- Directive 95/46/EC on the protection of personal data
The full title of this
European Union directiveis Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The directive was implemented in 1995 by the European Commission.
The right to
privacyis a highly developed area of law in Europe.All the member states of the European Union(EU) are also signatories of the European Convention on Human Rights(ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence," subject to certain restrictions. The European Court of Human Rightshas given this article a very broad interpretation in its jurisprudence. In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Datawas negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.
In order to understand the Directive, it is necessary to understand how and why EU and US perspectives on data protection and privacy are different. The United States prefers what is called a 'sectoral' approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation, rather than overarching governmental regulations. [See William J. Clinton & Albert Gore, Jr., A Framework for Global Electronic Commerce, July 1, 1997, available at http://www.technology.gov/digeconomy/framewrk.htm); See also Robert R. Schriver, You Cheated, You Lied: the Safe Harbor Agreement and Its Enforcement By the Federal Trade Commission, 70 Fordham L. Rev. 2777, 2779 (2002)] Former U.S. President
Bill Clintonand former Vice President Al Goreexplicitly recommended in their “Framework for Global Electronic Commerce” that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology. [Clinton & Gore, supra] To date, the US has no single, overarching privacy law comparable to the EU Directive. [See Julia M. Fromholz, The European Union Data Privacy Directive, 15 Berkeley Tech. L.J. 471, 472 (2000); Dean William Harvey & Amy White, The Impact of Computer Security Regulation on American Companies, 8 Tex. Wesleyan L. Rev. 505 (2002); Kamaal Zaidi, Harmonizing U.S.-EU Online Privacy Law: Toward a U.S. Comprehensive Regime For the Protection of Personal Data, 12 Mich.St. J. Int’l L. 169 (2003).] Privacy legislation in the United States tends to be adopted on an “as needed” basis, with legislation arising when certain sectors and circumstances require (e.g., the Video Protection Actof 1988, the Cable Television Consumer Protection and Competition Actof 1992, and the Fair Credit Reporting Act). Therefore, while certain sectors may already satisfy the EU Directive, at least in part, most do not. [Fromholz, supra]
The reasoning behind this approach probably has as much to do with American
laissez-faire economicsas with different social perspectives. The First Amendment of the United States Constitutionguarantees the right to free speech. [U.S. Const. amend. I] While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court. [See, for example, Roe v. Wade, 410 U.S. 113 (1973)] Nowhere in the US Constitution does the word 'privacy' appear. Europeans, however, have an entirely different attitude.
Europeans are acutely familiar with the dangers associated with uncontrolled use of personal information from their experiences under
World War II-era fascist governments and post-War Communistregimes, and are highly suspicious and fearful of unchecked use of personal information. [See Ryan Moshell, …And Then There was one: The Outlook for a Self-Regulatory United States Amidst a Global Trend Toward Comprehensive Data Protection, 37 Tex. Tech. L. Rev. 357, 358; See also The History of Place, Kristallnacht, available at http://www.historyplace.com/worldwar2/timeline/knacht-bio.htm & Jason Kotzker, The Great Cookie Caper: Internet Privacy and Target Marketing at Home and Abroad, 15 St. Thomas L. Rev. 727, 748 (2003)] World War II and the post-War period was a time in Europe that disclosure of race or ethnicity led to secret denunciations and seizures that sent friends and neighbors to work camps and concentration camps. [ Id.] Europe has experienced atrocities directly related to privacy and the release of personal information inconceivable to most Americans. In the age of computers, Europeans’ guardedness of secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuses in the years following World War II. [See Marsha Cope Huie, Stephen F. Laribee & Stephen D. Hogan, The Right to Privacy and Person Data: The EU Prods the U.S. and Controversy Continues, 9 Tulsa J. Comp. & Int'l L. 391, 441 (2002)] Germanyand France, in particular, set forth comprehensive data protection laws. [Id. at footnote 4.]
In 1980, in an effort to create a comprehensive data protection system throughout Europe, the
Organization for Economic Cooperation and Development(OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data.” [See The Organization for Economic Co-Operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html (last modified Jan. 5, 1999)] The seven principles governing the OECD’s recommendations for protection of personal data were:
# Notice—data subjects should be given notice when their data is being collected;
# Purpose—data should only be used for the purpose stated and not for any other purposes;
# Consent—data should not be disclosed without the data subject’s consent;
# Security—collected data should be kept secure from any potential abuses;
# Disclosure—data subjects should be informed as to who is collecting their data;
# Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
# Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles. [Anna Shimanek, Note, Do you Want Milk with those Cookies?: Complying with Safe Harbor Privacy Principles, 26 Iowa J. Corp. L. 455, 462-463 (2001)] The
OECDGuidelines, however, were nonbinding, and data privacy laws still varied widely across Europe. The US, meanwhile, while endorsing the OECD’s recommendations, did nothing to implement them within the United States. [ Id. at 463 ] However, all seven principles were incorporated into the EU Directive. [Id.]
European Commissionrealised that diverging data protection legislation in the EU member states would impede the free flow of data within the EU zone. Therefor the European Commission decided to harmonize data protection regulation and proposed the Directive on the protection of personal data.
The directive regulates the processing of personal
data, regardless if the processing is automated or not.
Personal data are defined as "any information relating to an identified or identifiable
natural person("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a)
This definition is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.
The notion "processing" means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b)
The responsibility for compliance rests on the shoulders of the "controller", meaning the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; (art. 2 d)
The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU citizens would process some personal data and would be using equipment in the EU to process the data (i.e. the customer's computer). As a consequence, the website operator would have to comply with the European data protection rules. The directive was written before the breakthrough of the Internet, and to date there is little
jurisprudenceon this subject.
Personal data should not be processed at all, except when certain conditions are met.These conditions fall into three categories: transparency, legitimate purpose and proportionality.
The data subject has the right to be informed when his personal data are being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)
Data may be processed only under the following circumstances (art. 7):
* when the data subject has given his consent
* when the processing is necessary for the performance of or the entering into a
* when processing is necessary for compliance with a legal obligation
* when processing is necessary in order to protect the vital interests of the data subject
* processing is necessary for the performance of a task carried out in the
public interestor in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
* processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject
The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn't being processed in compliance with the data protection rules. (art. 12)
Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b)
Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6)
When sensitive personal data (can be: religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply. (art. 8)
The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)
A decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15) A form of appeal should be provided when automatic decision making processes are used.
upervisory authority and the public register of processing operations
Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. (art. 28) Individuals may lodge complaints about violations to the supervisory authority or in a court of law.
The controller must notify the supervisory authority before he starts to process data. The notification contains at least the following information (art. 19):
* the name and address of the controller and of his representative, if any;
* the purpose or purposes of the processing;
* a description of the category or categories of data subject and of the data or categories of data relating to them;
* the recipients or categories of recipient to whom the data might be disclosed;
* proposed transfers of data to third countries;
* a general description of the measures taken to ensure security of processing.This information is kept in a public register.
Transfer of personal data to third countries
"Third countries" is the term used in EU legislation to designate countries outside the
European Union.Personal data may only be transferred to third countries if that country provides an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.
European Commissionhas set up the "Working party on the Protection of Individuals with regard to the Processing of Personal Data," commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.
The Working Party negotiated with U.S. representatives about the protection of personal data, the
Safe Harbor Principleswere the result. According to critics the Safe Harbor Principles do not provide for an adequate level of protection, because it contains less obligations for the controller and allows the contractual waiver of certain rights.
In July 2007, a new, controversial ,
Passenger Name Recordagreement between the US and the EU was undersigned. [See [http://www.libertysecurity.org/article1591.html] .]
In February 2008,
Jonathan Faull, the head of the EU's Commission of Home Affairs, complained about the US bilateral policy concerning PNR [http://euobserver.com/9/25657 Brussels attacks new US security demands] , European Observer. See also [http://www.statewatch.org/news/ Statewatch newsletter] February 2008] . The US had signed in February 2008 a [http://www.statewatch.org/news/2008/mar/us-czech-mou-visas-etc.pdf memorandum of understanding] (MOU) with the Czech Republicin exchange of a VISA waiver scheme, without concerting before with Brussels [http://www.rue89.com/2008/03/04/a-divided-europe-wants-to-protect-its-personal-data-wanted-by-the-us A divided Europe wants to protect its personal data wanted by the US] , " Rue 89", 4 March 2008 en icon] . The tensions between Washington and Brussels are mainly caused by a lesser level of data protectionin the US, especially since foreigners do not benefit from the US Privacy Act of 1974. Other countries approached for bilateral MOU included the United Kingdom, Estonia, Germany and Greece [ Statewatch, March 2008 ] .
Implementation by the member states
EU directives are addressed to the member states, and aren't legally binding for citizens in principle. The member states must transpose the directive into internal law.Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states have enacted their own data protection legislation.
Health Insurance Portability and Accountability Act(USA)
Information technology audit
Auditing information security
International Safe Harbor Privacy Principles
* [http://ec.europa.eu/justice_home/fsj/privacy/ EU data protection page] . The European Commission provides elaborate information on its website. The following subjects are covered:
**Transposition and implementation of Directive 95/46/EC
**European Data Protection Supervisor
**National Data Protection Commissioners
**Art. 29 Data protection Working Party
**Adequacy of protection in third countries and model contracts for the transfer of personal data to third countries
* [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council] (Safe harbor principle)
* [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002] (Directive on privacy and electronic communications)
Wikimedia Foundation. 2010.