The impact of the EC Data Protection Directive
on Dutch Data Protection Law
Mr J P Bergfeld
- Brief Outline of the WPR
- Main Differences Between the Directive and the WPR
This is a Refereed Article published on 31 January 1996.
Citation: Bergfeld, J. P (1996) 'The impact of the EC Data Protection Directive on Dutch Data Protection Law', 1996 (1) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/elj/jilt/dp/1dutch/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/bergfeld/>
The adoption by the Council of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Directive) on 24 October 1995 is launched at about the same time as a legal and a non-legal evaluation of the WPR (the Dutch Data Protection Act). The results of the evaluations can be used to create a new Act, necessary to comply with the Directive. According to article 32 of the Directive, Member States will have to comply with it in the next period of three years. In this text I will focus on the impact of the Directive on the WPR. After a historical overview and a brief outline of the WPR, I will focus on the main differences between the Directive and the WPR.
In the Netherlands the interest in the Directive has been considerable since the start, when the European Commission presented a first proposal, in july 1990. The proposal was heavily criticised. The European Parliament suggested a great number of changes which resulted in a second, revised, proposal by the European Commission in october 1992. The new proposal was subject of discussion in Dutch Parliament.
Members of the permanent commission of Justice asked the minister of Justice several questions regarding the draft Directive. The minister answered that the extension of the legislation to the automatic processing of data must be seen in relation to developments in information technology.
The European Council reached a common position on february 20th, 1995. The final version was adopted on 24 October 1995. The text of the final version of the Directive was published in the Official Journal (23rd Nov 1995 No L281 p31) and is available at the JILT server and at http://www.echo.lu/legal/en/dataprot/dataprot.html
In response to a question regarding the costs of the Directive the minister of Justice referred to a so-called business-effect report that was still in progress at that time. The outcome of this report from the EIMK (the Dutch Economic Institute for small and medium-sized businesses) by order of the minister of Economic Affairs, was that high costs of implementation and execution of the Directive could be expected. The Registration Chamber severely criticised this research.
Subsequently another enquiry, conducted by the IOO (the Dutch Institute for Research of Government Expenditure) by order of the minister of Justice led to the conclusion that the costs of implementation would be between NLG 25 and 50 million (approximately £ 10 - 20 million) for all government agencies together. The structural costs were estimated at NLG 1 million (£ 400.000) at the most for all government agencies, including the social security and health sector.
A comparative research by the Aston Business School and the universities of Leiden and Tilburg points out that there have been warnings against high costs of implementation and execution in the Netherlands as well as in the UK. In the research report to the European Commission it is stated that although there will of course be financial implications, they will not be as substantial as suggested.
Under the WPR controllers of personal data files containing data relating to more than one person are obliged to fill out a form (private sector) or make a regulation (public sector) and send it to the Registration Chamber in order to comply with notification requirements.
The WPR does not apply to certain types of personal data files.
A large number of personal data files meets the requirements stated in the BGV (Decree on Conditional Exemption). In that case the standard rules stated in this Decree must be followed and there is no need for notification.
The fear for high costs of implementation mentioned above can be explained by the information requirements in the Directive. Nevertheless the WPR also states that a controller has to notify the Registration Chamber through a form or a regulation. In this notification a number of questions regarding the personal data file have to be answered.
Other information requirements include information to be given to the data subject (articles 10, 11 Directive) and the data subject's right of access to data (art. 12 Directive). These obligations already exist in the WPR (articles 28, 29 WPR).
The WPR offers professional organisations or branch organisations the possibility to create a code of conduct. In consultation with the Registration Chamber certain clauses in the law can be specialized to the specific use of the processing of personal data in their sector. In the Netherlands, about ten codes of conduct have been approved by the Registration Chamber.
The WPR was enacted in 1989. In the Netherlands it's not uncommon to have legislation evaluated every five year period. At the time of adoption of the Directive, both the legal and non-legal impact of the WPR were under evaluation. The legal evaluation mainly focusses on definitions and structure of the law while the non-legal evaluation mainly focusses on the way the WPR is perceived in society and especially by controllers and data subjects
The non-legal evaluation of the WPR was still in progress when this article was being written. The results were made available on the 14 december 1995.
The legal evaluation of the WPR is available now. It was performed by mrs. G. Overkleeft-Verburg, a former member of the Dutch Registration Chamber. It specifically refers to the new privacy legislation that is needed in order to implement the Directive.
Overkleeft-Verburg looks upon the notification in the Netherlands partly as a form of self-regulation. She notes that in practice self-regulation through notification is often ignored or seen as a token obligation, a one-time obligation of a purely administrative nature.
She recommends to use the possibility of an optional procedure for the approval of codes of conduct, which is offered by the Directive. This kind of self-regulation has proven to be effective in the Netherlands.
She also recommends to regard any form of mandatory notification with reticence. In her opinion there is no legal basis in the (at that time draft) Directive for an obligation of self-regulation at the operational level.
The Directive can be seen as herald of a new generation of data protection legislation. In this new generation the static concept 'personal data file' will be replaced by the dynamic concept of 'processing personal data'. Because in a number of situations processing of personal data will take place without (the creation of) a personal data file, therefore the scope of the Directive is much wider.
The main difference between the Directive and the WPR is thus a difference in scope.
The Dutch WPR is only applicable to personal data files. It was argued in the Netherlands that the WPR did not apply for chipcards, because a personal data file is defined as a collection of personal data relating to different individuals, whereas a card mostly contains the personal data of just one person. (Of course, when data are copied to or from a central personal data file, existing rules apply to storage in and disclosure from these files.) This problem is solved by the Directive's approach. New problems are created since various normal activities may qualify as processing personal data with sometimes unwanted and unnecessary results. In general the Directive's approach is more flexible
Also non-electronic personal data filing systems which form a structured set of personal data, accessible by specific criteria (Art. 2 sub c Directive), fall within the scope of the Directive (art. 3). In the Netherlands this will not lead to any changes, since the WPR has a similar provision (art. 1 WPR)
The general rule in the Directive is simple. The processing of personal data must be fair and lawful. Of course, the term lawful refers to the text of the Directive. What is fair and lawful is determined by article 5 and 6 of the Directive and the way the national law of the Member States specifies the conditions of the Directive.
The Directive does not differentiate between the private and the public sector. The WPR states separate rules for private sector and public sector personal data filing systems, albeit that in practice there is not much difference. The major difference is the possibility for public sector controllers to issue data to third parties in the public sector.
Overkleeft-Verburg notes that the Dutch legislator's intention concerning the Decree on Conditional Exemption was a reduction of the cost of operation for more or less standard registrations with a low degree of sensitivity. Since the decree is based on a traditional typology of information systems dedicated to a single function and in part very detailed, it will need severe adjustment under the Directive (art. 18 Directive).
The obligation to notify the supervisory authority includes specific information as stated in article 19 section 1 sub a - f . of the Directive. There is not much difference between the requirements stated above and those under the WPR.
Furthermore, the Directive leaves room for additional specific information in the national law. The recommendation of mrs. Overkleeft-Verburg has not had much effect. Although she may be right stating that notification is mainly a one-time obligation of a purely administrative nature and therefore has no meaning with regard to self-regulation, it's still better than nothing.
The Dutch concept of self-regulation through codes of conduct, both national and international, is promoted by the Directive (art. 27) . In this place I can only endorse the recommendation of mrs. Overkleeft-Verburg to use the Directive's possibility for an optional procedure for the approval of codes of conduct.
Apart from some municipal privacy committees privacy-officers per company or per branch or sector are not used frequently in the Netherlands . This could very well change now that the directive in art. 18 offers the possibility of appointing a privacy-officer. Member States may simplify or exempt the duty of the controller to notify the supervisory authority if a privacy-officer is appointed.
The German way of appointing a privacy-officer implicates that this officer should control the appliance of the national data protection law within the organisation, keep register of all the data processings and stay independent in doing so. A combination of codes of conduct and privacy-officers per branch or sector might lead to better results in the Netherlands than the notification by means of a form or a regulation.
Although the international aspects of the Directive do not constitute a specific problem for Dutch privacy legislation, it is good to note that the one-stop-shopping facilities that are known through telecommunications and financial/banking directives also exist in the field of notification of processing personal data in the Member States. The establishment of a Working Party on the protection of individuals is an important step towards bringing more unity in the implementation of the Directive.
The final text of the directive is, although a mix of different legal approaches, considered to be a sound basis for data protection in the coming era. However, it is very unlikely that any existing data protection legislation will not have to be amended when the Directive comes into force.
Implementation of the EC Data Protection Directive in the Netherlands will not have many consequences for the organisations that already (have to) comply with existing privacy regulation's. Only the government will have a difficult task in adapting the existing data protection laws in a new framework based on the Directive.
According to the Registration Chamber there will be continuity to a large extend as regards content, but due to the differences in structure between the Directive and the WPR, implementation will require a completely new law, the WBP (Personal Data Protection Act), of which a concept will be presented in the near future.