Privacy & Data Protection in Europe
May 20, 2010 QuickCounsel Download PDF
By Bird & Bird
Organisations doing business in Europe need to be aware of European privacy legislation that restricts what data can be collected and grants individuals rights in relation to such data. Non-compliance can lead to claims for compensation, fines and, in some cases, to prosecution for criminal offences.
In 1995, the European Parliament and Council adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Directive”). The Directive applies to all member states of the European Economic Area (EEA) – that is to the 27 states of the European Union, plus Norway, Iceland and Liechtenstein.
The aim of the Directive is to set out certain common privacy standards for individuals across the EEA. It is important to note that it only imposes minimum standards; member states are often free to have supplemental, higher, standards of privacy legislation. Organisations operating in the EEA will quickly realise that this is often the case and that the implementation of the Directive varies across the EEA.
The Directive had to be implemented by 24 October 1998, although it permitted many transitional arrangements to continue October 2001 and some very limited transitional provisions to continue until October 2007.
The Directive applies to organisations that are established in the EEA. Establishment would include limited companies, branches, subsidiaries, or any real economic presence. The Directive also applies to organisations which are not established in any EEA State but which use equipment in the EEA to process personal data. Where an organisation is established or uses equipment in several member states, it must comply with the laws of each state.
The Directive regulates personal data> held in certain types of records, which are processed by a data controller.
“Personal data” are information relating to a directly or indirectly identifiable natural personal (i.e. an individual, not a company).
This will include details such as name, postal address and email address as well as facts and opinions held about an individual. Business contact data are also covered. However, truly anonymous data, such as aggregated statistics, are not regulated by the Directive. The Directive also recognises that some data are to be regarded as sensitive and can only be processed under strict conditions. Such data are racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; health; sex life; and the commission of offences and related proceedings. Financial data do not amount to sensitive data, although some member states may have separate protection for such data.
Personal data are covered by the Directive if they are held in automated records (broadly speaking, on computer) or in certain structured paper files. It is for each member state to specify which paper files should be covered by privacy legislation. In the UK, for example, all medical, educational, social services and local authority housing files are covered. Other files are only covered if they are structured in certain ways.
The Directive applies to any operation(s) performed on personal data, from collection, through to storage and destruction.
The data controller is “… the person which (alone or jointly with others) determines the purposes and means of the processing”.
Obligations in the Directive fall mainly on data controllers. Lesser obligations fall on data processors, who are people (other than employees of a data controller) who process personal data on behalf of a data controller and have no independent control over personal data.
Main Obligations Under the Directive
The Directive imposes three main obligations, each of which is considered in further detail below:
In addition, there are special provisions relating to electronic and other communications.
Notification by Data Controllers
Each Member State has established a public register of data controllers. Organisations processing personal data must register in each state in which they are established; there is no central European registration process. Many Member States have de minimis exemptions from the obligation to register. Some have exemptions for organisations which have appointed a data protection officer, or which have internal indexes of data files.
It is important to undertake this registration process – for example, in the UK it is a criminal offence not to register; ignorance of the obligation is no defence.
The Directive grants individuals to whom information relates ('data subjects') rights, including the following:
An individual is also entitled to compensation if he suffers damage because a data controller has breached the provisions of the Directive.
The Data Protection Principles
Organisations must comply with certain principles when processing personal data. These are set out in the Directive and specify:
E-mail, Fax and Phone Provisions
In 2002, an additional Directive was adopted. It introduced supplemental, more detailed rules relating to electronic communications.
Some of these rules are specific to service providers – such as rules relating to security and confidentiality and restrictions on the use of traffic and location data.
However, some provisions apply to all organisations making use of electronic communications. These include:
The Directive was updated in late 2009 and Member States have until 2011 to implement these changes. Some are significant – a possible requirement for consent to cookies and security breach notification requirements for communication service providers.
Each member state has a supervisory authority, or authorities, that enforce data protection and must ensure that there are remedies and enforcement arrangements. In the UK, the Information Commissioner (who has responsibility for enforcement), has been given a right to serve information notices, to serve enforcement notices (like injunctions), to search premises and seize materials and to impose monetary penalties. In a serious case, an enforcement notice could restrict or prohibit the processing of personal data by the individual or company served with the notice. In addition, breach of certain data protection provisions in the UK leads to criminal sanctions. A company’s officers and managers may be personally liable for such a breach if this can be shown to have been committed with their consent or connivance or to be attributable to their neglect. Whilst the precise financial and other consequences of a breach of privacy legislation vary between each State, these type of sanctions are typical.
Organisations need to be aware of how the Directive may affect their business.
Practical steps which organisations can take include:
Additional ACC Resources
What to Do When You Can’t Comply: Foreign Sovereign Compulsion as a Potential Defense to Conflicts between U.S. Discovery Obligations and the GDPR
ACC Resource Library - QuickCounsel - Sponsored by Holwell Shuster & Goldberg
ACC Resource Library - ACC Docket
ACC Resource Library - ACC Docket
Have an idea for a quickcounsel or interested in writing one?
This resource is sponsored by:
Table of Contents