Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, commonly cited as Directive 95/46/EC; sets comprehensive regulations for protection of personal data in the European Union. It officially came into force on 24 October 1998, the last date given to member states to transpose the law into their domestic legal systems.778 Also important to bear in mind is that the Directive has been incorporated into the 1992 Agreement on the European Economic Area (EEA) such that states which are not EU members but are party to the EEA Agreement (i.e. Norway, Iceland and Liechtenstein) are legally bound by the Directive.779
The adoption of the Directive was largely attributed by the deficiencies in the Council of Europe Convention 108/1981. Peter Blume asserts that the purpose of the Convention is the promotion of
776 See, Comments submitted by the Computer Law and Security Review(CLSR) together with the International Association of IT Lawyers(IAITL) and the Institute for Law and the Web(ILAWS) in response to the Expert Committee’s public on the document titled ‘BEFORE THE EXPERT COMMITTEE SET UP UNDER THE CONVENTION 108: MODERNISATION OF CONVENTION 108’, p.1.,
http://www.soton.ac.uk/ilaws/newsandevents/2011/CONVENTION_108-CLSR.pdf last visited 29/12/2011; see also European Privacy Association(EPA), ‘FEEDBACK TO THE MODERNISATION OF CONVENTION 108’,
http://www.europeanprivacyassociation.eu/public/news/Contribution%20-%20Modernisation%20108%20-%20final%20for%20EPA%20and%20%20APEP.pdf last visited 29/12/2011; CoE, ‘THE CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA: MODERNISATION OF CONVENTION 108 PROPOSALS’, T-PD-BUR(2011)27_en, Strasbourg, 15 November 2011,
http://www.coe.int/t/dghl/standardsetting/dataprotection/tpd_documents/T-PD-BUR_2011_27_en.pdf last visited 29/12/2011.
777 Ibid, (CLRL),(IAITL),(ILAWS).
778 Directive 95/46/EC, Art 32.
779 Bygrave, p.31, note 503, supra.
157
transborder data flow on the basis of equivalent levels of protection in the different countries. 780 For many reasons this purpose has not been fulfilled to a satisfactory extent, and as personal information has become more and more internationalized, the necessity of more efficient legal instruments has become clearer. Accordingly, the adoption of Directive 95/46/EC was just a step in that direction. Blume’s assertion finds support of Charles Raab and Colin Bennett, who, in their joint article observe:-
‘However, practice has revealed several drawbacks to the Convention itself as an adequate basis for protecting privacy across borders. Many questions about definition and scope have taxed the minds of data protectors. Divergences among countries in the enactment and implementation of common principles, as well as uncertainties about which country’s jurisdiction should apply in particular instances, increasingly present problems for international activity. In general, then, however influential the Convention has been, it has not effected a closer harmonization in practice amongst ratifying countries.’781
The correctness of the above assertions is reflected in the Directive’s own provisions which state, ‘the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in the Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Data Processing of Personal Data.’782 Yet, harmonization problems pinpointed in the preceding paragraphs need not be exaggerated. The reason is that even after the adoption of the Directive 95/46/EC such problems have never been resolved as empirically observed by Karen McCullagh who argues that although the Directive aimed at promoting harmonization of data protection within EU, preliminary findings suggest that such aim remains much more apparent than real.783 It is largely because of this that the Directive is in the reform of being overhauled and replaced by the Regulation of the European Parliament and the Council on the protection of individuals with regard to the free movement of such data (General Data Protection Regulation).784 Subsequent reference to this instrument shall be Regulation or GDPR
780 Blume, P., ‘Privacy as a Theoretical and Practical Concept’, International Review of Law Computers &
Technology, 1997, Vol.11, No.2, pp.193-202, at p.199.
781 Raab, C.D and Bennett, C.J., ‘Protecting Privacy across Borders: European Policies and Prospects’, Public Administration, 1994, Vol.72, pp.95-112, at pp.101-102.
782Directive 95/46/EC, Recital 11.
783 McCullagh, note 499, supra.
784 Note that this instrument is still a work in progress. In December 2011 the researcher got the final draft of the proposed law which was leaked to the press in the beginning of December 2011 prior to its official publication by
158
to ease citation. Yet, despite the proposed reform of the European data protection law, this thesis proceeds to offer a detailed discussion of the Directive and only a general discussion of the Regulation for the following reasons:-
First, although the Directive is proposed to be repealed by the Regulation, the latter law retains most of the general principles of data protection in the former. Hence the case law developed by the ECJ on the Directive and other practices by Data Protection Authorities in member states continue to be relevant. Second, it will take sometime for the Regulation to be formerly put in practice. Initially it was proposed that the Regulation would come into force in 2014. However, it is unlikely for the new law to be operational at that date as the Regulation is still under intense debate by EU member states.Because of this, any detailed and deeper analysis of the Regulation at this stage is pre-mature as the practice of the law is yet to be observed. Third, since the Regulation came about as a result of the mischief which befell the Directive, it is likely that in the implementation and interpretation of the former the latter law be considered as the starting point. Fourth, during transition period, the Directive will continue to be in force.
In order to maintain focus, the Directive is considered first then the Regulation follows. This helps to appreciate the problems and challenges which necessitated the repeal of the former law.
Also, it facilitates to clearly understand the proposed law: what is proposed, what has been retained, and what has been discarded.
a.) Philosophical Basis
Like the Council of Europe Convention 108, Directive 95/46/EC has its foundation in the human rights treaties and national constitutions of member states. This is reflected in various recitals of the preamble to the Directive which frequently refer to the European Convention for the Protection of Human Rights and Fundamental Freedoms for its normative base.785 Moreover the philosophical basis of the Directive in the human rights can further be derived from the object and purpose clause in Art 1(see 3.3.1.6 c).
the European Commission; see Version 56 of 29/11/2011; see also, Linkomises, L., ‘EU regulation planned to harmonise national laws’, Privacy Laws & Business International Report, 2011, No. 114, pp. 1, 3-4.
785 See, e.g., Directive 95/46/EC, Recitals 1, 2,3,10,33,34,37.
159 b.) Structure and Nature
Compared to Convention 108 and OECD Guidelines, the Directive is the longest and more detailed text. The latter has a preamble of seventy two recitals. Its substantive provisions are contained in seven chapters comprising a total number of thirty four articles. The length of details contained in the preamble has served as a reference point in making interpretation of the substantive provisions of the Directive.786 The Directive lacks explanatory memorandum or report similar to those accompanying the Convention and the Guidelines. As a result the travaux préparatoires to the Directive have served significant role as interpretation references.
Directive 95/46/EC is a legally binding instrument just like the Convention 108. Hoewver, to amplify its binding character, the Directive is enforceable at the European Court of Justice (ECJ). Although in this case the ECJ’s jurisdiction is limited to determination of references by member states for preliminary rulings, it has given the Directive a far greater margin of its enforcement compared to the Convention.787
c.) Objectives and Scope
The Directive has two objectives. First, is to ‘protect the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data.’788 The second objective of the Directive is to promote free flow of personal data within the European Union.789 It is formulated in the negative, ‘member states shall neither restrict nor prohibit the free flow of personal data between member states for reasons connected with the protection afforded under paragraph one.’790 Reference to ‘the protection afforded under paragraph 1’ means that member states should not impede the free flow of personal data by advancing reasons related to implementation of the first objective. The second objective appears
786 It is interesting to note that in the English common law legal system preambles to constitutions are not considered as part and parcel of the substantive provisions of such constitutions unless expressly provided to the contrary (see e.g., notes 126,128,129,130,131 and 132, supra). Hence courts do not rely on such preambles as interpretative aids to constitutions.
787 A preliminary ruling is a decision of the European Court of Justice (ECJ) on the interpretation of European Union law, made at the request of a court of a European Union member state. The name is somewhat of a misnomer in that preliminary rulings are not subject to a final determination of the matters in question, but are in fact final determinations of the law in question. Preliminary rulings can also be made, in certain circumstances, by the European General Court, although most are made by the ECJ, http://en.wikipedia.org/wiki/Preliminary_ruling last visited 30/12/2011.
788 Directive 95/46/EC, Art 1(1).
789 Ibid, Art 1(2).
790 Ibid.
160
to outweigh the first. In any case it serves to offer evidence that the Directive is ultimately concerned with realizing the effective functioning of the EU’s internal market, and only secondarily with human rights.791
Similar to the OECD Guidelines but contrary to Convention 108, the initial scope of application of the Directive is broad. First, it applies to processing of personal data in both public and private sectors.792 Yet, it does not apply in public sector on matters falling outside the Community law793 such as those relating to processing of personal data in the context of public security, defence, state security and the activities of the state in areas of criminal law.794 Also, the Directive excludes its application from the domain of the private sector involving processing of personal data by a natural person in the course of a purely personal or household activity.795 The expression ‘in the course of purely personal or household activity’ was interpreted by the ICJ in Lindqvist796 to mean the processing of personal data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding records of addresses but does not include say, for example, publication on the Internet so that those data are made accessible to an indefinite number of people.797
Apart from the public-private coverage, the Directive applies to both automatic and manual processing of personal data.798 However, it limits this scope to the structured ‘filing systems’
excluding unstructured and any other categories of manual files.799 By ‘personal data filing system’ or simply ‘filing system’ it means any structured set of personal data which are accessible according to specific criteria, whether centralized or dispersed on a functional or geographical basis.800 Also worth to note is to whom the Directive intends to protect. The initial scope is limited to the ‘identified or identifiable natural person.’801 However the Directive does not affect in any way legislation in member states which concern processing of data relating to legal/juristic
791 Bygrave, p.32, note 503, supra.
792 Directive 95/46/EC, Recital 25.
793 There is, strictly speaking, a distinction between European Community law ( EC law) and the European Union law(EU law). The former covers primarily matters pertaining to the internal market; it does not extend to police and judicial co-operation in criminal matters or to common foreign and security policy. The latter range of matters falls, however, under two other ‘pillars’ of the EU system; see Bygrave, p.34, note 503, supra.
794 Directive 95/46/EC, Art 3(2).
795 Ibid; see also Recital 12.
796 See note 21,supra.
797 Ibid, Paras 46 and 47 of the Judgement.
798Directive 95/46/EC, Recital 27.
799 Ibid.
800 Ibid, Art 2(c).
801 Ibid, Art 2(a); see also detailed discussion in 2.2 of this thesis.
161
person.802 The other point setting the limit of the application of the Directive is expressed in the form of obligations placed on ‘controller,’803 ‘processor’804 and ‘third party’805 in relation to
‘processing’806 of personal data.
d.) Data Protection Principles
The basic principles in the Directive parallel those laid down in the other international codes, especially the Council of Europe Convention 108.807 Yet many of the principles in the Directive go considerably further than those in the other codes.808 As such, discussion made over such codes is also relevant here although it is not reproduced. Generally, the Directive contains similar eight data protection principles. While such principles are not numbered in the Directive the present thesis numbers them only to facilitate their analyses and discussion.
The first principle requires that personal data must be processed fairly and lawfully.809 For the processing of data to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection.810 The ‘lawfully’ criterion relates to the authorization of the data processing either by law or data subject’s consent.
The second principle states that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.811 Further processing of data of historical, statistical or scientific purposes shall not be considered
802 Directive 95/46/EC, Recital 24; see also detailed discussion in 2.2 of this thesis.
803 ‘Controller’ means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by the national or Community law, see Directive 95/46/EC, Art 2(d); see also detailed discussion in 2.2 of this thesis.
804 ‘Processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller, see Directive 95/46/EC, Art 2(e); see also detailed discussion in 2.2 of this thesis.
805 ‘Third party’ means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process data, see Directive 95/46/EC, Art 2(f).
806 ‘Processing of personal data or processing’ means any operation or set of operations which is performed upon personal data, whether or not by automatic means such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, see Directive 95/46/EC, Art 2(b); see also detailed discussion in 2.2 of this thesis.
807 Bygrave, p.35, note 503, supra.
808 Ibid.
809 Directive 95/46/EC, Art 6(1),(a).
810 Ibid, Recital 38.
811 Ibid, Art 6(1),(b).
162
as incompatible provided that member states provide appropriate safeguards.812 This principle is otherwise known as the purpose specification. It is important to mention that Art 7 lists the purposes for which the processing of personal data are considered to be legitimate. These criteria are listed in the alternative, if, (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the existence of official authority vested in the controller or in a third party to whom the data are disclosed; or (f) processing is necessary for the purpose of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1). The criteria laid down in Art 7 do not put very clear limits to the processing of personal data.813 Yet the last two clauses are worth noting, because in Art 14, the data subject is given the right to object the processing of personal data under conditions (e) and (f).814 The processing of personal data for commercial purposes is a central example of group (f).815
It is instructive at this juncture to introduce the most recent judgment of the European Court of Justice interpreting Art 7(f) of Directive 95/46/EC. The context of interpretation was prompted by the Spanish Tribunal Supremo which lodged a reference for a preliminary ruling to the ECJ on 28th September 2010 at the instance of Asociación Nacional de Establecimientos Financieros de Crédito(ASNEF) v Administración del Estado.816 The gist of ASNEF’s complaint was that Spanish law adds, to the condition relating to the legitimate interest in data processing without the data subject’s consent, a condition, which does not exist in Directive 95/46, to the effect that data should appear in public sources.817 In the Tribunal’s view, that restriction constitutes a barrier to the free movement of personal data that is compatible with Directive 95/46 only if the interest of the fundamental rights and freedoms of the data subject so require.818 Hence the only way to
812 Ibid.
813 Elgesem, p.285, note 427, supra.
814 Ibid.
815 Ibid.
816 ECJ, C-468/10 and C-469/10).
817 Ibid, Paragraph 17; see also generally Burgos, C and Pavón, B., ‘Spanish Supreme Court provides Limited Relief for Data’, Computer Law & Security Review, 2011, Vol.27, No. 1, pp.83-85.
818 Ibid, Paragraph 20.
163
avoid a contradiction between Directive 95/46 and Spanish law is to hold that the free movement of personal data appearing in files other than those listed in Article 3(j) of Organic Law 15/1999819 infringes the interest or the fundamental rights and freedoms of the data subject.820 However being uncertain of its interpretation, the Tribunal Supremo referred two questions to the ECJ:-
1. Must Article 7(f) of Directive 95/46/EC of the European Parliament and the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data be interpreted as precluding the application of national rules which, in the absence of the interested party’s consent, and to which processing of his personal data that is necessary to pursue a legitimate interest of the controller or of third parties to whom the data will be disclosed, not only require fundamental rights and freedoms not to be prejudiced, but also require the data to appear in public sources?821
2. Are the conditions for conferring on it direct effect, set out in the case-law of the Court of Justice of the European Union, met by the above-mentioned Article 7(f)?822
2. Are the conditions for conferring on it direct effect, set out in the case-law of the Court of Justice of the European Union, met by the above-mentioned Article 7(f)?822