Privacy Law and Policy Reporter
The European Union Council personal data protection Directive has completed its five-year passage through the EU legislative process, having been formally adopted by the Council of Ministers on 25 July 1995 (see the European Commission's Press Release in this issue). The Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data is the most important international development in data protection in the last decade. It is important for two principal reasons.
First, it establishes a Europe-wide set of legal principles for privacy protection, to be enacted in all EU member states. EU member states are now allowed three years to amend their laws to conform with the Directive (A 32(1)). Its content therefore represents the most modern international consensus on the desirable content of data protection rights, and may be a valuable model for Asia-Pacific countries. The first part of this article gives an overview of the 'privacy content' of the Directive, pointing out how it differs from the 1992 and 1990 versions.
Second, it prohibits the transfer of personal data from EU countries to any countries which do not have 'adequate' data protection laws, and will therefore place significant international pressure for increased data protection on countries in the Asia-Pacific region and elsewhere, particularly in relation to the private sector. It has already resulted in the new Hong Kong law imposing similar restrictions on 'data exports' (see Private Parts in this issue). The second part of this article will explain how the 'data export' or 'transborder data flow' aspect of the Directive will work.
Earlier this year the European Commission said that the Directive 'gives a signal to the EU's trading partners, such as Canada, Japan and the US, of the importance the EU gives to the protection of the individual's rights in the application of new technological developments'.
The Directive was the subject of substantial lobbying by business interests, particularly the International Chamber of Commerce (ICC), which argued that international privacy laws should be harmonised on the model of the OECD Guidelines and the Council of Europe Convention, rather than the model proposed by the EU. This was not to be.
The European Commission's original draft Directive was issued in September 1990, and was originally proposed to take effect on 1 January 1993. The European Parliament approved the draft Directive in 1992, subject to the adoption of extensive recommended amendments. In October 1992, the Commission released its Amended Proposal for a Council Directive, which was said by the Commission to take into account the comments of the Parliament, the Council of Minister's own working group, the views of the European national Data Protection Commissioners and industry submissions.
A working party of the Council of Ministers then negotiated for three years to reach a 'common position' on the amended proposal. On 20 February 1995, the EU's Council of Ministers adopted a 'common position' on the Directive, making significant amendments in the process. The UK abstained. This 'common position' draft Directive went to the European Parliament for a 'second reading', which resulted in its approval with minor proposed amendments on 15 June 1995. The Council of Ministers then adopted the Directive on 25 July.
References are to the completed Directive unless otherwise noted. The original draft will be referred to as the '1990 draft', and the Commission's subsequent amendments will be referred to as 'the 1992 draft'.
It must be remembered that the Directive is a directive to member states of the EU to amend their respective laws (where necessary) to comply with the requirements of the Directive. The requirements listed below are phrased in that way in the Directive.General structure
The two overall objects of the Directive are the protection of information privacy by member states of the EU (art 1(1)), and the prevention of restrictions on free flow of personal information between EU member states for reasons of privacy protection
(art 1(2)). The Directive therefore aims to create 'a European zone of free information flow' in relation to personal information, by requiring a uniform minimum standard of privacy protection across the EU.
The heart of the Directive is a set of information privacy principles set out in Chapter II ('General rules on the lawfulness of the processing of personal data'). The methods by which these are to be enforced in national law and by the EU are set out in Chapters III ('Judicial remedies, liabilities and penalties'), V ('Codes of conduct'), VI ('Supervisory authority and working party') and VII ('Community implementing measures'). Chapter V deals with prohibitions on transfers of personal data to third countries. Chapter I provides definitions and covers the scope of the Directive. A 16- page preamble to the Directive provides comments on the objectives behind many of the provisions, and therefore aids interpretation.
The requirements of the Directive are, for the most part, in very general terms. Article 5 provides that 'member states shall, within the limits of [Chapter II] determine more precisely the circumstances in which the processing of personal data is lawful'. However, specific national implementations pursuant to art 5 cannot impose restrictions or prohibitions in relation to exchange of personal information between countries within the EU because of art 1(2).
It is clear from its preamble that the Directive should not be seen as a 'minimum' standard for privacy laws within the EU. It is a standard to be complied with as both the minimum and maximum information privacy protection allowable under EU laws, subject to what the preamble refers to as 'a margin for manoeuvre' left to member states. The preamble refers to the need to 'approximate' the laws of member states, to make the protection offered by them 'equivalent', and to reduce 'divergences' between national laws. All this is said to be in order to prevent restrictions on transfer of data between member states. Many of the Directive's articles include exceptions to the general privacy protections that constitute the 'general rule' of the article. These exceptions are just as mandatory as the general rules that they qualify, and national laws which attempted to provide a stricter standard of privacy protection by not recognising or limiting such exceptions would breach the Directive. However, there is room for argument within the language of some articles which do not make it clear that what is not forbidden is allowed (for example, art 7 says 'data many be processed only if', not 'if and only if'). The Directive is therefore best seen as a consensus of EU states on the 'desirable' level of privacy protection, not a minimum level. The preamble makes clear, however, that the Directive is considered to exceed the standard of protection required by the Council of Europe Data Protection Convention.Scope of the Directive
The level of protection is essentially the same in both the public and private sectors, with no formal distinction made between the rules applying in the two sectors.
The Directive applies 'to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which forms part of a filing system or is intended to form part of a filing system' (art 3.1), a 'filing system' being any structured set of personal data (art 2(c)). The working group's most important decision was that structured manual data will remain in the Directive, despite opposition from the UK, Denmark and Ireland.
Processing in the course of activities falling outside Community law is exempted (art 3.2), including 'processing operations concerning public security, defence, State security (including the economic well-being of the State) and the activities of the State in areas of criminal law'. Processing by a natural person in the course 'of a purely personal or household activity' is exempted (art 3.2). Member states are also required to provide exemptions for 'processing carried out solely for journalistic purposes', and where necessary to reconcile freedom of 'artistic or literary expression' with privacy (art 9).
The 'general rules' set out in Chapter II are framed in terms of 'processing' personal data, but are in general terms similar to the information privacy principles found in the OECD Guidelines and the Council of Europe Convention. A rough comparison of the articles in Chapter II with the titles of the OECD's eight principles is as follows: collection limitation principles (art 10, art 11, parts of art 7); data quality principles (art 6); purpose specification principle (art 6); use limitation principle (art 16); security safeguards principle (art 17); openness principle (art 21); individual participation principle (art 12, art 14); and accountability principle (definition of 'controller'). Other articles cover matters not always found in previous sets of principles, such as purpose justification (art 7), 'sensitive' data (art 8), automated decision-making (art 15), and notification (arts 18, 19, 20).
The content of these principles is summarised or paraphrased below, emphasising those elements which are unusual.Data quality requirements
The principle of data quality (art 6) requires that personal data must be (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and used in a way compatible with those purposes; (c) adequate, relevant and not excessive in relation to those purposes; (d) accurate and, where necessary, kept up to date; and (e) not kept in identified form for longer than is necessary for those purposes.Legitimate processing
'Processing of personal data' (including collecting, recording, using and communicating it - art 2(b)) is only lawful if it comes within one of the following conditions (art 7):
These six very general conditions apply to both public and private sector processing of personal data. Their generality will obviously allow for a variety of specific implementations in national laws.Use and disclosure - the 'finality' principle
The principle of 'finality' is that use and disclosure of personal information are limited to the original purposes of collection. The Directive retains a general requirement that data must be used in a way compatible with the purpose of collection (art 6(1)(b)), but lays out the above-listed six general grounds for processing (which includes use and disclosure) in art 7, which act in part as justifications for exceptions to the principle of finality.Other rights of data subjects
The other rights of the data subject may be summarised as follows (subject to exceptions not listed here):
Appropriate security safeguards must be adopted by controllers, and controllers must have significant responsibilities in relation to anyone who processes personal data for them (art 17).Notification
Automated processing operations carried out by private and public sector bodies must be notified in advance to the national supervising authority (arts 18-19). This need not be a licensing system, and exemption from or simplification of notification is allowed for processing which is unlikely to adversely affect people's rights and freedoms, or where the organisation concerned has appointed an independent data protection official (art 18(2)). The notified data is to be used so that a register can be kept by the supervisory authority, and may be inspected by any person (art 21).
National laws are to specify 'processing operations likely to present specific risks', so that 'prior checking' of such systems by the supervisory authority can occur (art 20). The authority must be notified of such proposed operations by the controller or the data protection official (art 20(2)).
Public registers are exempt from the notification requirements (art 21(3)), implying that they are generally subject to the principles.Special categories
The processing of personal data 'revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership' and health or sex life is generally prohibited (art 8(1)), subject to numerous exceptions (art 8(2)-(4)). Data concerning offences or 'security measures' can only be kept under official authority (art 8(5)). Derogations must be notified to the Commission.
One or more public authorities must be responsible for monitoring the application of the Directive ('supervisory authority') (art 28). The supervisory authorities must 'act with complete independence', and must have investigative powers, 'effective powers of intervention' in processing, and powers to take court action where national legislation implementing the Directive is infringed (art 28(3)). They must be consulted concerning legislation affecting privacy (art 28(2)). They must be able to hear complaints concerning breaches of information privacy (art 24(4)), but nothing is specified concerning the remedies available from a supervisory authority.Individual rights of enforcement
An individual must have rights to seek a judicial remedy for any breach of the national law (art 22). There must also be a right to recover compensatory damages (art 23), but it appears that this can be provided as either a judicial or administrative remedy. Dissuasive penalties for breach are also required (art 24).
The Directive therefore requires both a data protection authority with appropriate powers to supervise the information privacy principles, and individual rights of enforcement independent of those authorities. The enforcement mechanisms it requires are therefore quite strong.Codes of conduct
Codes of conduct are to be encouraged, and national laws are to make provision for trade associations and other bodies to submit them to the national supervising authorities for opinion as to whether they comply with the national laws (art 27). EU-wide draft codes are to be submitted to the EU working party (see below) for opinion concerning compliance with the various national laws (art 27(3)). Such codes cannot in themselves satisfy the requirements of the Directive: art 27(1) states that they are to 'contribute to the proper implementation of the national provisions', and art 27(2) states that they are to be measured against such provisions. However, it would seem possible that a legally enforceable code of conduct which implements fully the national legislative provisions could supplant those provisions, as can occur under the New Zealand Privacy Act 1993.Reach of national laws
Member states are required to apply the national provisions they adopt to processing of personal data in two principal situations (art 4): (i) where it is 'carried out in the context of the activities of an establishment of the controller on the territory of a member state'; and (ii) the controller is not established on the territory of an EU member state, but makes use of equipment situated in a member state for purposes of processing (except mere transit). Berthold characterises this as a 'control test' supplemented by a 'processing test'.
Under the control test, a company which carries out activities in an EU member state (even if it is not based there), but which processes personal data relating to those activities in a non-EU state, will find that its activities are subject to the privacy laws of the EU state.
Under the processing test, a company based in a non-EU state which merely uses processing facilities in an EU member state will still find itself bound by the EU state's privacy law. Not surprisingly, Europe cannot be used as a 'data haven' to avoid the reach of privacy laws.Time limits for national implementation
Member states are required to change their laws to comply with the Directive within three years of it coming its adoption (art 32(1)). A further three years may be allowed in national laws for 'processing already underway' to be brought into conformity (art 32(2)). Some rights need not be applied to data held in manual filing systems for 12 years after the national law comes into force, a provision to appease the UK.
The 'EU-level' supervision of the Directive is distributed between three bodies: the Commission of the EU; a Committee of representatives of EU member states (and in some circumstances, the EU Council itself); and an advisory working party of the national data protection authorities. In the 1995 Directive, significant power has shifted from the Commission to the Committee, with the role of the working party remaining unchanged. The role of these various bodies in making decisions concerning the adequacy of protection in third countries is discussed in more detail later.EU Commission's role
The Commission is to report to the Council and the Parliament at regular intervals on the implementation of the Directive, with any proposals for amendment. It is also required to examine the application of the Directive to sound and image processing (art 33). The Commission is also required to advise the working party of what action it has taken concerning its opinions and recommendations (art 30(5)), and to negotiate with non-EU countries concerning 'adequate protection' (art 25(5)).
The Commission proposed it should have a rule-making power to adopt such 'technical measures' as are necessary to apply the Directive, including drawing up sectoral applications of the Directive (1992 draft, art 33), but the 1995 Directive does not provide for any delegated legislation.Committee of member states, and the EU Council
Chapter VII ('Community implementing measures') provides for a Committee comprised of representatives of each, member state and chaired by a non-voting Commission representative (art 31(1)). The Committee acts by majority, but the votes of each representative are weighted according art 148(2) of the Treaty Establishing the European Community (art 31(2)).
The EU Commission's main role in the Directive is to submit to this Committee a draft of the 'community implementing measures' it considers should be taken (art 31(1)). If the Committee approves the proposed measures, the Commission must then adopt them. If the Committee disapproves, or fails to approve them within the time limit set by the chairman, then the proposed measures are to be referred to the Council of Ministers of the EU (which is to vote by qualified majority) (art 31(2)).
The types of 'implementing measures' which will be dealt with by this process include decisions on adequacy of third country laws (art 25(4)), and proposed authorisations of data transfers (art 26(3), (4)).Working party of supervising authorities
There is to be a Working Party on the Protection of Individuals with regard to the Processing of Personal Data composed of representatives of national data protection authorities (one for each EU state), a representative of EU institutions, and a representative of the Commission (art 29). It will take decisions by simple majority.
The working party's functions include examining issues of uniformity in EU national laws, giving opinions on the level of protection in the EU and in third countries, advising the Commission on any proposed additional measures, and giving opinions on codes of conduct drawn up at community level (art 29(1)). It can also, on its own initiative, make recommendations on all matters concerning processing of personal data in the EU (art 29(3)). The Commission is required to produce an annual report on the responses it has made to the working party's opinions and recommendations (art 29(5)), and the working party is to publish an annual report concerning the processing of personal data in Europe and in third countries (art 29(6)).
The Parliament recommended the working party's expansion into, in effect, a supra-national data protection agency, comprising representatives of business and civil liberties groups as well as national authorities, and with a right to be heard on a wide range of issues and to take various independent initiatives, but this approach has not been adopted.
This article will be continued in the next issue.
 International Chamber of Commerce 'Statement on the Protection of Personal Data' 4 October 1991, reprinted in Transnational Data and Communications Report (TDR), January-February 1992, pp 37-41.
 Com (90) 0314 - C3-0323/Syn 287; OJ No. C277, 5 January 1990, p 3.
 Approved 11 March 1992; for the original draft integrated with the Parliament's recommendations, see Dumortier (Ed), Recent Developments in Data Privacy Law: Belgium's Data Protection Bill and the European Draft Directive, Leuven University Press, 1992 (copy circulated with Privacy Laws and Business No 20).
 European Commission Amended Proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (92/C 311/04) Com (92) 422 Final - Syn 287, submitted by the Commission 16 October 1992; full text in Computer Law and Security Report Special Supplement - European Information Technology Law, 1994.
 George Papapavlou, Principal Administrator, Commission of the European Communities 'The Commission of the European Communities' Proposals on Personal Data (Privacy) Protection', in Privacy Regulation: International Developments, Australian Implications (Proc. Privacy International Conference), Continuing Legal Education Department, University of New South Wales, Faculty of Law, 1992.
 For examples of the deliberations, see article by Lotte Jorgensen (Working Group Chair during the Danish Presidency), Privacy Laws & Business, December 1993.
 European Union (The Council) Common Position (EC)/95 Adopted by the Council with a view to adopting Directive 94 EC of the European Parliament and the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.
 Benyekhlef, 'International standards for the protection of personal data and the information highway', Proceedings of Justice on the Electronic Highway (Conference), Ottawa, January 1995, Federal Department of Justice, Canada.
 Convention of 28 January 1981 for the Protection of Individuals with Regard to the Automatic Processing of Personal Data.
 This was a principal change in the 1992 draft, and had been a major recommendation by the European Parliament; see Hoon, rapporteur to the Legal Affairs and Citizens' Rights Committee, speech to the European Parliament, 10 February 1992.
 The definition adds 'which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis'.
 The 1990 draft exempted 'non-profit making bodies' (art 3(2))â and the Parliament recommended more extensive exemptions relating to such bodies and to the press.
 The original draft's reference to 'or in the context of a quasi-contractual relationship of trust' has been deleted, and the Parliament's recommended addition of 'is inherent in the nature of the relationship between the controller of the data and the data subject' has not been followed.
 Explanatory Memorandum to the 1992 draft, p 5; the 1990 draft contained a specific exemption where data comes from generally accessible public sources and is used only for 'correspondence purposes', and the Parliament had recommended that this be extended to cover 'marketing or credit reference purposes', but the 1992 clause (f) replaced both approaches.
 In the original draft, personal data could only be used for the purpose for which it was collected (art 16), and could only be communicated to third parties for purposes 'compatible' with that purpose (art 8.2). The Parliament recommended replacement of the general notion of 'compatibility' by eight situations of permitted 'communication' of data, ranging from the very specific ('for direct marketing or similar purposes') to the very general ('necessary to safeguard the legitimate interests of a third party or the general public').
 See at least arts 8(2)-(7), 9, 11(2), 13, 15(2), 18(4).
 The 1990 draft said 'market research or advertising purposes'; the Parliament recommended 'direct marketing'; and the 1992 draft said 'marketing by mail'.
 National laws can provide either for objection after the data subject has been informed that the data is to be used for direct marketing, or merely at the data subject's request.
 The 1990 draft was limited to decisions 'involving an assessment of conduct', and referred to 'personality or profile'. The Parliament recommended that this only apply to assessments of 'character', that there should be an exception where there is consent, but that there would be a right to be informed of and to challenge any such automated processing. The 1992 draft referred to processing defining a personality profile.
 Benyekhlef op cit, quoting Mei 'The EC proposed data protection law' Law and Policy in International Business, 1993, p 311.
 Berthold 'Hong Kong's data privacy proposals' (1994) 1 PLPR 188.