The European Commission has now published its first report on the implementation of the general Data Protection Directive. The commission concluded that while the directive is achieving many of its aims, there are some problems being caused for businesses as a result of differing rules being adopted by member states in their national implementing legislation. As part of the report, the commission has set out a work programme for this year and next, highlighting key areas it would like to see harmonised or simplified at a national level.
While there will be no amendment to the directive at present, changes are in the pipeline with a full review of the directive now scheduled to take place in 2005.
Internal Market Commissioner Frits Bolkestein said the directive had helped to achieve both strong protection for an individual's privacy and the free movement of data across borders within Europe, which had helped to grow the information services economy. But he criticised those countries which had been slow to fully implement the directive, namely Ireland, Luxembourg, France and Germany.
The commission called for national authorities to toughen up enforcement regimes and to back enforcement with greater resources in order to ensure better compliance.
The report follows an analysis by the commission of how the directive is working across Europe and a public consultation on the law in practice. Almost 10,000 responses were made to the commission's public consultation, with many businesses commenting that the wide variations between member states' implementation and enforcement of the directive were holding back market developments and not helping to promote data subject confidence.
The report suggests that the commission has taken on board that message -- it will now stage one-to-one talks with UK government representatives and the Office of the Information Commissioner, as part of its work programme outlined in the report, to set out areas where it would like to see general improvements or alterations to bring the whole of Europe into line. This will be part of a series of such discussions with all member states and with the accession countries joining the European Union.
While the commission wants data subjects and controllers to have greater awareness of their rights and obligations, it also favours making the compliance regime more business-friendly.
Key topics
The key topics for discussion between the commission and member states are:
Definitions: Examining the notion of both the 'consent' to be given by data subjects for processing of their personal data and the concept of 'legitimate processing' of personal data by a data controller, as these terms have been defined differently by different member states (Article 7);
Information to be provided to data subjects: Harmonising between member states the different obligations as to the information which must be provided to a data subject when data are collected -- at present the commission says these are too burdensome for businesses because a patchwork of overlapping and varying obligations has emerged in different member states which is confusing for controllers and does not add protection for data subjects (Articles 10 and 11);
Notification: Simplification of the notification requirements for data controllers and approximation of these rules between member states (Articles 18 and 19);
Notification exemptions: Consideration of increased use of exemptions from notification for data controllers, such as where a data controller appoints a data protection officer (Article 18(2));
International transfers: Improving the ease with which data can be transferred out of the EU while still ensuring adequate protection (Articles 25 and 26), including by:
- greater use of clear intra-corporate rules to aid multinational companies transferring data between operations
- the commission giving additional countries 'safe harbour' status
- further approval of standard contractual clauses under which data may be transferred internationally; and
- development of a more uniform interpretation of permitted exceptions to the requirement for adequate protection for transfers out of the EU.
The commission will undertake work on encouraging data controllers to make more use of privacy enhancing technologies (PETs) such as certification systems and intelligent software agents, with a technical workshop planned for later this year in order to increase awareness of PETs. The commission will also discuss measures to promote the use of PETs.
All business sectors are being encouraged to adopt their own codes of conduct on data protection, in a bid to boost industry self-regulation (the Article 29 Working Party set up by the directive can consider industry codes of conduct submitted to it). The commission sees this as an area for development and, if successful, a way to avoid the need for further detailed legislative measures in the future.
Finally, a major online survey is proposed to help raise awareness of the rights and obligations of both individuals and businesses under the directive.
The work programme outlined by the commission will take place during the remainder of 2003 and in 2004.