Report from the Commission - First report on the implementation of the Data Protection Directive (95/46/EC) /* COM/2003/0265 final */
REPORT FROM THE COMMISSION - First report on the implementation of the Data Protection Directive (95/46/EC)

INDEX

1. The reasons for the report and the open consultation on the implementation of Directive 95/46/EC
2. The open review process preceding the preparation of this report
3. The main results of the review
4. The main findings of the review in more detail
5. The processing of sound and image data
6. Work programme for a better implementation of the Data Protection Directive (2003-2004)
7. Conclusion

1. The reasons for the report and the open consultation on the implementation of Directive 95/46/EC

'The Commission shall report to the Council and the European Parliament at regular intervals, starting not later than three years after the date referred to in Article 32 (1), on the implementation of this Directive, attaching to its report, if necessary, suitable proposals for amendments.' (Article 33 of EC Directive 95/46)

The present report is the Commission's response to the above requirement. The Commission has delayed its report by 18 months because the Member States have been slow to transpose the Directive into national law [1].

[1] The Commission decided in December 1999 to take France, Germany, Ireland, Luxembourg and the Netherlands to the European Court of Justice for failure to notify all the necessary measures to implement Directive 95/46. In 2001 the Netherlands and Germany notified and the Commission closed the cases against them. France notified the data protection law of 1978, so that the proceedings for non-notification against that state were dropped. France announced at the same time its intention to pass a new law that is not yet adopted. In the case of Luxembourg, the Commission action has led to this Member State being condemned by the Court of Justice for failure to fulfil its obligations. The Directive was then implemented with a new law that entered into force in 2002. Ireland notified a partial implementation in 2001; a complete bill has however recently been passed. The implementation status in Member States is available at:

The Commission has approached the preparation of this report from a broad perspective. It has gone beyond the simple examination of the Member States' acts of implementation and has in addition conducted an open public debate, encouraging wide participation on the part of stakeholders. This approach is not only in line with the Commission's approach to governance at the European level as set out in its White Paper of July 2001 [2]; it is also justified by, first, the specific nature of Directive 95/46 and, second, the rapid pace of technological development in the information society and other international developments which have brought about significant changes since the Directive was finalised in 1995.

[2] COM(2001) 428 final http://europa.eu.int/eur-lex/en/com/cnc/2001/com2001_0428en01.pdf

1.1. A Directive with very broad impact

Directive 95/46 enshrines two of the oldest ambitions of the European integration project: the achievement of an Internal Market (in this case the free movement of personal information) and the protection of fundamental rights and freedoms of individuals. In the Directive, both objectives are equally important. In legal terms, however, the existence of the Directive rests on Internal Market grounds. Legislation at the EU level was justified because differences in the way that Member States approached this issue impeded the free flow of personal data between the Member States [3]. Its legal base was thus Article 100a (now Article 95) of the Treaty. However, the proclamation of the Charter of Fundamental Rights of the European Union [4] by the European Parliament, the Council and the Commission in December 2000, and in particular Article 8 thereof which incorporates the right to data protection, has given added emphasis to the fundamental rights dimension of the Directive.
[3] See COM (90) 314 final - SYN 287 and 288, 13 September 1990, page 4: "The diversity of national approaches and the lack of a system of protection at Community level are an obstacle to completion of the internal market. If the fundamental rights of data subjects, in particular their right to privacy, are not safeguarded at Community level, the cross-border flow of data might be impeded..."

[4] http://europa.eu.int/comm/justice_home/unit/charte/index_en.html

Moreover, by its nature, the Directive has a very broad impact. Every individual is a data subject and entities in every sector of the economy are data controllers. Thus, even if its legal justification is rather specific, its effects are very wide and its implementation must be examined with that in mind.

1.2. Developments in information technology and increased security concerns have sharpened the debate on data protection

Since the adoption of the Directive in 1995, there has been an exponential growth in the number of households and businesses connected to the Internet and thus in the number of people leaving an increasing amount of personal information of all kinds on the web. At the same time, the means of collecting personal information have become increasingly sophisticated and less easily detectable: closed circuit TV systems monitoring public places; spyware installed on PCs by web-sites to which they have been connected, which collects information about users' browsing habits, information that the sites often sell to others; or the monitoring of employees, including their use of email and the internet, at the workplace. This "data explosion" inevitably raises the question whether legislation can fully cope with some of these challenges, especially traditional legislation which has a limited geographical field of application, with physical frontiers which the Internet is rapidly rendering increasingly irrelevant [5].
[5] The report "Future bottlenecks in the information society" prepared for the Joint Research Centre of the Commission and the Institute for Prospective Technological Studies in June 2001 concludes that there are some emerging areas that do not fit easily with the provisions of the Directive and that it may therefore be necessary to revise it in the future. At the same time, the report notes that "although we have the Directive implemented in all Member States, there is increasing social anxiety with regard to the abuse and misuse of personal data within on-line information systems". Evidence gathered during the preparation of this report lends some support to this conclusion.

Notably as a response to technological developments, Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector [6] translated the principles set out in Directive 95/46/EC into specific rules for the telecommunications sector. Directive 2002/58/EC on privacy and electronic communications of 12 July 2002 [7] has recently updated Directive 97/66/EC to reflect developments in the markets and technologies for electronic communications services, such as the Internet, so as to provide an equal level of protection of personal data and privacy, regardless of the technologies used.

[6] OJ No L 24, 30.1.1998, p. 1-8

[7] OJ No L 201, 31 July 2002, p. 37-47. Member States have until 31 October 2003 to transpose the new Directive into national law.

The emergence of a knowledge-based economy combined with technological progress and the growing role attributed to human capital have intensified the collection of workers' personal data in the employment context. These developments gave rise to a number of concerns and risks and brought the issue of effective protection of workers' personal data into focus.
The Commission noted, in its second stage consultation document addressed to the European social partners in October 2002, that there is scope for EU legislative action under Article 137 (2) of the Treaty, aiming at improving working conditions by establishing a European framework of principles and rules in this field. The Commission is currently reflecting on the follow-up to this consultation and intends to decide thereon before the end of 2003. Such a European framework would build on the existing general principles of Directive 95/46/EC while supplementing and clarifying these principles in the employment context.

As regards consumer credit, the Commission has set out, in its proposal for a European Parliament and Council Directive on the harmonisation of laws, regulations and administrative provisions of the Member States concerning credit for consumers [8], some specific provisions on data protection aimed at further strengthening the protection of consumers.

[8] COM (2002) 443 final of 11.09.2002

At the same time, increased concerns about security, especially following the events of 11 September 2001, have put civil liberties in general and the rights to privacy and the protection of personal data in particular under some pressure. This is neither new nor surprising. The European Court of Human Rights found it necessary to issue the following warning in 1978: "States may not..., in the name of the struggle against espionage and terrorism, adopt whatever measures they deem appropriate... the danger (is that) of undermining or even destroying democracy on the ground of defending it" [9].

[9] Klass and Others v. Germany, judgment of 6 September 1978, Series A no. 28

The Directive does not of course apply to the processing of personal data in the course of so-called "third pillar" activities [10] and data protection in these areas is not therefore covered by this report. The same distinction is however often not made in Member States' laws. This raises a number of questions and problems, which have in particular been highlighted by the European Parliament and which deserve further debate.

[10] Article 3.2, first indent, excludes from the scope of the Directive "activity falling outside the scope of Community law... and in any case processing operations concerning public security, defence, State security (including the public well-being of the State when the processing operations relate to State security matters) and the activities of the States in areas of criminal law".

2. The open review process preceding the preparation of this report

Against the above background, the Commission sought to organise an open debate with the widest possible participation to accompany its review of the implementation of the Directive. All interested parties - governments, institutions, business and consumer associations, even individual companies and citizens - have been given the opportunity to participate and express their views [11]. The Commission regards this process as positive. It has enriched the sources of information on which the Commission has drawn for this report and the recommendations for future action that it makes. It has also confirmed the shift in opinion that had already been discerned among data controllers in general [12] and representatives of the business community in particular: data controllers are now constructively engaged in a dialogue about how to ensure the effective protection of personal data in an efficient way, instead of opposing regulation in this field outright.
[11] The Commission addressed questions to Member State governments and separately to supervisory authorities; commissioned two studies by academic experts; issued a general invitation to make contributions, published in the Official Journal and on the Commission's web-site; placed two questionnaires on its web-site for over two months, one aimed at data controllers and the other at data subjects; and held an international conference at which a wide range of issues were discussed in six separate workshops.

[12] Although this report usually refers to data controllers as "industry" or "business representatives" (because they are those that have contributed most to the debates), public authorities carrying out activities within the scope of Community law are also data controllers, and of course the recommendations and observations contained in this report also concern them.

The Commission regrets, on the other hand, the limited response of consumer organisations to the consultation process [13].

[13] Only BEUC, the European Consumers' Organisation, submitted a position paper, stating inter alia that, in response to those who have argued that the Directive needs to be adapted to the imperatives of the online environment, in their view it is the online environment that needs to be adapted to ensure full respect of the principles of the Directive.

This report summarises the Commission's findings in the light of the input it has gathered and its recommendations for action. The Commission considers however that this can only be regarded as the first step in a longer process.

3. The main results of the review

3.1. For and against the amendment of the Directive

The Commission considers that the results of the review on balance militate against proposing modifications to the Directive at this stage. In the course of the consultations conducted, few contributors explicitly advocated the modification of the Directive.
The most notable exception was the detailed proposals for amendments submitted jointly by Austria, Sweden, Finland and the UK [14]. These proposals for amendments concerned only a small number of provisions (notably Article 4 which determines the applicable law, Article 8 on sensitive data, Article 12 on the right of access, Article 18 on notification and Articles 25 and 26 on transfers to third countries), leaving most of the provisions and all of the principles of the Directive untouched. The specific difficulties arising from these and some other provisions will be looked at in more detail later in this report.

[14] http://www.lcd.gov.uk/ccpd/dpdamend.htm. The Netherlands adhered to these proposals at a later stage.

The Commission believes that the following general considerations make it unwise to make proposals to amend this Directive in the immediate future:

- Experience with the implementation of the Directive is so far very limited. Only a few Member States implemented the Directive on time. Most Member States only notified implementing measures to the Commission in the years 2000 and 2001, and Ireland has still not notified its recent implementation. Important implementing legislation is still pending in some Member States. This constitutes an inadequate basis of experience for a proposal for a revised Directive.

- Many of the difficulties that have been identified during the review can be addressed and resolved without amending the Directive. In some cases, where problems are caused by incorrect implementation of the Directive, they must be solved by specific modifications of Member State law. In others, the margins of manoeuvre allowed by the Directive permit closer co-operation among supervisory authorities to achieve the convergence necessary to overcome difficulties arising from practices that diverge too widely from Member State to Member State. In any event, such means are likely to take effect more quickly than would an amendment of the Directive and so should be fully exploited first.

- Where amendments have been proposed by stakeholders, the aim is often the reduction of compliance burdens for data controllers. While this is a legitimate end in itself, and indeed one that the Commission espouses, the Commission believes that many of the proposals would also involve a reduction in the level of protection provided for. The Commission believes that any changes that might in due course be considered should aim to maintain the same level of protection and must be consistent with the overall framework provided by existing international instruments [15].

[15] In the words of Commissioner Bolkestein at the closing session of the Conference on the implementation of the Directive: "There is certainly no such thing as a clean sheet of paper when it comes to making policy in the field of data protection (...) In drafting its report the Commission will ... need to bear in mind the broader legal and political framework, in particular the principles of Convention 108 of the Council of Europe"

Following discussions with the Member States, the Commission notes that its view that a modification of the Directive is neither necessary nor desirable at present is shared by a comfortable majority of Member States and also of national supervisory authorities.

The Commission considers that some of the issues that have emerged, and which are here only the subject of a preliminary analysis, need to be further analysed and may need in due course to be the subject of a proposal to revise the Directive. Such a proposal would benefit from the greater experience of the Directive's implementation which will have been gained in the meantime.
Moreover, as stated above, there is considerable scope for improvement in the implementation of the present Directive, which is likely to resolve a number of the difficulties identified during the review, some of them wrongly attributed to the Directive itself. The Commission's attention has been and will continue to be focussed in particular on areas where Community law is clearly being breached and on areas where divergent interpretations and/or practices are causing difficulties in the Internal Market. The Commission also considers as a priority the harmonious application of the rules relating to the transfer of data to third countries, with a view to facilitating legitimate transfers and avoiding unnecessary barriers or complexities.

3.2. Overall assessment of the implementation of the Directive in the Member States. The problem of the divergences between the Member States' legislation.

The Commission's services have made a thorough analysis of the implementation in the fifteen Member States on the basis of the information collected. The co-operation of the Member States and the national supervisory authorities in this regard has been of great help. The initial results of this analysis are contained in this report and in a technical annex that will be published separately, but the process of collection of information and analysis of the implementation in the Member States will need to continue during 2003.

RESULTS FROM THE ON-LINE QUESTIONNAIRES

Using the Inter-Active Policy Making on-line consultation tool, the Commission placed two questionnaires on its web-site in June and invited data subjects (public consultation) and data controllers (target group) to give their views on various aspects of data protection. By the time the questionnaires were closed, 9156 individuals and 982 data controllers had replied.
The full results of the consultations are available at: http://europa.eu.int/comm/internal_market/privacy/lawreport/consultation_en.htm

The Commission finds the following results to be of particular interest:

- Although the Data Protection Directive incorporates high standards of protection, most individuals (4113 out of 9156 or 44.9%) considered the level of protection a minimum.

- 81% of individuals thought the level of awareness about data protection was insufficient, bad or very bad, whereas only 10.3% thought it was sufficient and only 3.46% thought it was good or very good. Among controllers there was an almost equally negative view of awareness among citizens: most of the respondents (30%) thought that citizens' awareness about data protection is insufficient, whilst only 2.95% thought that the level was very good.

- There is greater acceptance of data protection rules now among businesses. For example, 69.1% of the respondents (data controllers) considered data protection requirements necessary in our society, whilst only 2.64% regarded them as completely unnecessary and needing to be removed.

- A large majority of the data controllers that responded to the questionnaire (62.1%) did not consider that responding to requests from individuals for access to their personal data involved an important effort for their organisation. Indeed, most of the data controllers responding to the questionnaire either did not have figures available or received fewer than 10 requests during the year 2001.

The Commission recognises that these results cannot be considered representative in the way that survey results based on a scientifically selected sample can. The Commission proposes to conduct another survey in 2003, both to test the reliability of the results of the open questionnaire and to establish a yardstick against which to measure the evolution of various views or indicators in the future.
Late implementation

The implementation of a Directive of this kind, that is a Directive leaving considerable latitude to the Member States but also requiring them to fill in a significant amount of detail, is undoubtedly a complex task. But the serious delays in implementation that occurred in most Member States are the first and main shortcoming which the Commission has the duty to register as regards the implementation of the Directive, and which it unequivocally condemns. It has of course taken the appropriate action under Article 226 of the Treaty, as described above.

Free movement of information secured

Despite these delays and gaps in implementation, the Directive has fulfilled its principal objective of removing barriers to the free movement of personal data between the Member States. In fact, the main difficulty prior to the adoption of the Directive arose because, while most Member States had adopted data protection legislation, a small number had not. By 1995, only Italy and Greece did not have such legislation, but these two Member States were among the first to transpose the Directive, thus removing the main difficulty. Since the adoption of the Directive, no case has been drawn to the attention of the Commission in which the transfer of personal data between Member States has been blocked or refused on data protection grounds. Of course, obstacles to the free circulation of personal data can be more subtle than blatant prohibitions in the national laws or blocking decisions taken by national supervisory authorities: there might for example be cases where an unnecessarily restrictive rule in one Member State limits the internal processing of personal data in that Member State in the first place and, thus, the exportation of the same data to other Member States. In other words, while the Commission is broadly satisfied with the impact of the Directive as regards the free movement of information within the Community, further experience with its implementation may produce evidence of problems that need to be tackled [16].

[16] For example, different approaches as regards protection for data of legal persons.

High level of protection

As provided for in Recital 10, the approximation of the national laws pursued by the Directive must seek to ensure a high level of protection in the Community. The Commission believes that this has been achieved. Indeed the Directive itself sets out some of the highest standards of data protection in the world. However, the results of the on-line survey suggest that the perception of citizens in this regard is different. This paradox requires further reflection. A preliminary analysis would suggest that at least part of the problem is attributable to an incomplete application of the rules (see further the section on "Enforcement, compliance and awareness").

Other Internal Market policy objectives less well served

The Commission takes a view of the overall policy objectives to be pursued by Internal Market legislation that goes beyond mere free movement. This should provide a level playing field for economic operators in different Member States; help to simplify the regulatory environment in the interests of both good governance and competitiveness; and tend to encourage rather than hinder cross-border activity within the EU. Judged against these criteria, the divergences that still mark the data protection legislation of the Member States are too great. This was the prevalent message received from the contributors to the review, in particular those representing business interests, who complained that present disparities prevent multinational organisations from developing pan-European policies on data protection.
The Commission recalls that the ambition of a Directive is approximation and not complete uniformity and that, in order to respect the subsidiarity principle, the process of approximation should not go further than is necessary. Nevertheless, it thinks that stakeholders are right to demand more convergence in legislation and in the way it is applied by the Member States and the national supervisory authorities in particular. Some contributors to the review proposed the amendment of the Directive to add more detail or specification to achieve this convergence. The Commission prefers to proceed, at least initially, by other means. Furthermore, the general nature of this Directive, i.e. the fact that it applies to a large number of sectors and contexts, generally argues against adding more detail or specification.

Divergences in Member States' laws call for a range of solutions

Since the divergences between Member States' laws have different causes and different consequences, they also call for a range of different solutions. It is clear that when a Member State has gone beyond the limits of the Directive or fallen short of its requirements, it creates a divergence that must be remedied by the modification of the Member State law in question. There are certain provisions which leave little or no margin to the Member States and where divergences have nevertheless occurred - see for example "definitions" or closed lists in the Directive such as in Articles 7 (grounds for legitimate processing), 8.1 (sensitive data), 10 (information to data subjects), 13 (exceptions), 26 (exceptions as regards transfers to third countries), etc. This points to non-compliance with Community law. Article 4 (applicable law) has also been badly transposed in a number of cases. The Commission is of course prepared to use its powers under Article 226 of the Treaty to bring about such changes, but it hopes that it will not be necessary to proceed by way of formal action. Bilateral and multilateral discussions will be held with the Member States with a view to arriving at agreed solutions in line with the Directive.

Other divergences may be the legitimate result of correct implementation by a Member State that has taken a different direction within the margin of manoeuvre allowed by the Directive. For the purposes of this report, the Commission considers the existence of such differences only in so far as they have significant negative consequences in the Internal Market or from the "better regulation" point of view, for example the creation of unjustified administrative burdens for operators.

Summing up:

a) Overall, a large proportion of the divergences detected by the Commission's services cannot be considered as a violation of Community law nor as having a significant negative impact on the Internal Market, but where this is the case, the Commission will do the necessary to remedy the situation;

b) Many of the divergences detected nevertheless do stand in the way of a flexible and simplified regulatory system and are still therefore of concern (see for example the differences in the notification requirements or the conditions for international transfers). There is a broad spectrum of possible actions to address these, as indicated in the work programme in section 6.

The pursuit of these solutions in the immediate future does not mean, however, that the Commission excludes the possibility of appropriate amendment to the Directive subsequently, if the difficulties persist. Closer co-operation among the supervisory authorities of the Member States and a general willingness to reduce the negative impact of divergences are therefore to be seen as one alternative, while amendments to the Directive reducing the amount of choice left to the national legislator and to national supervisory authorities are the other. The Member States and their supervisory authorities will no doubt prefer the first option and it is up to them to show that it can work.

Enforcement, compliance and awareness

Before proceeding to a closer examination of some of the problematic areas of the Directive's implementation, one other general issue deserves attention, which is that of the general level of compliance with data protection law in the EU and the related question of enforcement. Given (or despite) the ubiquitous character of personal data processing, it is hard to obtain accurate or complete information about its compliance with the law. The input which the Commission received in response to its call for contributions did not cast much new light on this issue. Anecdotal evidence, however, combined with various elements of "hard" information available to the Commission [17], suggests the presence of three inter-related phenomena:

- An under-resourced enforcement effort and supervisory authorities with a wide range of tasks, among which enforcement actions have a rather low priority;

- Very patchy compliance by data controllers, no doubt reluctant to undertake changes in their existing practices to comply with what may seem complex and burdensome rules, when the risks of getting caught seem low;

- An apparently low level of knowledge of their rights among data subjects, which may be at the root of the previous phenomenon.

[17] For example, the relatively small number of individual complaints received by the Commission itself and the low number of authorisations by national authorities for transfers to third countries notified to the Commission in accordance with Article 26 (3).

The supervisory authorities themselves in many Member States are also concerned about this, in particular their lack of resources. Resource difficulties may affect independence. Independence in the taking of decisions is a sine qua non for the correct functioning of the system. This aspect requires further investigation, but if these tendencies are confirmed, they are reasons for serious concern and reflections need to be undertaken between the Commission and the Member States and the supervisory authorities to determine their causes and design feasible solutions.

The fact that the three aspects are linked means that addressing one of them successfully can have positive spill-over on the others. More vigorous and effective enforcement will improve compliance with the legislation. Better compliance will result in data controllers providing more and better information to data subjects about the existence of the processing and their rights under the law, with a beneficial effect on the level of awareness about data protection among citizens in general.

The candidate countries

In line with the Copenhagen criteria, all candidate countries are committed to transposing Directive 95/46/EC by the time of accession. To date, all have passed legislation in this field, except for Turkey, where preparation of a Data Protection Act is well under way. In the 10 countries that have signed the Treaties of Accession, the legislation in place incorporates most of the key elements of the Directive. However, further efforts are needed to bring this legislation fully into line with all provisions of the Directive. In this regard, the establishment of independent data protection supervisory authorities is of utmost importance. The independence of some supervisory authorities is exemplary, whilst in other countries it is clearly insufficient. On the other hand, all the supervisory authorities lack the necessary resources and some also the necessary powers to ensure effective implementation of data protection legislation.

4. The main findings of the review in more detail [18]

[18] Readers should refer to the technical annex for a more complete picture.
This section looks more closely at and provides more concrete examples of the main issues which the Commission considers require attention in the light of its review.

4.1. The need to complete the implementation of the Directive

A full implementation of the Directive normally requires (besides the enactment of implementing legislation) a second stage, which mainly consists in the review of other legislation that may conflict with the Directive's requirements and/or the specification of certain general rules and the provision of appropriate safeguards where exceptions foreseen by the Directive have been used. In general terms, this second stage of the implementation has not even started in some Member States and, among those that have started, some are not very far advanced. Several national laws make reference to further clarification being issued, for example as regards the application of Article 7 (f) (balance of interest clause), but this has not happened yet. [19]

[19] Several submissions - see for example that from Clifford Chance - highlighted the importance of this provision, which adds an important element of flexibility to the conditions of "fairness" of processing. An incomplete or unclear implementation of this provision causes unnecessary rigidity in the regulatory framework.

Another provision where implementation is often incomplete is Article 8 (2) (b). This provision allows Member States to make exceptions from the general rule that sensitive data should not be processed, where such processing is necessary to carry out the obligations and specific rights of the controller in the field of employment law, but only subject to adequate safeguards being put in place. In some Member States, these requirements are met through specific data protection legislation in the employment context, which is either quite comprehensive (e.g. Finland) or regulates particular issues (e.g. health legislation in Denmark and the Netherlands).
In other Member States, the situation is less clear. The provisions containing safeguards have not been adopted by all Member States. Where they exist, they are often unsatisfactory. The situation is similar as regards Article 8 (4) and (5) - the processing of sensitive data for reasons of public interest or with regard to criminal convictions. The absence of safeguards means the required level of protection for individuals is not being met, which should be a matter of concern for the Member States, as it is for the Commission. This will be addressed in particular under Action 1 of the work programme. Furthermore, where personal data are processed in a particular sector or context, such as in employment, this may be addressed through sectoral Community action [20].

[20] Cf., in this regard, point 1.2 supra.

4.2. The need for a reasonable and flexible interpretation

Many submissions have advocated a reasonable and flexible interpretation of certain provisions of the Directive [21]. A good example is the issue of sensitive data [22]. It is necessary to find an interpretation consistent both with the reinforced protection foreseen for this category of data by the Directive and with the realities of daily business, routine processing operations and the effective risks that certain operations pose for the protection of the fundamental rights and freedoms of individuals. [23]

[21] The submission of the European Privacy Officers Forum (EPOF) is particularly interesting in this regard, for example on the need for a reasonable interpretation of notions like "anonymous data" or "sensitive data".

[22] The submission of FEDMA, for example, contains some practical examples of the different interpretations of this notion in Member States such as the United Kingdom, France or Portugal.

[23] The call for a reasonable interpretation can also be found in the suggested amendment to recital 33 submitted by Austria, Finland, Sweden and the United Kingdom.
Article 12 of the Directive (right of data subjects to have access to information held about them) is another provision that has prompted calls for a flexible interpretation in relation to the exercise of the right of access and the possibility of refusals. It is argued that meeting access requests concerning data processed in enormous and complex information networks could be extremely difficult and costly for the data controller. The submission from Austria, Sweden, Finland and the United Kingdom seeks a change in the Directive to make clear that, if the access request concerns information extremely difficult to retrieve and clearly excluded from the normal operations of the controller, the data controller may ask the data subject to assist the organisation in searching for his data. [24] The Commission recalls that the possibility of asking for such assistance is already in conformity with the Directive in its present form. The Commission is not convinced that the implementation of this provision of the Directive is in fact posing serious practical problems. In any case, the number of access requests seems to remain low. [25] The Commission considers the interpretations and guidance provided by national supervisory authorities so far to be wholly reasonable.

[24] Such assistance is already foreseen under British and Austrian law.

[25] See figures and responses of data controllers to the on-line questionnaire on this issue above.

Article 5 of the Directive states that Member States shall, within the limits of the provisions of Chapter II (Articles 6 to 21), determine more precisely the conditions under which the processing of personal data is lawful. In this respect, the Commission notes the concerns expressed by Sweden in the framework of the ongoing review of their legislation as regards the application of data protection principles to continuous text or sound and image data.
The Commission considers that the aim of simplifying the conditions for data processing where such processing is not likely to pose any substantial risks to individuals' rights can be better met by making use of the margin of manoeuvre that the Directive provides, and in particular of the possibilities allowed by Articles 7 (f), 9 and 13.

4.3. Promotion and encouragement of Privacy Enhancing Technologies

The idea of Privacy Enhancing Technologies (PETs) is to design information and communication systems and technologies in a way that minimises the collection and use of personal data and hinders unlawful forms of processing. The Commission considers that the use of appropriate technological measures is an essential complement to legal means and should be an integral part of any effort to achieve a sufficient level of privacy protection. Technological products should in all cases be developed in compliance with the applicable data protection rules. But being in compliance is only the first step. The aim should be to have products that are not only privacy-compliant and privacy-friendly but, if possible, also privacy-enhancing [26]. Privacy-compliant products are products developed in full compliance with the Directive; privacy-friendly products go one step further by introducing some elements that make the privacy aspects more easily accessible to the users, for instance by providing very user-friendly information to the data subject or very easy ways of exercising their rights. Privacy-enhancing products are those that have been designed in a way that aims at accomplishing the largest possible use of truly anonymous data.

[26] See in this sense the conclusions of the document WP 37 of the Article 29 Working Party, November 2000: "Privacy on the Internet - An integrated EU Approach to On-line Data Protection". http://europa.eu.int/comm/internal_market/privacy/workingroup/wp2000/wpdocs00_en.htm

During the discussions on PETs at the Commission's 2002 conference on the implementation of the Directive, it was pointed out that the use of certain technical tools makes it impossible for controllers to comply with the law. An additional problem that emerged is the difficulty of recognising which products are genuinely PETs. Some participants called for some form of certification or seal based on an independent verification of the product. At present, some systems presenting themselves as PETs are not even privacy-compliant. The key issue is therefore not only how to create technologies that are really privacy-enhancing, but how to make sure that these technologies are properly identified and recognised as such by the users. Certification schemes play a crucial role and the Commission will continue to follow developments in this area [27]. The Commission believes that such schemes should indeed be encouraged and further developed. The objective is not just better privacy practices, but also to increase transparency and therefore the trust of users, and to give those investing in compliance and even enhanced protection an opportunity to demonstrate their performance in this respect and exploit this to their competitive advantage.

[27] For instance in Canada, where the Federal Government became the first national government to make Privacy Impact Assessments (PIAs) mandatory for all federal departments and agencies for all programmes and services where privacy issues might be inherent. This policy requires agencies to initiate PIAs in the early stages of the design or redesign of a programme or service, so as to influence the development process and make sure that privacy protection is a core consideration. The German Land of Schleswig-Holstein has introduced a certification scheme involving both the public and private sector on similar lines.

4.4. Comments on some specific provisions

This report only indicates the main findings in each case. Details will be made available in a technical annex to be published separately [28].

[28] www.europa.eu.int/comm/privacy

4.4.1. Article 4: Applicable law

This is one of the most important provisions of the Directive from the perspective of the Internal Market and its correct implementation is crucial for the functioning of the system. The implementation of this provision is deficient in several cases, with the result that the kind of conflicts of law this Article seeks to avoid could arise. Some Member States will have to amend their legislation in this regard. The provision was one of the most criticised during the review process. Submissions argued for a country of origin rule that would allow multinational organisations to operate with one set of rules across the EU. Many also argued that the "use of equipment" was not an appropriate or workable criterion for determining the application of EU law to controllers established outside the EU. As regards the country of origin rule, the Directive already allows for the organisation of processing under a single data controller, which means complying only with the data protection law of the controller's country of establishment. This of course does not apply where a company has chosen to exercise its right of establishment in more than one Member State. As regards the "use of equipment", the Commission is aware that this criterion may not be easy to operate in practice and that it needs further clarification. Should such clarification not be sufficient to ensure its practical application, it might in due course be necessary to propose an amendment creating a different connecting factor in order to determine the applicable law. The Commission's priority is, however, to secure the correct implementation by the Member States of the existing provision.
More experience with its application and more reflection are needed, taking into account technological developments, before any proposal to change Article 4 (1) (c) might be made. Notwithstanding the need for this further reflection, it would be wrong to give the impression that the whole of Article 4 is contested. On the contrary, large areas of its application are uncontested and are the subject of unanimous agreement among all data protection authorities and the Commission.

4.4.2. Articles 6 and 7: Data quality and criteria for legitimate processing

The analysis of national legislation shows that the implementation of these provisions is sometimes unsatisfactory. Article 6 (1)(b) allows further processing for historical, statistical or scientific purposes, but only when appropriate safeguards are in place. Safeguards have not been provided for in all Member States, whilst such further processing is generally authorised. Some Member States have gone beyond or fallen short of the list of grounds for legitimate processing in Article 7 and they will have to amend their legislation. The notion of "unambiguous consent" (Article 7 (a)) in particular, as compared with the notion of "explicit consent" in Article 8, needs further clarification and more uniform interpretation. It is necessary that operators know what constitutes valid consent, in particular in on-line scenarios.

4.4.3. Articles 10 and 11: Provision of information to data subjects

The implementation of Articles 10 and 11 of the Directive showed a number of divergences. To some extent this is the result of incorrect implementation, for instance when a law stipulates that additional information must always be provided to the data subject, irrespective of the necessity test the Directive foresees, but it also stems from divergent interpretation and practice by supervisory authorities.
Submissions stressed the difficulties for multinational companies operating on a pan-European level that arise from these divergences [29].

[29] See for example the views of the EPOF (European Privacy Officers Forum):

4.4.4. Articles 18 and 19: Notification requirements

Many submissions argue for the need to simplify and approximate the requirements in Member States as regards the notification of processing operations by data controllers. The Commission shares this view, but recalls that the Directive already offers the Member States the possibility to provide for wide exemptions from notification in cases where low risk is involved or when the controller has appointed a data protection official. These exemptions allow for sufficient flexibility while not affecting the level of protection guaranteed. Regrettably, some Member States have not availed themselves of these possibilities. However, the Commission agrees that, in addition to wider use of the existing exemptions, some further simplification would be useful and should be possible without amending the existing Articles.

4.4.5. Articles 25 and 26: The external dimension

Divergences between Member States' laws on the implementation of these two provisions are very broad indeed. The approach adopted by some Member States, where the assessment of the adequacy of protection provided for by the recipient is supposed to be made by the data controller, with very limited control of the data flows by the State or the national supervisory authority, does not seem to meet the requirement placed on Member States by the first paragraph of Article 25 (1) [30]. The approach taken by some other Member States, submitting all transfers to third countries to an administrative authorisation [31], also seems inconsistent with Chapter IV of the Directive, which aims at guaranteeing both adequate protection and flows of personal data to third countries without unnecessary burdens. Notifications to national supervisory authorities may be required under Article 19, but notifications cannot be turned into de facto authorisations in those cases where the transfer to a third country is clearly permitted, either because the recipient is a destination providing adequate protection as confirmed in a binding Commission decision, or is a party to the standard contractual clauses approved by the Commission, or because the data controller declares that the transfer benefits from one of the exceptions provided for in Article 26 of the Directive. Whilst the data protection authority may legitimately require the notification of these transfers [32], there is no need to authorise these transfers because they are already authorised by Community law.

[30] "The Member States shall provide that the transfer to a third country of personal data (....) may take place only if (....) the third country in question ensures an adequate level of protection"

[31] Transfers benefiting from the exceptions of Article 26 (1), or even to other Member States or to third countries declared adequate by the European Commission, need an authorisation in some Member States.

[32] To check, for example, that the model contract fully corresponds with the model approved by the Commission or that the recipient is effectively covered by the adequacy decision.

An overly lax attitude in some Member States - in addition to being in contravention of the Directive - risks weakening protection in the EU as a whole, because with the free movement guaranteed by the Directive, data flows are likely to switch to the "least burdensome" point of export.
An overly strict approach, on the other hand, would fail to respect the legitimate needs of international trade and the reality of global telecommunications networks, and risks creating a gap between law and practice which is damaging for the credibility of the Directive and for Community law in general. Indeed, international transfers appear to be an area where the lack of enforcement action creates such a gap. National authorities are supposed to notify the Commission when they authorise transfers under Article 26 (2) of the Directive. Since the Directive came into operation in 1998, the Commission has received only a very limited number of such notifications. Although there are other legal transfer routes apart from Article 26 (2), this number is derisory by comparison with what might reasonably be expected. Combined with other evidence pointing in the same direction [33], this suggests that many unauthorised and possibly illegal transfers are being made to destinations or recipients not guaranteeing adequate protection. Yet there is little or no sign of enforcement actions by the supervisory authorities.

[33] The report approved by the Spring Conference of Data Protection Authorities in May 2001 showed that most national supervisory authorities were unable to indicate the number of processing operations that involved international transfer of data. Where figures were available, they were insignificant (600 transfers from France, 1352 from Spain and 150 from Denmark).

Transfers requiring authorisation and notification do of course create a considerable administrative burden, both for data exporters and for supervisory authorities. It is therefore desirable that more use be made of the "block authorisations" provided for in Articles 25(6) and 26(4) of the Directive.
These have so far produced only four adequacy findings for third countries (Hungary, Switzerland, Canada and the US Safe Harbor [34]) and two sets of standard contractual clauses, one for transfers to data controllers in third countries and one for transfers to processors. More work is needed on the simplification of the conditions for international transfers.

[34] There is also a Commission decision on adequate protection in Argentina close to finalisation.

5. The processing of sound and image data

During the Directive's preparation, some people were concerned that it might not be able to cope with future technological developments. The extent of such technological developments was uncertain, but there was concern that a text drafted mainly with text processing in mind could encounter difficulties when applied to the processing of sound and image data. For this reason, Article 33 contains a specific reference to sound and image data. The Commission has based this review on a study carried out by an external contractor to analyse the situation in the Member States and on contributions from the Member States themselves and the national supervisory authorities. The information received shows that the processing of sound and image data falls within the scope of all national laws implementing the Directive and that the application of the Directive to these categories of processing has not been particularly problematic. In most Member States the same (general) provisions apply to the processing of sound and image data as apply to other personal data. Only two Member States (Germany and Luxembourg) have included specific provisions on the processing of sound and image data in their laws implementing the Directive. Three Member States (Denmark, Sweden and Portugal) have special provisions on video surveillance in separate laws.
Despite the doubts raised during the negotiation of the Directive, Member States have thus reached the conclusion that the Directive's ambition to be technology-neutral is achieved, at least as regards the processing of sound and image data. No Member State or other contributor has proposed modifications to the Directive in this regard. The joint proposals tabled by Austria, Finland, Sweden and the United Kingdom express some concern about the ability of the Directive to cope with certain technological developments, but do not contain any concrete proposals directly related to this issue. One of the workshops of the conference on the implementation of the Directive was entirely devoted to this issue. The main topic was video surveillance, the issue (followed by biometrics) that has received most attention so far from the national supervisory authorities. Participants believed that there has so far been insufficient public debate about the limits that need to be placed on the use of video surveillance in order to safeguard certain rights and freedoms in a democratic society. The Article 29 Working Party has also devoted considerable energies to this issue and has approved a draft working document, which has been published on the data protection web-site of the Commission, inviting comments from interested parties. There are in addition a number of legal and practical issues resulting from the implementation of the Directive in the Member States as regards sound and image data that create some uncertainty for operators called on to comply with the legislation and for individuals entitled to exercise their data protection rights.
There are for instance uncertainties as regards the definitions of the Directive, for example to what extent an isolated image or a fingerprint can be considered personal data in those cases where the data controller is unable or extremely unlikely to identify an individual; whether simple monitoring constitutes a processing operation; or how to achieve a reasonable interpretation of the concept of sensitive data. The Commission acknowledges that there are answers to all these questions in the national legislation transposing the Directive, but considers it necessary that more guidance is provided. This guidance needs to be realistic and pragmatic if it is to help improve compliance and should as far as possible be co-ordinated between the Member States. The Commission welcomes the Article 29 Working Party's work in this area so far and encourages it to continue to provide useful guidance, with appropriate input from interested parties.

6. Work programme for a better implementation of the Data Protection Directive (2003-2004)

The analysis of the implementation in the Member States contained in this report reveals problems which need to be addressed if the Directive is to have its full intended effects. The work plan that follows comprises actions that will take place from the adoption of this report until the end of 2004 and will require the joint efforts of the European Commission, the Member States (including the candidate countries) and their national supervisory authorities and, in some cases, also those of data controllers' representatives. A general, serious concern indicated above is that the level of compliance, enforcement and awareness appears not to be at an acceptable level. As a general action point applicable to all initiatives listed below, the Commission will work with the Member States, supervisory authorities and interested parties to determine the causes of and design feasible solutions for this set of problems.
Commission's initiatives

Action 1: Discussions with Member States and Data Protection Authorities

During 2003 the Commission services will hold bilateral meetings with the Member States with the main purpose of discussing necessary changes to bring national legislation fully in line with the requirements of the Directive. The involvement of the competent data protection authority may be necessary on some issues. The need for more vigorous enforcement may also be a topic in these bilateral discussions. The lack of resources allocated to supervisory authorities should also be discussed. Such meetings may be supplemented by discussions on the incorrect implementation of the Directive at the "package meetings" that are periodically organised with Member States by the Secretariat General of the Commission and/or DG Internal Market. Discussions in the Article 29 Working Party and in the Article 31 Committee will enable certain issues affecting a large number of Member States to be tackled on a multilateral basis, it being understood that there can be no question of such discussions leading to a de facto amendment of the Directive. In addition to ad hoc discussions on specific issues, the Commission proposes that each group devotes one complete meeting to this subject in the course of 2003.

Action 2: Association of the candidate countries with efforts to achieve a better and more uniform implementation of the Directive

This report has focused almost entirely on the situation in the 15 Member States. Before the work plan has been completed, 10 new Member States will have joined the Union. Representatives of the supervisory authorities of several candidate countries have been attending meetings of the Article 29 Working Party since 2002. From the date of signature of the Treaties of Accession the acceding countries will be invited to all meetings of both the Working Party and the Article 31 Committee.
To the extent reasonably possible, bilateral discussions and possibly peer reviews will also be continued up to and beyond accession, in order to achieve the best possible alignment of the legislation of the new Member States with the Directive and to keep formal infringement procedures to a minimum.

Action 3: Improving the notification of all legal acts transposing the Directive and notifications of authorisations granted under Article 26(2) of the Directive

The Commission's services, in close co-operation with the Data Protection Authorities and the Member States, will continue with the collection of information about the implementation of the Directive and will in particular identify the areas where there are clear gaps in the implementing measures notified and seek the co-operation of the Member States in filling these gaps as quickly as possible. The Commission will facilitate the exchange of best practice where this might help. The Commission will use its formal powers under Article 226 of the Treaty if this co-operative approach (6.1, 6.2 and 6.3) fails to produce the necessary results. The Member States and their supervisory authorities also need to put in place the necessary arrangements to notify (as required by Article 26(3) of the Directive) national authorisations for international transfers granted under Article 26(2) of the Directive. The Commission will discuss this with the Member States and their supervisory authorities and ensure the exchange of best practice. The Commission will create a new page on its web-site [35] where it will post in a structured form not only all information collected for the preparation of this report, but also information about the work to be carried out under this work plan.
It will also invite national supervisory authorities to make available for inclusion in this web-site decisions and recommendations adopted by data protection authorities and significant items of guidance issued by them, with an emphasis on areas where a more even interpretation and application of the law is necessary.

[35] www.europa.eu.int/comm/privacy

Article 29 Working Party's contribution [36]

[36] This list is without prejudice to the general work programme of the Article 29 Working Party, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp71_en.pdf

The Commission welcomes the Working Party's contributions to achieving a more uniform application of the Directive. It wishes to recall the importance of transparency in this process and encourages the efforts the Working Party is currently undertaking to further enhance the transparency of its work.

Action 4: Enforcement

The Commission calls on the Article 29 Working Party to hold periodic discussions on the overall question of better enforcement. This should inter alia lead to the exchange and adoption of best practices. The Working Party should also consider the launching of sectoral investigations at EU level and the approximation of standards in this regard. The aim of such joint investigations would be to provide a more accurate picture of the implementation of data protection law in the Community and to make agreed recommendations and practical guidance to the sectors concerned with a view to improving compliance in the least burdensome ways possible.

Action 5: Notification and publicising of processing operations

The European Commission shares to a large extent the criticism expressed by data controllers during the review concerning the divergent content of notification obligations placed on data controllers.
The Commission recommends a wider use of the exceptions and in particular of the possibility foreseen in Article 18(2) of the Directive, that is the appointment of a data protection officer, which creates an exemption from notification requirements. The Commission calls on the Article 29 Working Party to contribute to a more uniform implementation of the Directive by putting forward proposals for a substantial simplification of the notification requirements in the Member States and for co-operation mechanisms to facilitate notifications by multinational companies with establishments in several Member States. These proposals may need to include proposed amendments to national legislation. The Commission is prepared itself to make proposals if the Working Party is unable to do so within a reasonable period (12 months).

Action 6: More harmonised information provisions

The Commission shares the view that the present patchwork of varying and overlapping requirements as regards the information that controllers have to provide to data subjects is unnecessarily burdensome for economic operators, without adding to the level of protection. In so far as information requirements placed on data controllers are inconsistent with the Directive, it is hoped that this can be remedied expeditiously through dialogue with the Member States and corrective legislative action by them. In addition, the Commission calls on the Article 29 Working Party to co-operate in the search for a more uniform interpretation of Article 10.
Action 7: Simplification of the requirements for international transfers

In parallel to the discussions that are intended to bring about the necessary changes in Member State law to ensure conformity with the Directive, the Commission calls on the Article 29 Working Party to use the last report of the international complaint handling workshop as a basis for further discussions with a view to a substantial approximation of existing practices in the Member States and the simplification of the conditions for international data transfers. The Commission itself intends to make more extensive use of its powers under Articles 25(6) and 26(4), which provide the best means of simplifying the regulatory framework for economic operators while ensuring adequate protection for data transferred outside the EU. With the co-operation of the Article 29 Working Party and the Article 31 Committee, the Commission expects to see progress in four areas:

a) a more extensive use of findings of adequate protection in respect of third countries under Article 25(6), while maintaining of course an even-handed approach vis-à-vis third countries in line with the EU's WTO obligations;

b) further decisions on the basis of Article 26(4) so that economic operators have a wider choice of standard contractual clauses, to the extent possible based on clauses submitted by business representatives, for example those submitted by the International Chamber of Commerce and other business associations;

c) the role of binding (intra) corporate rules (e.g. internal rules that bind a given multi-national corporate group doing business in several different jurisdictions, both inside and outside the EU) in providing adequate safeguards for intra-group transfers of personal data;

d) the more uniform interpretation of Article 26(1) of the Directive (permitted exceptions to the adequate protection requirement for transfers to third countries) and the national provisions implementing it.
All this work should be carried out with an appropriate degree of transparency and with periodic input from stakeholders.

Other initiatives

Action 8 : Promotion of Privacy Enhancing Technologies

The Commission is already doing work in the field of privacy-enhancing technologies, especially at the research level, for instance the RAPID [37] and PISA [38] projects.

[37] Roadmap for Advanced Research in Privacy and Identity Management

[38] Privacy-Enhancing Intelligent Software Agents

It proposes to organise a technical workshop in 2003 in order to increase awareness regarding PETs and to offer an opportunity to discuss in depth the measures that could be taken to promote the development and use of PETs, such as the role that seals, certification systems or PIAs [39] could play in Europe.

[39] Privacy Impact Assessments

It invites the Working Party to continue discussing the issue of PETs and to reflect on possible measures the national supervisory authorities could take in order to promote the use of these technologies at national level. After the technical workshop, and taking on board the input received, the Commission will make further proposals for the promotion of privacy-enhancing technologies at European level. These proposals will pay special attention to the need to encourage governments and public sector institutions to set a good example by using PETs in their own processing operations, for instance in e-government applications.

Action 9 : Promotion of self-regulation and European Codes of Conduct

The Commission is disappointed that so few organisations have come forward with sectoral Codes of Conduct for application at Community level. It will keep on encouraging and giving advice on (within the limits imposed by the resources available) draft codes of conduct submitted for the consideration of the Article 29 Working Party [40].
It encourages sectors and interest groups to take a much more pro-active role, as it believes that self-regulation, and in particular codes of conduct, should play an important role in the future development of data protection in the EU and outside, not least in order to avoid excessively detailed legislation.

[40] The Article 29 Working Party is considering at the moment the following submissions: Code of conduct on direct marketing submitted by FEDMA; Code of conduct on the processing of personal data by executive search consultants (head-hunters) submitted by AESC; and Code of conduct on pan-European calling line identification submitted by ETP. A previous request from IATA did not fulfil the requirements for a code of conduct under Article 27 of the Directive but received a positive comment from the Article 29 Working Party in its opinion WP 49 adopted on 13 September 2001. http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2001/wp49en.pdf

To the same end, the Commission expressed, in its consultation document addressed to the European social partners on personal data protection in the employment context, its strong hope that they would engage in negotiations with a view to concluding a European agreement in this field. The Commission regrets that the social partners did not agree to negotiate on this issue and hopes that the avenue of collective agreements in this field will be further explored.

Action 10 : Awareness raising

The Commission intends to launch a Eurobarometer survey along the lines of the questions contained in the on-line consultation carried out in 2002. It hopes that some data protection authorities will be associated with this initiative and that there will be joint efforts to make data protection issues the subject of public debate. It encourages Member States to devote more resources to awareness raising, in particular via the budgets of the national supervisory authorities.

7. Conclusion

This report constitutes a first step in the analysis of information concerning the implementation of Directive 95/46/EC and the identification of the actions necessary to address the main problems that have emerged. The Commission hopes that this analysis will help governments, data protection authorities and operators to clarify what needs to be done to achieve a better application of the Directive in the EU, with more vigorous enforcement, better compliance and greater awareness of their rights and obligations among data subjects and data controllers. The Commission expects that, where necessary, Member States will amend their legislation to achieve compliance with the provisions of the Directive and provide supervisory authorities with sufficient resources. The Commission also expects that Member States and supervisory authorities will make all reasonable efforts to create an environment in which data controllers - and not least those operating at a pan-European and/or international level - can comply with their obligations in a less complex and burdensome way, and to avoid imposing requirements that could be dropped without any detrimental effect on the high level of protection guaranteed by the Directive. The Commission encourages citizens to make use of the rights conferred by the legislation and data controllers to take all necessary steps to guarantee compliance with the legislation. The Commission will closely monitor further technological developments and the results of the work programme contained in this report and make proposals for further follow-up towards the end of 2004, by which time both the Commission and the Member States will have the benefit of considerably more experience than at present with the implementation of the Directive.