® InfoJur.ccj.ufsc.br

The EC Data Protection Directive 1995: An Analysis

Freddy Kosten and Dr. Chris Pounder

Data Protection News
Hoskyns Group plc

Copyright © 1996 Freddy Kosten and Chris Pounder.
First Published in Web Journal of Current Legal Issues in association with Blackstone Press Ltd.





This paper explores and analyses the provisions of the EC Data Protection Directive 1995. To assist readers, it is our practice to capitalise terms, relating to natural or legal persons, which are defined in the Directive.


Chapter 1: General Provisions

This Chapter contains Articles 1-4 of the EC Data Protection Directive 1995 (95/46/EC) (the Directive). They are preliminary provisions which describe why the Directive is important, identify what kinds of personal data are covered by its provisions, define the scope of the Directive and specify which national law is to apply.

Article 1 explains the purpose of the Directive: to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data". Such protection 'shall neither restrict nor prohibit the free flow of personal data between Member States'.

Article 2 introduces definitions which differ from those in the Data Protection Act 1984 (the UK Act). For instance:

(a) 'personal data' comprise "any information relating to an identified or identifiable natural person ('Data Subject')". Personal data are, therefore, not limited to information which is processed automatically, nor to information about a 'living individual', nor do they exclude the intentions of the Data User with respect to the Data Subject (the UK Act imposes all three of these restrictions).

 (b) 'processing of personal data' describes "any operation or set of operations which is performed upon personal data, whether or not by automatic means". Use of the word 'any' clearly emphasises that every conceivable operation on personal data is'processing' (eg from collection, use, and disclosure, to storage and destruction). Thus, non-automated processing such as the manual manipulation of personal information stored on a micro-fiche would be an 'operation'.

 (c) a 'Controller' is the "natural or legal person" who "determines the purposes and means of the processing of personal data" (whether "alone or jointly with others"). This definition is close to that of 'Data User' in the UK Act.

 (d) a 'Processor' is the "natural or legal person" who "processes personal data on behalf of the Controller". Since the definition of processing encompasses 'any operation', a 'Processor' includes any person who is instructed by the Controller to manipulate personal data (eg a contractor who destroys printout, organises mailings, or collects completed application forms). In practice, this definition will generally not impact on staff acting on behalf of their employer who is also a Controller.

 (e) a 'Third Party' is "any natural or legal person...other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorised to process the data". This elucidates the status of 'Third Party' implicit in the UK Act.

 (f) a 'Recipient' is one "to whom data are disclosed, whether a Third Party or not". Data Subjects can thus be Recipients of personal data. The definition permits "authorities which may receive data in the framework of a particular enquiry" not to be regarded as 'Recipients', a qualification which can be seen as introducing the equivalent of some of the non-disclosure exemptions of the UK Act (eg disclosures required by law; Section 34(5)(a)).

 (g) 'Data Subject's consent' is "any freely given specific and informed indication of his wishes by which the Data Subject signifies his agreement to personal data relating to him being processed". The Directive does not demand express consent in writing, or the keeping of formal consent records; the indication could be a verbal "yes" or even a 'nod and a wink' although, in some circumstances, the absence of proof that consent had been given could create problems

 (h) 'personal data filing system' comprises "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis". If personal data can be retrieved through use of an index, or accessed via criteria such as name, reference or policy number, address, vehicle registration mark etc, then these data can be considered as stored in a 'filing system'.

Article 3 limits the scope of the Directive to personal data that are processed wholly or partly by automatic means, and to personal data processed by non-automatic means if these data are, or are intended to be, part of a 'filing system' (eg organised, or intended to be organised, in a structured manual file). In addition, Article 3 stipulates that Member States shall not apply this Directive to the processing of personal data outwith Community competence (eg to policing or to 'purely personal' matters). These exceptions prepare the ground for continuation of the wide exemptions found in Sections 27 (national security) and 33(1) (domestic and recreational affairs) of the UK Act.

 Article 4 establishes that each Member State shall apply the Directive:

(a) to any Controller "established on the territory of the Member State".

 (b) to Controllers who are "established on the territory of several Member States". For instance, if a UK company had offices in Paris and Berlin, then the French and German offices would have to comply with the standards of French and German law.

 (c) to circumstances under which a specific national law applies because of the application of international public law. For instance, the UK Embassy based in any country is in international law UK territory; any Controller established at this location would be subject to UK data protection law.

 (d) to processing carried out, in a Member State, on behalf of a Controller who is not established in the European Union. For instance, a USA company which processes personal data in the UK would need to appoint someone who can be 'nobbled' by the UK's Data Protection Authority. However, if the processing takes place "only for purposes of transit (of the data) through the territory of the Community" then there is no need to appoint a representative.

Chapter II: General Rules on the Lawfulness of the Processing of Personal Data

This, the longest Chapter of the Directive, contains Articles 5-21. These are the main operative provisions. They list the main obligations placed on Controllers and specify the rights of Data Subjects. All these provisions, together, define what constitutes lawful processing.

Article 5: Lawfulness

This Article permits Member States to "determine more precisely the conditions under which the processing of personal data is lawful", as long as this is "within the limits...of this Chapter". The Article can be seen, therefore, as promoting subsidiarity; it provides Member States with the flexibility to implement Articles 6-21 whilst taking into account national, legal and cultural traditions.

Article 6: A Principled Approach

This Article introduces a duty on Member States to ensure that Controllers comply with five "principles relating to data quality"; some aspects differ significantly from the first six Data Protection Principles of the UK Act. For instance, personal data must be:
(a) "processed fairly and lawfully". Since processing, by definition, includes collection (ie obtaining), this obligation incorporates the First Data Protection Principle of the UK Act. Articles 10 and 11 provide more detail as to the information which has to be provided to Data Subjects and to Third Parties, when information is collected about the Data Subjects.

 (b) "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". This Principle prohibits any "further processing of personal data if such processing would be incompatible with the purpose(s) of collection. The link to the purpose specified at collection is important; new purposes determined after collection are likely to be in breach of the Principle unless necessary steps are taken by the Controller (eg to seek the consent of the source(s) for the new purpose). This approach is often referred to as the 'Finality Principle'.

 (c) "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or for which they are further processed". Note that the Directive again links the Controller's purpose(s) at the time of collection and at the time of further processing. The preamble to the Directive states that the latter purpose(s) "shall not be incompatible with the purposes...originally specified".

 (d) "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified". The word 'reasonable' provides some flexibility with respect to the obligations imposed by this principle; however, Article 12 does imply that a disclosure log will be necessary.

 (e) "kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed". This extends the UK's Sixth Principle by differentiating between the purpose(s) associated with collection and the purpose(s) of further processing. Longer periods can apply if personal data are processed for "historical, statistical or scientific" purposes and if a Member State imposes "appropriate safeguards".

Article 7: When Can You Process?

This Article sets out the only circumstances under which personal data can be processed lawfully (ie at least one such circumstance must apply, otherwise a Controller's processing is unlawful). These circumstances are:
(a) "the Data Subject has given his consent unambiguously". Since there must, by definition, be an 'indication' of consent, implied consent (ie when consent is assumed in the absence of an indication) is unlikely to meet this requirement.

 (b) "processing is necessary for the performance of a contract to which the Data Subject is party" (or in order to complete some pre-contractual stage at the request of the Data Subject).

(c) "processing is necessary for compliance with a legal obligation to which the Controller is subject" (eg statutory duties imposed, by law, on Controllers).

(d) "processing is necessary in order to protect the vital interests of the Data Subject". 'Vital interests' should involve some kind of emergency; the preamble to the Directive cites the protection of "an interest which is essential for the Data Subject's life".

 (e) "processing is necessary...in the public interest". The phrase 'public interest', as the first Calcutt Report (Cm 1102) noted "means different things to different people"; in other words, the phrase has uncertain application in the UK.

 (f) "processing is necessary...in the exercise of official authority vested in the Controller or in a Third Party to whom the data are disclosed". This would cover many Controllers and Third Parties who are public bodies, and others whose responsibilities are established and limited by statute.

 (g) "processing is necessary for the purposes of the legitimate interests pursued by the Controller or by the Third Party or Parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject". The condition sets up a balance between two interests. Thus, if the consequences of the processing are detrimental to a particular Data Subject, and there are no other 'necessary' grounds that would take precedence, then one would expect the Data Subject's interests to override the Controller's interests in the continuation of the processing. One would always expect the Data Subject's interests to prevail if the Controller acted unlawfully (eg did not comply with the provisions of this Directive).

Article 8: Sensitive Personal Data

This Article specifies that the processing of special categories of personal data (ie those described in Section 2(3) of the Data Protection Act, plus "trade-union membership") is prohibited, unless at least one of the conditions outlined below applies. The conditions which permit such processing comprise:
(a) "the Data Subject has given his explicit consent to the processing"; however, Member States can enact legislation to prohibit the processing even if such consent has been obtained.

 (b) "processing is necessary for the purpose of carrying out the obligations and specific rights of the Controller in the field of employment law insofar as it is authorised by national law providing for adequate safeguards". Note that this condition is very narrowly defined.

 (c) "processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent". As mentioned above with respect to Article 7, 'vital interests' is of limited scope.

 (d) "processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a Third Party without the consent of the Data Subjects". The objective is to ensure that organisations like charities (eg in support of certain religious beliefs) are not subject to the need to obtain consent to the processing of sensitive personal data. This exception seems odd since one would expect the 'members' in 'regular contact' to have provided such consent. Cults with 'philosophical' or 'religious' aims which are also suspected of 'brainwashing' their members will presumably have no difficulty in obtaining the necessary consent!

 (e) "processing relates to data which are manifestly made public by the Data Subject" (eg when a person 'comes out', or reveals political loyalties in a letter to a newspaper) or if the processing "is necessary for the establishment, exercise or defence of legal claims" (eg an insurance company which holds medical data because the Data Subject is suing for negligence).

 (f) "processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health- care services, and where those data are processed by a health professional subject...to the obligation of professional secrecy". The UK Government expressed concern that compliance with earlier drafts of Article 8 would entail a cost of £1 billion to obtain the necessary consent, and would thus interfere with the internal NHS market. This wording should lay these worries to rest.

 (g) when processing is sanctioned through legislation. Article 8 provides Member States with considerable flexibility (eg on the grounds of "substantial public interest", whatever this means; see Article 7) to lay down exemptions in addition to those listed above (eg who is allowed to hold criminal records, or use a Universal Personal Identifier or a PIN) ; however, such legislation must provide 'suitable safeguards'. The Commission must be notified of the scope of any legislation which permits an exemption which relates to these special categories of personal data.

Article 9: Freedom of Expression

This Article permits Member States to provide exemptions for the specific purposes of journalism, and to protect artistic or literary expression, but only if such exemptions "are necessary to reconcile the right to privacy with the rules governing freedom of expression". Since in the UK there are no statutory controls on the media (ie no rules governing freedom of expression), it is difficult to see how the provisions of this Article can be implemented in this case.

Article 10: "Collection of Data From the Data Subject"

Article 10 imposes procedures similar to those developed through the 'fair obtaining' obligations of the First Principle of the UK Act. The Article stipulates that Controllers "must provide a Data Subject from whom data relating to himself are collected with at least the following information, except where he already has it:"
(a) "the identity of the Controller and of his representative, if any".

 (b) "the purposes of the processing for which the data are intended"( the use of the word 'intended' implies that the Data Subject must be given advance notice of all the Controller's purposes).

 (c) and "any further information...insofar as such...is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the Data Subject". The Article illustrates the kinds of details which might help "guarantee fair processing"; these include: "the Recipients or categories of Recipients of the data", "whether replies to the questions are obligatory or voluntary", the "possible consequences of failure to reply", and the existence of the Data Subject's rights of access and rectification.

Article 11: Collection of Data About the Data Subject From a Third Party

This Article requires a Controller to provide the Data Subject with certain information whenever personal data about the Data Subject are obtained from somebody else (eg via a report containing a Third Party's opinion of the Data Subject, or when an employee of a Controller contributes to the personal data held about Data Subjects). This information must be provided either "at the time of undertaking the recording of personal data" or "if a disclosure to a Third Party is envisaged, no later than the time when the data are first disclosed". The details to be provided are similar to those set out in relation to Article 10, except that Article 11 states that it might also be necessary to provide the Data Subject with details of "the categories of data concerned" (ie a description of the items of data held by the Controller).

There are several exceptions from the need to provide these details; they apply when:

(a) the Data Subject already has the information.

 (b) an exemption applies (see Article 13).

 (c) "if recording or disclosure is expressly laid down by law". So, for instance, the Electoral Registrars in the UK would not have to inform Data Subjects concerning those who had purchased the register, since this disclosure is authorised by statute.

 (d) if the provision of information proves impossible. This is a tough condition, and is only likely to apply in rare cases (eg the personal data do not include the Data Subject's address).

 (e) if the provision of information involves "a disproportionate effort". There are two ways of interpreting the word 'disproportionate'. Firstly, in relation to the effort involved (eg if the obligation would impose unreasonable demands on the Controller) and secondly, in relation to the Directive's prime objective of protecting the Data Subject (eg if the recording or disclosure involved was unlikely to harm or distress the Data Subject, then provision of this information could be claimed to be disproportionate to that aim).

Article 12: Rights of Access

The Directive grants Data Subjects several rights which Controllers have to satisfy; these rights extend beyond those provided in Part III of the Data Protection Act. The complete list in Article 12 is as follows:
(a) to obtain "confirmation as to whether or not data relating to him are processed", and information concerning (at least) "the purposes of the processing, the categories of data concerned, and the Recipients or categories of Recipients to whom the data are disclosed". These requirements resemble those in the UK Act: via part of the Subject Access provisions (Section 21(1) (a) ) , and the right to inspect any Data User's Register Entry (Section 9).

(b) to obtain "in an intelligible form...the data undergoing processing". Unlike the UK Act, Article 12 further identifies, as one component of the right of Access, the obligation to provide the Data Subject with "any available information" as to the source of the data; this information can only be withheld if an exemption applies (Article 13; see next paragraph). By contrast, the UK Act permits an individual, as source, to remain unidentified (except if the source is a social worker or health professional involved in a professional capacity with the Data Subject).

 (c) to obtain "knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15(1) ". In essence, Member States have to enact legislation so that the broad facts provided to Data Subjects (eg under Article 10) could be augmented, on demand, by details about any automated decision-making process.

 (d) to have personal data rectified, erased or blocked if the processing "does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data". This could be a very powerful weapon: Controllers could find it difficult to refuse Data Subjects who say "you have not complied with Article X. Now delete my data".

 (e) to obtain "notification to Third Parties to whom the data have been disclosed of any rectification, erasure or blocking...unless this proves impossible or involves a disproportionate effort". The Article points, inexorably, towards the implementation of a disclosure log.

Article 13: Exemptions and Restrictions

The Directive provides that Member States can, to 'safeguard' certain aspects, "adopt legislative measures to restrict the scope of the obligations and rights" in relation to: compliance with the Principles (Article 6) ; the provision of information to Data Subjects (Articles 10 and 11) ; the rights of Data Subjects (Article 12) ; and the requirement to publicise the existence of a processing operation (Article 21). Article 13 therefore would, for instance, permit the UK to maintain all the Subject Access and non-disclosure exemptions found in the UK Act. In further detail, exemptions and restrictions may be imposed whenever these are necessary to safeguard:
(a) 'national security' and 'defence' purposes. Note that under Article 3, personal data held for certain purposes (eg national security, public security, policing) are excluded from the scope of the Directive. The exemption is necessary since 'ordinary' Controllers who process personal data for 'normal' purposes might need to disclose such data for these purposes.

 (b) 'public security'. In the UK Act, there is no specific exemption for this aspect, but certain personal data could involve the exemptions under Section 28.

 (c) "the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions". In the UK Act, Section 28 permits exemptions for crime prevention purposes and for breaches of ethics which result in crime.

 (d) "an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters". These interests link to at least three Sections of the UK Act: Section 27 since national security relates to the economic well-being of the UK, Section 28 with respect to the "collection of any tax or duty", and Section 30 with respect to the finance sector. These last provisions will permit the continuation of some of the Subject Access exemptions found in the Orders made under Section 30 of the UK Act, as modified by Section 190 of the Financial Services Act 1986 (eg pertaining to the regulatory functions of the Bank of England).

 (e) "a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority" (mainly in respect of security and criminal matters). This exemption would cover relevant disclosures of personal data to official bodies (eg as with many disclosures subject to the non-disclosure provisions).

 (f) "the protection of the Data Subject". This could maintain the Subject Access exemptions to particular health and social work data, if Access to those data could seriously harm the patient or social work client (Section 29 of the UK Act).

 (g) "the rights and freedoms of others". This could maintain the exemptions associated with legal professional privilege (Section 31(2) of the UK Act) and other restrictions on the right of Access already sanctioned (eg adoption records as in Section 34(2) , or genetic records as in Section 32(8) of the Human Fertilisation and Embryology Act 1990).

 (h) research and statistics. The exemption is limited to Article 12 only, and applies to personal data which "are processed solely for purposes of scientific research" or are kept no longer than "necessary for the sole purpose of creating statistics", but only if such data are "subject to adequate legal safeguards". This would allow the UK to continue with Section 33(6) of the UK Act.

Article 14: The Data Subject's Right to Object

Article 14(a) obliges Member States to grant the Data Subject the right to object "at least in the cases referred to in Article 7(e) and (f) " and "at any time" when there are "compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation". The words:
(a) "at least in the cases referred to in Article 7(e) and (f) " allow Member States to legislate with respect to any 'case' whatsoever (ie even beyond those specified in Article 7). However, the minimum scope of such legislation must relate at least to the last two paragraphs of Article 7 (ie if "processing is necessary...in the public interest or in the exercise of official authority...or...for the purposes of the legitimate interests pursued by the Controller...except where such interests are overridden by the interests...of the Data Subject").

(b) "compelling legitimate grounds relating to his particular situation to the processing of data relating to him" place the right to object onto a case-by-case basis, and ensure that, to succeed, Data Subjects would have to show that the consequences of the processing were likely to be strongly detrimental to them.

 (c) "save where otherwise provided by national legislation" permit Member States to enact legislation which would override the right to object in any appropriate circumstance.

The right in Article 14(b) to object with respect to direct marketing is much clearer; it is strengthened by the requirement that "Member States shall take the necessary measures to ensure that Data Subjects are aware" of this opportunity (eg through appropriate publicity). The options provided are:
(a) for a Data Subject to "object, on request and free of charge, to the processing of (his) personal data...which the Controller anticipates being processed for the purposes of direct marketing", or

(b) if the purposes of the direct marketing involve Third Parties (eg host mailing) , the Controller must inform the Data Subject "before personal data are disclosed for the first time to Third Parties or used on their behalf", and expressly offer "the right to object free of charge to such disclosures or uses".

Article 15: Automated Decisions About Individuals

This Article first establishes the right not to be subject to a decision based on automated processing, and follows this with several exceptions; decisions which do not conform with one of these exceptions may be set aside. The detailed obligation on Member States is to "grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct etc". However, the Article accepts the validity of such a decision (and the negating of the Data Subject's right) when the processing:
(a) does not produce a 'legal effect', nor 'significantly' affect the Data Subject, nor concern any 'personal aspect' of the Data Subject.

 (b) allows for a review of the decision (eg by staff), since the decision would then not be 'solely' the result of an automated process.

 (c) results in a decision which relates to the performance of a contract (or entering into a contract) "provided that the request (for the processing) by the Data Subject has been satisfied or that there are suitable measures to safeguard his legitimate interests". The Article provides one example of a safeguard: "arrangements allowing him to defend his point of view" (ie an appeal against the decision)

(d) "is authorised by a law which also lays down measures to safeguard the Data Subject's legitimate interests".

Article 16: Confidentiality of Processing

This Article stipulates that "any person acting under the authority of the Controller or of the Processor" (eg staff, or a sub-contractor) , "including the Processor himself, who has access to personal data must not process them except on instructions from the Controller, unless he is required to do so by law". Given that processing, by definition, is "any operation performed on personal data" (eg collection, transmission, disclosure and destruction) , then depending on the processing operations, these instructions might need to be quite detailed.

Article 17: Security of Processing

Controllers and Processors will be obliged, by law, to take "appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing"; this, in essence, is a restatement of the Eighth Principle of the UK Act. However, this Article also specifies other security obligations for Controllers. These are:
(a) a requirement to have "regard to the state of the art" with respect to security measures (ie be aware of new security fandangos);

(b) to see that "such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected" (ie carry out some kind of risk analysis) , and to take account of "the cost of their implementation" (ie how cost-effective the new security methods would be);

 (c) to "choose a Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out", and to "ensure compliance with those measures";

 (d) to record the security measures adopted "in writing or in another equivalent form". This "contract or legal act" shall stipulate that "the Processor shall act only on instructions from the Controller" and that the Processor shall meet the security obligations of this Article.

Articles 18-20: Notification

Articles 18-20 outline a number of options, which range from a Controller having to obtain prior approval of the Data Protection Authority to process personal data, to exemption from the duty to notify. These options are:
(a) full notification. Articles 18(1) and 19 establish a regime very similar to the current UK registration framework (ie Data User identification details and, for each Purpose, a description of Data Subject Types, Data Classes, Sources, Disclosures and Overseas Transfers). Article 19 slightly modifies this list: it omits the obligation to register Sources; it expands Disclosures to include "Recipients or categories of Recipient", and adds an obligation to notify "a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken...to ensure security of processing".

 (b) simplification of, or exemption from, notification. Article 18(2) allows Member States to determine that certain personal data, whose processing is "unlikely...to affect adversely the rights and freedoms of Data Subjects", can be exempt from notification or be subject to a simplified notification procedure. UK legislation can thus be expected to continue the exemptions from registration found in the current UK Act (eg payroll and accounts; Section 32) , where each exemption sets out a list of conditions to which Data Users must conform (otherwise the exemption is invalid). Simplification of the registration process, on the basis of the risks which the processing signifies to Data Subjects, is actively being considered by the UK's Data Protection Registrar.

 (c) notification through a designated official. Article 18(2) permits Member States to provide for simplified notification or for exemption from notifying the Data Protection Authority, if national law requires a Controller to appoint "a data protection official" who is responsible "for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive", and "for keeping the register of processing operations carried out by the Controller".

 (d) special exemption from notification. Through Article 18(3) , Member States can exempt from the notification procedures any 'registers' of personal data which, by statute, have to be made public; in this way, the UK Government can broadly maintain the exemption from registration found in Section 34(1) of the UK Act.

 (e) optional notification. Article 18(5) states that "Member States may stipulate that certain or all non-automatic processing operations involving personal data shall be notified, or provide for these processing operations to be subject to simplified notification". Given the current UK Government's opposition to the extension of legal safeguards to structured manual records, it would be surprising if it decided to take advantage of this provision.

 (f) advance notification. Article 20 permits Member States to define certain processing operations as "likely to present specific risks to the rights and freedoms of Data Subjects". If a State takes advantage of this provision, the Data Protection Authority will be obliged to carry out checks prior to permitting a Controller to start processing operations.

Article 21: Publicising of Processing Operation

Member States are obliged to "take measures to ensure that processing operations are publicised", and to ensure that "a register of processing operations" is open to public inspection. Thus, there will be a list in the public domain, equivalent to the Register established by the UK Act, of Controllers and their Purposes, categories of Data Subjects, Data Classes, Recipients or categories of Recipients, and Transfers to third countries. However, there is no obligation for this public register to include the notified "general descriptions" of security arrangements, although States can legislate for this if they so wish. If an exemption or simplified notification applies, then "Controllers or another body appointed by the Member States" must make available, on request, "at least" the information that would have been notified if an exemption or simplification did not apply.

Chapter III: Judicial Remedies. Liability and Sanctions

Articles 22-24 link national data protection legislation to the judicial process; they oblige Member States to:
(a) enable any person to have access to the Courts and "provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law". The UK Act establishes such access through Sections 21, 24 and 25.

 (b) allow "any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions" to seek compensation from the Controller. This extends compensation possibilities considerably when compared with those provided by Section 22 (inaccuracy) and Section 23 (inadequate security) of the UK Act. In effect, any breach of Chapter II, if damage arose as a result, could lead to a claim for compensation.

 (c) "lay down sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive". In the UK Act, these find expression through criminal sanctions (eg in Section 5) , and through the various Supervisory Notices available to the Registrar (eg the power to enforce compliance with the Principles).

Chapter IV: Transfer of Personal Data to Third Countries

Article 25 stipulates, in essence, that transfer of personal data to Third Countries can take place so long as "the third country in question ensures an adequate level of protection".

Article 26 defines derogations from Article 25, and indicates that transfer can occur even though an adequate level of protection cannot be guaranteed, on condition that:

(a) "the Data Subject has given his consent unambiguously to the proposed transfer".

 (b) "the transfer is necessary" as part of "a contract between the Data Subject and the Controller", or for "the implementation of precontractual measures".

 (c) "the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and a Third Party". This is a very flexible condition, and permits the Controller to transfer personal data to any Third Party anywhere in the world (eg for telesales, airline bookings etc).

 (d) "the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims"; as mentioned with respect to Article 7, 'public interest' is a vague term.

 (e) "the transfer is necessary in order to protect the vital interests of the Data Subject" (see Article 7).

 (f) "the transfer is made from a register which according to laws or regulations is intended to provided information to the public". The logic for this provision seems to be as follows: the personal data are in the public domain, and consequently are insecurely held (ie anybody can access the data). Thus, there are no grounds on which to prohibit the transfer of the data to a very 'insecure' third country, irrespective of what use may then be made of those data.

 (g) Controllers are authorised, by Member States, to transfer personal data to countries which offer an inadequate level of protection, if a Controller "adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals" (eg via a contract).

Chapter V: Codes of Conduct

Article 27 allows for Member States and the Commission to "encourage the drawing up of Codes of Conduct intended to contribute to the proper implementation of the national provisions"; draft Codes can then be submitted "to the opinion of the national (data protection) authority" which in turn can seek "the views of Data Subjects or their representatives". Draft Codes can be submitted to the Working Party (a group of Data Protection Commissioners; see Articles 29 and 30) to determine for instance, whether the Codes would comply with national law. In short, these Community Codes will have the same status as Codes of Practice under the current UK Act; whilst a Code is for 'guidance' only, disregard could trigger sanctions by the professional body which produced that Code, and complaints to the Authority that the processing operations had contravened the legitimate expectations of Data Subjects.

Chapter VI: Supervisory Authority

Article 28 concerns Data Protection Authorities. It requires each Member State to "provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions (in) this Directive". Member States with a federal structure can thus have more than one Data Protection Authority (eg one per Land in Germany). From the UK perspective, the Article also establishes a more powerful Authority than the current Office of the Data Protection Registrar, which will be:
(a) endowed with "investigative powers, such as powers of access to data forming the subject-matter of processing operations (covered by this Directive) and powers to collect all the information necessary for the performance of its supervisory duties".

 (b) equipped with "effective powers of intervention, such as (that of) ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the Controller, or that of referring the matter to national parliaments or other political institutions".

 (c) involved in the prior checking of certain sensitive processing operations (see Article 20).

 (d) consulted when Member States are "drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data".

 (e) able "to engage in legal proceedings" when breaches of national legislation occur, subject to appeal through the Courts.

 (f) able to "hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data".

 (g) able to "hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply".

 (h) expected to produce "a report on its activities at regular intervals" (eg as per the UK Registrar's reports to Parliament).

 (i) expected to liaise with other Data Protection Authorities "to the extent necessary for the performance of their duties".

Articles 29-30 establish a Working Party whose members will include one representative of the Data Protection Authority in each Member State (if the State has a federal structure, then a joint representative of all its Authorities has to be found) , as well as one representative each from the Commission and from the Community. The Working Party will have "advisory status and act independently" and will be able to convey, to the Commission, its opinions on various data protection problems (eg on 'Codes of Conduct', divergences between national legislation, data protection problems occurring in third countries, implementation of the Directive by Member States). The Working Party will publish an annual report which will be presented to the European Parliament and the Commission. At first reading this seems a body with little power except to put forward opinions; much will depend on its expertise and the status accorded to it by Member States.

Chapter VII: Community Implementing Measures

Article 31 deals with ‘The Committee’. This Committee is, so to speak, the political powerhouse. It comprises representatives of the Member States, is chaired by the representative of the Commission, and makes its decisions through qualified majority voting (which excludes the chair). If there is a data protection problem, the representative from the Commission submits draft measures to be adopted; the Committee then deliberates and delivers its opinion. If the Committee disagrees with the Commission, then the matter is remitted to the Council of Ministers for resolution (at most within 3 months). In this way, initiatives or opinions arising from Working Party concerns can be reported to the Commission, considered by the Committee, and adopted if agreed; once adopted, the measures "shall apply immediately". Note that the Committee is not obliged to follow the Working Party's advice, neither is it obliged to inform or even seek the views of the Working Party if it wishes to pursue a data protection matter on its own initiative.

Final Provisions

The Directive, although agreed in July 1995, was not formally adopted until October 24th. Articles 32 and 33 dictate that Member States shall enact the required new legislation within three years of the date of adoption and provide some 'breaking in' flexibility which allows States to:
(a) apply a delay of up to three years, from the date the national legislation comes into force, with respect to personal data whose processing is underway at that time. This means there is no delay with respect to personal data whose processing begins after this time (even if the data are processed in a manual filing system).

(b) apply a nine year delay, from the date the national legislation comes into force, to the application of three Articles with respect to personal data already held in manual filing systems. These Articles are: Article 6 (Principles) , Article 7 (Lawfulness of processing) , and Article 8 (special personal data). Note that this extension does not include Article 12 (ie the rights of Data Subjects)

(c) provide, subject to suitable safeguards, that "data kept for the sole purpose of historical research" need never be brought into conformity with Articles 6 - 8. Note that this derogation is limited; it excludes any other form of research, and leaves such data subject to the other Articles in the Directive.

Finale: Data Protection News

The views expressed are those of the authors and are a condensed and revised version of a 22,000 word analysis of the Directive published in Issue No.21 (Spring 1995) of Data Protection News (a quarterly publication). If you wish to obtain further details about Data Protection News, please contact Dr. Chris Pounder, Data Protection News, Hoskyns Group plc, 190 City Road, City House, London EC1V 2QH. Telephone 0171-814-5738. Email: < dp.news@hoskyns.co.uk>


The EC Data Protection Directive 1995 The pages of the Legal Advisory Board of the European Commission which contain, amongst other things, the full text of the Directive albeit an unofficial version.

 The Journal of Information Law and Technology The first issue of this new UK based electronic journal contains a useful special feature on the EC Data Protection Directive. This feature contains articles on the impact of the Directive from the UK, Danish, Dutch, Irish and Swedish perspectives.

 Surfing The Internet - Skating on Thin Ice? An article by Dr Chris Pounder and Freddy Kosten, published by UK Index.

 The UK Data Protection Registrar The home page of the Office of the Registrar which includes a brief outline of the UK Data Protection Act 1984.