Privacy Law and Policy Reporter
The Directive on the protection of personal data has been formally adopted by the Council of Ministers. 'I am pleased that this important measure, which will ensure a high level of protection for the privacy of individuals in all member states, has been adopted with a very wide measure of agreement within the Council and European Parliament' commented Single Market Commissioner Mario Monti. 'The Directive will also help to ensure the free flow of information society services in the Single Market by fostering consumer confidence and minimising differences between member states' rules. Moreover, the text agreed includes special provisions for journalists, which reconcile the right to privacy with freedom of expression,' he added. 'The member states must transpose the Directive within three years, but I sincerely hope that they will take the necessary measures without waiting for the deadline to expire so as to encourage the investment required for the information society to become a reality.'
The Directive will establish a clear and stable regulatory framework necessary to guarantee free movement of personal data, while leaving individual EU countries room for manoeuvre in the way the Directive is implemented. Free movement of data is particularly important for all services that have a large customer base and depend on processing personal data, such as distance selling and financial services. In practice, banks and insurance companies process large quantities of personal data inter alia on such highly sensitive issues as credit ratings and credit-worthiness. If each member state had its own set of rules on data protection, for example on how data subjects could verify the information held on them, cross-border provision of services, notably over the information superhighways, would be virtually impossible and this extremely valuable new market opportunity would be lost.
The Directive aims to narrow divergences between national data protection laws to the extent necessary to remove obstacles to the free movement of personal data within the EU. As a result, any person whose data is processed in the Community will be afforded an equivalent level of protection of his or her rights, in particular the right to privacy, irrespective of the member state where the processing is carried out.
Until now, differences between national data protection laws have resulted in obstacles to transfers of personal data between member states, even when these states have ratified the 1981 Council of Europe Convention on personal data protection. This has been a particular problem, for example, for multinational companies wishing to transfer data concerning their employees between their operations in different member states.
Such obstacles to data transfers could seriously impede the future growth of Information Society services. As the Bangemann Group report to the Corfu European Council remarked: 'Without the legal security of a Union-wide approach, lack of consumer confidence will certainly undermine the rapid development of the information society.' As a result, the Corfu European Council called for the rapid adoption of the data protection Directive.
To prevent abuses of personal data and ensure that data subjects are informed of the existence of processing operations, the Directive lays down common rules, to be observed by those who collect, hold or transmit personal data as part of their economic or administrative activities or in the course of the activities of their association. In particular, there is an obligation to collect data only for specified, explicit and legitimate purposes, and to hold it only if it is relevant, accurate and up-to-date.
The Directive also establishes the principle of fairness, so that collection of data should be as transparent as possible, giving individuals the option of whether they provide the information or not. Moreover, individuals will be entitled to be informed at least about the identity of the organisation intending to process data about them and the main purposes of such processing. That said, the Directive applies different rules according to whether information can be easily provided in the normal course of business activities or whether the data has been collected by third parties. In the latter case, there is an exemption where the obligation to provide information is impossible or involves disproportionate effort.
The Directive requires all data processing to have a proper legal basis. The six legal grounds defined in the Directive are consent, contract, legal obligation, vital interest of the data subject or the balance between the legitimate interests of the people controlling the data and the people on whom data is held (that is, data subjects). This balance gives member states room for manoeuvre in their implementation and application of the Directive.
Under the Directive, data subjects are granted a number of important rights including the right of access to that data, the right to know where the data originated (if such information is available), the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use their data in certain circumstances (for example, individuals will have the right to opt out, free of charge, from being sent direct marketing material, without providing any specific reason).
In the case of sensitive data, such as an individual's ethnic or racial origin, political or religious beliefs, trade union membership or data concerning health or sexual life, the Directive establishes that it can only be processed with the explicit consent of the individual, except in specific cases such as where there is an important public interest (for example, for medical or scientific research), where alternative safeguards have to be established.
As the flexibility of the Directive means that some differences between national data protection regimes may persist, the Directive lays down the principle that the law of the member state where a data processor is established applies in cases where data is transferred between member states.
The Directive also establishes arrangements for monitoring by independent data supervisory authorities, where necessary acting in tandem with each other.
In the specific case of personal data used exclusively for journalistic, artistic or literary purposes, the Directive requires member states to ensure appropriate exemptions and derogations exist which strike a balance between guaranteeing freedom of expression while protecting the individual's right to privacy.
For cases where data is transferred to non-EU countries, the Directive includes provisions to prevent the EU rules from being circumvented. The basic rule is that the non-EU country receiving the data should ensure an adequate level of protection, although a practical system of exemptions and special conditions also applies. The advantage for non-EU countries who can provide adequate protection is that the free flow of data from all 15 EU states will henceforth be assured, whereas up to now each state has decided on such questions separately.
For their part, the Council and the Commission have made it clear that they consider that the European Union institutions and bodies should be subject to the same protection principles as those laid down in the Directive.