An international data protection 2000

Similar documents
The 1995 EC Directive on data protection under official review feedback so far

***I DRAFT REPORT. EN United in diversity EN 2012/0010(COD)

ARTICLE 29 Data Protection Working Party

Proposal for a COUNCIL DECISION

BACKGROUND INFORMATION

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 24 October 1995

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

THE EU S ATTEMPTS AT SETTING A GLOBAL DATA PROTECTION NORM

ARTICLE 29 Data Protection Working Party

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

AIA Australia Limited

EXECUTIVE SUMMARY. 3 P a g e

Table of content What is data protection? Why was is necessary? Beginnings of Data Protection Development of International Data Protection Data Protec

EDPS Opinion on the proposal for a recast of Brussels IIa Regulation

The Transfer of Data Abroad by Private Sector Companies: Data Protection Under the German Federal Data Protection Act

International cooperation on the protection of personal data: Moroccan practice

Annex - Summary of GDPR derogations in the Data Protection Bill

Privacy Policy. Cabcharge will only collect personal information which is necessary for the operation of its business.

Main findings of the joint EC/OECD seminar on Naturalisation and the Socio-economic Integration of Immigrants and their Children

The Act on Processing of Personal Data

EUROPEAN PARLIAMENT COMMITTEE ON CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS

EUROPEAN DATA PROTECTION SUPERVISOR

DECISION OF THE EEA JOINT COMMITTEE. No 200/2016. of 30 September amending Annex IX (Financial services) to the EEA Agreement [2017/277]

Act No. 502 of 23 May 2018

STATOIL BINDING CORPORATE RULES - PUBLIC DOCUMENT

XVIth Meeting of European Labour Court Judges 12 September 2007 Marina Congress Center Katajanokanlaituri 6 HELSINKI, Finland

Proposal for a COUNCIL DECISION

Comments. made by the Conference of the German Data Protection Commissioners of the Federation and of the Länder. of 11 June 2012

60 th UIA CONGRESS Budapest / Hungary October 28 November 1, UIA Biotechnology Law Commission Sunday, October 30, 2016

***I POSITION OF THE EUROPEAN PARLIAMENT

Opinion of the European Banking Authority on cooperation with third countries Article 161(7) CRD

Opinion 3/2016. Opinion on the exchange of information on third country nationals as regards the European Criminal Records Information System (ECRIS)

EFTA Surveillance Authority Notice on Immunity from fines and reduction of fines in cartel cases

1. Why do we need this guide? The rules at a glance 4

COMMUNICATION FROM THE COMMISSION. On the global approach to transfers of Passenger Name Record (PNR) data to third countries

DECISION OF THE EEA JOINT COMMITTEE. No 199/2016. of 30 September amending Annex IX (Financial services) to the EEA Agreement [2017/276]

PE-CONS 71/1/15 REV 1 EN

TOPIC TWO: SOURCES OF INTERNATIONAL LAW

1. UNHCR s interest regarding human trafficking

Bitkom views on EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

The Council of Europe Convention of the OECD Guidelines on Data Protection

COMP Article 1. Article 1 Subject matter and objectives

September Press Release /SM/9256 SC/8059 Role of business in armed conflict can be crucial for good or ill

(Notices) NOTICES FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES EUROPEAN COMMISSION

Proposal for a COUNCIL REGULATION

In the present analysis, we cover the most problematic points of the Directive. For our views on the Regulation, please go to our document pool.

REGULATION (EU) No 649/2012 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 4 July 2012 concerning the export and import of hazardous chemicals

PHARMAC s implementation of Trans-Pacific Partnership (TPP) provisions and other amendments to application processes September 2016 Appendix two

COMMISSION OF THE EUROPEAN COMMUNITIES REPORT FROM THE COMMISSION

L 33/10 Official Journal of the European Union DIRECTIVES

Data Protection Bill [HL]

AmCham EU Proposed Amendments on the General Data Protection Regulation

OPINION OF ADVOCATE GENERAL LÉGER delivered on 11 November

Study JLS/C4/2005/04 THE USE OF PUBLIC DOCUMENTS IN THE EU

EDPS - European Data Protection Supervisor. Public access to documents and data protection

Information Privacy Act 2000

Ⅰ Introduction. Ⅱ ALI Draft and Its Background. Research Fellow:Wataru Fukumoto

public consultation on a draft Regulation of the European Central Bank February 2014

DATA PROTECTION LAWS OF THE WORLD. South Korea

DIRECTIVE 2014/57/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on criminal sanctions for market abuse (market abuse directive)

Data Protection Bill [HL]

GDPR and India. By ADITI CHATURVEDI Edited by AMBER SINHA. The Centre for Internet and Society, India

EUROPEAN UNION. Brussels, 4 April 2014 (OR. en) 2011/0297 (COD) PE-CONS 8/14 DROIPEN 1 EF 6 ECOFIN 21 CODEC 47

REGULATION (EU) No 439/2010 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 May 2010 establishing a European Asylum Support Office

The global diffusion of data privacy laws and their interoperability

The modernised Convention 108: novelties in a nutshell

EUROPEAN PARLIAMENT Committee on the Internal Market and Consumer Protection

Amended proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Article 1. Federal Data Protection Act (BDSG)

Adopted on 26 November 2014

Client Privilege in Intellectual Property Advice

EUROPEAN UNION. Brussels, 12 December 2012 (OR. en) 2011/0093 (COD) PE-CONS 72/11 PI 180 CODEC 2344 OC 70

Civil and Political Rights

Committee on Legal Affairs Committee on Civil Liberties, Justice and Home Affairs

Implementing Data Protection in Law

Personal Data Protection Act

Official Journal of the European Union. (Legislative acts) REGULATIONS

MEMORANDUM OF UNDERSTANDING CONCERNING CONSULTATION, COOPERATION AND THE EXCHANGE OF INFORMATION

REGULATORY IMPACT ANALYSIS

TRANSNATIONAL COLLECTIVE BARGAINING: PAST AND PRESENT. Final Report

ECN RECOMMENDATION ON COMMITMENT PROCEDURES

European Protection Order Briefing and suggested amendments February 2010

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

PRIVACY POLICY. 1. OVERVIEW MEGT is committed to protecting privacy and will manage personal information in an open and transparent way.

32000D0520. Official Journal L 215, 25/08/2000 P

PROVISIONAL AGREEMENT RESULTING FROM INTERINSTITUTIONAL NEGOTIATIONS

COMMISSION OF THE EUROPEAN COMMUNITIES COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT

Consultation Paper. Draft Regulatory Technical Standards on Resolution Colleges under Article 88(7) of Directive 2014/59/EU EBA/CP/2014/46

Strengthening Privacy Protection through Co-Regulation

The Consolidate Trade Marks Act 1)

REGULATIONS. (Acts adopted under the EC Treaty/Euratom Treaty whose publication is obligatory)

The Right to Data Protection and the Commissions Adequacy Decision

T he European Union s Article 29 Data Protection

13346/15 JDC/psc 1 DPG

EN Official Journal of the European Union L 157/ 45. DIRECTIVE 2004/48/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 29 April 2004

ARTICLE 29 Data Protection Working Party

Data Protection Bill, House of Lords second reading Information Commissioner s briefing

ECB-PUBLIC. Recommendation for a

Official Journal of the European Union

Adequacy Referential (updated)

Transcription:

An international data protection stocktake @ 2000 Part 1: regulatory trends [Published in Privacy Law & Policy Reporter, 2000, volume 6, pp 129 132] Lee A. Bygrave Introduction In the year 2000, it is timely to reflect on the general nature of data protection law. 1 While certainly not old, data protection as a field of law has now attained considerable maturity and spread. The first data protection laws were passed some three decades ago. In the course of those decades, the number of countries with such laws has burgeoned to well over twenty. Although these countries are still predominantly European (and still predominantly part of the First World), legislative concern for data protection has become increasingly global. 2 Augmenting this development is a growing body of commentary (hereinafter termed data protection discourse ), both descriptive and prescriptive, concerned specifically with the character, application and development of data protection laws. This article is the first of a series in which the central and most striking features of data protection law and, to some extent, data protection discourse are discussed in a transnational perspective. 3 To a large extent, the analysis is broad-brush. It aims to provide an overview of regulatory patterns across jurisdictions. It also aims to set out and challenge some of the conceptions that have developed over the last three decades about the character of data protection law. The article series begins with a presentation of the major regulatory trends in the field. Subsequent articles will involve canvassing a range of other issues, including the rationale and normative underpinnings for data protection law, and the issue of data protection rights for collective entities. 1 2 3 Although this will be obvious to many readers, the term data protection is used here to denote a set of measures (legal and/or non-legal) which are aimed at safeguarding persons from detriment resulting from the processing of information on them, and which embody the bulk of principles laid down in recognised data protection instruments, such as the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (Paris: OECD, 1980 hereinafter termed OECD Guidelines ). In Australasia and North America, the term privacy protection tends to be employed instead, though this nomenclature is prima facie broader than what is denoted by data protection (as defined in this article). For a reasonably current, global overview of legislative activity in the field of data protection, see Global Internet Liberty Campaign, An International Survey of Privacy Laws and Practice, published October 1998, available at <http://www.gilc.org/privacy/survey/>. This series of articles draws heavily on the author s doctoral thesis entitled Data Protection Law: Approaching Its Rationale, Logic and Limits (Faculty of Law, Oslo University, 1999). A modified version of the thesis is due to be published in late 2000.

Points of regulatory convergence Although data protection laws around the globe have not all been enacted for the same reasons, 4 nor had the same sort of gestation, 5 they have tended to share a great deal of common ground in terms of the principles expressed by their central rules. 6 They have also tended to share a great deal of common ground in terms of the mechanisms adopted for monitoring their application and for generating new regulatory norms. The overwhelming majority of the laws provide for the establishment of special independent bodies typically termed data protection authorities to oversee their implementation. At the same time, most of the laws take the form of so-called framework laws: instead of stipulating in casuistic fashion detailed provisions for regulating the processing of personal information, they set down rather diffusely formulated, general rules for such processing, and make specific allowance for the subsequent development of more detailed regulatory norms as the need arises. Primary responsibility for developing these norms has usually been given to the respective data protection authority. More remarkable is the apparent existence of considerable cross-jurisdictional similarities in terms of how the laws are enforced. In many jurisdictions, the enforcement of the laws seems rarely to have involved meting out penalties in the form of fines or imprisonment. Data protection authorities appear generally reluctant to punitively strike out at illegal activity with a big stick. A variety of other means of remedying recalcitrance most notably dialogue and, if necessary, public disclosure via the mass media seem to be preferred instead. 7 In other words, data protection laws have often functioned to a relatively large extent as soft law ; that is, law which works by persuasion, is enforced by shame and punished by blame. 8 A related feature is that courts have tended to play a minor, if not marginal, role in the enforcement and development of data protection laws. Indeed, there seems to be a striking paucity of judicial decisions in which the interpretation of such laws figures centrally. 9 This aggravates the already considerable interpretative difficulties caused by 4 5 6 7 8 9 Compare, for instance, the predominantly economic motivations of the legislators of the Data Protection Act 1984 (UK) with the apparently more civil libertarian concerns of the architects of the equivalent French legislation of 1978. See further CJ Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca/London: Cornell University Press, 1992), pp 141 143. Compare, for example, the protracted and at times stormy legislative histories of the respective data protection laws of Germany, Australia, the UK, Finland and the Netherlands with the relatively quick and smooth enactment of such laws in Scandinavia. See further Bygrave, supra note 3, pp 6 8 and references cited therein. These and the following points of regulatory convergence are elaborated upon in Bennett, supra note 4. See also Bygrave, supra note 3, especially chapts 3 4. It is beyond the scope of this article to discuss the reasons for this convergence. Bennett s work provides an excellent analysis of possible reasons. His basic conclusion is that the aetiology in this regard embraces a complex array of factors and hypotheses. My impressions here are based on perusal of the annual reports issued by the data protection authorities of Australia, Denmark, Norway, Switzerland and the UK, together with David Flaherty s description of enforcement practices in Sweden, France, Canada and the Federal Republic of Germany. See further DH Flaherty, Protecting Privacy in Surveillance Societies (Chapel Hill/London: University of North Carolina Press, 1989). E Blankenburg, The Invention of Privacy, in P Ippel, G de Heij & B Crouwers (eds), Privacy disputed (The Haag: SDU/Registratiekamer, 1995), pp 31, 39. In Norway, for example, there has only been one instance (over a period of more than 15 years) in which an appeal from a decision of the country s data protection authority has been treated by the courts. And only one other notable instance exists of judicial commentary on the Norwegian Personal Data Registers Act of 1978. Much the same situation pertains with respect to Australia and Denmark. 2

the diffuse formulation of many of the laws provisions and the sparse or nebulous commentary in the preparatory works and explanatory memoranda for the laws. That courts often take a backseat in the application of data protection laws is due to a multiplicity of factors. One important factor is that in dealing with complaints, data protection authorities frequently put weight on conciliation rather than confrontation, an approach which tends to head off court litigation. Another important factor is that, in some countries, appeals from decisions of data protection authorities, or complaints which authorities fail to resolve, do not go directly to ordinary courts for adjudication but to other quasi-judicial bodies first (such as the Complaints Review Tribunal in NZ and the Data Protection Tribunal in the UK). 10 Nevertheless, we should not forget that courts in some countries have played a significant role in underpinning and steering the direction of data protection law. Undoubtedly, the most notable case is the landmark decision of 15 December 1983 by the German Federal Constitutional Court (Bundesverfassungsgericht) which struck down parts of the federal Census Act (Volkzählungsgesetz) for lack of data protection guarantees and in the process found a right of informational self-determination ( informationelle Selbstbestimmung ) pursuant to Arts 1(1) and 2(1) of the Federal Republic s Basic Law (Grundgesetz). 11 Points of regulatory divergence While data protection laws expound broadly similar core principles, and share much common ground in terms of enforcement patterns, they are not as homogeneous as they appear at first glance. Numerous differences exist between them. These differences arise to a large extent in relation to the monitoring and supervisory regimes established by the laws. The basic differences here relate to the powers of data protection authorities (for example, some function essentially as ombudsmen, others are able to issue legally binding orders) and, concomitantly, the nature of the legal preconditions for processing personal data (for example, some require merely that data protection authorities be notified of processing, others require prior authorisation/licensing by the authorities). There are also significant differences in the ambit of data protection laws. Some cover data processing in both the private and public sectors, others cover processing by certain government agencies only. Some regulate both manual and automated processing methods, others regulate only the latter. Some place restrictions on the flow of personal data to foreign countries, others do not. Some provide express protection for data on collective entities, others protect data on individuals only. Some lay down extra limits on the processing of designated categories of especially sensitive data, others do not. To some extent, these differences have constituted a cleavage line between European and 10 11 In Australia, on the other hand, the principal reason for lack of judicial involvement in determining the ambit of the Privacy Act 1988 (Cth) is that the Act has applied mainly to the activities of federal government agencies, which are under a duty (pursuant to s 58; compare s 55) to comply with the Privacy Commissioner s determinations of complaints against them. See 65 BverfGE (Entscheidungen des Bundesverfassungsgerichts), 1. 3

non-european data protection regimes, with the former offering generally more comprehensive and stringent safeguards than the latter, but the line is far from clean. 12 Points of regulatory change Moving from the oldest of the data protection instruments to the youngest, we can discern certain regulatory trends. In data protection discourse, it is popular to categorise these trends in terms of generations; that is, one differentiates between first-, second- and third-generation data protection laws. 13 Such categorisation, however, can easily result in ambiguous or misleading generalisations in which distinctions are overstated. 14 Accordingly, these categories are not employed in the following analysis. The regulatory trends are most easily discernible when we compare the international data protection instruments. However, they are also visible at a national level, particularly in the current round of reform of domestic data protection law by member states of the European Union (EU) and European Economic Area (EEA) pursuant to the 1995 European Community (EC) Directive on data protection. 15 In the first place, we can see a trend towards more detailed, discriminating provisions and requirements. In short, we can see increasing regulatory density. Part and parcel of this trend is a growing concern to lay down procedural mechanisms for enforcing compliance with data protection principles. 16 At the same time, we can see the contours of new data protection principles emerging. One such principle is that fully automated assessments of a person s character should not form the sole basis of decisions that impinge upon the person s interests. While this principle is not yet manifest in the majority of data protection laws, it will be so in the near future, on account of its embodiment in Art 15 of the EC Directive. Another such principle is that persons should be able to enter into transactions anonymously unless overriding legitimate interests exist to the contrary. Inherent in this principle is that active consideration should be given to crafting technical/organisational 12 13 14 15 16 See generally Bygrave, supra note 3, espec chapts 3 4. Again, it is beyond the scope of this article to present in detail possible explanations for these differences. The study by Bennett (supra note 4, espec chapt 6) provides an excellent analysis of this issue. As with his examination of the reasons for policy convergence in terms of core data protection principles, Bennett finds that no one theory or hypothesis suffices to explain national divergence in terms of how these principles have been implemented: ibid, p 219. See e.g. V Mayer-Schönberger, Generational Development of Data Protection in Europe, in PE Agre & M Rotenberg (eds), Technology and Privacy: The New Landscape (Cambridge, Massachusetts: MIT Press, 1997), pp 219 241. See further Bygrave, supra note 3, pp 114 115. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ No L 281, 23.11.1995, 31) hereinafter termed EC Directive. Compare, for instance, the paucity of requirements in the 1980 OECD Guidelines and 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108 hereinafter termed CoE Convention ) regarding sanctions and the establishment and competence of national data protection authorities with the more exacting requirements on the same matter in Art 28 of the EC Directive. Compare also the simple provisions in the CoE Convention and OECD Guidelines on fair processing of personal data with the more elaborate provisions in Arts 10, 11 and 15 of the EC Directive. 4

solutions for ensuring transactional anonymity and/or pseudonymity. However, while this type of principle is expressly promoted in an increasing number of policy documents, it is still far from prominent in the bulk of data protection laws. 17 Nevertheless, it can reasonably be expected to influence the drafting of future laws, at least in relation to certain sectors of activity. 18 Under the influence of the Directive, we can also expect considerable expansion in the set of phenomena regulated by data protection laws, at least within the EU and EEA. Currently, the set of phenomena which all non-sectoral data protection laws regulate (with minor exceptions) is rather narrow. This set of phenomena consists of: (1) the establishment, maintenance and use by (2) government agencies other than the police and national security services, of (3) computerised registers/files, which (4) contain data on individual, physical/natural persons, but which (5) are not used solely for statistical or accounting purposes, or which (6) are not generally available to the public. 19 In the near future, the data protection legislation of EU and EEA member states will embrace: (1) fully or partly automated processing of personal data largely irrespective of the way the data are organised, along with (2) the setting up and use of manual personal data files, by (3) data controllers in both private and public sectors with the optional exception of police and national security services, even when the data or files are (4) used solely for statistical or accounting purposes, or are (5) publicly available, but not necessarily when they are (6) used solely for journalistic, artistic or literary purposes. Under the influence of the EC Directive, we can further expect the data protection legislation of EU and EEA member states to become more uniform in terms of monitoring and supervisory regimes. Data protection authorities which currently are able to issue mere recommendations will probably be given competence to issue legally binding orders; 20 notification schemes will become the rule, licensing the exception; 21 and, to a greater extent, these notification schemes will involve a duty for data controllers to inform not just data protection authorities of the basic details of their operations but also the data subjects. 22 Nevertheless, it is extremely doubtful that we will see, at least in the short term, complete or even near-complete uniformity achieved in the data protection 17 18 19 20 21 22 Compare the specific requirements for transactional anonymity laid down in ss 3(4) and 4(1) of the federal German Teleservices Data Protection Act of 1997. For an overview of these provisions, see LA Bygrave, Germany s Teleservices Data Protection Act (1998) 5 Privacy Law & Policy Reporter, pp 53 54. In this respect, note, for example, Victoria s Data Protection Bill 1998 which makes express provision for a principle of anonymity in its list of Information Privacy Principles. See also Principle 8 of the Australian federal Privacy Commissioner s National Principles for the Handling of Personal Information (Sydney: HREOC, 1999, revised edition). See generally Bygrave, supra note 3, chapt 3. See particularly Art 28(3) of the Directive. See Arts 18 & 20 of the Directive, together with recital 54 in the Directive s preamble. See particularly Arts 10 11 of the Directive. 5

regimes of these states. The EC Directive has given too much reign to the principle of subsidiarity to be able to achieve such uniformity. 23 A large question mark hangs also over the ability of the Directive to bring the data protection regimes of non-european states largely in line with the EU/EEA pattern of data protection. With the threat that EU/EEA member states will prevent, pursuant to Art 25 of the EC Directive, transfers of personal data to countries without adequate levels of data protection, there is now greater legal (and economic) pressure on countries like the USA, Japan and Australia to enact laws more closely resembling the European model. But we should not overlook the possibility of one or more of these countries governments (particularly that of the USA) thumbing their noses at the EU in defiance of the adequacy criterion laid down in the Directive. The extent to which this might occur is likely to depend on how stringently and consistently the adequacy criterion is applied, 24 together with the extent to which implementation of Arts 25 26 of the Directive is found to conflict with the 1994 General Agreement on Trade in Services. Other factors might also prove significant, not least the extent to which business enterprises in, say, the USA tire of having to cope with the patchy, sometimes uncertain and inconsistent legal regimes for data protection in that country. Finally, we can discern some shift in the regulatory focus of data protection laws, or, perhaps more accurately, consolidation of such shift. An important example here is the EC Directive s focus on the processing of personal data rather than the establishment and use of personal data files a focus already present in, for example, the OECD Guidelines. Another important example is the Directive s focus on manually processed data in addition to automated data processing again a focus already present in the OECD Guidelines. Yet another noteworthy example is the Directive s explicit encouragement in Art 27of the creation of sectoral codes of practice again something already anticipated by, for example, the OECD Guidelines and, more indirectly, the various data protection recommendations of the Council of Europe. This encouragement, though, is offset by a lack of consensus and certainty over exactly what sort of legal function such codes are to have vis-à-vis data protection laws within the EU. Further, there is a discernible trend away from comprehensive licensing regimes to requirements for mere notification/registration of data-processing operations. This is a development in which anticipatory, paternalistic control 25 by data protection authorities is giving way to (though is not necessarily extinguished by) more reactive control on the part of such authorities. This development is offset by enhancement (at least on paper) of the opportunities for participatory control: 26 data subjects access rights are supplemented 23 24 25 26 See espec Art 5 of the Directive, together with recital 9 in the Directive s preamble. See also S Simitis, From the Market to the Polis: The EU Directive on the Protection of Personal Data (1995) 80 Iowa L Rev, pp 445, 449. See further G Greenleaf, Death of the EU Privacy Directive? Choppy waters in the Safe Harbor (2000) 6 Privacy Law & Policy Reporter, pp 81 83. By paternalistic control is meant control exercised by governmental agencies (primarily data protection authorities) on behalf of, and supposedly in the best interests of, citizens (data subjects). By participatory control is meant control exercised by citizens themselves. 6

by more extensive notification duties for data controllers, 27 and there is greater readiness to make the consent of data subjects a prerequisite for certain kinds of data processing. 28 Certainly, this gives individuals more room to determine for themselves the manner and extent to which data on them are processed, though it does not necessarily mean that individuals will act to delimit such processing or that such processing will decrease. Moreover, data controllers will often be able to avoid the consent rule because of the existence of broadly drawn, alternative requirements for the data processing in question. 29 27 28 29 See particularly Arts 10 11 of the EC Directive. See, for example, Arts 7 8 of the EC Directive. See, for example, Art 7(b) (f) of the EC Directive. 7

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback