Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

EU countries implement the Directive in various ways [1998] PLBIRp 16; (1998) 45 Privacy Laws and Business International Report 3

Variations in implementation of the Data Protection Directive

NEW EUROPEAN DATA PROTECTION LAWS tend to go further than required by the EU Directive, and give emphasis to different features. Professor Dr Spiros Simitis, Director at the Institute of Labour Law and the Research Centre for Data Protection Law at the University of Frankfurt, offers an explanation.

In his presentation at the Privacy Laws & Business Annual Conference, Professor Simitis explored the state of implementation of the EU Data Protection Directive. At 14 July 1998, only three Member States had enacted a data protection law implementing the directive into national law: Italy, Greece and Sweden. The first two did not previously have a data protection law. At the time of speaking, four other Member States were on the edge of enacting a new law.

The presentation by Professor Simitis dealt with two main issues: What does the deadline of 24 October really mean, and is it possible to data subjects. This should lead to the harmonisation of national data pro- tection laws. The directive underlines two points which should be taken into account by national legislators:

1) Member States may not diminish the level of protection granted by their present data protection laws, and

2) the directive does not hinder national laws in going further than the directive, even if this has negative consequences for harmonisation. National legislators transposing the directive into national law have to understand that data protection is a continuing process. The directive is their favourite parts of their existing legislation into the new laws. A good example is the German draft legislation regarding supervi- sion. The directive determines that there should be one fully independent authority. This does not apply to the private sector, but the draft published in July insists on keeping the system as it was. In the end there will be one authority in both sectors.

Another example relates to filing systems. A discussion has taken place in Germany regarding personnel files; the main issue was to determine which criteria should be fulfilled in order to call a collection of data “a

define trends in the way in which Member States are implementing filing system.” However, the directive does not require this. It would, there

the directive?

It appears to be a common error by the Member States to wait until

24th October to transpose the direc- tive. The European Court of Justice has clearly stated in the Wallonie case (December 1997) that the fact that a Member State has not transposed a directive in time does not free this State from applying the directive. At the latest, national law has to be applied in accordance with the direc- tive on the date when the directive should be implemented. Citizens can actually sue Member States for liabili- ty for not transposing the directive in time.

CLEAR IMPLEMENTATION TRENDS The purpose of the EU directive is to guarantee the fundamental rights of the beginning of this process, and should act as an incentive for better regulation. One of the current tend- encies in the Member States is to transpose the directive literally. Some of the draft laws almost copy the directive. Nevertheless, though trans- posing the directive literally, Member States try to interpret the directive in a way that allows them to “inject” fore, be better not to define the term “filing system.”

BACK TO BAD HABITS

There was a tendency in the 1970’s to believe that by having a system of notification and licence you could better control data protection. Sweden has abandoned this system because it has been shown to be counterproduc- tive, and it is almost impossible to apply in the private sector. However, the new laws of Italy and Greece now establish such a system.

The laws of Italy and Greece also stick to the system of fees for exercis- ing data subjects’ rights. Data subjects should not have to pay for access to their own data. The Italian law says that data subjects have to pay if it is proven that the data controller, to whom they have asked for access, did not store their personal data. This is an absurd system since data subjects cannot know beforehand if their data has been stored or not.

DEFINING EXCEPTIONS

Greece has substantially improved the regulation of access rights. If a con- troller does not want to grant access to a data subject, he needs to ask for the permission of the Data Protection Authority. It is, therefore, almost impossible for the data controller not to grant access to the data subject., Exceptions to the data protection rights should be defined by law. They should not be left to the data protec- tion authorities.

CRIME DATA

In the UK Bill we can find a part of the directive which causes many problems: the use of personal data for the investigation of crimes. Simply speaking about the prevention of any crime in the text of the law would allow us to collect unlimited amounts of data. Even gathering genetic data preventively (no crime involved) would be possible.

DETERMINING ADEQUACY

Italy and Greece have changed the rules on transborder data flows by deliberately not mentioning contracts (PL&B May ’98 p.19). Professor

Simitis was of the opinion that in determining adequacy, law would have to come first, and if there is no law, then contracts could also be considered. The Directive tends to promote contracts instead of regula- tion by law.

RESEARCH DATA

“The UK draft contains positive provisions regarding research data. However, if we want to enable researchers to keep data for undefined periods of time and not for specific purposes we need something addi- tional: the existence of a specific sort of secrecy,” Professor Simitis said.

There should be a rule stating that once data has been used for research purposes, nobody apart from the researchers could have access to the data. The rule would apply even to police authorities. This step has not been reached yet.

MEDIA PROBLEMS

“The media provisions of the direc- tive are interesting but they create a particular difficulty, as can be seen in the UK and Greek laws. Data protec- tion provisions should never come near censorship because this would affect their credibility. The UK and Greek laws have not solved this problem,” Professor Simitis explained.

CALL FOR CLEAR LANGUAGE

Some changes will take place regard- ing the data protection authorities. In

the UK, the Registrar will become Commissioner with the intention of making clear that her functions are not merely registration. In Italy, the Cabinet and the Prime Minister are obliged to ask the Data Protection Commissioner for advice when they intend to enact laws which could affect data protection. In this way, the legislator has tried to emphasise the position of the Data Protection Commissioner.

In his last remark Professor Simitis referred to the situation of America, which does not have omnibus data protection legislation. However, Europeans could try to learn from the American example of making an effort to write laws for the citizens rather than the specialists.

“Problems and misunderstandings can be minimised by using simple and clear language. The Swedish law is a good example of this,” Professor Simitis said.

This edited report on Professor Dr

Simitis’ speech at the Privacy Laws

& Business Annual Conference 1998, held in July in Cambridge, is based on a summary prepared by Diana Alonso Blas, International Relations/Strategy, Registratiekamer,

The Netherlands.