From: Bloomberg BNA

By Stephen Gardner

European Union member statesaren’t obliged to allow exceptions to the requirement that data processors inform data subjects about the processing of their personal data, notwithstanding a list of circumstances in the EU Data Protection Directive (95/46/EC) in which exceptions can be permitted, according to a ruling of the European Union Court of Justice (Institut professionnel des agents immobiliers (IPI) v. Englebert, E.C.J., No. C-473/12, 11/07/13)

In a judgment handed down Nov. 7, the  Luxembourg-based court ruled that EU countries “have no obligation, but have the  option” to transpose into their national codes of law exceptions listed in  Article 13(1) of the directive, under which the collection and processing of  personal data might be allowed without notifying the data subject.

The  exceptions include data processing related to national security, defense, the  investigation of crime and the protection of the financial interests of  states.

The Belgian Constitutional Court sought a ruling of the ECJ in a  case concerning the use of private detectives by the Belgian Professional  Institute of Estate Agents (Institut professionnel des agents immobiliers, or  IPI). IPI used private detectives to collect information on a real estate  company alleged to be breaching IPI rules.

The ECJ ruled that, although  EU countries weren’t obliged to adopt it, the use of private detectives was in  principle covered by an exception listed in Article 13(1) of the Data Protection  Directive that permits data to be collected without informing the data subject  in cases of “breaches of ethics for regulated professions.”

Impact of Ruling

Berend van der Eijk, a lawyer with Bird & Bird LLP, in the Hague, the Netherlands, told Bloomberg BNA Nov. 12 that the ruling was “mostly relevant for legislators.”

“In general,” van der Eijk said, the “directive is supposed to provide for full harmonisation” of data protection laws in EU countries. But the ruling had shown  where member states have leeway and “what can be harmonised and what not,” he  said.

Monika Kuschewsky, special counsel with Covington & Burling LLP  in Brussels, told Bloomberg BNA Nov. 12 that the ruling was a clarification that  would have limited impact, in particular because the Data Protection Directive  is expected to be replaced by an EU data protection regulation, or a single law  for the EU bloc.

The European Commission, the EU’s executive arm,  proposed the data protection regulation in January 2012 . It is being discussed  by the European Parliament and the EU Council, which represents the governments  of EU member states.

“The new regulation if it is adopted would of course  supersede whatever the court says now about the directive,” Kuschewsky said.