Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Bygrave, Lee A --- "The 1995 EC Directive on data protection under official review - feedback so far" [2002] PrivLawPRpr 52; (2002) 9(7) Privacy Law and Policy Reporter 126

The 1995 EC Directive on data protection under official review — feedback so far

Lee A Bygrave

The Commission of the European Communities (EC) is in the process ,of finalising its first official report on how the 1995 EC Directive on data protection (Directive 95/46/EC) is being applied. This review process is mandated under art 33 of the Directive which requires the Commission to report regularly on the Directive’s implementation and, if necessary, to propose amendments. The first report of the Commission is expected to be released around the beginning of 2003 — considerably later than the deadline set by art 33.[1]

To generate feedback for its review, the Commission has been consulting over the past six months with the various parties affected by the Directive. Much of this consultation has been with the national governments and data protection authorities of the Member States of the European Union (EU). At the time of writing (early November 2002), little information has been publicly disclosed about the responses generated by that part of the consultation process. However, some Member States, such as Sweden, have been relatively open in their advocacy of certain regulatory models prior to this latest round of consultation.

Sweden’s misuse model

Over the last few years, Sweden ,has been pushing for pan-European adoption of a so-called ‘misuse model’ for data protection regulation; that is, ,a regulatory approach that seeks to enhance the efficacy of the rules by simplifying and focusing them on preventing misuse of personal data.[2] The chief element of the model involves amending the Directive by exempting from most of its scope ‘automatic processing of personal data in the form of sound and image data and text, where the material has not been structured to enable personal data to be searched for’ (proposed art 3A(1)). At the same time, Member States are to prohibit such processing when it involves ‘the distribution of personal data that harms the data subject’ unless the distributor of the data ‘is obliged to express an opinion’ or the distribution is otherwise in the ‘public interest’ (proposed art 3A(2)).

Sweden has advanced several other proposals for more minor amendments to the Directive. For instance, it would like to allow derogation from the general principles for data processing stipulated in art 6(b)-(e) — though not art 6(a) on fair and lawful processing — when the data subject consents to the derogation.[3] This would mean, for example, that a data subject could consent to personal data being processed for a purpose that is incompatible with the original purpose for the processing.

The extent to which Sweden has the support of other national governments in its advocacy of these reforms is difficult to determine precisely. Noteworthy, though, is that Sweden ,just a couple of months ago issued jointly with Austria, Finland and the United Kingdom a set of proposals ,for amending the Directive which are less radical than its misuse model as originally conceived.[4] The joint proposals deal with the provisions on sensitive data (art 8), controllers’ duties to provide information to data subjects (arts 10 and 11), data subjects’ access rights (art 12), controllers’ notification duties with respect to data protection authorities (arts 18 and 19) and transborder data flows (arts 25 and 26). In general, the proposals merely involve simplifying, clarifying and tightening somewhat the ambit of these provisions without any substantial reductions in data protection levels.

Consultation with ,other parties

As part of its review, the Commission has also attempted to give parties other than governments and data protection authorities an opportunity to communicate their opinions about the Directive. To this end, the Commission has issued online questionnaires, requested ‘position papers’ and arranged a major conference. In the following, I present the main lines of feedback generated by these initiatives.

Online questionnaires

In late June 2002, the Commission put up on its website two questionnaires about the Directive and other data protection issues, with a response deadline of 15 September. One questionnaire was directed at EU based data subjects, the other at EU based data controllers. Any persons/organisations falling within these categories of potential respondents were able to send in their answers online. While this sort of survey cannot accurately gauge the views of the broad community, its results are interesting — not least because of the disproportionately high number of German responses![5] The basic message that can be read out ,of the survey results is that most respondents, whether data subjects or data controllers, appear to accept the need for the current regulatory regime established by the Directive, though they also see room for improvement.

Data controllers’ responses

The questionnaire for data controllers attracted 982 responses.[6] The great majority of respondents (679) found present data protection rules to be ‘necessary requirements in a market where there is traditionally a high level of protection for consumers and a strong concern for their fundamental rights’. Approximately 40 per cent of respondents defined the level of protection offered by the Directive as ‘good’; just under 30 per cent defined the protection level as ‘minimum’; ,while approximately 20 per cent ,defined it as ‘high’.

Some 60 per cent of respondents appeared to have experienced little difficulty in servicing data access requests from individuals. A slightly higher proportion reported that they had not received complaints from data subjects during 2001. At the same time, approximately the same number of respondents viewed the level of citizens’ awareness about data protection as poor.

Also noteworthy are the controller responses as to what amounts to personal data under the Directive. ,Some 35 per cent of respondents thought that data would not be personal if identification of a person from the data would be possible but only with ‘a disproportionate effort’. A slightly lower proportion of respondents thought that data would not be personal if identification of a person ,‘is no longer possible with the data available to you but only with the co-operation of third parties completely outside your organisation’.

In terms of controller concerns, most respondents sought greater flexibility in the regulation of data transfers from the EU to third countries. Most wanted further guidance on how to strike the appropriate balance between the right to privacy and the right to freedom of expression. Almost half of them felt ,that companies and data protection authorities have not yet properly exploited the possibilities offered by,art 27 of the Directive for the use of codes of conduct. And just over half were of the opinion that national data protection authorities devote insufficient resources to advising companies.

Data subjects’ responses

The questionnaire for data subjects attracted 9156 responses.[7] Just over ,40 per cent of respondents thought that their country of residence provides a ‘minimum’ level of data protection; about 30 per cent thought it provides a ‘good’ level of protection; just 10 per cent thought it provides a ‘high’ level.

Like the controller respondents, the bulk of data subject respondents perceived citizens’ level of data protection awareness as poor. At the same time, only about a quarter of the respondents reported ever exercising their own data access rights — a surprisingly small proportion given that the respondents as a whole could be seen as relatively active in their concern for privacy/data protection.[8]

In terms of internet practices, it ,is not surprising to find most of the respondents (6304) reporting that they do not buy or use online services out ,of fear that data about them will be misused. Approximately 35 per cent of the respondents thought that the best way of safeguarding privacy on the internet would be use of internet browsers that prevent collection of personal data without user consent. ,A slightly smaller group viewed as an alternative ‘best option’ in this context the enactment of legislation dealing specifically with privacy on the internet, while about 15 per cent favoured the use of website privacy seals. With regard to email advertising, the great majority of respondents (5312) preferred this to be subject to an ,‘opt-in’ system of consent.

Position papers

In addition to the online questionnaires, the Commission invited more detailed written commentary in the form of ‘position papers’ from interested parties both within and outside the EU. The deadline for submitting such papers was 31 August. Just over 60 papers have been received, the vast majority of them coming from business groups.[9]

Recurring concerns in these papers include the following:

• the lack of harmonisation of EU Member States’ respective data protection regimes;
• the poor transparency of the process by which the Article 29 Working Party arrives at its determinations — some papers call for greater public consultation before such determinations are made;
• the potentially extensive ambit of the notion of ‘personal data’ — some papers argue that this should be cut back so that it does not extend to information relating to individual persons in their work/professional capacity;
• the ambiguity of many of the terms and rules in the Directive — central examples cited are the notion of ‘consent’ as employed in arts 2(h), 7(a) and 26(a), the provisions on applicable law in art 4, and the derogations in art 26 from the adequacy criterion in art 25;
• the extra-territorial application of European data protection law(s) pursuant to art 4(1)(c);
• the notification requirements in ,arts 10, 11 and 18 — many papers argue that these requirements should be scaled back considerably, if not abolished altogether;
• the regulation of transfer of personal data to third countries pursuant to arts 25 and 26 — most papers view the present rules as unnecessarily complex, rigid and/or ambiguous and also point to significant divergences ,in how the rules are applied at the Member State level, while some papers call for clarification of whether principles 1-6 in the Safe Harbor agreement can be regarded as a universally applicable minimum for what is adequate protection; and
• the role and status of codes of conduct — questions here include whether such codes may constitute adequate safeguards pursuant to art 26(2), whether technical protocols may qualify as codes, and whether ,a code that has been approved by ,a data protection agency in one Member State may be relied upon ,as acceptable in other European jurisdictions. Many papers call for implementation of a system allowing for mutual recognition of codes.

None of the above listed concerns is especially surprising in light of the pro-business agenda of most of the papers. What is perhaps most surprising, though, is that the rule on automated profiling stipulated in art 15 hardly receives a mention, let alone criticism. This is despite the fact that it is a new addition to most European data protection regimes and, at the same time, extremely difficult to construe.[10] The scarcity of feedback about it could well indicate that it is still of marginal practical significance.

Conference

As the final major element of the Commission’s consultation strategy, a conference on implementation of the Directive was held in Brussels on ,30 September and 1 October 2002. Commission officials, business leaders, consumer associations, academics and data protection authorities from both the EU and third countries were present in relatively large numbers. Indeed, the conference was noteworthy for its sizeable attendance figures; the number of participants, particularly from the US, was considerably higher than it was, for instance, at the conference of privacy/data protection commissioners held a month earlier in Cardiff. One got the sense that the Brussels conference ‘mattered’ in practical, regulatory and hence business terms to a much greater extent than did the Cardiff event.

Besides its high attendance figures, the conference was relatively successful on several scores. First, it managed to prevent the time set aside for discussion from being eaten up by prepared speeches. Secondly, it managed to give considerable ‘airplay’ to privacy advocates and academics — both categories were well represented in the panels of invited speakers.[11] Thirdly, while much of the conference discussion focused on the concerns set out in the position papers and the online questionnaires, other issues were covered as well.

One such issue — and one of large importance — concerns development and use of privacy enhancing technologies (PETs). The workshop devoted to this issue was one of the most popular of the conference. From the discussion of the issue there seemed to emerge fairly broad agreement that PET development faces considerable difficulties on many fronts and therefore needs greater encouragement, possibly through minor amendments to the text of the Directive.[12]

Summing up, although it is obviously too early to predict with great certainty the contents of the Commission’s coming report, my gut feeling is that the Commission is highly unlikely to call for any major revision of the Directive at this stage. This feeling is partly ,based on the feedback so far from the consultation process, partly on ‘off ,the cuff’ commentary by Commission officials at the conference and partly on the undeniable fact that it is still too early to gauge accurately the practical effects of the Directive. France and Ireland have still not fully implemented the Directive; Luxembourg and Germany have done so only very recently.

Nevertheless, it is conceivable that the Commission will propose amending the Directive so that Member States are given considerably less leeway to adopt protection levels above those required by the Directive; that is, rendering the Directive less of a so-called ‘minimum’ Directive and more of a ‘maximum’ Directive. The Commission, though, ,is highly unlikely to go so far as to recommend replacing the Directive ,by a Regulation, particularly given the traditional strength of the subsidiarity principle in EU governance of these sorts of matters.

At the same time, the Commission will probably recommend fine-tuning of the Directive in order to bring greater clarity to its provisions. The most likely candidates for clarification are the rules on applicable law and transborder data flows. Other deserving candidates here are undoubtedly the notions of ‘consent’ and ‘personal data’. It would not be surprising were the Commission also ,to propose more direct regulation of several data processing practices which are clearly significant for privacy interests but poorly captured by the current Directive. Such practices include the use of video surveillance, biometrics and blacklists. Finally, it is conceivable — and to be hoped — that the Commission will advocate stronger legislative support for PETs.

Dr Lee Bygrave is Research Fellow at the Norwegian Research Centre for Computers and Law, and a member ,of the PLPR Editorial Board.

[1] Article 33 requires the first report to have been issued not later than three years after the date by which EU Member States are to have implemented the Directive, that date being 25 October 1998 (see art 32(1)). Hence, the first report should have been issued by ,25 October 2001.

[2] See, for example, Sweden, Ministry of Justice, ‘Simplified protection for personal data applying misuse model’ Memorandum of 30.11.2000 (Ju2000/4977/L6).

[3] As above.

[4] The proposals are available at <justitie.regeringen.se/inenglish/_issues/dataprotection/dataprotection.pdf>.

[5] Respondents registering Germany as their place of residence accounted for approximately 40 per cent of the total number of respondents for each questionnaire. This response rate bolsters my longheld impression that, relative to many other nationalities, Germans generally appear to take privacy/data protection very seriously.

[6] An overview of the results from this questionnaire is available at <europa.eu.int/comm/internal_market/en/dataprot/lawreport/docs/consultation-controllers_en.pdf>.

[7] An overview of the results from this questionnaire is available at <europa.eu.int/comm/internal_market/en/dataprot/lawreport/docs/consultation-citizens_en.pdf>. The vast majority of these respondents (7461) identified themselves as male.

[8] This modest exercise of access rights adds weight to other evidence indicating that these rights tend to ,be little used. For examples of such evidence, see Bygrave LA Data Protection Law: Approaching Its Rationale, Logic and Limits Kluwer Law International The Hague 2002, ,p 280 (n 995) and references cited therein.

[9] The papers can be accessed at <europa.eu.int/comm/internal_market/en/dataprot/lawreport/papers_en.htm>.

[10] See further Bygrave, above note 8, pp 319-328; Bygrave, ‘Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling’ (2000) 7(4) PLPR, pp 67-76.

[11] Indeed, in the workshop for which I was a panelist (workshop 2: ‘Developments in the Information Society: Internet and Privacy-Enhancing Technologies’), an executive from Microsoft Corp took the floor and angrily asked why the Commission ,had not appointed to the panel any representatives from the software industry or other business sectors(!). He was given, however, ample opportunity at the workshop to ,correct any of the panelists’ ,purported misrepresentations.

[12] Compare my paper for the conference (‘Privacy enhancing technologies — caught between a ,rock and a hard place’), reproduced ,in this issue of PLPR on p 135.