On 15 May 2003 the European Commission published its first report on the implementation of the Data Protection Directive (95/46/EC) (the "Directive"). The report is based on a review of Member States' legislation and wide consultation, including an online survey which generated over 10,000 responses.
The essential questions to be addressed by the report were whether the ways in which the Member States have transformed the Directive into national law achieve the ambitions of the Directive and, if not, what should be done to correct this, for example, should the Directive itself be amended? (Click here for a copy of the report).
The Commission expressed itself generally satisfied with the implementation of the Directive and there are no current plans to amend it. However, the Commission recognised that, so far as ensuring a level playing field for operators in different Member States and simplifying the regulatory environment, the differences between Member States' laws and the Directive are still too great. Amendments to national legislation are likely to be required in due course (this will be the subject of future reviews). The Commission has proposed a programme of work to address divergences in implementation and raise awareness (see below).
Specific Areas of Difficulty Identified by the Review
These included the following key findings:
Sensitive and non-sensitive personal data - greater clarity on the "legitimate interests" condition1 was sought; this allows processing of non-sensitive personal data by data controllers without the subject's consent, provided that the legitimate interests, rights and freedoms of the individual are not overridden. The Commission's view is that the absence of adequate safeguards means appropriate levels of protection for individuals are not being achieved.
Applicable Data Protection Law - this came in for heavy criticism by respondents as, currently, organisations with a presence in (or which merely "use equipment" to process personal data in) more than one Member State may have to comply with multiple national laws. Submissions received argued for a "country of origin rule", allowing multinationals to operate via one set of rules throughout the EU. The Commission agreed that this area, and the term "use of equipment" in particular, needed clarification.
Legitimate Processing Conditions - these have been implemented unsatisfactorily in a number of jurisdictions, raising issues concerning...