The European Commission on Friday issued its first assessment of the 1995 Data Protection Directive, arguing that data protection legislation has achieved many of its aims, but admitting it still faces steep opposition from businesses and non-EU governments.
The directive also faces a major obstacle from EU member states themselves, the Commission said, which have been late in implementing their own legislation, have allowed discrepancies to creep into the Europe-wide data protection framework, or, in the case of France, still have not introduced appropriate legislation.
Despite shortcomings in the directive's implementation, it has made broad progress toward allowing businesses to operate Europe-wide, argued Internal Market Commissioner Frits Bolkestein. "Without free movement of data across borders, Europe's economy cannot work properly," he said in a statement. "I am pleased that most businesses seem to appreciate that the directive has made it easier to move data around and that maintaining the free movement of data depends on their meeting their data protection obligations."
The Commission noted that businesses were still concerned to make the rules work in a more business-friendly way, although this was an improvement from an earlier attitude of "outright hostility" on the part of businesses.
The legislation was introduced in 1995 in order to make it possible for companies to more easily transfer personal data -- whether on their customers, their own employees or other individuals -- from one country to another. Each member state was to introduce its own legislation embodying the requirements of the directive, so that data protection laws would be equivalent across the region. In the UK, it was codified in the Data Protection Act 1998.
Data protection has become an increasingly contentious issue since 1995, partly because of the increasing amounts of personal data flowing over the Web. Recent pressure to combat terrorism has also led governments to propose legislation that would give law enforcement agencies broader access to personal data.
However, one of the biggest obstacles to the initiative's success has been the delay in its implementation by some countries; in fact, the current report was delayed because several EU member states had not yet passed their own updated data protection laws. France, Germany, Ireland, Luxembourg and the Netherlands were taken to the European Court of Justice over the matter in 1999, and France remains a holdout, sticking to its 1978 law, the Commission said.
Another problem has been differences in the way member states have implemented data protection. The report proposes a programme to reduce these differences, which will include a review in 2005 of whether amendments are needed.
The Commission based its report on a consultation during 2002 that included a survey with 10,000 responses and an international conference. Position papers were also gathered from businesses and governments.
The US government used its position paper to praise the US-EU Safe Harbour framework, which allows transfer of personal data to businesses in non-EU countries, as long as they have agreed to abide by "adequate" protection measures. More than 225 US organisations have signed up to the agreement, according to Michelle O'Neill, Deputy Assistant Secretary for Information Technology Industries with the US government.
However, the US warned against any attempt to impose further conditions on Safe Harbour companies. The nation also warned the EU "to refrain from concentrating their enforcement activities exclusively on large multinational corporations", saying that this "would call into question the consistency with which the Directive is applied and enforced".