Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Personal data protection

1990/0287(COD)

The Commission's first report on the implementation of Directive 95/46/EC (please refer to the summary of 15/05/2003) contained a Work Programme for better implementation of the data protection

Directive. This Communication examines the work conducted under this programme, assesses the present situation, and outlines the prospects for the future as a condition for success in a number of policy areas in the light of Article 8 of the European Charter of Fundamental Rights, recognising an autonomous right to the protection of personal data.

The Commission considers that the Directive lays down a general legal framework that is substantially appropriate and technologically neutral. The harmonised set of rules ensuring a high standard of protection for personal data throughout the EU has brought considerable benefits for citizens, business and authorities. It protects individuals against general surveillance or undue discrimination on the basis of the information others hold on them. The trust of consumers that personal details they provide in their transactions will not be misused is a condition for the development of e-commerce. Business operate and administrations cooperate throughout the Community without fearing that their international activities be disrupted because personal data they need to exchange are not protected at the origin or the destination.

The Commission details the work that has been carried out under 10 action areas since the publication of the first report. This includes a “structured dialogue" with Member States on national transposition, and a detailed analysis of national legislation and discussions with national authorities aimed at bringing national legislation fully in line with the requirements of the Directive.

Overview of implementation of the Directive: the Commission states that implementation has improved. All Member States have now transposed the Directive. On the whole, national transposition covers all the main provisions along the lines of the Directive. The actions undertaken under the Work Programme have been positive and have substantially contributed to improving the implementation of the Directive throughout the Community. The decisive involvement of the national data protection supervisory authorities through their participation in the Working Party has played a major role. However, some countries have not yet properly implemented the Directive. One concern is respect for the requirement that data protection supervisory authorities act in complete independence and are endowed with sufficient powers and resources to exercise their tasks. These authorities are key building blocks in the system of protection conceived by the Directive, and any failure to ensure their independence and powers has a wide-ranging negative impact on the enforcement of the data protection legislation.

In some case divergences arise within the margin of manoeuvre of the Directive. However, a study shows that despite some divergences, the Directive has been implemented with modest costs for firms.

No evidence is found among the complaints received by the Commission that national divergences within the limits of the Directive may actually obstruct the proper functioning of the internal market or limit the free flow of data on grounds of a lack or inadequacy of protection in the country of origin or destination. Nor do constraints within their country of establishment distort competition between private operators. The Directive is therefore fulfilling its objectives: to secure the free flow of personal data within the internal market while ensuring a high level of protection in the Community. The Commission goes on to state that the legal solutions provided by the Directive, beyond achieving harmonisation, are themselves appropriate to the issues at stake. It considers the requirements imposed by public interests, such as theInternational Agreement with the US to address the use of passengers' PNR data and states its commitment to respecting the Charter of Fundamental Rights in all its proposals.

The way ahead: the Commission intends to pursue a policy characterized by the following elements:

- the Directive should not be amended, since the Data Protection Directive constitutes a general legal framework which fulfils its original objectives by constituting a sufficient guarantee for the functioning of the Internal Market while ensuring a high level of protection;

- the Commission will pursue proper implementation of its provisions at national and international level.

- it will produce an interpretative communication on some provisions. The problems identified in implementing particular provisions of the Directive that may lead to formal infringement procedures correspond to an understanding by the Commission about the meaning of the provisions in the Directive and about the correct way to implement them, taking into account the case law, as well as the interpretation work conducted by the Working Party. Such ideas will be clearly set forth in an interpretative communication;

- the Commission encourages all actors involved to endeavour to reduce national divergences.Different activities will be conducted for this purpose. The Work Programme will continue and the Working Party should improve its contribution to harmonising practice. The Commission will consider the challenges of new technologies. Where a particular technology is found to consistently pose questions as regards the application of the data protection principles, and its widespread use or potential intrusiveness is considered to justify more stringent measures, the Commission could propose sector- specific legislation at EU level in order to apply those principles to the specific requirements of the technology in question.

- the Commission considers the task ofproviding a coherent response to the demand for public interest uses, especially for security. In striking the important balance between measures to ensure security and protect nonnegotiable fundamental rights, the Commission makes sure that it protects personal data as guaranteed by Article 8 of the Charter of Fundamental Rights. The EU works with external partners also. In particular the EU and USA have a continuous transatlantic dialogue to discuss information sharing and the protection of personal data for law enforcement purposes. The Commission will consider the implementation of the Directive once again upon conclusion of the measures laid out in this Communication.

Lastly, it will continue to monitor the implementation of the Directive, work with all stakeholders to further reduce national divergences, and study the need for sector-specific legislation to apply data protection principles to new technologies and to satisfy public security needs.