

Brussels, 25th June 2002

Data Protection: Commission seeks views on privacy legislation

Should bosses be able to read the e-mails employees send and receive at work? Are customers who want to buy on-line confident that the personal data they give will not be used in ways they have not agreed to? Are businesses over-burdened by enquiries from people wanting access to the personal details companies hold about them? In an on-line consultation launched today, the European Commission is seeking views on these and other aspects of the protection of personal data. The survey is part of the Interactive Policy Making initiative (see IP/01/519). The results will feed into the Commission's report, due at the end of this year, on how the 1995 Data Protection Directive is being applied. To collect a wide range of views and to make it as easy as possible for everybody to contribute, the Commission has put two questionnaires on its website, one for individuals and one for businesses that process people's data. Both can be found at Responses can be sent to the Commission from that site.

Internal Market Commissioner Frits Bolkestein said: "The Commission's job is to ensure a secure legal framework that allows the free movement of information in the Internal Market, while at the same time guaranteeing the fundamental right of individuals to have their privacy respected. There is of course no privacy without the protection of personal data. We have to keep the Data Protection Directive under review to ensure that it is working in the interests of our citizens, businesses, public authorities and other interested parties."

There are many situations in which organisations need to process and retain personal data, in the interests of the people whose data is involved. For example, employers need bank and other details in order to pay employees. Doctors need to keep patients' medical records. Companies need customers' details in order to be able to send them goods they have purchased via mail order or on-line. Banks, mortgage lenders and insurance companies also need to keep customers' data to assess risks.

The aim of the Data Protection Directive is to set out a clear framework which takes these necessities into account while offering citizens the strongest possible protection of their privacy.

The Commission wants to know how well those affected think the Data Protection Directive is working and what changes they think may be needed. Hence the consultation just launched, which seeks the views of governments, public authorities, businesses of all sizes, and individual citizens. Everybody is welcome to participate.

The deadline for responding to the on-line questionnaires is 15 September 2002. Organisations wanting to send more detailed comments are asked to do so by 31 August because their replies will take longer to process. The results will be discussed with data protection experts at a Conference organised by the Commission on 30 September and 1 October in Brussels. The Commission's report on implementation of the Data Protection Directive in the Member States will be published late this year or early next.

To find out more about Data Protection in the European Union, you can visit the Commission's Europa website at:


The Data Protection Directive (see IP/95/822) entered into force on 24 October 1998 and has been implemented into national law by all Member States of the European Union except Ireland and Luxembourg. The Commission expects those two countries to finalise their implementation before the end of this year.

For further details, see:

The main principles behind the Data Protection Directive are:

  • personal data must always be processed fairly and lawfully

  • personal data must be collected for explicit and legitimate purposes and used accordingly

  • personal data must be relevant and not excessive in relation to the purpose for which they are processed

  • data that identify individuals must not be kept longer than necessary

  • data must be accurate and, where necessary, kept up to date

  • data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them

  • appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data

  • personal data must not be transferred to a country or territory outside the European Economic Area unless that country ensures an "adequate level of protection" for data subjects.

The Directive also requires each Member State to provide one or more independent supervisory authorities to monitor the application of the Directive. One responsibility of these authorities is to maintain an updated public register so that the general public has access to the names of all data controllers and the type of processing they do.

Specific issues related to electronic media such as the use of e-mail address lists to send "spam" e-mail are covered in a 1997 Directive dealing specifically with the telecommunications sector. A new Directive to update this is currently being finalised in the European Parliament and the Council (see IP/02/783).
