The 1995 EC Directive on data protection under official review - feedback so far

[Published in Privacy Law & Policy Reporter, 2002, volume 9, pages 126-129]

Lee A Bygrave

The Commission of the European Communities (EC) is in the process of finalising its first official report on how the 1995 EC Directive on data protection (Directive 95/46/EC) is being applied. This review process is mandated under Article 33 of the Directive which requires the Commission to report regularly on the Directive's implementation and, if necessary, to propose amendments. The first report of the Commission is expected to be released around the beginning of 2003 - considerably later than the deadline set by Article 33. [1]

To generate feedback for its review, the Commission has been consulting over the past six months with the various parties affected by the Directive. Much of this consultation has been with the national governments and data protection authorities of the Member States of the European Union (EU). As yet (early November 2002), little information has been publicly disclosed about the responses generated by that part of the consultation process. However, some Member States, such as Sweden, have been relatively open in their advocacy of certain regulatory models prior to this latest round of consultation.

Sweden's misuse model

Over the last few years, Sweden has been pushing for pan-European adoption of a so-called misuse model for data protection regulation; ie, a regulatory approach that seeks to enhance the efficacy of the rules by simplifying and focusing them on preventing misuse of personal data. [2] The chief element of the model involves amending the Directive by exempting from most of its scope automatic processing of personal data in the form of sound and image data and text, where the material has not been structured to enable personal data to be searched for (proposed Article 3A(1)). At the same time, Member States are to prohibit such processing when it involves the distribution of personal data that harms the data subject unless the distributor of the data is obliged to express an opinion or the distribution is otherwise in the public interest (proposed Article 3A(2)).

Sweden has advanced several other proposals for more minor amendments to the Directive. For instance, it would like to allow derogation from the general principles for data processing stipulated in Article 6(b)-(e) - though not Article 6(a) on fair and lawful processing - when the data subject consents to the derogation. [3] This would mean, for example, that a data subject could consent to personal data being processed for a purpose that is incompatible with the original purpose for the processing.

The extent to which Sweden has the support of other national governments in its advocacy of these reforms is difficult to determine precisely. Noteworthy, though, is that Sweden just a couple of months ago issued - jointly with Austria, Finland and the United Kingdom - a set of proposals for amending the Directive which are less radical than its misuse model as originally conceived. [4] The joint proposals deal with the provisions on sensitive data (Article 8), controllers' duties to provide information to data subjects (Articles 10 and 11), data subjects' access rights (Article 12), controllers' notification duties with respect to data protection authorities (Articles 18 and 19) and transborder data flows (Articles 25 and 26). In general, the proposals merely involve simplifying, clarifying and tightening somewhat the ambit of these provisions without any substantial reductions in data protection levels.

Consultation with other parties

As part of its review, the Commission has also attempted to give parties other than governments and data protection authorities an opportunity to communicate their opinions about the Directive. To this end, the Commission has issued online questionnaires, requested position papers and arranged a major conference. In the following, I present the main lines of feedback generated by these initiatives.

Online questionnaires

In late June 2002, the Commission put up on its website two questionnaires about the Directive and other data protection issues, with a response deadline of 15th September. One questionnaire was directed at EU-based data subjects, the other at EU-based data controllers. Any persons/organisations falling within these categories of potential respondents were able to send in their answers online. While this sort of survey cannot accurately gauge the views of the broad community, its results are interesting - not least because of the disproportionately high number of German responses! [5] The basic message that can be read out of the survey results is that most respondents - whether data subjects or data controllers - appear to accept the need for the current regulatory regime established by the Directive, though they also see room for improvement.

[1] Article 33 requires the first report to have been issued not later than three years after the date by which EU Member States are to have implemented the Directive - that date being 25.10.1998 (see Article 32(1)). Hence, the first report should have been issued by 25.10.2001.
[2] See, eg, Sweden, Ministry of Justice, Simplified protection for personal data applying misuse model, Memorandum of 30.11.2000 (Ju2000/4977/L6).
[3] Ibid.
[4] The proposals are available at <http://justitie.regeringen.se/inenglish/_issues/dataprotection/dataprotection.pdf> (last visited 5.11.2002).
[5] Respondents registering Germany as their place of residence accounted for approximately 40 percent of the total number of respondents for each questionnaire. This response rate bolsters my long-held impression that, relative to many other nationalities, Germans generally appear to take privacy/data protection very seriously.

Data controllers' responses

The questionnaire for data controllers attracted 982 responses. [6] The great majority of respondents (679) found present data protection rules to be necessary requirements in a market where there is traditionally a high level of protection for consumers and a strong concern for their fundamental rights. Approximately 40 percent of respondents defined the level of protection offered by the Directive as "good"; just under 30 percent defined the protection level as "minimum"; while approximately 20 percent defined it as "high". Some 60 percent of respondents appeared to have experienced little difficulty in servicing data access requests from individuals. A slightly higher proportion reported that they had not received complaints from data subjects during 2001. At the same time, approximately the same number of respondents viewed the level of citizens' awareness about data protection as poor.

Also noteworthy are the controller responses as to what amounts to personal data under the Directive. Some 35 percent of respondents thought that data would not be personal if identification of a person from the data would be possible but only involving a disproportionate effort. A slightly smaller proportion of respondents thought that data would not be personal if identification of a person is no longer possible with the data available to you but only with the co-operation of third parties completely outside your organisation.

In terms of controller concerns, most respondents sought greater flexibility in the regulation of data transfers from the EU to third countries. Most wanted further guidance on how to strike the appropriate balance between the right to privacy and the right to freedom of expression. Almost half of them felt that companies and data protection authorities have not yet properly exploited the possibilities offered by Article 27 of the Directive for the use of codes of conduct. And just over half were of the opinion that national data protection authorities devote insufficient resources to advise companies.

Data subjects' responses

The questionnaire for data subjects attracted 9,156 responses. [7] Just over 40 percent of respondents thought that their respective country of residence provides a minimum level of data protection; about 30 percent thought it provides a good level of protection; just 10 percent thought it provides a high level. Like the controller respondents, the bulk of data subject respondents perceived citizens' level of data protection awareness as poor. At the same time, only about a quarter of the respondents reported ever exercising their own data access rights - a surprisingly small proportion given that the respondents as a whole could be seen as relatively active in their concern for privacy/data protection. [8]

In terms of Internet practices, it is not surprising to find most of the respondents (6,304) reporting that they do not buy or use online services out of fear that data about them will be misused. Approximately 35 percent of the respondents thought that the best way of safeguarding privacy on the Internet would be use of Internet browsers that prevent collection of personal data without user consent. A slightly smaller group viewed as an alternative best option in this context the enactment of legislation dealing specifically with privacy on the Internet, while about 15 percent favoured the use of website privacy seals. With regard to e-mail advertising, the great majority of respondents (5312) preferred this to be subject to an opt-in system of consent.

Position papers

In addition to the online questionnaires, the Commission invited more detailed written commentary in the form of position papers from interested parties both within and outside the EU. The deadline for submitting such papers was 31st August. Just over sixty papers have been received, the vast majority of them coming from business groups. [9] Recurring concerns in these papers include the following:

* The lack of harmonisation of EU Member States' respective data protection regimes;
* The poor transparency of the process by which the Article 29 Working Party arrives at its determinations - some papers call for greater public consultation before such determinations are made;
* The potentially extensive ambit of the notion of personal data - some papers argue that this should be cut back so that it does not extend to information relating to individual persons in their work/professional capacity;
* The ambiguity of many of the terms and rules in the Directive - central examples cited are the notion of consent as employed in Articles 2(h), 7(a) and 26(a); the provisions on applicable law in Article 4; and the derogations in Article 26 from the adequacy criterion in Article 25;
* The extra-territorial application of European data protection law(s) pursuant to Article 4(1)(c);
* The notification requirements in Articles 10, 11 and 18 - many papers argue that these requirements should be scaled back considerably, if not abolished altogether;
* The regulation of transfer of personal data to third countries pursuant to Articles 25 and 26 - most papers view the present rules as unnecessarily complex, rigid and/or ambiguous; they also point to significant divergences in how the rules are applied at the Member State level. Some papers call for clarification of whether principles 1-6 in the Safe Harbor agreement can be regarded as a universally applicable minimum for what is adequate protection;
* The role and status of codes of conduct - questions here include whether such codes may constitute adequate safeguards pursuant to Article 26(2); whether technical protocols may qualify as codes; whether a code that has been approved by a data protection agency in one Member State may be relied upon as acceptable in other European jurisdictions. Many papers call for implementation of a system allowing for mutual recognition of codes.

None of the above-listed concerns is especially surprising in light of the pro-business agenda of most of the papers. What is perhaps most surprising, though, is that the rule on automated profiling stipulated in Article 15 hardly receives a mention, let alone criticism. This is despite the fact that it is a new addition to most European data protection regimes and, at the same time, extremely difficult to construe. [10] The scarcity of feedback about it could well indicate that it is still of marginal practical significance.

Conference

As the final major element of the Commission's consultation strategy, a conference on implementation of the Directive was held in Brussels on 30th September and 1st October 2002. Commission officials, business leaders, consumer associations, academics and data protection authorities from both the EU and third countries were present in relatively large numbers. Indeed, the conference was noteworthy for its sizeable attendance figures; the number of participants, particularly from the USA, was considerably higher than it was, for instance, at the conference of privacy/data protection commissioners held a month earlier in Cardiff. One got the sense that the Brussels conference mattered in practical, regulatory and hence business terms to a much greater extent than did the Cardiff event.

Besides its high attendance figures, the conference was relatively successful on several scores. First, it managed to prevent the time set aside for discussion from being eaten up by prepared speeches. Secondly, it managed to give considerable airplay to privacy advocates and academics - both categories were well-represented in the panels of invited speakers. [11] Thirdly, while much of the conference discussion focused on the concerns set out in the position papers and the online questionnaires, other issues were covered as well.

One such issue - and one of large importance - concerns development and use of privacy-enhancing technologies (PETs). The workshop devoted to this issue was one of the most popular of the conference. From the discussion of the issue there seemed to emerge fairly broad agreement that PET development faces considerable difficulties on many fronts and therefore needs greater support, possibly through minor amendments to the text of the Directive. [12]

[6] An overview of the results from this questionnaire is available at <http://europa.eu.int/comm/internal_market/en/dataprot/lawreport/docs/consultation-controllers_en.pdf> (last visited 4.11.2002).
[7] An overview of the results from this questionnaire is available at <http://europa.eu.int/comm/internal_market/en/dataprot/lawreport/docs/consultation-citizens_en.pdf> (last visited 4.11.2002). The vast majority of these respondents (7,461) identified themselves as male.
[8] This modest exercise of access rights adds weight to other evidence indicating that these rights tend to be little used. For examples of such evidence, see LA Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits (The Hague / London / New York: Kluwer Law International, 2002), p 280 (n 995) and references cited therein.
[9] The papers can be accessed at <http://europa.eu.int/comm/internal_market/en/dataprot/lawreport/papers_en.htm> (last visited 4.11.2002).
[10] See further Bygrave, supra n 8, pp 319-328; Bygrave, Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling (2000) 7 PLPR, pp 67-76.
[11] Indeed, in the workshop for which I was a panelist (workshop 2: "Developments in the Information Society: Internet and Privacy-Enhancing Technologies"), an executive from Microsoft Corp took the floor and angrily asked why the Commission had not appointed to the panel any representatives from the software industry or other business sectors(!). He was given, however, ample opportunity at the workshop to correct any of the panelists' purported misrepresentations.
[12] Compare my paper for the conference ("Privacy-enhancing technologies caught between a rock and a hard place"), reproduced at (2002) 9 PLPR, pp 135-137.

Summing up, although it is obviously too early to predict with great certainty the contents of the Commission's coming report, my gut feeling is that the Commission is highly unlikely to call for any major revision of the Directive at this stage. This feeling is partly based on the feedback so far from the consultation process, partly on off-the-cuff commentary by Commission officials at the conference and partly on the undeniable fact that it is still too early to gauge accurately the practical effects of the Directive. France and Ireland have still not fully implemented the Directive; Luxembourg and Germany have done so only very recently.

Nevertheless, it is conceivable that the Commission will propose amending the Directive so that Member States are given considerably less leeway to adopt protection levels above those required by the Directive; ie, rendering the Directive less of a so-called minimum Directive and more of a maximum Directive. The Commission, though, is highly unlikely to go so far as to recommend replacing the Directive by a Regulation, particularly given the traditional strength of the subsidiarity principle in EU governance of these sorts of matters.

At the same time, the Commission will probably recommend fine-tuning of the Directive in order to bring greater clarity to its provisions. The most likely candidates for clarification are the rules on applicable law and transborder data flows. Other deserving candidates here are undoubtedly the notions of consent and personal data. It would not be surprising were the Commission also to propose more direct regulation of several data-processing practices which are clearly significant for privacy interests but poorly captured by the current Directive. Such practices include the use of video surveillance, biometrics and blacklists. Finally, it is conceivable - and to be hoped - that the Commission will advocate stronger legislative support for PETs.