Importantly, the Directive excludes exclusively personal or domestic matters, such as correspondence and holding address records. There are also significant carve-outs for video surveillance carried out for purposes of "public security, defense, State security (including the economic well-being of the State) and the activities of the State in areas of criminal law," as well as for the processing of sound and image data for journalistic, artistic or literary purposes.
Subject to various exceptions, personal data may only be processed if: the data subject has given unambiguous consent (meaning a "freely given and informed indication" of a person's "wishes" signifying "his agreement to personal data about him being processed"); necessary to the performance of a contract to which the data subject is a party or at his request on entering into a contract; to protect his vital interests; in compliance with a legal obligation of the person responsible for the processing; or necessary for performance of a task carried out in the public interest. A data subject may object to processing of data related to him "on compelling and legitimate grounds relating to his particular situation."
1. "[P]rocessed fairly and lawfully"; 2. "[C]ollected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes"; 3. "[A]dequate, relevant and not excessive in relation to the purposes for which they are collected," or further processed; 4. "[A]ccurate and, where necessary, kept up to date"; 5. "[K]ept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected," or further processed.
Member States are also required to prohibit processing of data "revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life." But States may establish exceptions for reasons of important public interest, if suitable safeguards are implemented. Other exceptions include cases where the data subject's explicit consent is obtained, as well as in the field of employment law.
The Directive seeks to guarantee fair processing of data. States must notify persons from whom personal data are collected of the following:
1. The identity of the person or company that determines the purposes and means of processing the personal data;
2. "[T]he purposes of the processing for which the data are intended";
3. Other information , including the recipients of the data, whether replies to questions are obligatory, the possible consequence of failure to reply, and "the existence of the right of access to and the right to rectify the data concerning him."
Similar rights exist where the data has not been obtained from the data subject. But the protections may not apply where the provision of information "proves impossible, involves a disproportionate effort," or if recording or disclosure is required by law. Again, adequate safeguards are required.
In addition to notice, a right of access is established. At reasonable intervals and without excessive delay or expense, a data subject has the right to receive confirmation of whether data related to him are being processed and the purpose therefor. He may also learn the categories of data involved, as well as the recipients of the data. Regarding the data, he may receive the data and information about the source and logic involved in the data processing. In addition, a data subject may obtain rectification, erasure or blocking of incorrect or incomplete data. Unless impossible or involving a disproportionate effort, third parties to whom the incorrect or incomplete data has been disclosed are to be notified of this.
Significantly, broad exemptions and restriction may be established relating to data quality, notice requirements, and rights of access. Member States can adopt legislation to restrict their rights and obligations in order to safeguard: national security, defense, and public security; the prevention, investigation and prosecution of criminal offenses or breaches of professional ethics; "an important economic or financial interest of a Member State or of the Economic Union"; and, the data subject or the rights and freedoms of others. Rights of access may also be restricted in the case of data processed for scientific research or creation of statistics.
A data subject is granted, generally, the right not to be subjected to decisions producing a legal effect, or significantly affecting him, solely based on "automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc." Broad exceptions exist, however, allowing such decisions if pursuant to a contract, if "there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to defend his point of view; or ... [if] authorized by a law which also lays down measures to safeguard the data subject's legitimate interests."
CyberLaw (tm) is published solely as an educational service. The author,
a California attorney, is Executive Editor of LEXIS COUNSEL CONNECT CALIFORNIA.
He may be contacted at firstname.lastname@example.org or email@example.com.
Questions and comments may be posted on America Online (go to keyword "CYBERLAW")
or CyberLaw World Wide (http://www.portal.com/~cyberlaw/), made possible
with support from Portal Communications Co. (ph. 408/973-9111). CyberLaw
is a trademark of Jonathan Rosenoer. Copyright © 1995 Jonathan Rosenoer;
All Rights Reserved.