The European Court of Justice (ECJ) is challenging national legislators in the European Union who introduced privacy laws stricter than those provided for by the European Data Protection Directive (95/46/EC). In a decision issued on November 24, 2011, the ECJ declared a provision in the Spanish Organic Law 15/1999 invalid because it imposes additional requirements for data processing not contained in the Directive.

The decision supports the plans of the European Commission to enhance harmonization of privacy laws in the European Union. In a speech held on November 28, 2011, Viviane Reding, Vice President of the European Commission, confirmed that the planned reform of the Directive will lead to consistent rules across the European Union. The plans are in line with the direction taken by the ECJ. The proposal of the European Commission will be published by the end of January 2012, Reding said.

According to the ECJ, however, the existing legal framework addressed by Reding might not be as fragmented as suggested. A strict interpretation of the decision suggests that any data processing permitted under the Directive cannot be limited under national law. Consequently, the decision calls into question the validity of many provisions set out in the existing national privacy laws in the European Union. If all national laws that are stricter than the Directive are disregarded in accordance with the recent ECJ decision, privacy laws in Europe could already be more harmonized than previously thought.

Many member states of the European Union view the Directive as providing a pan-European “floor” of data protections, rather than ruling out more restrictive national laws or requirements.  They have relied on a provision stating that national legislators shall “determine more precisely the conditions under which the processing of data is lawful” (Article 5 of the Directive). The ECJ confirmed in an earlier decision (Lindqvist) that the Directive allows member states “a margin for manoeuvre in certain areas”, but the court already stressed that this margin is limited due to the overall objective of the Directive to allow free movement of data (Paragraph 97).

Over the past 15 years, many member states have taken the liberty of introducing stricter requirements for data processing than contemplated in the Directive. The ECJ evaluated the validity of a condition included in the Spanish Organic Law 15/1999 that allows the use of data for marketing purposes under the so-called balance of interest clause (Article 7 (f) of the Directive) only if the data are included in public sources (Article 6 (2) of Organic Law 15/1999). As the balance of interest clause in the Directive does not contain a limitation requiring data to be from public sources, the ECJ ruled that the provision in the Spanish law is in breach of the Directive.

If a member state is in breach of a European Directive, the European Commission can instigate proceedings, but it could take years before such proceedings have any practical effect. It is therefore important that the ECJ has not only confirmed the breach by the Spanish legislature as such but also has stated that Article 7 (f) of the Directive has “direct effect”. As a result, the Spanish court which put the questions before the ECJ may now disregard the wording of the existing Spanish provision and rule in favour of the two associations who initiated the case.

From a practical perspective, data controllers regulated by European privacy laws are left with a tricky issue. One could take the view that any data processing should be undertaken solely under the rules of the Directive and stricter provision under any national law could be ignored. On the other hand, it is unlikely that national authorities will give up that easily on the additional limitations imposed by national law. Therefore, it will take some gumption to oppose the authorities based on the new ECJ decision. Finally, it should be noted that additional restrictions imposed by other European Directives (for example the Cookie consent rules under the ePrivacy Directive) remain valid.