The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union directive which regulates the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive is an important component of EU privacy and human rights law.
The principles set out in the Data Protection Directive are aimed at the protection of fundamental rights and freedoms in the processing of personal data. The General Data Protection Regulation, adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018.
Context
The right to privacy is a highly developed area of law in Europe. All the member states of the Council of Europe (CoE) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.
In 1973, American scholar Willis Ware published ''Records, Computers, and the Rights of Citizens'', a report that was to be influential on the directions these laws would take.
In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organisation for Economic Co-operation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data". The seven principles governing the OECD's recommendations for protection of personal data were:
# Notice—data subjects should be given notice when their data is being collected;
# Purpose—data should only be used for the purpose stated and not for any other purposes;
# Consent—data should not be disclosed without the data subject's consent;
# Security—collected data should be kept secure from any potential abuses;
# Disclosure—data subjects should be informed as to who is collecting their data;
# Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;
# Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe. The United States, meanwhile, while endorsing the OECD's recommendations, did nothing to implement them within the United States. However, the first six principles were incorporated into the EU Directive.
In 1981, the Member States of the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) to implement Article 8 of the ECHR. Convention 108 obliges the signatories to enact legislation concerning the automatic processing of personal data, and was modernised and reinforced in 2018 to become "Convention 108+".
In 1989, with German reunification, the data the Stasi in East Germany had collected became well known, increasing the demand for privacy in Germany. At the time West Germany had already had a privacy law since 1977 (the Bundesdatenschutzgesetz). The European Commission realized that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and accordingly proposed the Data Protection Directive.
Content
The directive regulates the processing of personal data regardless of whether such processing is automated or not.
Scope
''Personal data'' are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a).
This definition is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.
The notion ''processing'' means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b).
The responsibility for compliance rests on the shoulders of the "controller", meaning the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (art. 2 d).
The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU residents would process some personal data and would be using equipment in the EU to process the data (i.e. the customer's computer). As a consequence, the website operator would have to comply with the European data protection rules. The directive was written before the breakthrough of the Internet, and to date there is little jurisprudence on this subject.
Principles
Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.
Transparency
The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)
Data may be processed only if at least one of the following is true (art. 7):
* when the data subject has given his consent.
* when the processing is necessary for the performance of or the entering into a contract.
* when processing is necessary for compliance with a legal obligation.
* when processing is necessary in order to protect the vital interests of the data subject.
* processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.
* processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are over-ridden by the interests for fundamental rights and freedoms of the data subject.
The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or not being processed in compliance with the data protection rules. (art. 12)
Legitimate purpose
Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b) The personal data must have protection from misuse and respect for the "certain rights of the data owners which are guaranteed by EU law."
Proportionality
Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
The data should not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6).
When sensitive personal data (for example religious beliefs, political opinions, health, sexual orientation, race, or membership of past organisations) are being processed, extra restrictions apply. (art. 8).
The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)
An algorithm-based decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15) A form of appeal should be provided when automatic decision-making processes are used.
Supervisory authority and the public register of processing operations
Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. (art. 28) Individuals may lodge complaints about violations to the supervisory authority or in a court of law.
The controller must notify the supervisory authority before he starts to process data. The notification contains at least the following information (art. 19):
* the name and address of the controller and of his representative, if any;
* the purpose or purposes of the processing;
* a description of the category or categories of data subject and of the data or categories of data relating to them;
* the recipients or categories of recipient to whom the data might be disclosed;
* proposed transfers of data to third countries;
* a general description of the measures taken to ensure security of processing.
This information is kept in a public register.
Transfer of personal data to third countries
''Third countries'' is the term used in legislation to designate countries outside the European Union.
Personal data may only be transferred to a third country if that country provides an adequate level of protection of the data. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.
The Directive's Article 29 created the "Working party on the Protection of Individuals with regard to the Processing of Personal Data", commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.
The Working Party negotiated with United States representatives about the protection of personal data; the Safe Harbour Principles were the result. According to critics, the Safe Harbour Principles do not provide for an adequate level of protection, because they contain fewer obligations for the controller and allow the contractual waiver of certain rights.
In October 2015 the European Court of Justice ruled that the Safe Harbour regime was invalid as a result of an action brought by an Austrian privacy campaigner in relation to the export of subscribers' data by Facebook's European business to Facebook in the USA. The US and European Authorities worked on a replacement for Safe Harbour and an agreement was reached in February 2016, leading to the European Commission adopting the EU-US Privacy Shield framework on 12 July 2016.
In July 2007, a new, controversial, passenger name record (PNR) agreement between the US and the EU was signed.
In February 2008, Jonathan Faull, the head of the EU's Commission of Home Affairs, complained about the United States bilateral policy concerning PNR (''EUobserver'', "Brussels attacks new U.S. security demands"; see also the Statewatch newsletter, February 2008). The US had signed in February 2008 a memorandum of understanding (MOU) with the Czech Republic in exchange for a visa waiver scheme, without first consulting Brussels (''Rue 89'', "A divided Europe wants to protect its personal data wanted by the U.S.", 4 March 2008). The tensions between Washington and Brussels are mainly caused by the lower level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974. Other countries approached for bilateral Memoranda of Understanding included the United Kingdom, Estonia, Germany and Greece.
Implementation by the member states
EU directives are addressed to the member states, and are not legally binding for individuals in principle. The member states must transpose the directive into internal law.
Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states had enacted their own data protection legislation.
Replacement by the General Data Protection Regulation
On 25 January 2012, the European Commission (EC) announced it would be unifying data protection law across a unified European Union via legislation called the "General Data Protection Regulation." The EC's objectives with this legislation included:
* the harmonisation of 27 national data protection regulations into one unified regulation;
* the improvement of corporate data transfer rules outside the European Union; and
* the improvement of user control over personal identifying data.
The original proposal also dictated that the legislation would in theory "apply for all non-EU companies without any establishment in the EU, provided that the processing of data is directed at EU residents," one of the biggest changes with the new legislation. This change carried on through to the legislation's final approval on 14 April 2016, affecting entities around the world. "The Regulation applies to processing outside the EU that relates to the offering of goods or services to data subjects (individuals) in the EU or the monitoring of their behavior," according to W. Scott Blackmer of the InfoLawGroup, though he added "[it] is questionable whether European supervisory authorities or consumers would actually try to sue US-based operators over violations of the Regulation." Additional changes include stricter conditions for consent, a broader definition of sensitive data, new provisions on protecting children's privacy, and the inclusion of "rights to be forgotten."
The EC then set a compliance date of 25 May 2018, giving businesses around the world a chance to prepare for compliance, review data protection language in contracts, consider transition to international standards, update privacy policies, and review marketing plans.
Comparison with other jurisdictions
Comparison with United States data protection law
The United States has no single data protection law comparable to the EU's Data Protection Directive.
United States privacy legislation tends to be adopted on an ''ad hoc'' basis, with legislation arising when certain sectors and circumstances require (e.g., the Video Privacy Protection Act of 1988, the Cable Television Protection and Competition Act of 1992, the Fair Credit Reporting Act, and the 1996 Health Insurance Portability and Accountability Act (HIPAA)). Therefore, while certain sectors may already satisfy parts of the EU Directive, most do not. The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone. Former US President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology.
The reasoning behind this approach has as much to do with American laissez-faire economics as with different social perspectives. The First Amendment of the United States Constitution guarantees the right to free speech. While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court, although it is often an explicit right in many state constitutions.
Europe's extensive privacy regulation is justified with reference to experiences under World War II-era fascist governments and post-War Communist regimes, where there was widespread unchecked use of personal information. World War II and the post-War period were a time in Europe when disclosure of race or ethnicity led to secret denunciations and seizures that sent friends and neighbours to work camps and concentration camps. In the age of computers, Europeans' guardedness of secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuses in the years following World War II. Germany and France, in particular, set forth comprehensive data protection laws.
Critics of Europe's data policies, however, have said that they have impeded Europe's ability to monetize the data of users on the internet and are the primary reason why there are no Big Tech companies in Europe, with most of them instead being in the United States. Furthermore, with Alibaba and Tencent joining the ranks of the world's 10 most valuable tech companies in recent years, even China is moving ahead of Europe in the performance of its digital economy, which was valued at $5.09 trillion in 2019 (35.8 trillion yuan).
China and the US together comprised 75% of all patents filed related to leading information technologies such as blockchain, 50% of global spending on the Internet of Things, more than 75% of the world market for cloud computing, and 90% of the market capitalization of the world's 70 largest digital platforms. The EU's share is only 4%.
Meanwhile, Europe's preoccupation with the US is likely misplaced in the first place, as China and Russia are increasingly identified by European policymakers as "hybrid threat" aggressors, using a combination of propaganda on social media and hacking to intentionally undermine the functioning of European institutions.
See also
* Auditing information security
* Data governance
* Data Protection Act 1998 (UK), Data Protection (Jersey) Law
* Directive on Privacy and Electronic Communications
* ePrivacy Regulation
* Information Commissioner
* Information privacy (data protection)
* Information technology audit
* International Safe Harbor Privacy Principles
* National data protection authorities
* Personal Data Privacy and Security Act of 2009
* Safe harbour
External links
* Directive 95/46/EC (Directive on protection of individuals with regard to the processing of personal data and on the free movement of such data)
* EU data protection page: the European Commission provides elaborate information on its website. The following subjects are covered:
** Legislative documents
** Transposition and implementation of Directive 95/46/EC
** European Data Protection Supervisor
** National Data Protection Commissioners
** Art. 29 Data Protection Working Party
** Adequacy of protection in third countries and model contracts for the transfer of personal data to third countries
* 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council (Safe harbour principle)
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (Directive on privacy and electronic communications)
* Procedure 2012/0011/COD: procedure file for the proposed revised legal framework (General Data Protection Regulation)