Data Protection Directive


The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.
The principles set out in the Data Protection Directive were aimed at the protection of fundamental rights and freedoms in the processing of personal data. The General Data Protection Regulation, adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018.

Context

The right to privacy is a highly developed area of law in Europe. All the member states of the Council of Europe are also signatories of the European Convention on Human Rights. Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.
In 1973, American scholar Willis Ware published Records, Computers, and the Rights of Citizens, a report that was to be influential on the directions these laws would take.
In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organisation for Economic Co-operation and Development issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data". The seven principles governing the OECD's recommendations for protection of personal data were:
  1. Notice—data subjects should be given notice when their data is being collected;
  2. Purpose—data should only be used for the purpose stated and not for any other purposes;
  3. Consent—data should not be disclosed without the data subject's consent;
  4. Security—collected data should be kept secure from any potential abuses;
  5. Disclosure—data subjects should be informed as to who is collecting their data;
  6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data
  7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe. The United States, meanwhile, while endorsing the OECD's recommendations, did nothing to implement them within the United States. However, the first six principles were incorporated into the EU Directive.
In 1981, the Members States of the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data to implement Article 8 of the ECHR. Convention 108 obliges the signatories to enact legislation concerning the automatic processing of personal data, and was modernised and reinforced in 2018 to become "Convention 108+".
In 1989 with German reunification, the data the East German secret police collected became well known, increasing the demand for privacy in Germany. At the time West Germany already had privacy laws since 1977. The European Commission realized that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and accordingly proposed the Data Protection Directive.

Content

The directive regulates the processing of personal data regardless of whether such processing is automated or not.

Scope

Personal data are defined as "any information relating to an identified or identifiable natural person ; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".
This definition is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.
The notion processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction".
The responsibility for compliance rests on the shoulders of the "controller", meaning the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU residents would process some personal data and would be using equipment in the EU to process the data. As a consequence, the website operator would have to comply with the European data protection rules. The directive was written before the breakthrough of the Internet, and to date there is little jurisprudence on this subject.

Principles

Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.

Transparency

The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair.
Data may be processed only if at least one of the following is true :
  • when the data subject has given his consent.
  • when the processing is necessary for the performance of or the entering into a contract.
  • when processing is necessary for compliance with a legal obligation.
  • when processing is necessary in order to protect the vital interests of the data subject.
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are over-ridden by the interests for fundamental rights and freedoms of the data subject. The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or not being processed in compliance with the data protection rules.

    Legitimate purpose

Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. The personal data must have protection from misuse and respect for the "certain rights of the data owners which are guaranteed by EU law".

Proportionality

Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use..
When sensitive personal data are being processed, extra restrictions apply..
The data subject may object at any time to the processing of personal data for the purpose of direct marketing.
An algorithmic-based decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. A form of appeal should be provided when automatic decision making processes are used.

Supervisory authority and the public register of processing operations

Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. Individuals may lodge complaints about violations to the supervisory authority or in a court of law.
The controller must notify the supervisory authority before he starts to process data. The notification contains at least the following information :
  • the name and address of the controller and of his representative, if any;
  • the purpose or purposes of the processing;
  • a description of the category or categories of data subject and of the data or categories of data relating to them;
  • the recipients or categories of recipient to whom the data might be disclosed;
  • proposed transfers of data to third countries;
  • a general description of the measures taken to ensure security of processing.
This information is kept in a public register.