The European Commission recently reported on how EU Member States were getting on with implementing the 1995 Data Protection Directive. It also looked at possible upgrades to the law.
Topic: Data protection
Who: The European Commission
When: May 2003
The European Commission published a progress report on the implementation and operation of the Data Protection Directive of 1995. This report should in fact have been prepared in 2001, but so many member states lagged in implementing the Directive that it was felt best to postpone the day.
On a negative note, the report bemoaned the late implementation of the Directive by several member states. In fact only four states passed suitable national laws by the October 1998 deadline. France, Germany, Ireland, Luxembourg and the Netherlands were taken to the European Court of Justice in December 1999 for their delay and even now, seven years after the Directive's adoption and more than four years since the implementation deadline, France has still not yet passed suitable legislation, whilst Ireland has only very recently done so.
Another negative aspect was the disappointing levels of awareness and enforcement of the data protection laws driven by the Directive. As in the UK, it appears that most EU states have given enforcement a low priority, which has in turn led to patchy compliance and low levels of knowledge by citizens of their data protection rights.
On a more positive note, the report concludes that the results of the Directive in terms of the free movement of personal data across the union are broadly satisfactory. Legal obstacles to data movement have been removed, facilitating easier Europe-wide clinical trials for medical research, for example, which were very problematic under the previous regimes. Also in a positive vein, the Commission found that the Directive had achieved a high level of protection for personal data in the European Union, although it did not seem that Europe's citizens appreciated that this was the case.
More disappointingly, there appeared to be distinct differences in the ways in which various member states laws had transposed the Directive. This had led to continuing difficulties for EU businesses in operating Europe-wide data processing systems. In this connection the report sets out a work plan to narrow down these divergences. This is intended for completion by the end of 2004, following a dialogue between the Commission, Member States and their respective national data protection authorities (for instance our own Information Commission).
In a statement which will ring true with many UK marketers, the report goes on to say "making compliance less complicated will help to improve compliance standards". It does not suggest, however, that there is any immediate need for amendments to the Directive.
The consultation process leading up to the report did not result in many member states advocating modifications, apart from a joint paper prepared by the Governments of Austria, Finland, Sweden and the UK. This paper did make submissions on modifications for data subject access requests. This cited the current time and expense taken up by businesses in dealing with such requests, by which individuals are entitled to see any data held by a company which relates to them. Despite these submissions, the report does not advocate changes in this area at this time, but leaves the door open to modifications when the position is next assessed in 2005.
Why this matters:
By and large one imagines that UK industry, including UK marketers in particular, will breathe a collective sigh of relief that there will be no significant changes in the immediate future to Europe's basic data protection law regime. Having said this, as marketinglaw readers will be well aware, there has been no shortage of other regulations such as the recent E Commerce Regulations and the up and coming Privacy and Electronic Communications Regulations, which are driven by data privacy concerns. These are quite enough to be getting on with.