JILT 1996 (1) - Consultation Paper
CONSULTATION PAPER ON THE EC DATA PROTECTION DIRECTIVE (95/46/EC)
ISBN 1-85893-604-7
©Crown Copyright 1996
HOME OFFICE
INTRODUCTION
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Data Protection Directive") was adopted on 24 October 1995. A copy of the Directive may be accessed by clicking here. Member States are required to give effect to the Directive within three years of the date of its adoption. In other words, the United Kingdom must have relevant national provisions ("the new law") in place by 24 October 1998. The purpose of this consultation paper is to seek views on the way in which the Directive should be implemented in the United Kingdom. The Government would welcome responses by 19 July 1996. They should be sent to:
Graham Sutton
Data Protection Section
Home Office
Room 1181
50 Queen Anne's Gate
LONDON SW1H 9AT
Fax: 0171 273 3205
This consultation paper is Crown Copyright, but there is no objection to it being photocopied. Additional copies can be obtained from the Data Protection Section on 0171 273 3755 and any enquiries should be directed to this telephone number.
DATA PROTECTION DIRECTIVE 95/46/EC
COMPARISON WITH THE DATA PROTECTION ACT 1984
DIRECTIVE | 1984 ACT |
Applies to automatically processed and certain types of manually processed data | Applies only to automatically processed data. |
Applies only to activities within the scope of Community law. | Applies to all activities. |
Contains a wide definition of "processing" (ie. everything from collection to destruction). | Contains a narrower definition of "processing". |
Establishes data protection principles with which processing must comply. | Makes similar provision. |
Sets conditions which must be met before personal data may be processed. | No express equivalent provision. Relies on data protection principles. |
Sets tighter conditions for the processing of "sensitive" data (eg. data about racial or ethnic origin). | Allows special conditions for "sensitive" data to be set by Order. No Order has been made. |
Provides for certain exemptions for journalism etc. | No corresponding provision. |
Requires individuals whose data is processed to be provided with certain information (eg. about the purpose of processing). | No express equivalent provision. Relies on data protection principles. |
Gives individuals the right of access to their personal data, and the right to have inaccurate data amended etc. | Makes broadly equivalent provision, but with some important differences. |
Gives individuals the right to object to lawful processing of their data. | No equivalent provision. |
Gives individuals the right to object to their data being used for direct marketing purposes. | No express equivalent provision. Relies on data protection principles. |
Places restrictions on fully automated decision-making. | No equivalent provision. |
Sets specific requirements for security of processing operations. | Relies on data protection principles. |
Requires registration of some categories of automated processing operations. | Requires registration of all automated processing operations. |
Requires prior checking in some circumstances. | No requirement for prior checking. |
Requires information about processing operations to be publicly available. | Requires register of data users to be available for public inspection. |
Requires Member States to provide remedies for breach of the Directive. | Provides for remedies for breach of the Act. |
Sets detailed conditions for transfer of personal data to countries outside the EU. | Contains much simpler provision. |
Requires a national supervisory body to be established, and specifies its powers. | Establishes the Data Protection Registrar, with supervisory powers. |
Establishes arrangements for monitoring of the Directive at Community level. | Not applicable. |
SUMMARY AND QUESTIONS
CHAPTER 1: THE GENERAL APPROACH
The Directive establishes common rules for data protection among Member States of the EU in order to facilitate the free flow of personal data within the EU. The Directive gives Member States some flexibility. The Government intends to implement the Directive in the least burdensome way for data users, while protecting individuals.
How should the scope for discretion which the Directive affords be exercised in the United Kingdom?
Are there additional proposals for simplifying the existing data protection regime? How should the Government deal with those provisions of the Directive which are unclear or open to a range of interpretations?
What additional costs (both one-off and recurring) or savings are likely to result from the application of the different provisions of the Directive?
CHAPTER 2: DEFINITIONS, SCOPE AND EXTENT (Articles 2-4)
The key terms used in the Directive are defined in article 2. Whilst some of the terms themselves are familiar from the 1984 Act, they do not have exactly the same meaning in the Directive. The scope of the Directive is set in article 3. It applies to the processing of personal data by automatic means, and to the processing of certain categories of manual records. It does not apply to activities outside the scope of Community law, or to essentially personal activities. The purpose of article 4 is to determine which Member State's law applies in a particular case.
What are the implications of the definitions in article 2, and in particular what are the criteria to be applied in determining the scope of the term "filing system"? Please tell us if you anticipate any problems in the application of article 3.
How should article 4 be interpreted? How could the problems identified be avoided?
CHAPTER 3: THE MAIN RULES GOVERNING PROCESSING (Articles 6, 7, 10-13, 16 and 17)
The Directive creates a set of rules which apply to the processing of all personal data. Article 6 establishes data protection principles, which are broadly similar to those in the 1984 Act. Article 7 sets out criteria which have to be satisfied before personal data may be processed. There is no equivalent in the 1984 Act to this elaboration of the data protection principles. Also new is the express requirement in Articles 10 and 11 for certain information to be provided to individuals whose data are processed. Article 12 contains a familiar right of access for data subjects but includes some new associated rights. Articles 16 and 17 deal respectively with the confidentiality and security of processing. Again, the 1984 Act contains no express corresponding provision. Finally, article 13 makes provision for exemptions from certain of these general rules.
What are the implications of article 6, and in particular what might be the safeguards for processing for historical, statistical or scientific purposes (article 6.1(b) and (e))?
What are the implications of article 7, and in particular:
- which tasks should come within the scope of the expression "carried out in the public interest or in the exercise of official authority" (article 7(e));
- in which circumstances might article 7(f) apply?
What are the implications of articles 10 and 11, and in particular what safeguards and "compensatory measures" should be provided where the derogation in article 11.2 is invoked?
What are the implications of article 12, and in particular:
- do the existing 40 day limit on dealing with subject access requests and the maximum £10 fee remain appropriate;
- should the existing absolute requirement to provide a copy of an individual's data be modified (article 12(a))?
What are the implications of articles 16 and 17?
What are the implications of article 13, and in particular:
- which activities need to be covered by the exemptions;
- what sort of legal safeguards need to be provided under article 13.2?
CHAPTER 4: SPECIAL CASES (Articles 8, 9, 14 and 15)
The main rules governing the processing of personal data are complemented by special rules which apply to particular types of case. Article 8 establishes criteria for the processing of what are generally known as "sensitive data". Article 9 makes special provision for the processing of data for journalistic and similar purposes. Article 14 provides data subjects with a right to object to processing in certain circumstances, including, in particular, direct marketing. Article 15 deals with decision-making based solely on automated processing.
What is the scope of the exemptions provided for in articles 8.2 to 8.4, and in particular:
- what employment-related activities should be covered by article 8.2(b) and what should the safeguards be;
- what should be the nature of the guarantees to be provided in regard to article 8.2(d);
- what activities should be prescribed under article 8.4 as being of "substantial public interest", and what should the nature of the safeguards be?
What are the implications of the first part of article 8.5 (processing of personal data relating to criminal convictions etc), and in particular:
- what are the circumstances in which such data need to be processed otherwise than under the control of official authority;
- what should be the nature of the appropriate "specific" safeguards?
What are the implications of article 9, and in particular:
- what is the scope of the expressions "journalistic purposes" and "the purpose of artistic or literary expression";
- what are the considerations which should be taken into account in balancing privacy with freedom of expression, and by what mechanism should the balance be struck?
What are the implications of article 14(a), and in particular:
- what sort of circumstances might constitute "compelling legitimate grounds" for an objection;
- what are the circumstances in which national legislation should provide that the right to object, in relation to articles 7(e) and (f), should not be available?
What are the implications of the right to object to the use of personal data for direct marketing purposes (article 14(b))? Which variant of article 14(b) should be adopted in the United Kingdom?
What are the implications of article 15, and in particular:
- to which categories of decision should the article be taken as applying;
- what should be the nature of the safeguards for the data subject's legitimate interests;
- which categories of decision should be authorised by law?
CHAPTER 5: NOTIFICATION/REGISTRATION (Articles 18-21)
Notification/registration is a requirement of the Directive as it is of the 1984 Act. In some respects the Directive is more flexible than the 1984 Act. However, it also introduces new requirements. Article 18 establishes a general requirement for controllers to notify the supervisory authority of their activities, and makes provision for exemptions and simplification. Article 19 describes the information which has to be notified. Article 20 introduces a new requirement for certain categories of processing operation to be checked by the supervisory authority before they can begin. Article 21 deals with the provision of information about processing operations, and requires the supervisory authority to establish a register of notified processing operations.
What categories of processing operation should be brought within the scope of the exemption from, or simplification of, the notification arrangements (article 18.2)? Should there be provision for exemption from, or simplification of, the notification requirements, or both (article 18.2)?
Should provision be made for controllers to appoint "in-house" data protection officials (article 18.2)?
Please provide examples of registers which "according to laws or regulations..." are intended for public consultation, with information about the enactment which provides for them (article 18.3).
What are the implications of article 18.4 for the notification of sensitive data? Should any non-automatic processing operations be subject to a notification requirement (article 18.5)?
What are the implications of article 19?
What are the implications of article 20, and in particular:
- what are the categories of processing operation which are likely to present specific risks, including the possible implications of new technologies;
- within what time period should the supervisory authority be required to give its opinion?
What are the implications of article 21?
CHAPTER 6: ENFORCEMENT (Articles 22-24, 27 and 28)
Articles 22-24 establish the broad framework for dealing with breaches of the national provisions giving effect to the Directive. Article 22 requires individuals to have access to a judicial remedy for breach of their rights under the applicable national law; article 23 requires individuals to be able to secure compensation for damage; and article 24 requires Member States to provide measures to enforce the national law and provide sanctions for breach. Article 27 provides for national and EU codes of conduct. These provisions need to be read alongside article 28 which requires each Member State to establish at least one independent authority to oversee the national provisions giving effect to the Directive.
What are the implications of articles 22 to 24, 27 and 28? Does the enforcement model provided by the 1984 Act remain acceptable, or are modifications desirable?
CHAPTER 7: TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES (Articles 25 and 26)
In order to maintain a comparable level of protection for data from the EU and to prevent the EU data protection regime being circumvented, the Directive establishes a set of rules which apply when personal data are transferred to countries outside the EU. Article 25 sets the basic rule, that the third countries must provide an adequate level of data protection. Article 26 provides for a number of exceptions.
What are the implications of articles 25 and 26, and in particular:
- what should be the method of authorising transfers under article 26.2 and the nature of the guarantees;
- should arrangements be made in the United Kingdom for the central determination of "adequacy" under article 25.2?
CHAPTER 8: TRANSITIONAL ARRANGEMENTS (Article 32)
Article 32 sets the date by which national provisions have to be in force and specifies transitional arrangements.
What are the implications of the transitional arrangements, and in particular what should be the nature of the safeguards required by article 32.3?
CHAPTER 1
THE GENERAL APPROACH
1.1 The Directive has two main purposes: to establish common rules for data protection at a high level among all Member States of the EU; and, in doing so, to facilitate the free flow of personal data within the EU in the interests of improving the operation of the single market. The main thrust of the Directive is similar to that of the Data Protection Act 1984 ("the 1984 Act"). There are, however, many differences, both of substance and of detail. In particular, the scope of the two instruments differs. Unlike the 1984 Act, which applies to automatically processed personal data in all sectors, the Directive does not apply to activities which fall outside the scope of Community law. The Directive also applies to certain categories of manually held record as well as to automatically processed records.
1.2 The Government believes that the United Kingdom's data protection regime should be the least burdensome for business and other data users, while affording the necessary protection for individuals. The Government has long recognised the importance of effective data protection controls: that is why it enacted the 1984 Act and ratified the Council of Europe Data Protection Convention. It believes, however, that those provisions are sufficient, both for the protection of individuals, and as a means of ensuring the free flow of data between European partners. Indeed, the existing law itself has been criticised as being unnecessarily regulatory in certain respects. An example is the requirement for all data users to register with the Data Protection Registrar. Over-elaborate data protection threatens competitiveness, and does not necessarily bring additional benefits for individuals. It follows that the Government intends to go no further in implementing the Directive than is absolutely necessary to satisfy the UK's obligations in European law. It will consider whether any additional changes to the current data protection regime are needed so as to ensure that it does not go beyond what is required by the Directive and the Council of Europe Convention.
1.3 The Directive gives Member States some flexibility. Some provisions allow Member States a choice whether or not to do something. Others require Member States to do something, but give them some discretion. Even where the Directive imposes a strict requirement to do something, there may sometimes be scope for flexibility in interpreting the precise meaning. Moreover, the Directive expressly requires Member States to set out more precisely than the Directive itself does the conditions under which the processing of personal data is lawful. The Government would find it helpful to have at an early stage views on the way in which the scope for discretion which the Directive affords should be exercised in the United Kingdom, and any additional proposals for simplifying the existing regime.
1.4 A particular problem arises with those provisions of the Directive which are either unclear or open to a range of interpretations. The Government would welcome views on how this problem should be addressed. One approach would be to include a particular interpretation of the relevant provision in the implementing measure. An alternative would be to reproduce in the implementing measure the precise words used in the Directive, and to issue separately guidance on the interpretation of the provision.
1.5 In the light of the responses it receives, the Government will carry out a compliance cost assessment to determine the final form of the provisions to be contained in the new law. It would help this exercise if respondents were able to indicate now, necessarily in very general terms, where additional costs (both one-off and recurring) or savings would be likely to result from the application of the different provisions of the Directive.
CHAPTER 2
DEFINITIONS, SCOPE AND EXTENT (Articles 2-4)
DEFINITIONS
Article 2(a): Personal data
2.1 "Personal data" is defined as "any information relating to an identified or identifiable individual". Recital 14 makes clear that data in the form of sounds and images are included. The definition lists a number of factors by reference to which an individual may be identified. In the 1984 Act, an individual is "identifiable" only if the information allowing identification is held by the data user. Under the Directive, an individual is identifiable if any person at all holds data permitting identification. Recital 26 explains that, in deciding whether a person is identifiable, account should be taken of "all the means likely reasonably to be used either by the controller or by any other person".
2.2 The definition uses the familiar expression "data subject" to describe the individuals with whom the Directive is concerned. Although the definition is not expressly limited to living individuals, the Government has established that Member States have discretion whether or not to limit the application of the Directive in this way. The Government intends to limit the scope of the new law to living individuals.
Article 2(b): Processing
2.3 In section 1(7) of the 1984 Act, the term "processing" includes a relatively limited range of functions. In contrast, the definition in the Directive is all-encompassing. It includes anything done with personal data, whether or not by automatic means, from collection right through to destruction. It includes merely holding the data, whether or not any active function is performed upon them. Section 1(8) of the 1984 Act expressly excludes the preparation of text (eg word-processing) from the definition of "processing". There is no such exemption in the Directive.
Article 2(c): Filing system
2.4 This is the definition which determines the categories of manual record which come within the scope of the Directive. Article 3.1 explains that the only manual records which are covered are those which form part of a filing system or are intended to form part of such a system. The definition itself should be read alongside recital 27 which attempts to clarify the way in which the definition should be interpreted.
2.5 The definition identifies two crucial determining features. For sets of personal data to constitute a "filing system", they must be "structured" and "accessible according to specific criteria". Recital 27 says that for filing systems to be caught, they must be structured "according to specific criteria relating to individuals allowing easy access to the personal data". This suggests that the records must be set up in such a way as to enable a specific individual to be identified, without any elaborate cross-referencing or matching having to be done. The recital goes on to say that it is for Member States to establish the criteria which determine whether a set of personal data is "structured", and those which govern "access". Finally, the recital says that files (ie binders) or sets of files, as well as their cover pages, which are not structured according to specific criteria, do not come within the scope of the Directive.
2.6 Even with the elaboration in the recital, the Directive does not establish beyond doubt the precise categories of manual record which are covered. The flexibility which the Directive allows Member States in drawing up the criteria which will determine the scope of the definition is welcome. Nevertheless, it is not without problems, since difficulties could arise if incompatible approaches were adopted in different Member States. In considering how to apply this provision in the United Kingdom, the Government will have regard to the provision made in other Member States. Meanwhile it would welcome views on the interpretation of article 2(c) and recital 27, and on the criteria that should be used in drawing up the relevant provision in the United Kingdom.
The main players
2.7 In addition to the data subject, the Directive identifies four categories of persons who play some part in the processing of personal data. The definitions do not make clear beyond doubt exactly where the boundaries between the four categories lie.
Article 2(d): Controller
2.8 The term "controller" corresponds broadly to the term "data user" under the 1984 Act. The definition allows both individuals and organisations to be controllers. Recital 47 sets out who the controller is considered to be where messages are sent by telecommunications or electronic mail.
Article 2(e): Processor
2.9 It is not clear whether this definition includes employees of the controller. The definition of "third party" (see below), suggests that a processor is something more than an employee who routinely uses personal data in the course of his employment (eg a clerk in a personnel department). Its sense comes closer to that of "computer bureau" in the 1984 Act (ie an outside body which provides the controller with a processing service). This interpretation is supported by the description of the relationship between the controller and the processor in article 17.
Article 2(f): Third Party
2.10 This definition is relatively clear. However, whether or not certain employees (particularly in organisations with complex structures) are third parties may well depend upon who is the controller.
Article 2(g): Recipient
2.11 This term is a very broad one. It covers any person at all to whom personal data are disclosed, whether or not those persons work for the controller or processor or are third parties. Again, whether employees are recipients may depend upon who is the controller. The meaning of the second part of the definition is unclear.
Article 2(h): Consent
2.12 Unlike the 1984 Act, the Directive expressly recognises the data subject's consent as one of the grounds for processing data. The definition requires such consent to be "freely given, specific and informed". Later articles qualify the concept. Articles 7(a) and 26.1(a) refer to consent being given "unambiguously"; and article 8.2(a) refers to "explicit" consent. This latter reference suggests that in other circumstances implied consent is not ruled out. It is not clear what additional test the addition of "unambiguously" requires.
2.13 The Government would welcome views on the implications of these definitions, and in particular the criteria to be applied in determining the scope of the term "filing system".
SCOPE
2.14 Article 3.1 establishes that the Directive applies to personal data processed by automated means, and to certain categories of personal data processed by non-automated means (see paragraph 2.4 above).
2.15 The first subparagraph of article 3.2 makes clear that the Directive applies to processing operations carried out in the course of activities which come within the scope of Community law. It expressly provides that, wherever the parameters of Community law may lie at any given time, "processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law" are not covered by the Directive.
2.16 In considering this provision, it is important to have clearly in mind the fact that it relates to specific activities. Organisations most of whose activities are outside the scope of Community law may, nonetheless, still be involved in processing operations in relation to activities which are caught by Community law, and vice versa.
2.17 The Government will consider the implications of the Directive for the United Kingdom data protection law in its application to areas outside the scope of Community law in the light of the responses to this consultation document.
Personal/Household activities
2.18 The second subparagraph of article 3.2 exempts from the scope of the Directive processing operations carried out by an individual in the course of "a purely personal or household activity". Recital 12 gives as examples of such activities correspondence and the holding of records of addresses. This means, for example, that a list of names and addresses which an individual holds for the purpose of keeping in touch on a social basis with friends and relations would not be caught by the Directive. However, the same list held by an individual for a purpose connected with, say, the individual's business would be caught. The exemption corresponds broadly to that in section 33(1) of the 1984 Act.
2.19 The Government would welcome views on any problems anticipated in the application of article 3.
GEOGRAPHICAL EXTENT
2.20 One of the primary purposes of the Directive is to establish a common approach to data protection among all 15 Member States of the EU. This approach presupposes not only a consistent level of data protection in all 15 Member States, but also a means of ensuring that only one national law applies to any particular processing operation. The purpose of article 4 is to establish which national law is to apply in any particular case.
2.21 Whilst the intention underlying article 4 is clear, the practical effect of the article, read with recitals 18 to 21, is far from being certain. The following paragraphs set out one interpretation. Others may be possible.
2.22 The basic rule is that the law to apply in a particular case is the law of the Member State in which the controller is established. (The meaning of "established" is explained in recital 19.) A controller established in the United Kingdom and in no other Member State would be subject only to United Kingdom law, even though some of his processing operations were carried out in another Member State - for example, if the data were collected elsewhere.
2.23 However, a controller may be established in more than one Member State. In this case, the factor determining which law applies is the place of establishment of the "branch" for whose purposes the processing operation in question is carried out. Thus, in the case of a controller established in both the United Kingdom and, say, France, United Kingdom law would apply to all processing operations carried out for the purposes of the United Kingdom "branch", irrespective of where the processing took place. Similarly, French law would apply to all processing operations carried out for the purposes of the French "branch".
2.24 The controller may be established outside the territory of a particular Member State but in a place where that Member State's national law applies. In this case, the law of that Member State will apply to the processing.
2.25 The controller may be established outside the Community but may nonetheless be responsible for processing operations which are carried out within the Community. In this case, the national law to apply is the law of the Member State in which the equipment used for processing (eg a computer) is situated. Thus, a controller based in, for example, the United States, who carried out processing operations using equipment in the United Kingdom, France and Germany would be subject to the national law of each of those Member States in respect of the particular processing operations carried out using the equipment in the Member State in question. This provision does not apply where the equipment is used only for the purpose of transit "through the territory of the Community". Where controllers are situated outside the Community, they must designate a representative established on the territory of each Member State in which processing equipment is situated.
2.26 By virtue of article 4, processing which takes place in the United Kingdom may be subject to the law of another Member State. Article 28.6 provides that, despite the fact that another country's law applies, the United Kingdom's supervisory authority may take appropriate enforcement measures. These can include referring cases to the judicial authorities. It is possible in some circumstances for other countries' civil law to be applied in United Kingdom courts. Foreign criminal laws are not capable of being directly enforced in United Kingdom courts. Recital 21 explains that the provisions of the Directive on the applicability of national law are without prejudice to the normal rules of territoriality which apply in criminal matters.
2.27 While some of the provisions relating to geographical extent are clear enough, others are obscure and possibly ambiguous. There is, therefore, the potential for inconsistent approaches being adopted in different Member States. The danger is that this could make it possible either for the national law of more than one Member State to apply to a single processing operation, or for no Member State's law so to apply. The Government will consider what action might be necessary with its EU partners to deal with these difficulties.
2.28 The Government would welcome views on the interpretation of article 4, and how the identified problems could be avoided.
CHAPTER 3
THE MAIN RULES GOVERNING PROCESSING (Articles 6, 7, 10-13, 16 and 17)
DATA PROTECTION PRINCIPLES
3.1 The data protection principles established by the 1984 Act are a sort of statutory code of practice with which data users are required to comply. The principles themselves are set out in Part I of schedule 1 to the Act. Part II of the schedule contains some interpretative provisions. The Directive contains similar principles, although not in precisely the same form. Article 6.1 sets out principles which correspond broadly to the first six principles in the 1984 Act. (The seventh principle from the 1984 Act is dealt with in article 12 and the eighth in article 17.)
3.2 As with the 1984 Act, the data protection principles in article 6.1 establish the ground rules for the processing of personal data. Member States are required to provide that all processing of personal data must comply with them. However, the power provided by article 13.1 for Member States to specify exemptions applies to article 6.1 (see paragraphs 3.33-3.38 below).
3.3 In considering the effect of the principles it is important to bear in mind the much wider scope of the term "processing" in the Directive compared with the 1984 Act. Other differences from the principles in the 1984 Act are:
- the inclusion of a requirement in article 6.1(b) for data to be collected for explicit (as well as specified and legitimate/lawful) purposes;
- the inclusion in article 6.1(d) of a requirement for "every reasonable step" to be taken to erase or rectify inaccurate or incomplete data.
3.4 The 1984 Act contains provision broadly equivalent to article 6.1(b) and (e) which confirm that personal data collected for one purpose may be further processed, or stored for longer than the purpose requires, for historical, statistical or scientific purposes. However, the Directive contains the additional requirement that Member States must provide appropriate safeguards. Recital 29 amplifies the references to the need for safeguards. It says that the safeguards "must in particular rule out the use of the data in support of measures or decisions regarding any particular individual".
3.5 The Government would welcome views on the implications of applying article 6, and in particular on what the safeguards mentioned in article 6.1(b) and (e) might be.
CRITERIA FOR PROCESSING
3.6 Article 7 develops the principles set out in article 6 by establishing six criteria, at least one of which must be satisfied if processing is to take place lawfully. Meeting one or more of these criteria does not absolve the controller from the need to respect the data protection principles. The requirements of both articles must be satisfied, as must the other rules established by the Directive.
3.7 Article 7(a) provides that personal data may be processed if the data subject has given his consent "unambiguously" (see paragraph 2.12 above). This does not mean that all processing requires consent: article 7 provides five other criteria which justify processing, none of which require consent. These are likely to cover a very high proportion of processing operations.
3.8 Article 7(b), which relates to contracts, and (c), which allows processing where there is a legal obligation upon the controller, should be self-explanatory.
3.9 Article 7(d) allows processing which is necessary to protect the vital interests of the data subject. It is not clear whether the word "vital" should be given its everyday meaning of "having the highest importance" or its etymological sense of "essential to physical life". Recital 31 attempts to clarify the interpretation. However, its reference to "an interest which is essential for the data subject's life" is not conclusive. Some might think, for example, that avoidance of bankruptcy is "essential for the data subject's life".
3.10 Article 7(e) allows processing which is necessary for the performance of a task carried out "in the public interest or in the exercise of official authority". The expression "exercise of official authority" is difficult to define precisely in the abstract. It refers, broadly, to the functions of the State. Whether or not an activity is carried out "in the exercise of official authority" is likely to depend upon the circumstances of individual cases.
3.11 Article 7(f) introduces a "balance of interests" test. In essence, the balance is between, on the one hand, the legitimate interests of the controller in doing the processing; and, on the other, the data subject's interests or his "fundamental rights and freedoms" which might be put at risk by the processing. This is a very important provision since it is likely to be relevant to a very large proportion of processing. Recital 30 makes clear that Member States may determine the circumstances in which personal data may be used (sic) or disclosed to third parties either for legitimate, ordinary business activities or for the purposes of marketing.
3.12 Article 7(e) and (f) are subject to the provision in article 14(a) which allows the data subject to object to and secure the cessation of lawful processing "on compelling legitimate grounds" (see paragraphs 4.22 - 4.24 below).
3.13 The Government would welcome views on the implications of article 7 and in particular on:
- the tasks which come within the scope of the expression "carried out in the public interest or in the exercise of official authority" (article 7(e));
- the circumstances in which article 7(f) might apply.
INFORMING THE DATA SUBJECT
3.14 Like article 7, articles 10 and 11 elaborate the concept of fair processing. They require certain information to be provided to the data subject either where the data are collected directly from the data subject (article 10) or where they are collected from some other source (article 11). Although the 1984 Act contains no express corresponding provisions, the idea is not new: the Data Protection Registrar, supported by the Data Protection Tribunal, requires certain information to be provided in order to meet the data protection principles.
3.15 Articles 10 and 11 have a number of common features. Both require the information for the data subject to be provided by the controller or his representative. Both articles also relieve the controller of the need to provide the information where the data subject already has it. The Government takes the view that, in circumstances such as house to house surveys where data about everybody in the household are collected from just one person, the controller's responsibility under article 11 may often be capable of being discharged by the provision of the information through the person from whom the data are collected.
3.16 Under both articles it is a requirement for information about
- (a) the identity of the controller (and any representative); and
- (b) the purposes of the processing,
to be provided in all cases. Both articles require certain other information to be provided, but only where necessary in the circumstances to guarantee fair processing. The information to be provided to data subjects in these circumstances is slightly different as between the two articles.
3.17 Article 10 is silent on the question of the timing of the provision of the information. However, since it deals with collection of data directly from the data subject, it will, presumably, usually be convenient to provide the information when the data are collected. Article 11 requires the data to be provided either
- when the data are recorded; or
- if disclosure to a third party is envisaged, no later than the time of first disclosure.
3.18 The power provided by article 13.1 for Member States to specify exemptions applies to both articles (see paragraphs 3.33-3.38 below). In addition, article 11.2 provides a specific derogation which is not available under article 10. Subject to the provision of appropriate safeguards, the derogation applies
- where the provision of information proves impossible or involves a disproportionate effort; or
- where recording or disclosure is expressly laid down by law.
The article suggests that the derogation might be appropriate, in particular, for processing for statistical purposes or for the purposes of historical or scientific research. However, other cases are not ruled out. Recital 40 says that factors to be taken into account in assessing whether disproportionate effort would be involved include the number of data subjects, the age of the data and "any compensatory measures adopted".
3.19 The Government would welcome views on the implications of articles 10 and 11, and in particular on the safeguards and "compensatory measures" that should be provided where the derogation in article 11.2 is invoked.
SUBJECT ACCESS
3.20 Article 12 provides for a right of access by the data subject to the data about him which are being processed. This article corresponds to the seventh data protection principle in the 1984 Act, as developed in section 21 of the Act. In certain respects, however, it goes beyond what is required by the Act.
3.21 Article 12(a) requires the data subject to be able to exercise his right to obtain certain information from the controller "without constraint at reasonable intervals and without excessive delay or expense". The meaning of the words "without constraint" is not altogether clear. The German text of the Directive gives the expression the sense of "without impediment". The remainder of the requirement is similar to that in the 1984 Act. The Act explains that in assessing what "at reasonable intervals" means "regard shall be had to the nature of the data, the purpose for which the data are held and the frequency with which the data are altered". Broadly, the Act requires data users to provide the information requested within 40 days of receiving the details necessary for them to discharge the request. The Act also allows the Secretary of State to set the level of fee which may be charged by data users for providing the information. The maximum fee that may be charged is currently £10, although data users may set a lower fee or none at all should they choose to do so.
3.22 Like the 1984 Act, the first subparagraph of article 12(a) requires the data subject to be able to gain confirmation from the controller whether or not information about him is being processed. However, the Directive goes beyond the 1984 Act by requiring the data subject also to be able to gain information from the controller about the purposes of the processing, the categories of data concerned, and the recipients of the data.
3.23 The second subparagraph provides the data subject's right of access to the data themselves. The entitlement is to "communication in an intelligible form". This differs marginally from the 1984 Act which requires the data subject to be provided with an intelligible copy of the data.
3.24 The second subparagraph also requires the communication of "any available information" about the source of the data. Use of the word "available" indicates that controllers need not go out of their way to find this information if they do not already have it.
3.25 The 1984 Act contains no provision equivalent to that in the third subparagraph which requires the data subject to be able to gain access to the logic involved in automatic processing, at least in those cases to which article 15 applies (see paragraphs 4.29 - 4.33 below). Providing this information could, in some circumstances, be prejudicial to the controller's interests (for example, in the context of credit scoring). However, recital 41 explains that the right to be informed about logic "must not adversely affect trade secrets or intellectual property and in particular the copyright protecting software", provided that data subjects are not deprived of all information. The Government believes that this provides a safeguard for controllers in protecting business confidentiality. The specific reference to article 15 suggests that Member States have discretion whether to apply the requirement in other cases. The Government intends to limit the application of this provision to the cases covered by article 15.
3.26 The 1984 Act provides for data subjects to be able to secure the rectification or erasure of inaccurate data. Under article 12(b) the blocking of data whose processing does not comply with the requirements of the Directive becomes an alternative to rectification or erasure. ("Blocking" is understood to mean retaining the data, but preventing their further active processing.)
3.27 There is no equivalent in the 1984 Act to the right provided by article 12(c), to have third parties to whom the data have been disclosed notified of action taken under article 12(b).
3.28 The power provided by article 13 for Member States to specify exemptions applies to article 12 (see paragraphs 3.33-3.40 below).
3.29 The Government would welcome views on the implications of article 12, and in particular on
- whether the existing 40 day limit on dealing with subject access requests and the maximum £10 fee remain appropriate;
- whether the existing absolute requirement to provide a copy of an individual's data should be modified on the lines of the Directive requirement.
CONFIDENTIALITY AND SECURITY
3.30 Articles 16 and 17 deal respectively with the confidentiality and security of processing. Neither article has an exact equivalent in the 1984 Act, although article 17 is an elaboration of the eighth data protection principle.
3.31 The articles are largely self-explanatory and need little commentary. However, it is perhaps worth noting that the second subparagraph of article 17.3 leaves open the possibility of confusion as to which Member State's law is to apply where the processor is established in more than one Member State. (See discussion of article 4 in paragraphs 2.20 - 2.28 above.)
3.32 The Government would welcome views on the implications of these articles.
EXEMPTIONS
3.33 Article 13.1 allows Member States to provide exemptions from certain of the provisions described above in certain circumstances. The exemptions apply to
- the data protection principles (article 6.1);
- the requirement to provide information to data subjects (articles 10 and 11.1); and
- the subject access provisions (article 12).
Exemptions may also be provided from the requirement to provide information about processing operations in article 21 (see paragraphs 5.27-5.31 below).
3.34 The exemptions may be provided only where they are necessary to safeguard the matters set out in article 13.1. The matters mentioned in Articles 13.1(a), (b), (c) and, to some extent, (d) are expressly excluded from the scope of the Directive by article 3. The further reference to them here is in recognition of the possibility of processing operations carried out in the context of activities which are within the scope of Community law nonetheless bearing on matters of this kind.
3.35 The reference in article 13.1(d) to "regulated professions" is intended to cover those areas of work which are subject to some form of ethical code, whether statutory or self-regulatory. Examples might be the legal profession, architects, doctors or City institutions.
3.36 Article 13.1(e) should be self-explanatory.
3.37 The meaning of "exercise of official authority" in article 13.1(f) has already been discussed (see paragraph 3.10 above). It should be noted that the extent of this exemption is limited to monitoring etc functions carried out in relation to activities covered by article 13.1(c), (d) and (e). An example of the sort of functions covered might be the financial supervisory functions required by certain Council Directives (eg the Investment Services Directive).
3.38 The reference to "the rights and freedoms of others" in article 13.1(g) seems sufficiently broad to be capable of applying to the controller as well as to third parties.
3.39 Article 13.2 allows Member States to provide exemptions from the right of subject access and associated rights in article 12 (but not the other articles to which article 13.1 applies) in relation to data used for scientific research or for the purpose of creating statistics, in certain circumstances. Member States are required to provide "adequate legal safeguards". The paragraph gives as an example of such a safeguard, a requirement for data not to be used for taking measures or decisions in relation to any particular individual. There is also a requirement that there should be no risk of breaching the privacy of the data subject.
3.40 The Government would welcome comments on the implications of article 13. In particular it would welcome
- examples of activities which need to be covered by the exemptions in the article; and
- suggestions as to the sort of legal safeguards to be provided under article 13.2.
CHAPTER 4
SPECIAL CASES (Articles 8, 9, 14 and 15)
SENSITIVE DATA
4.1 Article 8 sets special rules for the processing of data which are regarded as being particularly sensitive. Such special rules are effectively new to United Kingdom law. Section 2(3) of the 1984 Act allows the Secretary of State to make special provision by order for certain categories of sensitive data, but it has not been found necessary to make use of this provision.
4.2 Article 8.1 sets out the categories of sensitive data to which the article applies. It places a complete prohibition on the processing of such data, but articles 8.2, 8.3 and 8.4 prescribe exemptions from that prohibition. Even if the requirements of article 7 are met, processing involving sensitive data may not take place unless one of these exemptions applies.
Where processing is permitted
4.3 Article 8.2(a) allows the processing of sensitive data where the data subject has given his explicit consent (see paragraph 2.12 above), except where national law prevents the data subject from giving consent.
4.4 Article 8.2(b) deals with the processing of sensitive data in the employment field. Such processing may take place only where it is necessary to carry out the controller's obligations and specific rights, and must be authorised by national law providing adequate safeguards.
4.5 Article 8.2(c) allows the processing of sensitive data to protect the vital interests of the data subject or of another person (see paragraph 3.9 above). However, this may take place only where the data subject is incapable of giving consent. This would seem to imply that processing may not take place where a person is capable of giving consent but chooses not to do so even though his own or a third party's vital interests are at stake. It cannot, however, have been intended that a person should be able to endanger the vital interests of a third party by refusing consent to processing. In this connection, the power provided by article 8.4 (see below) might be relevant.
4.6 Article 8.2(d) allows the processing of sensitive data by certain categories of non-profit seeking body in certain very limited circumstances and subject to the provision of appropriate guarantees.
4.7 Article 8.2(e) allows the processing of sensitive data where the data are "manifestly made public" by the data subject or where the processing is required in connection with legal claims.
4.8 Article 8.3 allows the processing of sensitive data which is required for various health-related purposes. The exemption applies only where the data are processed by people (be they health professionals or others) who are subject to an obligation of secrecy. This obligation must be laid down in law or in rules established by national competent bodies (e.g. professional associations). Not all circumstances in which it may be necessary to process data about health, even for health-related purposes, are covered by the exemption. For example, health research is not expressly covered (although it might be covered by the reference to preventive medicine). Moreover, insurance companies, employers, schools and some Government Departments process sensitive data of the kind in question in circumstances which may or may not be covered by the exemption. Some of the processing operations may be covered by other exemptions in article 8 (for example, article 8.2(b) in the case of employers). In other cases, there may be a need to seek an exemption on the ground of substantial public interest under article 8.4 (see below).
4.9 Article 8.4 allows Member States to specify further exemptions for reasons of "substantial public interest". Recitals 34-36 give some examples of what this expression might cover. (Recital 34 uses the word "important" rather than "substantial" but the context gives the words the same meaning.) These include public health and social protection, scientific research, Government statistics and political canvassing in the course of electoral activities. In each case suitable safeguards have to be provided. Article 8.4 expressly allows Member States to provide for these exemptions by means of national law or by decision of the supervisory authority.
4.10 The Government would welcome views on the scope of the exemptions provided for in article 8.2 to 8.4, and in particular on
- (a) what employment-related activities should be covered by article 8.2(b) and what the nature of the safeguards should be;
- (b) the nature of the guarantees to be provided in regard to article 8.2(d);
- (c) what activities should be prescribed under article 8.4 as being of "substantial public interest", and what the nature of the safeguards should be.
Criminal records
4.11 Article 8 does not include criminal records within the general category of sensitive data. However, the first part of article 8.5 establishes special rules which apply to the processing of "data relating to offences, criminal convictions or security measures". The processing of such data is allowed only if it is carried out under the control of official authority (see paragraph 3.10 above). However, derogations from this basic rule are permitted subject to the provision of suitable specific safeguards. In addition, complete registers of criminal convictions may be kept only under the control of official authority. There is no provision allowing Member States to derogate from this requirement.
4.12 The second part of article 8.5 allows Member States to provide that data relating to administrative sanctions or civil trials may be processed only under the control of official authority. The Government does not intend to introduce such a requirement.
4.13 The Government would welcome views on the implications of the first part of article 8.5, and in particular on
- (a) the circumstances in which data relating to offences etc need to be processed otherwise than under the control of official authority;
- (b) the nature of the appropriate "specific" safeguards.
National identification number
4.14 Article 8.7 requires Member States to determine the conditions under which a national identification number "or any identifier of general application" may be processed. The Directive gives no guidance on the nature of the conditions that might be appropriate.
4.15 The possibility of introducing a separate national identification number was one of the issues considered in the Government's consultation document on identity cards published in May 1995 (Cm 2879). If the Government does introduce some kind of identity card scheme, it would need to be decided whether this should be accompanied by a national identity number, and, if so, whether the number should be shown on the card. It is not clear whether the provision also applies to other sorts of personal identifiers, such as national insurance and NHS numbers. The Government will consider further whether the Directive applies to these or any other existing numbers, and, should the need arise, what the nature of the conditions for their use should be.
JOURNALISM AND ARTISTIC OR LITERARY EXPRESSION
4.16 Article 9 requires Member States to provide exemptions from certain provisions of the Directive for processing which is carried out solely for journalistic purposes or the purpose of artistic or literary expression. The requirement is not absolute. The exemption must be necessary to reconcile "the right to privacy with the rules governing freedom of expression". At the same time, where there is a need to provide exemptions in order to strike the balance between privacy and freedom of expression, Member States must do so.
4.17 Exemptions may be provided from chapter II (ie articles 5 to 21, which contain the main rules governing processing); chapter IV (ie articles 25 and 26 which relate to transfers of data to countries outside the EU); and chapter VI (ie articles 28 to 30 which deal with the powers of the supervisory authority and the EU-wide working party of representatives of all supervisory authorities). However, recital 37 says that Member States should not provide exemptions from "the measures to ensure security of processing" (ie article 17). It also says that the supervisory authority should retain what it describes as "certain ex-post powers" in respect of processing to which the exemptions provided under article 9 apply. It gives as examples of such powers, the publication of the supervisory authority's regular reports, or the reference of matters to the judicial authorities. Recital 17 confirms that the processing of sound and image data carried out for the relevant purposes comes within the scope of article 9.
4.18 Provision of this kind will be new to United Kingdom data protection law. The 1984 Act applies to journalists and others who engage in artistic and literary activities to the same extent as it applies to any other users of computerised personal data.
4.19 The Directive is silent on how the balance between privacy and freedom of expression is to be struck. Clearly, a requirement for a case by case assessment to be made in advance by a third party would be impracticable, given the nature of journalism. It could also threaten the fundamental principle of journalistic independence. At the same time, it is clear that a blanket exemption for the press would not be compatible with the Directive.
4.20 The Government would welcome comments on the implications of article 9, and in particular on
- (a) the scope of the expressions "journalistic purposes" and "the purpose of artistic or literary expression";
- (b) the considerations which should be taken into account in balancing privacy with freedom of expression, and the mechanism by which the balance should be struck.
THE DATA SUBJECT'S RIGHT TO OBJECT
4.21 Article 14 requires Member States to give data subjects an express right to object to the processing of their personal data in certain circumstances.
- (a) Compelling legitimate grounds
4.22 Article 14(a) requires the data subject to be able to object to the lawful processing of his personal data "on compelling legitimate grounds relating to his particular situation". Where the objection is justified, the processing involving the individual's data must cease. This right must be available in respect of processing which is based on article 7(e) or (f) (see paragraphs 3.10 and 3.11 above). Member States may extend the right to processing carried out on other grounds, but the Government does not intend to do so. They may also specify in national legislation circumstances in which the right is not available even in respect of processing carried out under article 7(e) or (f).
4.23 This provision will be new to United Kingdom data protection law, and we have no experience of the sort of considerations which might justify the provision being invoked. An example given during the negotiations was of data which, although processed in all respects in accordance with the requirements of the Directive, would in practice be likely to come into the hands of persons known to the data subject.
4.24 The Government would welcome views on the implications of article 14(a), and in particular on
- (a) the sort of circumstances which might constitute "compelling legitimate grounds" for an objection;
- (b) the circumstances in which national legislation should provide that the right to object should not be available, in relation to articles 7(e) and (f).
- (b) Direct marketing
4.25 The processing of personal data for direct marketing purposes is covered by the Directive in the same way as any other processing of personal data. In addition, article 14(b) requires data subjects to have the right to object to such processing. It offers two variants between which Member States may choose.
4.26 The first variant is for Member States to provide a simple right for the data subject to ask the controller not to process his data for direct marketing purposes. Data subjects must be able to exercise this right free of charge. Member States are required to take steps to ensure that data subjects are aware of the right.
4.27 The second variant is less straightforward. It gives the data subject the right to be informed, and to be offered the right to object in two sets of circumstances: before his personal data are disclosed for the first time to third parties for direct marketing purposes; and before his personal data are used on behalf of third parties for direct marketing purposes. Thus, a controller may not disclose personal data to any other person for use for direct marketing purposes, unless the data subjects concerned have been informed of the controller's intention to disclose their data for this purpose. Similarly, he may not use personal data himself for direct marketing on behalf of another person without the data subjects having been informed. In both cases, the data subject must expressly be offered the right to object, free of charge.
4.28 The Government would welcome views on the implications of this provision and in particular on which variant should be adopted in the United Kingdom.
AUTOMATED DECISION-TAKING
4.29 A further novel feature of the Directive is the requirement in article 15 that every person should have the right not to have certain decisions made about him which are based solely on automatic processing. By virtue of article 15.1 the decisions which can be prohibited are those:
- which produce legal effects concerning the data subject or significantly affect him; and
- which are based solely on automated processing of data; and
- where the processing is intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct etc.
4.30 Article 15.2 provides exemptions from the right described above. These apply where:
- there is a contractual arrangement and either the request made by the data subject has been granted (e.g. his application for credit has been approved), or there are suitable measures to safeguard his legitimate interests (e.g. arrangements allowing him to defend his point of view); or
- the decisions are authorised by a law which also lays down measures to safeguard the data subject's legitimate interests.
4.31 It should be recalled that the third subparagraph of article 12(a) expressly requires data subjects to be able to gain knowledge of the logic involved in the decision-making to which article 15 applies (see paragraph 3.25 above).
4.32 The precise scope of the right provided by article 15.1 is far from clear. The expressions "produces legal effects", "significantly affects" and "certain personal aspects relating to him" are all very imprecise.
4.33 The Government would welcome views on the implications of article 15, and in particular on
- (a) the categories of decision to which the article should be taken as applying;
- (b) the nature of the safeguards for the data subject's legitimate interests;
- (c) the categories of decision which should be authorised by law.
CHAPTER 5
NOTIFICATION/REGISTRATION (Articles 18-21)
5.1 Article 18.1 requires Member States to provide for controllers to notify the supervisory authority (see Chapter 6, below) before they process personal data. This notification requirement corresponds broadly to the registration requirement under the 1984 Act. It applies only to automatic processing operations. Article 18.5 allows Member States to choose whether or not to require the notification of non-automatic processing operations (see paragraph 5.15 below).
EXEMPTIONS AND SIMPLIFICATION
5.2 Article 18.2 sets out the circumstances in which Member States may provide exemptions from, or simplification of, the notification requirement. There is nothing corresponding to this flexibility in the 1984 Act. The Government takes the view that registration under the 1984 Act has been an unnecessarily burdensome requirement for many data users. It welcomes the work which the Data Protection Registrar is doing to simplify the present arrangements within the constraints imposed by the 1984 Act. Consistent with the needs of business and other data users, the Government intends to make full use of the scope which the Directive offers for easing still further the present burden of registration.
5.3 The Directive envisages two broad approaches to exemption/simplification: a system under which Member States specify the processing operations which are exempt or to which the simplified arrangements apply; and a system involving "in-house" data protection officials.
- (a) Specification by the Member State
5.4 The first indent of article 18.2 deals with the power for Member States to specify exemption/simplification. This power applies only to categories of processing operation "which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects". In identifying the categories of processing operation which are to benefit from the exemption/simplification, Member States must specify:
- the purposes of the processing;
- the data or categories of data undergoing processing;
- the category or categories of data subject;
- the recipients or categories of recipient to whom the data are to be disclosed;
- the length of time the data are to be stored.
5.5 Member States may provide either exemptions or simplification or a combination of both. In considering which option to follow, it will be relevant to bear in mind the requirement in article 21 for certain information about processing operations to be publicly available. The information in question is all that mentioned in article 19.1(a) to (e). In the case of simplified notifications, it may be possible to discharge this requirement by including the relevant information in the publicly accessible register which the supervisory authority is required to maintain. However, for exempt processing operations, the controller will have to arrange for the information to be made available on request.
5.6 The Government would welcome views on
- (a) the categories of processing operation which should be brought within the scope of the exemption/simplification arrangements;
- (b) whether provision should be made for exemption or simplification or both.
- (b) "In-house" data protection official
5.7 The second indent of article 18.2 reflects the position in Germany. There the law provides for certain data protection supervisory functions to be carried out by specially appointed data protection officials working within organisations. These "in-house" officials are required to be fully independent of the organisation within which they operate. The appointment of such officials removes the need for the supervisory authority to become involved in at least some of the supervisory functions in respect of the organisation in question.
5.8 The Directive provides for exemption/simplification in relation to notification where such an independent "in-house" official has been appointed. The Directive requires the official to take on responsibility for ensuring that the normal data protection rules are complied with, and to maintain a register of the controller's processing operations.
5.9 In the absence of experience of operating such a system in the United Kingdom it is difficult to assess its value. The Government recognises, however, that there might be some interest in adopting this model, particularly among organisations which already have specialist data protection officers.
5.10 The Government would welcome views on whether provision should be made for controllers to appoint "in-house" data protection officials.
- (c) Registers
5.11 Article 18.3 empowers Member States to exempt from the notification arrangements processing whose sole purpose is the keeping of registers which "according to laws or regulations" are intended for public consultation. Article 21.3 further allows Member States to exempt such processing from the requirement to provide information to the public under that article. An example of a register coming within the scope of the exemption would be the electoral register. The Government intends to make provision for the general application of these exemptions to all registers which meet the criteria set by the Directive.
5.12 The Government would welcome further examples of registers whose processing should be exempted from the notification requirement under article 18.3 and the requirement to provide information under article 21.3. It would be helpful also to have information about the enactment under which the register is kept.
- (d) Sensitive data
5.13 Processing operations involving sensitive data (see article 8.1) are not expressly excluded from the exemption/simplification arrangements under article 18.1. However, article 18.4 expressly allows exemption/simplification for those processing operations involving sensitive data to which article 8.2(d) applies (ie certain processing operations by voluntary organisations). The relationship between the two paragraphs is unclear.
5.14 The Government would welcome views on the implications of article 18.4 for the notification of processing operations involving sensitive data.
- (e) Non-automatic processing operations
5.15 The general requirement to notify does not apply to non-automatic processing operations (i.e. those involving manual data held in filing systems). Article 18.5 explains that it is for Member States to choose whether or not to apply the notification arrangements to such operations. As noted in paragraph 5.5 above, in considering whether or not to apply the arrangements, it is relevant to bear in mind the transparency requirements in article 21. That is to say, there may be benefits in notification/registration for some data users, which may outweigh the bureaucratic disadvantages.
5.16 The Government would welcome views on whether any non-automatic processing operations should be notified.
INFORMATION TO BE NOTIFIED
5.17 Article 19 sets out the information which is required to be provided to the supervisory authority under the notification arrangements. The information listed is similar to that which is required to be registered under section 4 of the 1984 Act, but there are some differences: the Directive does not require the provision of information about the sources of the data, nor does it require a description of the data subjects to whom the data relate.
5.18 A further difference is that article 19.1(f) requires controllers to provide general information about security measures. Concern has been expressed that this might put at risk the effectiveness of those measures. It is important to note that the information about security is not required to be included in the register to be maintained by the supervisory authority under article 21.2. The Government does not intend that it should be.
5.19 Article 19.2 requires Member States to specify the procedures for informing the supervisory authority of any changes affecting the information with which the supervisory authority has been provided under the notification arrangements. The 1984 Act allows a data user at any time to apply to the Registrar for alteration of any particulars contained in his register entry. It puts a duty on the data user to make such an application where he changes his address. Failure to do so is a criminal offence.
5.20 The Government would welcome views on the implications of article 19.
PRIOR CHECKING
5.21 Article 20 requires Member States to have a system of prior checking by the supervisory authority (or the "in-house" data protection official) of processing operations "likely to present specific risks to the rights and freedoms of data subjects". It also provides for the prior checking requirement to be carried out by Member States in the course of preparing primary or secondary legislation. There is no prior checking requirement in the 1984 Act.
5.22 Prior checking could impede the speedy and efficient discharge of the business to which the processing operations in question relate. The Government therefore intends to apply this requirement only to those processing operations in respect of which there is a clear and real risk. Recital 54 makes clear that such processing operations will be very few indeed. It says that "with regard to all the processing undertaken in society, the amount posing such specific risks should be very limited". Recital 53 says that the nature, scope or purposes of the processing operation will be relevant to this decision. By way of example, it mentions the exclusion of individuals from a right, benefit or a contract, and the specific use of new technologies.
5.23 Article 20 is silent on the powers which the supervisory authority (or the "in-house" official) should have in relation to data which are subject to prior checking. Recital 54 appears to leave open the possibility of two courses of action: giving an opinion on the processing; or giving an authorisation for the processing to go ahead. The latter implies that there should also be a power to refuse to authorise the processing. Consistent with its intention to keep the effect of prior checking to a minimum, the Government believes it preferable to give the supervisory authority a power to give an opinion rather than to authorise processing. However, the precise arrangements to be made will need to be consistent with the general enforcement regime (see chapter 6 below).
5.24 Article 20 does not specify the time period within which the prior check must be carried out. There is a balance to be struck between the need of the controller for the check to be carried out swiftly and the ability of the supervisory authority to do so, having regard to the resources available. The Government will determine the time limit in the light of views which are expressed in response to this paper. It will also consider what the mechanism should be to ensure that the supervisory authority completes the check within the set period.
5.25 The Government notes the provision in the Directive for prior checking to be done during the course of preparing primary or subordinate legislation. It is unclear at present exactly how this procedure might operate. The Government will give it further consideration.
5.26 The Government would welcome views on the implications of article 20, and in particular on
- the categories of processing operation which are likely to present specific risks, including the possible implications of new technologies;
- within what time period the supervisory authority should be required to give its opinion.
TRANSPARENCY
5.27 Article 21 deals with the transparency of processing operations. The power provided by article 13.1 for Member States to specify exemptions applies to this article (see paragraphs 3.33 - 3.38, above).
5.28 Article 21.1 requires Member States to take measures to ensure that processing operations are publicised. It is not clear what publicity arrangements are envisaged. In particular, it is not clear whether something more than inclusion in the register held by the supervisory authority (see below) is required.
5.29 Article 21.2 requires the supervisory authority to maintain and make publicly available a register of processing operations notified to it. The register must include all the information specified in article 19.1, except information about security arrangements (article 19.1(f)).
5.30 Article 21.3 requires arrangements to be made for the public to gain access to the information where processing operations are not notified. This may be done either by the data controller or by another body appointed by the Member State. For those processing operations which are not notified, controllers will need to consider how to discharge both this requirement and that to give publicity to their processing operations. A range of approaches may be desirable. For example, some organisations may choose to produce tailor-made material giving information about data protection to their customers and others. Others may decide to include information about processing operations in more general publicity information. Some organisations may find these devices burdensome, and they will wish to consider whether the benefits to be gained from notification outweigh any perceived drawbacks.
5.31 Article 21.3 provides a power to derogate in respect of publicly available registers (see paragraph 5.11 above).
5.32 The Government would welcome views on the implications of article 21.
TRANSITIONAL ARRANGEMENTS
5.33 The Government recognises that there is likely to be a need for special arrangements to cater for the transition from the existing registration system to the new notification system introduced under the Directive. It will consider what these arrangements should be in developing proposals for the new system in the light of responses to this paper.
CHAPTER 6
ENFORCEMENT (Articles 22-24, 27 and 28)
EXISTING ARRANGEMENTS
6.1 Under the 1984 Act, the enforcement arrangements are broadly as follows.
- Data users are required to register with the Data Protection Registrar.
- The Registrar has the power to refuse applications for registration in certain circumstances. Holding personal data without being registered is an offence. Knowing or reckless failure to comply with the terms of the register entry is also an offence. Offences are punishable with a fine, whose maximum level varies according to the jurisdiction of the court and the nature of the offence. In some cases, the court has the power to order the forfeiture, destruction or erasure of data material. The Registrar is a prosecuting authority for the purposes of the 1984 Act.
- Where breaches of the data protection principles are alleged, individuals may complain to the Registrar. The Registrar may, and in some cases must, investigate the complaint.
- Where the Registrar believes that the data protection principles are being breached by registered data users, she may issue one of three types of formal notice requiring the data user to take certain action. Non-compliance with the notices is a criminal offence. Data users may appeal against the notices to the Data Protection Tribunal. Appeals against the Tribunal's decisions on points of law may be made to the courts.
- Individuals may go direct to court to seek subject access where this has been refused by the data user; to seek compensation; or to seek the rectification or erasure of inaccurate data. Compensation is available only for damage and distress caused by the inaccuracy, loss, unauthorised destruction or unauthorised disclosure of personal data.
THE DIRECTIVE'S REQUIREMENTS
6.2 For the most part, the enforcement provisions of the Directive are relatively flexible. The Directive establishes general requirements, but leaves it to Member States to determine what precise arrangements to adopt.
- (a) Judicial remedies
6.3 Article 22 says that the data subject must have the right "to a judicial remedy for any breach of the rights guaranteed by the national law applicable". This must be available "without prejudice to any administrative remedy" which may be provided prior to referral to the judicial authority.
- (b) Compensation
6.4 Article 23 requires compensation to be available from the controller for damage caused by any breach of the national provisions giving effect to the Directive. Unlike the 1984 Act, the Directive contains no express provision relating to the payment of compensation for distress. There is a defence against the requirement for the controller to pay compensation if he can prove that he is not responsible for the event giving rise to the damage.
- (c) Sanctions
6.5 Article 24 leaves the choice of enforcement measures and sanctions to the discretion of Member States.
- (d) Supervisory authority
6.6 Article 28.1 requires each Member State to have at least one independent (public) supervisory authority responsible for monitoring the application of the national provisions giving effect to the Directive.
6.7 Article 28.2 requires the supervisory authority to be consulted when "administrative measures or regulations" relating to data protection are drawn up.
6.8 Article 28.3 specifies the powers which the supervisory authority is to have. It must have:
- investigative powers, such as the power of access to personal data and the power to collect all the information necessary for the performance of its duties;
- effective powers of intervention, such as the power to give and publish opinions in connection with prior checking, the power to order the blocking, erasure or destruction of data, the power to suspend or prohibit processing etc;
- the power to engage in legal proceedings in respect of breaches of the Directive, or to bring such breaches to the attention of the judicial authorities.
There must be a right of appeal through the courts against the supervisory authority's decisions.
6.9 Article 28.4 requires the supervisory authority to "hear claims" from individuals, particularly where these go to the lawfulness of processing where the exemptions provided in accordance with article 13 apply.
6.10 In addition the supervisory authority must:
- publish regular reports on its activities (article 28.5);
- have the power to take enforcement action where processing takes place in the United Kingdom, even though another Member State's law may apply (article 28.6 first sub-paragraph);
- cooperate with other Member States' supervisory authorities (article 28.6 second sub-paragraph);
- provide that its members and staff are subject to a duty of professional secrecy (article 28.7).
- (e) Codes of conduct
6.11 Article 27 requires Member States to encourage the production of codes of conduct, and to empower the supervisory authority to consider them and seek data subjects' views on them.
CHANGES TO THE PRESENT ARRANGEMENTS
6.12 If they were to be made the basis for the new law, the present arrangements would need some adjustment in order to accommodate specific Directive requirements. However, given the Government's intention to keep to a minimum the burdens flowing from data protection requirements, the question arises whether the present arrangements are the correct model to follow in the new law or whether more extensive changes are desirable.
6.13 The Government has already begun the process of reviewing the present enforcement powers of the Registrar, in its proposal to submit them to the procedures contained in section 5 of the Deregulation and Contracting Out Act 1994. Further modifications might be desirable. For example, there might be a case for requiring the supervisory authority to seek the view of the Data Protection Tribunal before issuing a formal "action" notice in some or in all instances. It would be for consideration whether the supervisory authority should retain the power to issue formal "action" notices in all cases, or, indeed, whether this form of enforcement mechanism remains appropriate at all.
6.14 Other changes might be appropriate. It might be helpful to enable the Tribunal to give an opinion, in advance, on new forms of data processing which have not yet been brought into operation. Or it might be appropriate to require individuals in all cases (even those where a direct right of access to the courts is currently available) to take complaints to the supervisory authority in the first instance. That would allow the opportunity for the supervisory authority to seek to negotiate remedial action before the formality of the law courts was involved. This would appear compatible with the Directive, which expressly provides that individuals' right to seek a judicial remedy for breach of their rights is without prejudice to any administrative remedy that may be available.
6.15 In considering the new enforcement regime, it will be important to ensure consistency with the new notification arrangements. For example, as already noted, the Registrar currently has the power to refuse applications for registration in certain circumstances. One of the grounds for refusal is that the Registrar is satisfied that the applicant is likely to breach the data protection principles. The question arises whether, under the new arrangements, the supervisory authority should have the power to refuse notifications on this, or a similar, ground. Further, compliance with register entries is currently enforced by means of criminal sanctions. It is for consideration whether this approach will remain appropriate under the new arrangements.
6.16 The Government would welcome views on the implications of articles 22 to 24, 27 and 28. In particular it would welcome views on whether the enforcement model provided by the 1984 Act remains acceptable, or whether any modifications might be desirable.
CHAPTER 7
TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES (Articles 25 and 26)
7.1 The basic principle set by article 25 is that personal data may only be transferred to third countries which provide an adequate level of data protection. Article 26 sets out a number of exceptions to this rule, by specifying circumstances in which personal data may be transferred to third countries which do not provide an adequate level of data protection. These exceptions are wide-ranging, and the Government believes that the number of cases in which transfers have to be prohibited because of the inadequacy of data protection in third countries is likely to be small. Controllers wishing to transfer personal data outside the EU will, therefore, probably find it most convenient to consider first whether their proposed transfers come within the scope of the exceptions. Only if they do not will controllers need to consider the question of adequacy.
TRANSFERS TO ANY COUNTRY
7.2 Article 26.1 requires Member States to allow the transfer of personal data to all third countries, whether or not they provide an adequate level of data protection, in certain circumstances. (The requirement does not apply where national law expressly provides otherwise in particular cases.) Transfers may take place:
- Article 26.1(a): Where the data subject has consented "unambiguously" (see paragraph 2.12, above).
- Article 26.1(b): Where the transfer is required by a contractual (or pre-contractual) arrangement to which the data subject is a party. This provision mirrors the ground for processing personal data in article 7(b).
- Article 26.1(c): Where the transfer is required to fulfil a contract between the controller and a third party which is in the data subject's interest.
- Article 26.1(d): Where the transfer is "necessary or legally required" on important public interest grounds, or for the establishment etc of legal claims. The second limb mirrors the provision in article 8.2(e). Recital 58 gives as examples of important public interest grounds, transfers of data between tax or customs administrations, or between services competent for social security matters. (For use of the word "important" rather than "substantial" as in article 8.4, see paragraph 4.9 above.)
- Article 26.1(e): Where the vital interests of the data subject need to be protected. This provision is similar to that in article 7(d).
- Article 26.1(f): Where the transfer is made from a public register, subject to two provisos. First, the article itself specifies that the conditions laid down in law for consultation of the register must be fulfilled in a particular case. This presumably means that the people to whom the transfer is to be made in the third country would be entitled to see the register or part of it were they in this country. Second, recital 58 says that the transfer should not involve all the data in the register or all the data in particular categories contained in the register.
7.3 In addition article 26.2 allows Member States to authorise transfers to third countries with an inadequate level of protection where the controller provides sufficient guarantees to ensure that the rights and freedoms of individuals are protected. The article says that the guarantees could, for example, be provided by appropriate contractual clauses.
7.4 There are a number of ways in which authorisations under article 26.2 could be provided. The Secretary of State could prescribe categories of guarantee which were sufficient to allow transfers. Alternatively, the supervisory authority could be made responsible for establishing such categories of guarantee. These approaches would be consistent with article 26.4 which allows the Commission to draw up standard contractual clauses which offer the necessary guarantees. A third, and probably less satisfactory, option would be to require authorisation to be given on a case by case basis by the supervisory authority.
7.5 Article 26.3 requires Member States and the Commission to inform each other of authorisations granted under article 26.2. If a Member State or the Commission objects to the authorisations "on justified grounds", the Commission may, in accordance with the procedures laid down in article 31 (ie after consultation with, and with the agreement of, Member States), take "appropriate measures" with which Member States are required to comply. The Directive gives no guidance on what "justified grounds" for objecting to authorisations might be, nor on the measures which the Commission may decide to take.
DETERMINING "ADEQUACY"
7.6 Transfers made in the circumstances described above are exempted from the principle established by article 25.1 that transfers of personal data to third countries which do not provide an "adequate" level of data protection are prohibited. Article 25.1 specifies that this arrangement applies both to personal data already undergoing processing within the EU, and to those intended for processing after the transfer has taken place. The second category is specifically mentioned in order to cover the collection and storage of personal data which do not constitute "processing" within the meaning of the Directive. For example, personal data collected and stored manually otherwise than in a filing system are not "processed" within the meaning of that term in the Directive. However, article 25 applies to them if they are to be transferred to a third country where they will be "processed".
7.7 Article 25.2 deals with the determination of adequacy. Each transfer or set of transfers has to be considered on a case by case basis, according to a long list of criteria. It is apparent from this that the level of data protection in a particular country may be assessed as being adequate in certain circumstances but not in others. For example, the protection may be adequate for the transfer of data to provide a service of one kind, but not of another kind (although the data may be exactly the same).
7.8 This raises the question how a data controller is to decide whether the country to which he proposes to transfer data offers an adequate level of protection for that particular transaction. The Government believes it would be helpful if, so far as possible, central arrangements within the United Kingdom could be established to guide controllers in these decisions. The objective would be to identify countries where data protection is adequate for transfers, either for all purposes, or for specified purposes or categories of data. For example, there will be some third countries with data protection laws which meet the requirements of the Council of Europe Convention on data protection, where the controller can probably be confident that an adequate level of protection exists for all types of automated transaction. There may also be countries which have no national data protection law of universal application, but which have sectoral laws which afford adequate protection in particular circumstances.
7.9 Not all transfers would necessarily be covered by these arrangements. There might still be a need to make individual decisions about the adequacy of protection in some third countries in respect of some transactions. In these cases, the Government believes that it should be left to the controller to take a view on the question of adequacy having regard to the factors which are set out in article 25.2, and to proceed in the light of that assessment. Any necessary checks by the supervisory authority would be carried out after the event. The Government does not favour the alternative - prior authorisation by the supervisory authority - because of the disruption and delay which would be caused to day-to-day business.
7.10 Article 25.3 requires Member States and the Commission to inform each other of cases where they consider that a third country does not have an adequate level of protection. The Government proposes that the supervisory authority should be charged with informing other Member States and the Commission where it takes the view that protection in a third country is inadequate.
7.11 The remainder of the article deals with the procedural arrangements under which the Commission may find, in accordance with the procedure laid down in article 31, that a third country has or does not have an adequate level of data protection. Where the Commission finds that the protection in a given case is inadequate, Member States are required to take the necessary measures to prevent "any transfer of data of the same type" to the third country in question.
7.12 The Government would welcome views on the implications of articles 25 and 26, and in particular on
- (a) the method of authorising transfers under article 26.2 and the nature of the guarantees;
- (b) whether arrangements should be made in the United Kingdom for the central determination of "adequacy" under article 25.2.
CHAPTER 8
TRANSITIONAL ARRANGEMENTS (Article 32)
8.1 Article 32.1 requires national provisions to be in force by no later than three years after the date of adoption of the Directive (i.e. by 24 October 1998). (That date is referred to in this chapter as the "national implementation date".) It goes on to specify transitional arrangements.
ALL PROCESSING OPERATIONS
8.2 The first paragraph of article 32.2 provides (subject to some further derogations for manual records, see below) that processing which is already under way at the national implementation date need not be brought into compliance with the new law until three years after that date. Where existing processing is to continue beyond the transitional period, all necessary steps to ensure that the processing (including merely storing the data) is in accordance with the new law will have to be taken by the controller during this period. For example, the controller will have to comply with the requirements of articles 10 and 11 and to check that the criteria justifying the processing under articles 7 or 8 are met. (In the case of automated data, additional checks for compliance with the data protection principles in article 6 are unlikely to be necessary since the principles in the Directive are very similar to those in the 1984 Act.)
8.3 Recital 69 requires the national provisions to be applied "progressively" to processing operations which are already under way at the national implementation date. Presumably the intention is to prevent controllers waiting until the end of the transitional period before ensuring compliance with the national provisions. As a matter of good management practice, the best approach is likely to be to check compliance as and when the data are actively used.
8.4 Recital 70 provides a little relief from this task. It explains that, where, before national implementation date, the data subject has given his consent to the processing of sensitive data for the performance of a contract, it will not be necessary for the controller to seek the consent of the data subject again in order to continue processing the data.
MANUAL RECORDS
8.5 The second paragraph of article 32.2 provides special transitional arrangements for the processing of personal data held in manual records in filing systems. This processing benefits from the normal three year transitional arrangements described above. A further limited derogation is allowed for these data for the period up to 12 years from the date of adoption of the Directive (i.e. until 24 October 2007).
8.6 By the end of the normal three year transitional period, all the provisions of the Directive have to be complied with except articles 6, 7 and 8. Data stored in filing systems at the national implementation date do not need to be brought into compliance with those three provisions until the end of the 12 year period. However, recital 69 puts a gloss on this. It says that compliance with those three provisions must be ensured when such data are "manually processed" during the extended transitional period. (The use of the term "manually processed" is curious. It should perhaps be interpreted as meaning "actively processed" - ie not merely being stored.)
8.7 The subparagraph confirms that, during the extended transitional period for ensuring compliance with articles 6, 7 and 8, data subjects are entitled to secure the rectification, erasure or blocking of their personal data which are incomplete, inaccurate or improperly stored.
8.8 Over the years, some organisations have built up large collections of manual records containing personal data which are covered by the provisions of the Directive. In some cases, these may need to be retained for legal or other reasons, although very few if any of them may ever be actively used. Where very large quantities of records are concerned, even the extended 12 year transitional period may be inadequate to allow the controller to check that the relevant provisions are being complied with in respect of all the records, without incurring wholly disproportionate cost.
8.9 During negotiations on the Directive, the Council and the Commission took note of this problem. They made a joint statement to the effect that, in these specific circumstances, at the end of the 12 year transitional period, controllers must take all reasonable steps relating to the requirements of articles 6, 7 and 8, which do not prove impossible or involve a disproportionate effort in terms of cost. The statement drew attention to the need for controllers to bear in mind the need to ensure the protection of the rights and freedoms of individuals.
8.10 It may be necessary to rely on this statement in only a very small number of cases. During the 12 year transitional period for manual records, it should be possible in almost every case for controllers either to destroy manual records or to make sure that they are brought into compliance with the relevant provisions of the Directive. The Government proposes, however, to take reserve powers to deal with the issue, in the spirit of the Council/Commission statement, if this should prove necessary.
HISTORICAL RESEARCH
8.11 Article 32.3 allows Member States to provide that, subject to suitable safeguards, the processing of data kept for the sole purpose of historical research need not be brought into conformity with articles 6, 7 and 8 of the Directive even at the end of the extended transitional period.
8.12 The Government would welcome views on the implications of the transitional arrangements, and in particular on the nature of the safeguards required by article 32.3.