An outline of the European Data Protection Directive
Dr. Ian Lloyd
Date of publication: 31 January 1996
Citation: I. Lloyd, An outline of the European Data Protection Directive, 1996, 1 The Journal of Information, Law and Technology (JILT), 1996. <http://elj.warwick.ac.uk/elj/jilt/dp/intros/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/special/lloyd/>
The European Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted by the Council of Ministers on October 24, 1995. The impact of the legislation has been felt beyond the European Union.
One Australian commentator has described the Directive as being 'the most important international development in privacy protection for a decade' whilst concern has been expressed in the United States and elsewhere about the domestic impact of the Directive's provisions on transborder data flows.
Member States are obliged to implement the provisions of the Directive within a three year period. At present, there is considerable variation in the national approaches.
Greece and Italy have no data protection legislation and although they are signatories to the Council of Europe's Convention on the Automated Processing of Personal Data have not been in a position to ratify the convention. The other Member States have data protection statutes in force and have ratified the convention. Significant variations exist, however, in respect of the contents of national statutes.
The EU's involvement in data protection can be traced back to the 1970s when a number of Parliamentary initiatives sought the introduction of community legislation. This pressure was rejected by the Commission which preferred to address a Recommendation to Member States (OJ 1981 L246/31) that they should sign and ratify the Council of Europe instrument before the end of 1982.
Although at the time of writing only Greece and Italy remain without data protection legislation, compliance with the Recommendation was slow with Belgium, Portugal and Spain enacting legislation only in 1992, 1991 and 1992 respectively. Equally significantly, significant variations have come to exist in the level of protection afforded in different Member States.
Some statutes, the United Kingdom's Data Protection Act being an apposite example, have sought to achieve no more than compliance with the Convention's minimum requirements. Other states such as Germany have developed the concept of data protection to a much greater extent, seeking to elevate the interests and wishes of the individual above those of data users.
The discrepancies between national data protection statutes was identified by the Commission as constituting an impediment to the attainment of the Single Market. In 1990 the Commission submitted a package of proposals to the Council aimed at promoting the free movement of data within the Community. Included in this was a proposal for a Directive on the topic of data protection.
In addition to the importance of data flows for the attainment of the single market, the proposal is also founded in the Treaty of Rome's provisions relating to consumer protection and the promotion of fundamental human rights. In these fields, the Treaty obliges the Community to ensure that harmonisation of national laws occurs at a 'high level'.
During the course of its lengthy passage through the European legislative processes, the Directive was criticised both by countries such as the UK which considered that its requirements marked too great an advance over current data protection statutes and by those such as Germany which were concerned that European legislation might lead to a diminution in the level of protection provided under existing national regimes.
A further factor complicating EU action is that its legislative competence generally does not extend to matters coming within the fields of criminal law and national security.
The Directive applies whenever personal data is processed wholly or partly by automatic means and also to certain forms of manual systems. In this latter situation the legislation will apply only where the data is held as part of a structured filing system.
Although an extensive transitional period of 12 years is made available to those Member States whose legislation presently excludes manual systems this will apply only in respect of data held in systems at the date of the Directive's adoption (24 October 1995).
Even in this limited situation, the subject access and rectification provisions of the Directive must apply from the date of the introduction of national implementing statutes.
One of the significant features of the Directive is its provision that processing of personal data will be legitimate only in specified situations. The first of these is where 'the data subject has unambiguously given his consent'. Further provisions in the Directive make it clear that the subject's consent is to be given freely in knowledge of the purposes for which the data is to be used.
This is particularly important where data is collected from the data subject and in this context it is provided that notification is to be given of the purpose for which the data is sought, whether the subject is obliged to supply the information and, if so, the consequences of any refusal. The subject must be given details of the controller's name and address and must also be informed of the parties to whom the data may be disclosed and of the existence of a right of access.
Exceptions to this provision may be made where the requirement to inform the subject would prejudice the maintenance of public order or what is described as the 'supervision and verification functions of a public authority'.
Although it may often be necessary for data users to seek the specific consent of subject's to proposed forms of data processing the Directive provides a number of additional justifications for processing. Thus, processing may be carried out in the performance of a contract with the data subject or where it is necessary to protect the subject's vital interests, is required by law, is necessary for the performance of a task in the public interest or in pursuit of either the general interest or the legitimate interest of the controller or of a third party to whom the data may be disclosed.
These interests have to be weighed against those of the data subject. The Directive provides that a data subject is to be given rights to object to the processing of personal data at least in the situations where the justification for processing lies in the performance of a task carried out in the public interest or is undertaken for the purposes of the legitimate interests of the controller or of third parties to whom the data is disclosed.
The proposal also requires as a general principle that the data subject be notified when personal data is disclosed to a third party and of the identity, or at least the categories, of recipients involved. Where data is to be transferred to a third party for the purposes of direct mailing, it is specifically provided that the subject must be informed and given the opportunity to require that the data be erased. No fee may be levied for such erasure.
The impact of this provision upon data users may be limited by the fact that subject notification may be made at any time. Thus, notification of the intended transfer at the time the data is collected will suffice.
Special provision is made in the Directive for the situation where personal data is to be used for the purpose of direct mailing. Member States must confer on data subjects the right either to object to the processing of data for the purposes of direct mailing or - more significantly - to be informed of the fact that processing is to be carried out for this purpose and expressly offered the right to object. In both cases the objection may be made free of charge.
The principle of notification is, almost inevitably, subject to exceptions. Some relate to the situation where the subject has been informed, presumably at the time of collection, that the data may be transferred or where the disclosure is required by law or is for specified purposes including national security, revenue protection or criminal proceedings.
It is provided also that the subject need not be informed where this would be impossible, would involve a 'disproportionate effort' or would run 'counter to the overriding legitimate interests of the controller or similar interests of a third party'. Once again, the exceptions may prove more important that the rule, but it is a significant feature that the onus throughout will be on the data user or the Member States concerned to justify their application.
Although the topic is possessed of a considerable element of subjectivity it has been recognised in most national statutes that certain categories of data should be regarded as particularly sensitive. The Directive adopts a broad definition of the term sensitive data as encompassing indications as to 'racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and ... health or sex life'. Such data may only be processed under specific conditions including the 'explicit consent' of the data subject.
It is not clear from the Directive where the distinction lies between a data subject's 'unambiguous' and 'explicit' consent.
One of the more significant innovations in the Directive concerns the proposal that limits should be placed upon the use of data processing equipment in order to make decisions which may adversely affect an individual. A general prohibition is proposed upon the use of automatic processing as the sole basis for making such a decision. An example might be where credit scoring techniques are utilised in order to determine whether credit facilities should be extended to a particular applicant.
It is unclear, however, how influential the automatic element may be. Exceptions are proposed where the process occurs in the course of entering into a contract with the data subject. Although the Directive proposes that 'any request' by the data subject must be satisfied or that there be 'suitable measures to safeguard his legitimate interests' including 'arrangements allowing him to defend his point of view', the imbalance of power that frequently exists in such situations may render the protection of limited value.
A further exception to the prohibition against total reliance upon automatic processing arises where such practices are authorised by law, subject to the condition that this should prescribe measures to safeguard the data subject's legitimate interests.
The right of a data subject to obtain access to data held concerning them - and rectification of any errors discovered therein - is one of the key elements of any data protection regime. The Directive's proposals are broadly in line with those currently operating in the United Kingdom. A number of significant differences may be noted.
First, although Member States are empowered to provide that access to medical data should be obtained through the medium of a medical practitioner, there is no provision for refusal of access to such data as is presently the case under the Data Protection Act.
More significantly, where access may be denied under specified exemptions such as national security, criminal proceedings or revenue protection, the Directive provides that 'the supervisory authority shall be empowered to carry out the necessary checks, at the data subject's request, so as to verify the lawfulness of the processing ..'.
If implemented, the effect of this will be to empower the Data Protection Registrar to inspect the data processing activities of national security agencies, a sector which is at present excluded totally from supervision.
The emphasis of much of the Directive is preventative, seeking to avoid personal data being processed in such a manner as to cause harm to the data subject(s) concerned. There may be occasions when such endeavours will fail and here it is provided that Member States are to ensure that a subjects are to be entitled to compensation for any damage suffered as a result of an 'unlawful processing operation'.
The uneasy relationship between the principles of data protection and those of freedom of expression which are integral to media activities has created problems in determining the scope of the legislation. Fundamental aspects of data protection such as subject access and the right to correct false information exists uneasily alongside the proliferation of electronic data bases which contain the contents of previous issues of newspapers or periodicals.
The use of these services may well involve the processing of personal data but the notion that the contents of a newspaper report should subsequently be changed is a somewhat chilling one. The concept of subject access has also been identified as posing problems for the work of investigative journalists.
Initial drafts of the Directive proposed reasonably extensive exclusions for the media but the format as adopted is much more restrictive providing that restrictions or exclusions may be provided by the Member States 'only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression'.
The concept of an independent supervisory agency being appointed and held responsible for monitoring and enforcing the operation of data protection legislation has become an integral part of data protection legislation within Europe.
This approach is perpetuated in the Directive whilst, leaving the status and format of the agency to Member States, prescribes a number of powers and duties which are to be part of the role of a supervisory agency.
In particular, the agency is to be possessed of investigative powers - including power to investigate subject complaints relating to exempt applications such as those concerned with national security - powers to order the cessation of data processing and the blocking, erasure or rectification of data and to bring complaints regarding processing to the attention of the parliamentary and judicial authorities.
The Directive also provides that the supervisory authority must be consulted when any administrative measures or regulations concerned with data protection are being drawn up.
If the appointment of supervisory agencies is non-controversial, the same cannot be said of the concept of universal registration or licensing of data users. In the quarter of a century since the first data protection statutes were enacted, the number of machines capable of being used for the processing of personal data has increased from a few hundreds or thousands to tens of millions.
The notion that realistic scrutiny could be given to applications is widely regarded as outdated and more recent data protection statutes have moved away from the concept of universal registration. The Directive follows this approach and can be seen as introducing a three tiered supervisory regime. For processing operations which are considered to pose no significant threat to data subject, Member States may either remove them from the requirement to notify details of the processing carried out or may introduce a simplified scheme.
This possibility is also open where a data user itself appoints a 'personal data protection official' with responsibility for acting in an 'independent manner' to ensure that 'the rights and freedoms of data subjects are unlikely to be adversely affected by the processing operations'. Users whose activities possess implications for data subjects are required to notify details of their activities with the Directive specifying those items of information which must be supplied.
One notable inclusion is the requirement that the user supply a description of measures which have been taken to ensure the security of any processing activities. Although breach of the substantive provisions of the Directive will render processing unlawful, there is no provision for a notification to be rejected by the supervisory agency.
The final category of users encompasses those whose processing activities carry the most significant implications for the rights of data subjects. The Directive requires that Member States must 'determine the processing operations likely to present specific risks to the rights and freedoms of data subjects'.
Having identified the applications, checks must be made by the supervisory agency prior to the commencement of processing. The number of activities and users coming within this category is uncertain but the system proposed is akin to one of prior licensing of sensitive applications.
The information supplied by the data user is to be included in a publicly available register. It is provided, however, that sections of the register may be excluded from public access where they relate to national security, criminal proceedings, revenue protection or similar specified purposes.
The Directive envisages a role for both national and Community wide codes of practice. In a number of respects, this will be more extensive than is the case under current UK legislation. In particular, the Directive proposes that the contents of national codes should be scrutinised by the supervisory authority which may both indicate approval of their contents and arrange for their 'official publication.
In the case of codes which will operate on a Community wide basis, it is provided that the Commission may arrange for their publication in the Official Journal. Although these changes might enhance the evidential value of codes, it is not proposed to confer any formal legal status upon the documents themselves.
The initial proposal submitted by the Commission contained a provision prohibiting the transfer of data to third countries which did not provide for an 'adequate' level of protection. This approach was criticised as being excessively ambiguous. If it were interpreted in the sense of 'equivalent', it would, in particular, have threatened data transfers to countries such as the United States which have favoured a sectoral approach to the problems of data processing rather than the omnibus model adopted within Europe.
The amended Directive contains more detailed provisions describing when third party provisions are to be considered 'adequate'. It is provided that in determining the adequacy of the level of protection provided by a third country, account is to be taken of 'all the circumstances surrounding a data transfer operation'. Particular reference is to be made to 'the nature of the data, the purpose or purposes and duration of the proposed processing operation .. the legislative provisions, both general and sectoral, in force in the third country in question and the professional rules which are complied with in that country.'.
Where legislative provisions are not considered adequate, Member states may authorise a transfer if safeguards are provided in other ways. Here, the Directive makes specific reference to the possibility that the subject's interests may be safeguarded by the terms of a contract between the data users concerned. Model terms for such a contract have been devised by the International Chamber of Commerce acting in conjunction with the Council of Europe.