Data protection regulation in the EU

THE DIRECTIVE

There is currently considerable variation between the level of data protection afforded to individuals in different countries, and the background to the Directive is the perceived need to achieve harmonisation on the basis of a common level of protection in all member states. The philosophy underlying the Directive is evident both from the introductory recitals and from the articles that make up the body of the text; the two fundamental aims of the Directive are firstly that “the fundamental rights and freedoms of natural persons, and in particular their right to privacy” shall be protected by member states and secondly a commitment to free movement of information between member states, analogous to the general principle of free movement of goods and services within a common external boundary. The following paragraphs highlight some topics of particular interest.

PRIVACY

Privacy is a concept familiar in European legislation, where the European Convention on Human Rights and its commitment to fundamental human rights has been reflected in much EU legislation. The concept of a law of privacy and providing protection for individuals’ privacy is also a concept apparent in the national legal systems of several continental European states. However, it is not a familiar approach in English Law, where the European Convention on Human Rights has yet to be adopted into law and there is at present no general law of privacy. The Data Protection Act 1984 makes no reference to a right of privacy and it will be interesting to see whether the amended law does include a reference to such a right. What may be of concern to data users is the prospect that the new law may give more emphasis to the rights of the individual in preventing or controlling use and disclosure of their personal information than is presently the case.
Whether or not the interpretation of this aspect of the Directive will, when implemented, cause data users difficulties is at this stage highly speculative; however, the emphasis in the Directive on its twin aim, to maintain the free flow of information between member states, may ensure that in practice there is no such difficulty.

MANUAL DATA (ARTICLE 3)

One of the aspects of the Directive which is of most obvious significance is the extension of the scope of protected information to include information held in manual records. Article 3 of the Directive provides that the law shall cover automatic processing of personal data and also extend to processing which is not automatic where personal data “form part of a filing system or are intended to form part of a filing system.” The definition of a filing system is extremely broad, being “any structured set of personal data which are accessible according to specified criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. One view is that in fact only a very limited class of data will be covered by the terms of the Directive, but this is by no means clear from the wording of the definition. The amount of information that potentially could be subject to data protection law under this broad definition is considerable. For example, even where manual records are held in different offices, provided they are accessible by specific criteria they will be within the scope of the Directive. This feature was present in the earlier drafts of the Directive, but is wholly new to English data protection law.
The fact that manual records will be subject to the same controls as information stored on computer is clearly a matter of concern for organizations that hold such filing systems of personal information, particularly as in some cases organizations will have taken the decision (as they are entitled to do) to store information manually to prevent the rights and obligations of data subject and data user under the Data Protection Act applying to it.

DATA QUALITY (ARTICLE 6)

The Directive also provides a set of principles governing data quality. These principles govern how the information should be obtained and what type of information can be obtained. The provisions relating to data quality strongly resemble the existing provisions in the Data Protection Act reflecting their common origin, the Council of Europe Convention on data protection,* and therefore should cause little difficulty in practice.

LEGITIMATE PROCESSING (ARTICLE 7)

Another area of interest is that of legitimate processing. The Directive lays down various circumstances that may justify processing of data. These requirements are similar to those that appeared in the second draft of the Directive, but are on the face of it entirely new to English law. However, it may well be that in practice these requirements amount to no more than a restatement in a different form of the existing requirement in the first data protection principle of the Data Protection Act³ as interpreted by the Data Protection Tribunal,⁴ that personal data must be processed fairly and lawfully. One question that arises is, how much of the previous case law will remain relevant following the adoption of the Directive into English Law. An interesting parallel arises in the Trade Mark Act 1994 and previous cases decided under the 1938 Act; it is not yet