® InfoJur.ccj.ufsc.br


by Jonathan Rosenoer



On July 25, 1995, the European Union announced adoption of a Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. The Directive seeks to prevent abuses of personal data and lays down comprehensive rules, including an obligation to collect data only for specified, explicit and legitimate purposes, as well as to only hold data if it is relevant, accurate and up-to-date. The Directive requires all data processing to have a proper legal basis and, as noted in the European Commission's announcement of the adoption of the Directive, grants data subjects "a number of important rights including the right of access to that data, the right to know where the data originated (if such information is available), the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use their data in certain circumstances." Although an English version of the Directive will not be published until later this year, its outline was stated in a Common Position published in February 1995 (http://privacy.org/pi/). As written in that version, it is clear that a number of substantial loopholes exist. Success of the Directive will depend upon the commitment of the European Union and its Member States to uphold individual privacy against the pressures of commerce, politics, and security concerns.


In its preamble, the Directive states that free movement of goods, person, services, and capital requires not only the free flow of personal data from one Member State to another, but also that "fundamental rights of individuals should be recognized." Different levels of protection for individual rights and freedoms (particularly the right of privacy) are seen as "an obstacle to the pursuit of a number of economic activities at [European] Community level, distort[ing] competition and imped[ing] authorities in the discharge of their responsibilities under Community law." An objective of the Directive, therefore, is a system acceptable to all members, so they no longer have grounds for inhibiting the flow of personal data among them on the ground of protecting individual rights and freedoms.

Importantly, the Directive excludes exclusively personal or domestic matters, such as correspondence and holding address records. There are also significant carve-outs for video surveillance carried out for purposes of "public security, defense, State security (including the economic well-being of the State) and the activities of the State in areas of criminal law," as well as for the processing of sound and image data for journalistic, artistic or literary purposes.


The Directive, in its operative provisions, expressly states that the right to privacy is a fundamental right and freedom of natural persons. The Directive covers not only processing of personal data by automatic means, but also other forms of processing personal data which form part of a filing system or are intended to do so. Personal data, itself, is defined as data relating to a natural person, or a person who can be identified, by an identification number, or by reference to specific factors such as physical, physiological, mental, economic, cultural or social identity.

Subject to various exceptions, personal data may only be processed if: the data subject has given unambiguous consent (meaning a "freely given and informed indication" of a person's "wishes" signifying "his agreement to personal data about him being processed"); necessary to the performance of a contract to which the data subject is a party or at his request on entering into a contract; to protect his vital interests; in compliance with a legal obligation of the person responsible for the processing; or necessary for performance of a task carried out in the public interest. A data subject may object to processing of data related to him "on compelling and legitimate grounds relating to his particular situation."


Member States are required, generally, to ensure personal data is:

1. "[P]rocessed fairly and lawfully"; 2. "[C]ollected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes"; 3. "[A]dequate, relevant and not excessive in relation to the purposes for which they are collected," or further processed; 4. "[A]ccurate and, where necessary, kept up to date"; 5. "[K]ept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected," or further processed.

Member States are also required to prohibit processing of data "revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life." But States may establish exceptions for reasons of important public interest, if suitable safeguards are implemented. Other exceptions include cases where the data subject's explicit consent is obtained, as well as in the field of employment law.

The Directive seeks to guarantee fair processing of data. States must notify persons from whom personal data are collected of the following:

1. The identity of the person or company that determines the purposes and means of processing the personal data;

2. "[T]he purposes of the processing for which the data are intended";

3. Other information , including the recipients of the data, whether replies to questions are obligatory, the possible consequence of failure to reply, and "the existence of the right of access to and the right to rectify the data concerning him."

Similar rights exist where the data has not been obtained from the data subject. But the protections may not apply where the provision of information "proves impossible, involves a disproportionate effort," or if recording or disclosure is required by law. Again, adequate safeguards are required.

In addition to notice, a right of access is established. At reasonable intervals and without excessive delay or expense, a data subject has the right to receive confirmation of whether data related to him are being processed and the purpose therefor. He may also learn the categories of data involved, as well as the recipients of the data. Regarding the data, he may receive the data and information about the source and logic involved in the data processing. In addition, a data subject may obtain rectification, erasure or blocking of incorrect or incomplete data. Unless impossible or involving a disproportionate effort, third parties to whom the incorrect or incomplete data has been disclosed are to be notified of this.

Significantly, broad exemptions and restriction may be established relating to data quality, notice requirements, and rights of access. Member States can adopt legislation to restrict their rights and obligations in order to safeguard: national security, defense, and public security; the prevention, investigation and prosecution of criminal offenses or breaches of professional ethics; "an important economic or financial interest of a Member State or of the Economic Union"; and, the data subject or the rights and freedoms of others. Rights of access may also be restricted in the case of data processed for scientific research or creation of statistics.


The data subject's subject's right to object to processing of personal data is not limited to "compelling legitimate grounds." There is also a right to object to data processing for direct marketing purposes. The data subject is given notice of disclosure of data to third parties for the first time, along with the right, on request and free of charge, to object to data processing for direct marketing purposes.

A data subject is granted, generally, the right not to be subjected to decisions producing a legal effect, or significantly affecting him, solely based on "automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc." Broad exceptions exist, however, allowing such decisions if pursuant to a contract, if "there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to defend his point of view; or ... [if] authorized by a law which also lays down measures to safeguard the data subject's legitimate interests."


Regarding data processing, itself, Member States are required to "implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss and against unauthorized alteration, disclosure or access, in particular where the processing involves the transmission of data over a network, against all other unlawful forms of processing." Security measures are to be commensurate with the risks represented and the data to be protected. In addition, Member States are to be notified of data processing operations. But a State may opt out of this notification by allowing appointment of independent data protection officials, responsible for compliance with the Directive and maintaining a register of processing operations.


Under the Directive, personal data may be transferred to third countries "only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of [the] Directive, the third country in question ensures an adequate level of protection." Adequacy of protection will be assessed in light of all the circumstances. Member States and the European Commission are to notify each other of cases where a third country does not ensure an adequate level of protection. But transfers to countries that do not ensure adequate levels of protection may occur, if, among other things, "the data subject has given his consent unambiguously to the proposed transfer."


Violation of the Directive's provisions, as enacted by Member States, may lead to a judicial remedy for breach of rights. Compensation for damage suffered may be recovered. Member States are also required to provide for independent, public authorities responsible for monitoring implementation of the Directive. Such authorities shall be able to investigate, intervene, engage in legal proceedings or to bring violations to the attention of judicial authorities, and to hear claims.

CyberLaw (tm) is published solely as an educational service. The author, a California attorney, is Executive Editor of LEXIS COUNSEL CONNECT CALIFORNIA. He may be contacted at cyberlaw.us@counsel.com or cyberlaw@cyberlaw.com. Questions and comments may be posted on America Online (go to keyword "CYBERLAW") or CyberLaw World Wide (http://www.portal.com/~cyberlaw/), made possible with support from Portal Communications Co. (ph. 408/973-9111). CyberLaw is a trademark of Jonathan Rosenoer. Copyright © 1995 Jonathan Rosenoer; All Rights Reserved.