The Data Protection Directive
Although the Single European Market in goods and services had been envisaged since the inception of the European Community, it was not until 1987 that the Single European Act set 31 December 1991 as the date for its intended completion. This led to a flurry of legislative activity at the European level and the adoption of many harmonizing directives in all sectors of the free market economy designed to remove the remaining barriers to trade. Despite the phenomenon of convergence of data protection rules noted in Section 12.5, it was apparent that discrepancies in the protection offered in different jurisdictions could lead to problems with data flow between Member States. In turn this could have an inhibiting effect on the exploding European market in data and information services. In addition, there was an increasing tradition of the protection of fundamental human rights in the European Community, in parallel with that provided by the European Convention on Human Rights, and it is clear from the preamble to the directive that this aspect had an equal importance with business efficacy when the directive was drafted.

The original proposal for the directive was made in 1990 but the final form of the directive was only adopted in 1995. The delay was the result of protracted negotiations during the various legislative stages and the final form of the directive was a much amended and augmented version of the original proposal containing a total of 72 recitals in the preamble.

The scope of the individual protection offered by the directive is greater than that provided by the Data Protection Act 1984 in a number of significant ways. The practical effects of these changes will be considered in the discussion on the Data Protection Act 1998 which implements the directive in the UK. A summary of the major differences is given below.
• The directive applies, not only to data processed automatically, but also to manual data provided it is contained in a "relevant filing system" or "accessible record". It is perhaps something of an irony that this has become a legal requirement at a time when computer records are much more the norm. The UK was concerned at the potential implications and impact of the inclusion of manual records and negotiated a long transitional period for many records of this type before the new legal regime is fully applicable.
• Except under certain conditions, the consent of the data subject is needed before processing can take place (article 7). More stringent conditions are placed on the processing of so-called sensitive data and the directive gives Member States the option of prohibiting the processing of this type of data altogether (article 8).
• The rights of data subjects are expanded. In addition to the right of subject access, rights in relation to automatic decision taking, rights to prevent processing likely to cause damage and distress, to prevent processing for the purposes of direct marketing, to compensation in the case of damage, and to take action to rectify, block, erase or destroy inaccurate data are included.
• The scope of the directive is also greater than that of the 1984 Act in that a number of crucial definitions are expressed in wider terms including the definitions of personal data, data controller (user in 1984 nomenclature) and processing.
• Registration is replaced by notification which concentrates on the fact of processing rather than the purpose of processing. In the absence of universal registration, oversight of the provisions is given to a Data Protection Commissioner.
• In broad terms the exemptions are similar to those familiar with the 1984 Act but an important new exemption is contained in article 9. This is designed to balance the right to privacy of the data subject with the right to freedom of expression.
Locating the appropriate balance between competing rights is never an easy task and the directive leaves it to individual Member...