Harmonisation of Data Protection Law in Europe
Working Conference on the EC Data Protection Directive
10th & 11th June 1996
Dr. Andreas Wiebe
University of Hannover
- 1. Introduction
- 2. Country Reports
- 2.1 Denmark and Finland
- 2.2 UK, Ireland The Netherlands, Belgium, Greece and Italy
- 2.3 Germany, Austria, Poland, Hungary and Russia
- 2.4 Norway and The United States
- 3. Common Problems
- 4. Data Security
- 5. Conclusion
Date of publication: 24 July 1996
Citation: Wiebe, A (1996), 'Harmonisation of Data Protection Law in Europe', Conference Report, 1996 (3) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/elj/jilt/confs/3dp/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_3/wiebe/>
The EC Data Protection Directive of Oct. 24, 1995 (OJ L 281/31 of Nov. 23, 1995) poses several problems to member states, not only stemming from the differing levels of protection. The resulting need to evaluate and discuss these problems led Prof. Kilian (Institute of Law und Informatics, University of Hannover, Germany) to invite leading experts from 16 countries, EC member states as well as from Poland, Hungary, Russia, Norway and the U.S.A., to come to Hannover for a working conference which took place on June 10 and 11, 1996. This article is meant to report on the conference and present the results of the prolific discussions centered around the complex process of data protection harmonisation in Europe.
Prof. Kilian presented an overview on the objectives. structure, and contents of the EC Directive. It aims at balancing the conflict between protection of privacy and the free flow of information on a certain level. As regards German data protection law it will result in a lowering of the level of protection. Prof. Kilian supported the enhanced application of technical standards relating to data security including certification procedures. Discussion centered around the question whether, notwithstanding the leeways provided for in the Directive, countries with an 'advanced' level of data protection were forced to lower this level. Another critical point is the permission of free data flow between countries of differing levels of protection putting the question which rights will remain for the individual in practice.
In the first part of the conference, national reports were delivered concerning the problems relating to the implementation of the Directive on the background of the existing data protection laws. This includes different speed of the process as well as problems specific to each country. However, some common issues were identified.
Prof. Blume (University of Copenhagen) named as main problems in Denmark the extended definition of processing, the uniform rules for the public and private sector, the position of affiliated companies and the use of data for marketing purposes. The last point was not regarded as a relevant data protection problem which initiated a discussion on the relation of data protection and consumer protection.
Prof. Saarenpää (University of Lapland) reported on the lengthy history of data protection in Finland. He emphasized that structure and contents were mainly in accordance with the Directive but some improvements would result for the individual. One point to be reassessed is the media privilege. Mr. Öman (Swedish Governmental Data Act Committee) delivered the Swedish report. In a country with a long data protection tradition the creation of personal data files still is to a large extent dependant on a permission of the Data Inspection Board. For the implementation of the Directive, a Committee has been set up to deliver a report including proposals for new or amended legislation in revision of the outdated 1973 Data Protection Act. A specific Scandinavian problem is posed by the constitutionally based principle of public access to official documents which has to be reconciled with data protection principles. Other fields of discussion concerned the freedom of the press and freedom of expression.
Dr. Lloyd (University of Strathclyde, Glasgow) reported on the 'minimalistic' approach of the British government as regards the implementation of the European Council Convention as well as the EC Directive on data protection. Its objective is to limit data protection to the bare minimum necessary for compliance and to avail itself of the 'opt out' clauses. Still, some significant changes and extensions of the current practice will have to be made, expecially with respect to sensitive data, the provision of subject access and the control of transborder data flow. Prof. Clark (University of Dublin) regarded the legal situation in Ireland as more favorable to data protection. However, the implementation seems to be rather deficient. Codes of Practice have not been established so far but this may change in the course of the implementation of the Directive. Subsequently, the compatibility of such Codes with continental legal systems where they do not seem to play a significant role were subject of an intense discussion.
Prof. Kaspersen (Computer/Law Institute, Free University of Amsterdam) cautioned against a lowering of the level of data protection in the course of the implementation of the Directive in the Netherlands. In Belgium, the Dirctive is to be implemented nearly literally as Prof. Poullet (University of Namur) pointed out. As compared to the present state of the law bureaucratic 'burdens' will be reduced as well as the rights of the data subjects improved and the compentences of the data protection authority strengthened.
Prof. Kaissis (University of Thessaloniki) reported that there is no data protection act in Greece as yet which also is true of Italy. However, until the end of year a draft bill on the implementation of the Directive will be presented in Greece. Prof. Losano (University of Milan) showed some incompatibilities of data protection principles with existing laws, especially organized crime laws. He also emphasized the importance of criminal sanctions for the effectuation of data protection as compared to administrative means. Subsequently, the appropriateness of various legal means of enforcement was subject of controversial discussion.
Mr. Heil, representative of the German Data Protection Commissioner, gave an impression of the difficult drafting process as concerns the Directive in which he was personally involved. Generally, he regarded German law as being in accordance with the Directive with some changes to be made. He was sceptical about contract solutions to the third country problem which may prevent third countries from implementing their own data protection law. Moreover, the Directive should be reason for rnodernizing data protection law to take account of new technologies (e.g. multimedia/internet).
Mrs. Kotschy, Data Commissioner of the Austrian government, reported the different regulatory approach of the Austrian data protection law including a higher standard of protection. In her opinion, there was no need for adopting the structure of the Directive. She emphasized the dangers of differing levels of protection that would result in a general deposition as companies would prefer countries with a low level. This danger has been reduced in the draft ISDN Directive by including regulations on the most important problems. The main problem from her point of view may be the distribution of powers between the authorities and the courts.
The first to deliver a third country report was Prof. Banaszak (University of Wroclaw). After 1989, Poland has acknowledged the need to establish its own data protection law. Drafts have been prepared taking into account the principles of the Directive. There may be different statutes for the public and private sector. Hungary has established a data protection and informational freedom statute in 1992 as well as a data commissioner in 1994, as Prof. Vida (University of Budapest) pointed out. This was in accordance with the Covention of the European Council. The Directive was distributed among public agencies within six weeks in order that 'people will get used to how it will be in the future'. This appears to be a general trend in Eastern Europe and demonstrates the impact of the Directive on countries knocking at the door of the EU. Prof. Sergeev (University of St.Petersburg) also gave an impression of the orientation towards Europe even in Russsia although the future of data protection and the impact of the Directive is rather uncertain there.
Prof. Bing (University of Oslo) explained how Norway as a country showing a high level of automation will adopt the Directive while also emphasizing the dangers of a reduced standard of protection. Prof. Rule (New York State University) reported that there is still no data protection statute for the private sector or a data commissioner in the U.S.A. although the protection of privacy has its origin here. The present climate seems to be very much against any further regulation. Accordingly, the Directive has not been greeted favorably. Repudiation, however, does not seem to be that strong with large companies active in international business. Another interesting aspect is that Quebec has followed the guide of the Directive while Canada generally seems to take a more positive approach towards the protection of personal data.
The country reports painted a somewhat diverse picture. However, some common problems could be identified meriting further discussion. One of the issues that were subsequently being discussed concerned the question of 'informed consent' (Art. 7a of the Directive). In search for identifying a general principle on which it could be based the market principle was proposed. This would turn on the availability of alternatives. The discussion then turned on the related questions of consumer protection and freedom of contract. Another issue in the subsequent discussion related to the protection of legal persons that has been acknowledged only in some countries. Realization could involve antitrust problems. Another basic problem of the Directive would be its international application (Art. 4). The Directive appears to aim at the application of only one single national law. Some participants insisted that the objectives of free flow of information and data protection would be incompatible from the outset. This also relates to the issue of the reduction of the level of protection in some states. Although this seems to be foreclosed by Art. 10 of the Directive, in Holland implementation of the Directive would result in relinquishing the principle of strict liability (Art. 23).
An important issue relates to data security. As regards German law, there is a need to adopt specific standards. Conflicts of interest will arise with respect to the interests of national security as put forward by secret services. In many countries, press/media constitutes a field of exceptions which have to be reassessed as the reports have shown. The German position is against a general privilege for the media. In this field there are also problems of geting access to the files. Finally, the importance of the enforcement of data protection laws were emphasized. These have to be made effective to make data protection work. Especially the extention of criminal sanctions was disputed.
In concluding, a major result of the working conference has been the identification of common problems in the implementation deserving further discussion. The reports also demonstrated that third countries can hardly escape the impact of the Directive. Naturally, it was not possible to develop comprehensive solutions within the framework of the conference. However, it demonstrated the need for an extensive international discussion, not only relating to the implementation of the Directive but also concerning the need to further develop data protection principles. The working conference in Hannover has made an important contribution and the limited forum of internationally well known experts in the field seems to provide the appropriate framework for an extended European discussion. The contributions of the participants will be reviewed in light of the results of the conference and subsequently be published in English.