Personal Data Protection: A European Perspective

Javier Truchero



    I. INTRODUCTION

Regulation is one of the main tools societies have to address the threats that new technologies pose to people's rights and liberties. However, legal practitioners face serious impediments in dealing with this area of law: lack of adequate expertise in the legal community, conflicts with other relevant interests, the rapid evolution of technology, the inadequacy of state law for global communications, and so on.

When discussing the regulation of technology in the US, I believe that an overview of the European regime provides useful input and brings a comparative perspective into the conversation. The aim of this paper is to offer such an overview and to provide basic resources for further research on particular topics or countries. Given the short length of the paper, I will focus only on personal data protection, with minor comments on other issues.

    II. DATA PROTECTION IN THE EUROPEAN REGION

Where the U.S. approach has been to adopt specific and narrowly applicable legislation, in Europe there are unified policies for the region. European legislators have produced a comprehensive and very dense fabric of regulation on data protection, without distinction between public and private data users.

There are two important supra-national bodies in the European region that have acted on new technologies in general and on personal data protection in particular. The first is the Council of Europe (CoE), an international organization set up after the Second World War to help unite Europe, which hosts the European Court of Human Rights (ECHR). The second is the European Union (EU), which includes fewer states but constitutes a much more comprehensive and influential supra-national union. All members of the EU are members of the CoE, though not the other way round. With regard to data protection, the EU regime has clearly superseded the Council's for EU members, but the Council's regime remains effective for the 'larger Europe.' It also provides an interpretative template for national legislation and connects data protection with the European system of human rights.

It is important to bear in mind that the regulation of personal data in Europe stems from the right to privacy, which is deeply embedded in the European tradition. Thus, the main problem has always been the potential conflict between privacy and freedom of information. On this point, see the ECHR decision in M.S. v. Sweden and the European Court of Justice decision in the Bodil Lindqvist case.

Before mapping out the basic elements of each of the two systems, let me try to draw the basic common framework. Despite the significant variations, most European national and regional regulations on personal data protection are structured around three main protections or components.

    1. Data Protection Agencies

Anyone wishing to collect or use personal data must register with, or obtain a license from, an independent authority that maintains a record of such data users. These agencies are the cornerstone of the system of protection, in keeping with the bureaucratic tradition of Europe. Both regional regimes require states to establish such agencies, which normally have sanctioning power and regulatory capacity.

Both the CoE and the EU keep track of the national authorities and work closely with them. Further, the EU has its own regional authority to monitor the Member States' implementation.

    2. Data principles

The "data protection principles" impose general obligations on data users to ensure that data are collected and processed fairly and lawfully. They are intended to ensure certain minimum safeguards for individuals' privacy. Although relevant aspects have changed over time and differ among systems, there are some common general principles that all regulations embrace.

a. Proportionality. In general, only data that are adequate, relevant and not excessive in relation to the purposes for which they are stored can be collected and processed. Further, they can only be stored for as long as is required for the purpose for which they were collected.

b. Legitimacy. Data must be obtained and processed fairly and lawfully and only for legitimate purposes.

c. Specificity. Data can only be collected and processed for specific purposes and cannot be used in a way incompatible with those purposes. Note that different regulations adopt different formulations of this principle; the EU initially opted for a regulation that prohibited the use of data for any different purpose, which constrained data sharing. Market pressure has pushed many states, and recent EU regulation, toward the less restrictive 'incompatibility' standard.

d. Accuracy. Data must be accurate and, when necessary, kept up to date. This principle pervades all regulations and reflects concern over the impact of financial data on individuals' lives.

e. Sensitive personal data. Processing of sensitive personal data, such as ideological or sexual preferences, race, etc., is generally forbidden unless domestic law provides appropriate safeguards.

f. Security. Data users must adopt certain security measures. In pursuance of this principle, for instance, Spain has issued mandatory security measures for computer files containing personal data.

g. Consent. Although there are some exceptions, in general the data subject's consent is required for data collection and processing. There are ongoing debates on the consent required for data sharing and on the standard of information that must be provided for consent to be valid.

h. 'Habeas Data.' Many states have instituted a legal action under this or another name to formalize the rights of access to, and correction of, data in connection with the basic principles set out above.

    3. Transborder Data Flows

As much as privacy, the needs of the common market inform the regulation of data protection. Facilitating regional commerce is a driving motive for personal data regulation. Both the EU's and the CoE's regulations forbid member states from placing restrictions on transborder data flows among themselves. Conversely, they also prohibit, with some exceptions, flows of personal data to third states without an 'adequate' level of protection. Here, again, there is a noteworthy dispute over the 'adequate' versus the 'equivalent' standard.

In order to make those provisions workable, the EU assesses data protection in other countries and issues transfer frameworks; see for example the Safe Harbor Principles with regard to the US. By contrast, the CoE provides guidelines for national authorities, which ultimately decide on the matter. As a shortcoming, widespread communication and data transfer via the Internet may well render these provisions unworkable.

    III. THE COUNCIL OF EUROPE

The European Convention on Human Rights and Fundamental Freedoms states in Article 8 that 'Everyone has the right to respect for his private and family life, his home and his correspondence.' Thirty years later, in 1981, that provision inspired the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, known as Convention 108, which is the first legally binding international instrument of worldwide significance on data protection.

The Convention establishes a Consultative Committee, which is responsible for interpreting its provisions and for improving its implementation; it is the Convention's guardian and promoter. In 2001 the Committee adopted an Additional Protocol to Convention 108 on Supervisory Authorities and Transborder Data Flows, reinforcing the role of data protection agencies and prohibiting the transfer of personal data to states or organizations that do not provide an adequate level of protection.

The technological expertise of the Council resides in the Project Group on Data Protection, set up in 1976. This committee is composed of experts from each of the 44 member states who are responsible for data protection in their respective countries, normally the data protection agencies, and it issues recommendations and technical guidelines for Member States.

The Council of Europe maintains a web site on personal data protection with most of the relevant norms and case law. The work of the Project Group is of particular interest; it is currently preparing a report on the collection and processing of biometric data.

    IV. EUROPEAN UNION

Impelled by the Council of Europe's framework and by the needs of the common market, the European Union has enacted a wide array of norms on data protection, and has done so from many different perspectives. Without any doubt, the cornerstone of the whole regime is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The directive sets the standards for personal data collection and processing around the issues of data quality, legitimate processing and the rights of individuals with regard to their data. The European Court of Justice has interpreted the directive in two main decisions, the judgment of 20 May 2003 and the judgment in the Bodil Lindqvist case. Although the Court adopts a broad interpretation of the directive, both judgments reflect the extraordinary difficulties of implementing the regulation.

Technological development has forced the EU to adopt specific regulations on personal data and electronic communications. The controversial Directive 2002/58/EC covers various privacy issues, not only the protection of personal data, and it has been heavily criticized for its data retention provisions.

Directive 95/46/EC also creates a working party on data protection, named the Article 29 Working Party after the article of the directive that establishes it. Its reports are highly influential in policy-making decisions in the EU and its Member States.

The EU has a web site with comprehensive information about personal data protection. The amount of information available shows the high priority given to the issue, yet it also evidences current failures to keep up the standard of protection. Various unsettling issues are under discussion at present, the most recent being the transfer of air passenger name record (PNR) data to the US (see also the Statewatch report on the issue) and the debate on RFID technology.