ECJ Rules Exceptions to Obligation to Notify Data Subjects of Processing Are Optional

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner  

Nov. 12 --European Union member statesaren't obliged to allow exceptions to the requirement that data processors inform data subjects about the processing of their personal data, notwithstanding a list of circumstances in the EU Data Protection Directive (95/46/EC) in which exceptions can be permitted, according to a ruling of the European Union Court of Justice (Institut professionnel des agents immobiliers (IPI) v. Englebert, E.C.J., No. C-473/12, 11/07/13)

In a judgment handed down Nov. 7, the Luxembourg-based court ruled that EU countries “have no obligation, but have the option” to transpose into their national codes of law exceptions listed in Article 13(1) of the directive, under which the collection and processing of personal data might be allowed without notifying the data subject.

The exceptions include data processing related to national security, defense, the investigation of crime and the protection of the financial interests of states.

The Belgian Constitutional Court sought a ruling of the ECJ in a case concerning the use of private detectives by the Belgian Professional Institute of Estate Agents (Institut professionnel des agents immobiliers, or IPI). IPI used private detectives to collect information on a real estate company alleged to be breaching IPI rules.

The ECJ ruled that, although EU countries weren't obliged to adopt it, the use of private detectives was in principle covered by an exception listed in Article 13(1) of the Data Protection Directive that permits data to be collected without informing the data subject in cases of “breaches of ethics for regulated professions.”

Impact of Ruling

Berend van der Eijk, a lawyer with Bird & Bird LLP, in the Hague, the Netherlands, told Bloomberg BNA Nov. 12 that the ruling was “mostly relevant for legislators.”

“In general,” van der Eijk said, the “directive is supposed to provide for full harmonisation” of data protection laws in EU countries. But the ruling had shown where member states have leeway and “what can be harmonised and what not,” he said.

Monika Kuschewsky, special counsel with Covington & Burling LLP in Brussels, told Bloomberg BNA Nov. 12 that the ruling was a clarification that would have limited impact, in particular because the Data Protection Directive is expected to be replaced by an EU data protection regulation, or a single law for the EU bloc.

The European Commission, the EU's executive arm, proposed the data protection regulation in January 2012 . It is being discussed by the European Parliament and the EU Council, which represents the governments of EU member states.

“The new regulation if it is adopted would of course supersede whatever the court says now about the directive,” Kuschewsky said.


To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Katie W. Johnson at

Full text of the court's opinion is available at

Request Bloomberg Law: Privacy & Data Security