On 15 May 2003 the European Commission published its first report on the implementation of the Data Protection Directive (95/46/EC) (the "Directive"). The report is based on a review of Member States’ legislation and wide consultation, including an online survey which generated over 10,000 responses.
The essential questions to be addressed by the report were whether the ways in which the Member States have transformed the Directive into national law achieve the ambitions of the Directive and, if not, what should be done to correct this, for example, should the Directive itself be amended?
Conclusions
The Commission expressed itself generally satisfied with the implementation of the Directive and there are no current plans to amend it. However, the Commission recognised that, so far as ensuring a level playing field for operators in different Member States and simplifying the regulatory environment, the differences between Member States’ laws and the Directive are still too great. Amendments to national legislation are likely to be required in due course (this will be the subject of future reviews). The Commission has proposed a programme of work to address divergences in implementation and raise awareness (see below).
Specific Areas of Difficulty Identified by the Review
These included the following key findings:
Sensitive and non-sensitive personal data – greater clarity on the "legitimate interests" condition [1] was sought; this allows processing of non-sensitive personal data by data controllers without the subject's consent, provided that the legitimate interests, rights and freedoms of the individual are not overridden. The Commission’s view is that the absence of adequate safeguards means appropriate levels of protection for individuals are not being achieved.
Applicable Data Protection Law – this came in for heavy criticism by respondents as, currently, organisations with a presence in (or which merely "use equipment" to process personal data in) more than one Member State may have to comply with multiple national laws. Submissions received argued for a "country of origin rule", allowing multinationals to operate via one set of rules throughout the EU. The Commission agreed that this area, and the term "use of equipment" in particular, needed clarification.
Legitimate Processing Conditions – these have been implemented unsatisfactorily in a number of jurisdictions, raising issues concerning appropriate safeguards and grounds for legitimate processing. In particular, the distinction between "unambiguous consent" (one of the conditions for lawful processing of non-sensitive personal data) and "explicit consent" (which is the level of consent required to process sensitive personal data) needs to be clarified to ensure uniformity across Member States.
Provision of Information to Data Subjects – in some jurisdictions the law (incorrectly) requires that certain "fair processing" information [2] always has to be provided to the data subject, regardless of whether the individual already has that information or not. This causes significant difficulties for multinational companies operating at pan-European level, especially via the Internet.
Notification Requirements – many submissions argued for a need to simplify the notification process [3]. The Commission felt that problems here were largely due to Member States’ failures to carry through the exemptions available in the Directive.
Data Exports Outside the EEA – Member States have diverged greatly on this business-critical issue. The Directive mandates that (unless exempt) personal data may only be transferred to countries which ensure an adequate level of data protection (see our 21 December 2001 Newsflash on data exports). At present, some Member States require almost no referral to the national supervisory authority, whereas others require everything to be referred for authorisation, even where exemptions apply. The effect of this is likely to be that data exports will "switch to the ‘least burdensome’ point of export".
Subject Access Requests [4] – despite calls for more flexible interpretation by those consulted, the Commission was not convinced (surprisingly, in our view) that this aspect of the Directive was posing serious practical problems for controllers. The Commission relied on the 62% of data controllers whose responses to the online questionnaire indicated that responding to subject access requests did not constitute an important effort for their organisation. (However, as most of the respondents apparently had no figures available or had received fewer than 10 requests, it is possible that their responses reflect a lack of experience.)
Future Plans
In response to concerns identified in its report, including on the levels of compliance, enforcement and awareness, the Commission intends to put in place a number of initiatives. A work programme for 2003-4 has been proposed which includes discussions between the Commission and Member States and Data Protection Authorities and also requests that the Article 29 Working Party [5] makes proposals for a substantial simplification of notification requirements, more harmonised information requirements and simplifying the international data transfer regime. Promoting PETs (Privacy Enhancing Technologies), self-regulation and raising awareness of data privacy rights were also highlighted as aims.
What Changes Can Businesses Expect to See?
Over the short to medium term, the call for increased resources for national Data Protection Authorities and efforts to heighten the public’s awareness of data protection rights can be expected to raise the compliance stakes for data controllers throughout the European Union. The sooner organisations put in place compliance programmes, the better the position they will find themselves in once the anticipated tougher enforcement regime becomes a reality.
The outlook is not just pro-data subject however. At a detailed level there is recognition that the lack of consistency in data export restrictions, applicable law and notification obligations needs to be addressed. On data exports, the Commission expects to see progress in four key areas: (1) more "approved country" findings; (2) a wider choice of recognised standard clauses for data export contracts; (3) the role of binding intra-corporate rules e.g. group-wide data protection policies; and (4) more uniform interpretation of the exemptions. This will be heartily welcomed by business and can only promote smooth international data flows, with all the enhancements in information exploitation and efficiencies these entail.
[1] See Schedule 2, condition 6(1) of the UK’s Data Protection Act 1998.
[2] This includes ensuring the data subject knows who the data controller is and the purposes for which his personal data are being processed.
[3] The duty for data controllers to notify or register their processing activities in advance with the national data protection authority; in the UK, this is the Information Commissioner.
[4] The exercise by an individual of his right to see information held about him by a data controller.
[5] This Working Party has an independent, advisory role and includes representatives from the Member States’ data protection authorities.
Article by Kate Brimsted