJEU, which might well then declare that the Lindqvist Loophole is closed.  

However at present the judgments of the CJEU in Lindqvist, Google Spain and Weltimmo appear contradictory. The CJEU appears to think that the EU’s legislature did not anticipate that personal data uploaded to the internet inside the EU might be accessed outside (Lindqvist) but did anticipate that such data might be accessed inside (Weltimmo) or searched by a California-based search engine (Google Spain). It would be easy to criticise the CJEU for failing to resolve this contradiction, but that may be unfair. For the CJEU has been left in a most awkward position by the EU’s legislature’s failure to “lay down the rules relating to the protection of individuals with regard to the processing of personal … and the rules relating to the free movement of such data” as required by Article 16 of the Treaty on the Functioning of the European Union. Of course, laying down rules that set a balance between data protection and the free movement of data is difficult, which may explain why the EU is taking so long to legislate. But the CJEU can only review such legislation: it cannot make it.

The CJEU made clear in 2003 that the EU’s Directive 95/46 did not properly anticipate the global Internet. That may have been an oversight, as was failing to anticipate the World Wide Web—though Directive 95/46 did a good job of anticipating developments in artificial intelligence. But Directive 95/46 could not and did not anticipate social media, the Internet of Things and just about everything else that’s happened since 1995. The Lindqvist Loophole demonstrates just how out-of-date Directive 95/46 now is; that directive’s repeal and reform is long past due.

photo credit: 3D Scales of Justice via photopin (license)