Privacy Law and Policy Reporter
EC data protection Directive survives first official review
Lee A Bygrave UNIVERSITY OF OSLO
The Commission of the European Community (the Commission) has recently issued its first official report on the implementation of the 1995 EC Directive (95/46/EC) on data protection (the Directive). The report was issued in mid-May, some 18 months after the deadline set by art 33 of the Directive. The Commission attributes the delay to the tardiness of some European Union (EU) Member States in transposing the Directive into national law, though it would be fair to add that the delay is also due to the complexity and enormity of the review process, coupled with under-resourcing of the Commission’s data protection unit.
Fortunately, the report has been worth the wait. It is well written, concise and balanced. More importantly, it sets out a relatively concrete action plan for improving implementation of the Directive over the coming year and a half.
The report — which in hard copy is a slim document of a little less than 30 pages — is accompanied by a much lengthier ‘technical annex’ setting out in detail all of the findings of the review process. In the following, I intend only to give an overview of the main findings.
One of the main conclusions in the report is that it would be premature for the Commission to recommend amendments to the Directive. Thus, the Commission refrains from endorsing the amendment proposals put forward by Sweden and several other countries. The Commission’s stance is primarily grounded in the short experience to date in implementing the Directive, particularly given the failure of many Member States to meet the October 1998 implementation deadline. It is also a stance supported by the majority of Member States and national supervisory authorities. Additionally, the Commission believes that many of the difficulties identified during the review process may be mitigated through improving the way in which the Directive is implemented rather than through changing the Directive itself.
At the same time, the Commission notes the possibility that new sectoral legislation may soon be prepared which builds on the principles of the Directive. The sectors concerned relate to consumer credit and workplace privacy.
Transborder data flow within EU
Despite the considerable delays in its implementation, the Directive is judged as having achieved its core objective of facilitating the free flow of personal data throughout the EU: ‘Since the adoption of the Directive, no case has been drawn to the attention of the Commission in which the transfer of personal data between Member States has been blocked or refused on data protection grounds’. Nevertheless, the Commission notes the possibility of indirect blockages to transborder data flow being occasioned, for example, by different approaches to the protection of data on corporate entities.
High protection level
The Commission finds that the Directive has succeeded in creating a ‘high level’ of data protection in the EU (compare preamble to Directive, recital 10); ‘indeed’, the Commission observes, ‘the Directive itself sets out some of the highest standards of data protection in the world’. At the same time, the report notes the ‘paradox’ that many citizens appear not to share these perceptions. The paradox, the Commission suggests, may be partly attributable to shortcomings in the application of data protection rules. For while the Directive is found to have fulfilled some of its objectives, the Commission finds that other of its objectives are being ‘less well served’.
The considerable differences that (still) exist between national data protection regimes in the EU are identified as the main shortcoming. While the Commission recognises that the Directive aims only at an ‘approximation’ as opposed to complete uniformity of national laws, it forcefully states that ‘stakeholders are right to demand more convergence in legislation and in the way it is applied by the Member States and the national supervisory authorities in particular’.
The report notes that many of the points of divergence do not in themselves constitute violations of European Community (EC) law nor impact significantly on the internal market but nevertheless ‘stand in the way of a flexible and simplified regulatory system and are still therefore of concern’.
The Commission signals a strong intent to iron out unjustified divergence using a variety of methods, including ‘appropriate amendment’ of the Directive further down the track ‘if difficulties persist’.
Enforcement, compliance and awareness
The report notes as another general shortcoming the apparently low levels of enforcement, compliance and awareness with respect to data protection rules. National data protection authorities are found, in general, to be under-resourced, leading in turn to under-resourcing of enforcement efforts. Concomitantly, compliance by data controllers is found to be ‘very patchy’, while data subjects appear to have ‘low’ awareness of their data protection rights.
A further shortcoming identified in the report is that Member States generally have yet to fully implement the Directive. The Commission notes that full implementation is a two stage process: stage one being the enactment of implementing legislation; stage two being the harmonisation of that legislation with other legislation, plus the establishment of ‘appropriate safeguards’ that are required when making use of certain derogations permitted by the Directive (see, for example, art 8(2)(b)). ‘In general terms,’ the report states, ‘this second stage of the implementation has not even started in some Member States and among those that have started, some are not very far advanced’.
Difficulties in interpreting and applying certain provisions
The report lists a range of provisions in the Directive which Member States and businesses have problems in construing and applying. These provisions include arts 4, 6, 7, 10, 11, 18, 19, and — most importantly for ‘third countries’ — arts 25 and 26 (see further below). The Commission acknowledges that some of these provisions present genuine difficulties in practice. It points to the ‘use of equipment’ criterion in art 4(1)(c) as one such example. It admits that the criterion needs ‘further clarification’. The Commission adds that should such clarification fail ‘to ensure practical application’ of the criterion, ‘it might in due course be necessary to propose an amendment creating a different connection factor in order to determine the applicable law’.
This notwithstanding, the Commission finds that many of the provisions identified in the review process as practically problematic may be sensibly implemented through a ‘reasonable and flexible interpretation’ that also makes use of the ‘margin of manoeuvre’ accorded by the Directive. Examples cited here include arts 8 (sensitive data), 12 (access right) and 18–19 (notification).
Data flow to third countries — articles 25 and 26
Member States’ implementation of arts 25 and 26 is found to be very broadly divergent and, in many cases, inconsistent with the Directive. The Commission states that the practice of some States of giving data controllers the primary role in assessing adequacy of protection fails to conform with the requirement placed on Member States by art 25(1). Also at odds with the Directive, in the Commission’s opinion, is the practice of some other States subjecting to administrative authorisation all flow of personal data to third countries: ‘Chapter IV of the Directive ... aims at guaranteeing both adequate protection and flows of personal data to third countries without unnecessary burdens’.
The Commission recognises the seemingly large gap between law and practice in this area. As evidence of the gap, it points to the ‘derisory’ number of times when Member States have notified the Commission of authorised data transfers pursuant to art 26(2):
Combined with other evidence pointing in the same direction, this suggests that many unauthorised and possibly illegal transfers are being made to destinations or recipients not guaranteeing adequate protection. Yet there is little or no sign of enforcement actions by the supervisory authorities.
As the Commission observes, this situation is damaging for the credibility of the Directive and EC law generally. The Commission recommends as one ameliorating strategy the increased use of ‘block authorisations’ pursuant to arts 25(6) and 26(4), but admits that generally, ‘[m]ore work is needed on the simplification of the conditions for international transfers’.
Action plan (2003–04)
The report rounds off by setting out a work program for fostering a ‘better’ implementation of the Directive over the coming year and a half. Predictably, increased co-operation between the Commission, the Member States and the national supervisory authorities constitutes a core element of the program. The art 29 working party is particularly encouraged to take a leading role in bringing about greater uniformity in the application of the Directive. At the same time, the Commission draws attention to the ‘importance of transparency in this process’.
Also figuring prominently in the program is an intention to cut back on red tape where this is not required by the Directive. The burdensome notification requirements that many Member States have established pursuant to arts 10, 11 and 18 are singled out for special attention in this regard, as are some of the requirements established pursuant to arts 25 and 26. In terms of the latter, the Commission
expects to see progress in four areas:
(a) a more extensive use of findings of adequate protection in respect of third countries under Article 25(6) ...
(b) further decisions on the basis of Article 26(4) so that economic operators have a wider choice of standard contractual clauses, to the extent possible based on clauses submitted by business representatives ...
(c) the role of binding (intra) corporate rules ... in providing adequate safeguards for intra-group transfers of personal data;
(d) the more uniform interpretation of Article 26(1) of the Directive ... and the national provisions implementing it.
In keeping with its concern about red tape, the Commission also plans to encourage greater use of self-regulatory measures, particularly sectoral codes of conduct that may apply across Europe.
Noteworthy too is the Commission’s intention to promote the development and use of privacy enhancing technologies (PETs). To this end, the Commission hosted early in July a technical workshop in which various strategies for PET promotion were discussed. Based on that discussion, the Commission aims to issue ‘further proposals for the promotion of privacy enhancing technologies at European level. These proposals will pay special attention to the need to encourage governments and public sector institutions to set a good example by using PETs in their own processing operations, for instance in e-government applications.’
All in all, the Commission’s work program appears not only sensible but refreshingly concrete, innovative and proactive. It is also ambitious — perhaps overly so. Given the relatively meagre resources of the Commission’s data protection unit, considerable doubt lingers over its ability to realise all elements of the program within the envisaged timeframe.
Lee A Bygrave, Associate Professor, Faculty of Law, University of Oslo.
1. EC Commission First report on the implementation of the Data Protection Directive (95/46/EC) COM(2003) 265 final, Brussels, 15.5.2003, also available via <http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm>.
2. Article 33 requires the Commission to report regularly on the Directive’s implementation and, if necessary, to propose amendments, with the first report to be issued not later than three years after the date by which EU Member States are to have implemented the Directive — that date being 25 October 1998 (see art 32(1)).
3. The principal laggards have been France, Ireland and Luxembourg. Further on implementation status, see <http://europa.eu.int/comm/internal_market/privacy/law/implementation_en.htm>.
4. For an overview of the review process, see Bygrave ‘The 1995 EC Directive on data protection under official review — feedback so far’ (2002) 9(7) PLPR 126. The main background studies forming the direct basis for the report are available via <http://europa.eu.int/comm/internal_market/privacy/studies_en.htm>.
5. The proposals are briefly outlined in Bygrave at above note 4 at 126–127.
6. See the results of the survey of data subject attitudes as described in Bygrave, above note 4 at 127.
7. These divergences are documented in detail in a background study for the Commission: see D Korff, ‘Comparative summary of national laws’ September 2002, available via <http://europa.eu.int/comm/internal_market/privacy/docs/lawreport/consultation/univessex-comparativestudy_en.pdf>.
8. It is welcome to see that the Commission distinguishes PETs from technologies that are merely ‘privacy compliant’ or ‘privacy friendly’.