Organisations doing business in Europe need to be aware of European privacy legislation that restricts what data can be collected and grants individuals rights in relation to such data. Non-compliance can lead to claims for compensation and, in some cases, to prosecution for criminal offences.
In 1995, the European Parliament and Council adopted a Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Directive”). The Directive applies to all Member States of the European Economic Area – that is to the 15 states of the European Union, plus Norway, Iceland and Liechtenstein.
The aim of the Directive is to set out certain common privacy standards for individuals across the EEA. It is important to note that it only imposes minimum standards; Member States are free to have supplemental, higher standards of privacy legislation. Organisations operating in the EEA will quickly realise that this is often the case and that the implementation of the Directive varies across the EEA.
The Directive had to be implemented by 24 October 1998, although it permitted many transitional arrangements to continue until October 2001 and some very limited transitional provisions to continue until October 2007. Although there has been substantial delay in implementing the Directive, almost all Member States have now done so.
The Directive applies to organisations that are established in the EEA. Establishment would include limited companies, branches, subsidiaries, or any real economic presence. The Directive also applies to organisations which are not established in any EEA State but which use equipment in the EEA to process personal data. Where an organisation is established or uses equipment in several Member States, it must comply with the laws of each state.
What is covered by the Directive?
The Directive regulates personal data held in certain types of records, which are processed by a data controller.
“Personal data” are information relating to a directly or indirectly identifiable natural person (i.e. an individual, not a company).
This will include details such as name, postal address and email address as well as facts and opinions held about an individual. Business contact data are also covered. However, truly anonymous data, such as aggregated statistics, are not regulated by the Directive. The Directive also recognises that some data are to be regarded as sensitive and can only be processed under strict conditions. Such data are racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; health; sex life; and the commission of offences and related proceedings. Financial data do not amount to sensitive data, although some Member States will have separate protection for such data.
Personal data are covered by the Directive if they are held in automated records (broadly speaking, on computer) or in certain structured paper files. It is for each Member State to specify which paper files should be covered by privacy legislation. In the UK, for example, all medical, educational, social services and local authority housing files are covered. Other files are only covered if they are structured in certain ways.
The Directive applies to any operation(s) performed on personal data, from collection, through to storage and destruction.
The data controller is “… the person which (alone or jointly with others) determines the purposes and means of the processing”.
Obligations in the Directive fall mainly on data controllers. Lesser obligations fall on data processors, who are people (other than employees of a data controller) who process personal data on behalf of a data controller and have no independent control over personal data.
Main obligations under the Directive
The Directive imposes three main obligations, each of which is considered in further detail below:
- an obligation to notify (i.e. to register) processing;
- an obligation to respect individuals' rights; and
- an obligation to comply with data protection principles set out in the Directive.
Notification By Data Controllers
Each Member State has established a public register of data controllers. Organisations processing personal data must register in each state in which they are established; there is no central European registration process. Many Member States have de-minimis exemptions from the obligation to register.
It is important to undertake this registration process – for example, in the UK it is a criminal offence not to register; ignorance of the obligation is no defence.
Individuals' Rights
The Directive grants individuals to whom information relates (“data subjects”) rights including the following:
- to be provided with specified information about the processing of information relating to them (including the right to a copy of the actual information held, if requested);
- a right to prevent certain types of processing on “compelling legal grounds” and an absolute right to object to direct marketing; and
- rights in relation to significant automated decisions (such as computerised decisions about credit worthiness).
An individual is also entitled to compensation if he suffers damage because a data controller has breached the provisions of the Directive.
The Data Protection Principles
Organisations must comply with certain principles when processing personal data. These are set out in the Directive and specify:
- data quality standards;
- the need for a lawful, and legitimate, basis for processing (one such basis is freely given consent);
- security and confidentiality obligations; and
- restrictions on transferring data outside the EEA, except in limited circumstances.
Each Member State has a supervisory authority, or authorities, that enforce data protection and must ensure that there are remedies and enforcement arrangements. The financial and other consequences of a breach of privacy legislation vary between States. In the UK, the Information Commissioner (who has responsibility for enforcement) has been given a right to serve information notices, to serve enforcement notices (like injunctions) and to search premises and seize materials. In a serious case, an enforcement notice could restrict or prohibit the processing of personal data by the individual or company served with the notice: this could destroy a business. In addition, breach of certain data protection provisions in the UK leads to criminal sanctions. A company’s officers and managers may be personally liable for such a breach if it can be shown to have been committed with their consent or connivance or to be attributable to their neglect.
As most of the Directive is now in force across the EEA, organisations need to be aware of how this may affect their business.
Practical steps which organisations can take include:
- Preparing systems and staff for an increase in requests for access to data from individuals – especially those who have a separate motive and complaint (e.g. disgruntled customers, or ex-employees pursuing a claim).
- Performing a data protection compliance audit, to determine what data an organisation uses, and how, and drawing up policies and procedures to comply with the Directive.
- Reviewing and if necessary, purging out-of-date and/or unnecessary personal data.
- Reviewing transfers of personal data to other countries, both within and outside the EEA, for compliance with EU and third country laws.