From Out-Law.com:
EU member states cannot generally prohibit organisations’ legitimate and necessary but unauthorised processing of personal data where the information is not stored in specified public sources, the European Court of Justice (ECJ) has said.
The ECJ said that national rules that broadly exclude data processing in non-specified public sources in those circumstances are precluded under EU data protection laws.
“[The EU’s Data Protection Directive] must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources,” the ECJ said in its ruling.
Read more on Out-Law.com while I go put up another pot of coffee to see if I can understand this. If I’m understanding it, a member state cannot enact a national law that would give greater protection to data held in non-public databases than that provided in the EU directive. And if I’m understanding it correctly, it makes some sense in terms of having a common set of rules for data that crosses borders, but it does limit a country’s ability to provide its own citizens greater privacy protections, no?
Maybe some kind EU reader will comment or explain this to me if I’ve got it wrong.