Directive on personal data protection enters into effect





The Directive on the protection of personal data (95/46/EC) enters into effect on 25 October 1998. The Directive will establish a clear and stable regulatory framework to ensure both a high level of protection for the privacy of individuals in all Member States and the free movement of personal data within the European Union. By fostering consumer confidence and minimising differences between Member States' data protection rules, the Directive will facilitate the development of electronic commerce. The Directive also establishes rules to ensure that personal data is only transferred to countries outside the EU when its continued protection is guaranteed, so as to ensure the high standards of protection introduced by the Directive within the EU are not undermined.

"The entry into effect of this Directive is good news for both individual citizens, who will enjoy safeguards concerning data held on them, and economic operators, who will benefit from the free flow of information and the boost to consumer confidence", commented the European Commissioner for the Single Market, Mario Monti. "I am of course disappointed that some Member States are lagging behind on implementing the Directive in national law, and will not hesitate to open infringement procedures against them. However, I would like to stress that the Directive will be applicable from 25 October."

In most European countries, personal data protection is a constitutional principle and the right to privacy is enshrined in the European Convention on Human Rights (Article 8). However, until now, differences between national data protection laws have resulted in obstacles to transfers of personal data between Member States. The Directive therefore lays down common rules, to be observed by those who collect, hold or transmit personal data as part of their economic or administrative activities or in the course of the activities of their association. There is an obligation to collect and process personal data only for specified, explicit and legitimate purposes, and to ensure that such data is relevant, accurate and up-to-date.


Rights for individual data subjects


Under the Directive, data subjects are granted a number of important rights and may appeal to independent national authorities if they consider their rights are not being respected. These rights include:

information from subsequent data users about where the data originated (where such information is available),

the identity of the organisation processing data about them and the purposes of such processing,

a right of access to personal data relating to him/her,

a right to rectification of personal data that is shown to be inaccurate, and

the right to opt out of allowing their data to be used in certain circumstances (for example, for direct marketing purposes, without providing any specific reason).

In the case of sensitive data, such as an individual's ethnic or racial origin, political or religious beliefs, trade union membership or data concerning health or sexual life, the Directive establishes that such data can only be processed with the explicit consent of the individual, subject to a number of exemptions for specific cases such as consent of the data subject or where there is an important public interest (e.g. for medical or scientific research) where alternative safeguards have to be established.

In the specific case of personal data used exclusively for journalistic, artistic or literary purposes, the Directive requires Member States to ensure appropriate exemptions and derogations exist which strike a balance between guaranteeing freedom of expression while protecting the individual's right to privacy.


Data flows to non-EU countries


For cases where data is transferred to non-EU countries, the Directive includes provisions to prevent the EU rules from being circumvented. The basic rule is that the data should only be transferred to a non-EU country if it will be adequately protected there, although a practical system of exemptions and special conditions also applies (such as for data where the subject has given consent or which is necessary for performance of a contract with the person concerned, to defend legal claims or to protect vital interests (e.g. health) of the person concerned).

Such provisions are compatible with the General Agreement on Trade in Services (GATS, Article XIV), which recognises the protection of personal data as a legitimate reason for restricting the free movement of services. The advantage for non-EU countries where adequate protection can be provided is that the free flow of data from all 15 EU states will henceforth be assured, whereas up to now each Member State has decided on such questions separately.

The adequacy of data protection safeguards concerning transfers to non-EU countries will be considered case by case. Adequacy will not necessarily require a non-EU country to apply legislation similar to the EU's Directive. Alternative systems, such as voluntary arrangements applied by industry, or binding contractual clauses between the parties concerned by the data transfer, may be considered adequate if they are effectively applied and offer sufficient safeguards concerning data subjects' rights, including rights of redress.

Under the Directive, if a Member State's data protection authorities considered a particular set of data would not be adequately protected if transferred to a non-EU country, they could block the individual data transfer, but not all transfers of data to the country concerned. The national authorities would have to inform the Commission, which would inform all other Member States. If the Commission and all other Member States agreed that the decision was justified, it would be extended to the EU as a whole.

Otherwise, the decision would be overturned. In other words, a decision to block a transfer of data to a non-EU country applies across the EU as a whole or not at all. A committee of Member State officials established under the Directive (Article 31) considers issues arising from data transfers to third countries.

The Commission is involved in on-going contacts with a number of non-EU countries in order to explore ways of avoiding possible interruptions to exchanges of personal data. The Article 31 Committee meets on 26 October to consider the current state of play on these contacts.




As of 23 October, Greece, Portugal, Sweden, the United Kingdom and Italy have implemented the Directive, although the latter three still need to adopt some additional rules. Implementing laws are under consideration by the Parliaments of all other Member States except Germany, France and Luxembourg.

In those Member States where the implementing legislation is not yet in place, individuals will be entitled to invoke the Directive's provisions before national courts, in accordance with the case law of the Court of Justice (Marleasing case, C-106/89, 13.11.90). In addition, individuals suffering damage as a result of a Member State's failure to implement the Directive will be entitled to seek reparations before national courts, under the terms of the Court of Justice's case law in the Francovich case (C-6/90 and C-9/90, 19.11.91).


Date: 23 October 1998
