As required by the Data Protection Directive (95/46/EC), the European Commission have produced a report on the implementation of the Directive. The report was published in May 2003.
In preparing the report the Commission sought the views of Member States' Governments and national data protection supervisory authorities by means of questionnaires. Below are the two parts of the United Kingdom Government's response to the Commission's questionnaire. The first part (the answers to Questions 1-18) was submitted to the European Commission on 14 June 2002, the second part (the answer to Question 19) on 13 September 2002. The second part includes a paper submitted jointly to the Commission in the names of Austria, Finland, Sweden and the United Kingdom.
QUESTION 1. Please indicate national laws, regulations and administrative provisions brought into force to comply with Directive 95/46/EC (with identification, if applicable, of its date of notification to the European Commission) [or otherwise substantially related to the protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data].
A1. Directive 95/46/EC was transposed in the United Kingdom by the Data Protection Act 1998. Notification to the Commission of the transposition of the Directive into UK law was given in the letter of 8 March 2000 from Stuart Gill at the UK Permanent Representation to John Mogg. Some amendments to the 1998 Act are made by the Freedom of Information Act 2000. A list of subordinate legislation made under the 1998 Act is at Annex A. The European Commission have previously been provided with a copy of each Act and the subordinate legislation. Following a change in Ministerial responsibility for data protection policy in June 2001, references in the 1998 Act to the Secretary of State have been changed by Order in Council to references to the Lord Chancellor.
QUESTION 2. Where substantial provisions concerning privacy are to be found in laws, regulations or administrative provisions other than the national law transposing the Directive in your Member State, either approved before or after that law, we would be obliged if you could identify them. We would be similarly obliged if you could identify those provisions of the Directive which have not been properly implemented yet in your Member State and provide some explanations and/or identify possible solutions.
A2. Not applicable.
QUESTION 3. Please indicate which authority/ies in your Member State is/are pursuant to Article 28 of the Directive responsible for monitoring the application within its territory of the provisions adopted by your Member State. Please indicate in particular those authorities which may have a say on data protection questions and have not been set up by the Data Protection Law transposing Directive 95/46/EC. In those cases where more than one authority has been provided, please indicate what are the rules on the sharing of their respective attributions and their co-ordination.
A3. The independent supervisory authority set up pursuant to Article 28 of the Directive is the Information Commissioner. Other than the Information Tribunal (which is the appellate authority) and the courts, no other authority has responsibility for determining the way in which the 1998 Act applies.
QUESTION 4. What experience do you have of compliance with the requirement that controllers not established on Community territory making use of equipment situated on the territory of this Member State designate a representative established in the territory of your Member State?
A4. The Government has no such experience. Enforcement of the 1998 Act is a matter for the Information Commissioner. However, in the Government's view the relevant provision (Article 4.2 of the Directive) is of limited usefulness given difficulties in enforcing extra-territorial provisions of this kind.
QUESTION 5. How has your Member State determined more precisely the conditions under which the processing of personal data is lawful (Article 5 of the Directive) [Endnote 1]?
A5. The precise meaning of Article 5 of the Directive is unclear. There are many ways in which the 1998 Act makes more precise the provisions set out in the Directive. As regards the lawfulness of the processing of personal data, please see in particular the provisions setting out the statutory interpretation of the data protection principles in Part II of Schedule 1 to the 1998 Act.
The following comments apply to the points raised in the endnote to this Question.
The safeguards (in section 33(1) of the 1998 Act) are:
that the data are not processed to support measures or decisions with respect to particular individuals, and
that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
Power for the Lord Chancellor to make an order specifying circumstances in which the test is, or is not, satisfied.
Power for the Lord Chancellor to make an order excluding processing or to set conditions (Paragraph 2 of Schedule 3 to the 1998 Act).
No elaboration.
Section 7 of the Act, and the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (as amended in 2001), impose limits on both the time for responding to a subject access request and the fee which may be charged for responding. Under these provisions, the "standard" rule is that requests must be complied with promptly and in any event within 40 days of receiving the request and the required fee. Requests relating to educational records must be complied with within 15 school days. The "standard" maximum subject access fee is £10. In respect of certain requests for health records and educational records the maximum fee is £50.
No elaboration.
Section 10 of the 1998 Act gives individuals the right to prevent processing which is likely to cause unwarranted substantial damage or unwarranted substantial distress.
Article 5 of the Directive does not apply to Article 23.
QUESTION 6. Has your Member State laid down exceptions in addition to those laid down in Article 8.2 (see Article 8.4)? If so, please indicate them.
A6. Paragraphs 7 and 9 of Schedule 3 to the 1998 Act, and the provisions of the Data Protection (Processing of Sensitive Personal Data) Order 2000 have been brought forward in reliance on Article 8.4 of the Directive.
QUESTION 7. Has your Member State granted derogations to the principle that the processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of the official authority? In that case, please indicate also what are the safeguards provided for under national law.
A7. The 1998 Act treats the categories of data mentioned in the question as "sensitive personal data" (see the definition in section 2 of the 1998 Act). This means that the processing of such data may be carried out in any of the circumstances specified in Schedule 3 to the 1998 Act and in the Data Protection (Processing of Sensitive Personal Data) Order 2000, subject to the safeguards set out in those provisions. (The drafting of Article 8.6 of the Directive causes doubt about the status of the categories of data mentioned in the question. It suggests that Article 8.5, which refers to the categories of data mentioned in the question, provides derogations from Article 8.1. However, Article 8.1 makes no reference to the categories of data concerned. It is unclear, therefore, how these categories of data should be treated.)
QUESTION 8. Has your Member State determined the conditions under which a national identification number or any other identifier of general application may be processed? If so, please say in what terms.
A8. Not applicable.
QUESTION 9. What are the exemptions or derogations from the provisions of Chapter II of the Directive provided for by your Member State for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression necessary to reconcile the right to privacy with the rules governing freedom of expression?
A9. The relevant exemption is found in section 32 of the 1998 Act, and its associated provisions.
QUESTION 10. In which cases is the recording or disclosure of personal data expressly allowed by law within the meaning of Article 11.2 of the Directive (and therefore Article 11.1 would not apply) and what are the safeguards provided for?
A10. General provision, which covers all relevant common law or statutory provisions, is made by paragraph 3 of Part II of Schedule 1 to the 1998 Act. The safeguards are set out in the Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000.
QUESTION 11. Please indicate the exemptions and restrictions adopted in your legislation pursuant to Article 13 of the Directive, in particular as regards their necessity to safeguard the interests listed in this provision. We would be particularly interested in those exemptions and restrictions taken to safeguard "the protection of the data subject or of the rights and freedoms of others".
A11. The provisions adopted pursuant to Article 13 of the Directive are found mainly in Part IV of and Schedule 7 to the 1998 Act. The exemptions are not expressly linked to particular provisions of Article 13. In many cases they relate to more than one of the provisions of that Article.
QUESTION 12. Where appropriate, please indicate the measures taken by your Member State to ensure that data subjects are aware of the existence of the right referred to in the first subparagraph of Article 14 b) of the Directive (right to object).
A12. Information about the right not to have one's personal data processed for the purposes of direct marketing is included in guidance material provided by the Information Commissioner.
QUESTION 13. May individuals obtain administrative remedy before a body other than the data protection supervisory authority? We would be particularly interested in the arrangements for dealing with data protection complaints on the processing of personal data by the Public Administration.
A13. If by "administrative remedy" the question is intended to cover remedies other than those available from a court, the answer to this question is "no". Individuals may seek judicial remedies in respect of failure to comply properly with: the subject access arrangements (Article 12); the right to object (Article 14(a)); the direct marketing provisions (Article 14(b)) and the right to object to automated decision-taking (Article 15). Individuals who suffer damage because of contravention of any provision of the Act are entitled to seek compensation in a court. The 1998 Act applies the same rules to all data controllers irrespective of whether they are in the public sector or the private sector.
QUESTION 14. Could administrative remedy provide compensation for individuals or is it limited to ensuring compliance with data protection legislation?
A14. Compensation is only available from a court. The Information Commissioner has the power to issue enforcement notices requiring data controllers who contravene the data protection principles to change their practice to make it compliant with the 1998 Act.
QUESTION 15. What practical arrangements does your Member State take to ensure that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection?
A15. The relevant statutory provision is made in the eighth data protection principle, in Part I of Schedule 1 to the 1998 Act. Enforcement of that provision is the responsibility of the Information Commissioner.
QUESTION 16. Does your government play a role in authorising data transfers to third countries within the meaning of Article 26 (2) (ad hoc contract or other national authorisations)? If that is the case, please give the number of authorisations and the destinations.
A16. No. The Information Commissioner has the power to authorise such transfers (see paragraphs 8 and 9 of Schedule 4 to the 1998 Act).
QUESTION 17. Where appropriate, what safeguards have been provided for by your Member State pursuant to Article 32.3 of the Directive?
A17. The provision giving effect to Article 32.3 of the Directive is found in Part IV of Schedule 8 to the 1998 Act. The safeguards are those found in section 33(1) of the 1998 Act (see paragraph 15 of Schedule 8).
They are:
that the data are not processed to support measures or decisions with respect to particular individuals, and
that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
QUESTION 18. What experience have you had with the application of the provisions adopted pursuant to Directive 95/46/EC to the data processing of sound and image data relating to individuals?
A18. As noted above, responsibility for enforcing the 1998 Act is the responsibility of the Information Commissioner. She would be best placed to answer this question. For its part, the Government may wish to return to this question at a later date (see Q19 below).
QUESTION 19. In conclusion, we would be obliged if you could summarise the most important difficulties detected in the implementation process in your Member State and what should in your view be the data protection issues on which the Commission's forthcoming report and/or future Community action should focus?
A19.
Introduction
1. The United Kingdom earlier submitted its response to the first eighteen questions in the Commission's questionnaire. This paper deals with the final question.
2. The data protection rules in Directive 95/46/EC are based upon but go further than those in the 1981 Council of Europe Data Protection Convention (the Convention). The Convention was drawn up at a time when the rôle of computers in society was much less sophisticated than that which they play now. The Directive was first brought forward as long ago as 1990 and finally adopted in 1995. The developments in information technology since then, in particular the establishment of the Internet and the facilities it provides for processing personal data, were not foreseeable when the Directive was elaborated. They have changed beyond recognition the technological as well as the social framework in which the activities which the Directive is intended to regulate take place.
3. The United Kingdom recognises that the Directive, like the Convention, is intended to be technology neutral. However, in the United Kingdom Government's view, the range, scale and rapidity of the developments in information technology in recent years, which is unlikely to slacken in the future, make the concept of "technology neutrality" a difficult one to sustain. The core principles (in Article 6), upon which the Directive, like the Convention, is based, remain sound. The questions which technology raises go to the manner in which they are applied. Specifically the elaboration of those principles which the Directive, and to a lesser extent the Convention, contains makes compliance more complicated in an environment of rapid technological change.
4. The United Kingdom therefore believes that the Commission should take the opportunity to make a reappraisal of the Directive to identify how it needs to be amended to make it more readily applicable in the current state of technology, whilst bearing in mind that the recent rapid advances are likely to continue. It is desirable to avoid the rigid application of rules in circumstances to which the rules are inherently unsuited, or where there is no substantive risk. Such an approach would merely impose unnecessary extra burdens on data controllers, with no countervailing added data protection value for individuals. In this connection, the United Kingdom notes the proposal made by Sweden for a radically simplified model of data protection for certain routine and inherently non-intrusive processing operations. However, there are a series of practical issues which need to be resolved to ensure that the model provides full safeguards for individuals. The United Kingdom believes that Sweden's proposed "misuse" model could offer the prospect of creating effective data protection by the application of simple rules. While the detail of the proposal raises a number of questions, the United Kingdom hopes that the Commission will give the proposal its most careful consideration.
5. In discussion among themselves, a number of Member States have reached agreement on proposals for amending the Directive. These are attached to and form an integral part of this response of the United Kingdom to the Commission's questionnaire. Though the United Kingdom supports the proposals in this paper, there are two points which require clarification. Paragraph 6 of the explanatory note may give the impression that all processing of images should be removed from the added protection given to sensitive personal data. The proposed amendments to recital (33) make it clear that the special protection for sensitive personal data should be accorded wherever the processing of such data is particularly likely to infringe fundamental freedoms or privacy. It is the effect of the proposed amendment which the United Kingdom supports. Paragraph 9 of the explanatory note states that processing of personal data should be able to take place without the consent of the data subject, where the vital interests of another person are concerned. To achieve this aim the qualification that such processing may take place only where the data subject is physically or legally incapable of giving his consent should be removed. The proposed Article 8.2(c), however, goes further than is proposed in the explanatory note and has the effect of removing the qualification in cases where the data subject's own vital interests are concerned. In this case, it is the proposal in the explanatory note which the United Kingdom supports.
6. The following paragraphs of this paper identify other points to which the United Kingdom believes attention should be given. In some respects they go beyond the specific proposals set out in the joint paper. In all cases, they should be read in the context of the remarks made above about the need for a reappraisal of the Directive in the light of technological developments. They draw on the United Kingdom Government's post-implementation appraisal of the Data Protection Act 1998, which transposes the Directive in the United Kingdom, that was carried out in autumn 2000. Certain of the proposals would require changes to be made to the Convention. Where this is the case, the United Kingdom believes that the necessary steps should also be taken to secure the amendment of that instrument.
Definitions
7. The definitions of "personal data" and "personal data filing system" help to determine the scope of the Directive. The first is unduly wide. Even with the commentary in recital (26) (which is itself unclear) it means that a data controller must treat as personal data information from which he himself cannot identify the data subject. This imposes upon him duties, such as the requirement to give subject access, which he cannot discharge. The second definition, even as elaborated in the recitals, is also imprecise. This gives rise to wide divergence of application in practice.
The Commission should review both the definitions in order to make them more precise and capable of being applied consistently in practice.
8. The definition of "processing" also gives rise to problems. Its meaning varies according to the provision of the Directive in which it is used. In some provisions the context suggests that it means a particular processing operation (e.g. making a disclosure); in others the context gives it a wider meaning (e.g. doing anything at all with personal data). Using a single term to convey several meanings is unsatisfactory since it gives rise to uncertainty and confusion.
The Commission should review the definition of "processing" and the way the term is used in the Directive.
9. Personal data need protection only when they are processed specifically in relation to the individual to whom they relate. In some cases, in particular business applications, while individuals are identified, their identity is irrelevant to the purpose of the processing. For example, the company secretary of one business might wish to send a formal letter to the company secretary of another business. It is normal practice for the letter to be addressed to the recipient by name. This brings the processing needed to prepare and send the letter within the scope of the Directive. But it is irrelevant to the person sending the letter whether he is dealing with Mr X or Ms Y. He is only interested in the letter getting to the company secretary. The former United Kingdom legislation dealt with this problem by limiting the scope of the Act to processing done "by reference to the data subject."
The Commission should review the case for including processing not done "by reference to the data subject" within the scope of the Directive.
National Law Applicable
10. Article 4 of the Directive establishes the rules for determining which Member State's law applies to processing. To avoid loopholes and dual application it is important that the rules be interpreted and applied in the same way in all Member States. Article 4 also provides for a Member State's law to apply where the controller is established outside the EU. As noted in the United Kingdom's answer to Question 4, this provision, which purports to give extra-territorial effect to the Directive, is difficult to enforce and thus of limited usefulness. It is also unclear how Article 4 should be applied in the legally complex situations which can be created by Internet use.
The Commission should review Article 4.
Sensitive data
11. Subject to the qualifications in paragraph 5 above, the United Kingdom supports the proposals relating to sensitive data made in the joint paper. It is important that EU citizens are satisfied that there is strong protection in practice for their most sensitive data. However, the "sensitivity" of any data is determined by the circumstances in which the data are processed rather than by the nature of the data themselves. Requiring all personal data in particular categories always to be dealt with according to special, more demanding rules irrespective of whether their processing would in fact pose special risks, may well not reflect the actual sensitivity of the data in practice. In many situations, the processing of data in the categories listed in Article 8.1 could pose no greater threat to privacy than those posed by the processing of data not designated as sensitive. The converse is also true where the processing of personal data which are not included in the sensitive data categories might be particularly sensitive in practice. The flexibility of the data protection principles allows the protection that they afford to be matched to the degree of risk involved in processing. Given that the data protection principles provide the degree of protection according to the risk posed by the circumstances of the processing, the Commission should review the way "sensitive data" is defined in the Directive and the application of the special rules relating to them.
Subject Access
12. The United Kingdom supports the proposals relating to subject access made in the joint paper. It recognises the force of the point made in the explanatory note to that paper that subject access is one of the cornerstones of data protection. However, it believes that technological developments have had a huge impact upon the way in which the exercise of that right affects data controllers. It is no longer the case that data controllers can discharge their obligations by simply down-loading data from centrally held databases. The prevalence of personal computers giving access to a range of electronic services from each desk has made data controllers' task in dealing with subject access requests immeasurably more complex, time-consuming and costly. This is a good time to review the balance between individuals' entitlement to gain access to their data, and the burdens imposed on data controllers in providing the data. But this must be done in such a way as not to reduce effective protection for the legitimate interests of data subjects.
The Commission should review the subject access arrangements to ensure that they strike the right balance between the interests of data subjects and those of data controllers.
Security of processing
13. The general rule set by Article 4 is that a data controller must comply with the data protection rules of the Member State in which the data controller is established. Curiously, Article 17 makes different provisions for processors. It provides that they must comply with the security provisions of the Member State in which they are located, which may not be the Member State to whose law the data controller is subject. This anomaly is curious and difficult to justify. Article 17 also seems to leave a loophole, since it makes no mention of the position of processors situated outside the EU.
The Commission should review the requirement for processors to be bound by the security provisions of the law of Member States in which they are established.
14. Article 17 provides that a processor must always be bound to his data controller by a contract in writing or equivalent form. Given the very wide nature of the functions that could constitute acting as a processor (e.g. a supporter of a small voluntary organisation collecting personal data on behalf of the organisation), this provision is unnecessarily restrictive.
The Commission should review the requirement for processors to be bound to their data controllers by written (or equivalent) contracts.
Notification
15. The United Kingdom supports the proposals relating to notification in the joint paper. The United Kingdom is aware that the burdens imposed by notification are a source of concern to many organisations. The burdens are perceived as being disproportionate to any added value that they may bring to data protection. The proposals in the joint paper will help reduce those burdens. Some organisations that are established in more than one EU Member State are also concerned about the multiple burdens that fall on them by having to notify separately in each of those Member States. They believe that it should be sufficient for them to notify in one Member State.
The Commission should review the need for multiple notifications by organisations established in more than one Member State.
Transfers of personal data to third countries
16. The United Kingdom supports the proposals in the joint paper which relate to the transfer of personal data to third countries. In the United Kingdom's view, experience with the operation of Articles 25 and 26 of the Directive, including the discussions that have taken place in the context of the Commission's decisions under those provisions, clearly shows that those Articles are difficult to operate in practice. Neither of the concepts on which the Articles are based (i.e. "transfer" and "adequacy") is defined. The Articles envisage a centralised decision-making process, both within Member States and within the EU. The first runs strongly against the approach to data protection which the United Kingdom has traditionally favoured; and the second is inflexible and unrealistic.
The Commission should review Articles 25 and 26 and bring forward a simpler and more flexible set of proposals for managing the transfer of personal data to third countries.
Annex A: Subordinate legislation made under the Data Protection Act 1998
The Data Protection Act 1998 (Commencement) Order 2000 (SI 2000 No. 183 (C.4))
The Data Protection (Corporate Finance Exemption) Order 2000 (SI 2000 No. 184)
The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (SI 2000 No. 185)
The Data Protection (Functions of Designated Authority) Order 2000 (SI 2000 No. 186)
The Data Protection (Fees under section 19(7)) Regulations 2000 (SI 2000 No. 187)
The Data Protection (Notification and Notification Fees) Regulations 2000 (SI 2000 No. 188)
The Data Protection (Notification and Notification Fees) (Amendment) Regulations 2001 (SI 2001 No. 3214)
The Data Protection (International Co-operation) Order 2000 (SI 2000 No. 190)
The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (SI 2000 No. 191)
The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) (Amendment) Regulations 2001 (SI 2001 No. 3223)
The Data Protection (Subject Access Modification) (Health) Order 2000 (SI 2000 No. 413)
The Data Protection (Subject Access Modification) (Education) Order 2000 (SI 2000 No. 414)
The Data Protection (Subject Access Modification) (Social Work) Order 2000 (SI 2000 No. 415)
The Data Protection (Crown Appointments) Order 2000 (SI 2000 No. 416)
The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000 No. 417)
The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (SI 2000 No. 1864)
The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (SI 2000 No. 419)
The Data Protection (Miscellaneous Subject Access Exemptions) (Amendment) Order 2000 (SI 2000 No. 1865)
The Data Protection Tribunal (Enforcement Appeals) Rules 2000 (SI 2000 No. 189)
The Data Protection Tribunal (National Security Appeals) Rules 2000 (SI 2000 No. 206)
Endnote 1 (to Question 5)
There are many places in the Directive where more precision by the Member States is considered compulsory by the Directive or at least further precision by the Member States seems to be advisable. See for example:
3.1. The safeguards provided for pursuant to Article 6.1.b) of the Directive (further processing of personal data for historical, statistical or scientific purposes), when appropriate.
3.2. The safeguards laid down for personal data stored for longer periods for historical, statistical or scientific use (Article 6.1.e).
3.3. The criteria for making data processing legitimate under Article 7 f) of the Directive.
3.4. The safeguards laid down within the meaning of Article 8.2.b) of the Directive (processing of sensitive data in the employment area).
3.5. The guarantees within the meaning of Article 8.2.d) of the Directive (processing of sensitive data for non-profit-seeking organisations).
3.6. Further information that controllers shall provide to data subjects within the meaning of Articles 10 c) and 11 c) of the Directive.
3.7. The terms "without constraint at reasonable intervals and without excessive delay or expense" (exercise of the right of access by individuals, Article 12 a) of the Directive).
3.8. The terms "impossible" and "disproportionate efforts" in Article 12 c) of the Directive.
3.9. The term "a justified objection" within the meaning of Article 14 a) of the Directive.
3.10. The term "damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive" (Article 23 of the Directive).