Brussels, 16th May 2003
Data protection: Commission report shows that EU law is achieving its main aims
The 1995 Data Protection Directive has broadly achieved its aim of ensuring strong protection for privacy while making it easier for personal data to be moved around the EU, according to a European Commission report published today. However, late implementation by Member States and differences in the ways the Directive is applied at national level have prevented Europe's economy from getting the full benefit of the Directive. The report proposes a work plan to reduce those differences, based on co-operation among Member States and between Member States and the Commission, followed by a review in 2005 of whether amendments to the Directive are necessary. The free flow of personal information throughout the EU is essential for the efficient conduct of almost any economic activity on an EU-wide basis. The report is based on wide consultation, including an international conference and an online survey to which over 10,000 responses were received.
Internal Market Commissioner Frits Bolkestein said: "European citizens have a right to privacy. This report shows that the Data Protection Directive has helped make sure that they can enjoy that right in practice. Equally, without free movement of data across borders, Europe's economy cannot work properly. I am pleased that most businesses seem to appreciate that the Directive has made it easier to move data around and that maintaining the free movement of data depends on their meeting their data protection obligations. But EU law can only work if Member States implement it on time, so I deplore the long delays in many Member States. France still has not implemented the Directive. It must rectify that urgently. "
Internal Market objectives broadly met
The report concludes that results in terms of the free movement of personal data are broadly satisfactory. The Directive has achieved its aim of removing legal obstacles to the free movement of data which arose from differences in national legislation and from the fact that two Member States (Italy and Greece) had no data protection laws at all.
The free flow of personal information is essential for the efficient conduct of almost any economic activity on an EU-wide basis.
For example, before the Directive was adopted, businesses often faced difficulties transferring employee data to another Member State, which is necessary if a business works all over the EU but has its central personnel administration in one Member State.
Workers who had acquired pension rights in several Member States encountered difficulties when it came to the exchange of personal data needed for the actual accumulation of these rights. Conducting Europe-wide clinical trials for medical research was problematic, given the huge differences in data protection standards.
Late implementation by several Member States
Only four Member States passed national laws implementing the Directive within the October 1998 deadline agreed by Member States themselves when they adopted the Directive in the Council.
The Commission decided in December 1999 to take France, Germany, Ireland, Luxembourg and the Netherlands to the European Court of Justice.
Germany and the Netherlands, along with Belgium, then implemented the Directive in 2001 and Luxembourg, after the Court found against it, implemented the Directive in 2002. More than seven years after the adoption of the Directive and more than four years after the deadline for its implementation (October 1998), France has still not yet passed the legislation necessary to bring its old data protection law of 1978 fully into line with the Directive. Ireland has passed legislation recently, which has not yet been notified to the Commission.
Divergences between Member States call for a range of solutions
The report confirms that the way in which the Directive has been implemented has left important divergences both between Member States' laws and between the ways they are applied in practice. Since these divergences have different causes and consequences, they also call for a range of differentiated solutions. In some cases they result from incorrect implementation of the Directive and create a divergence that must be remedied by the modification of the Member State law in question. Other divergences may be the legitimate result of correct implementation by a Member State that has taken a certain option within the margin of manoeuvre allowed by the Directive, but still make it difficult for economic operators to operate Europe-wide data processing systems and thus to take advantage of the benefits of the Internal Market.
Low level of awareness, compliance and enforcement
On the basis of nearly 10,000 responses to the Commission's on-line survey and other evidence gathered, the report expresses concern over insufficient levels of awareness and compliance with the legislation and a failure to enforce national law with sufficient rigour or resources.
Working towards better implementation of the Directive
The result of delays at national level is that experience with the implementation of the Directive is very limited. The report is a first step in analysing whether the Directive is achieving its objectives. It would be premature at this stage to propose amending the Directive.
However, the report sets out a work plan to narrow divergences between national legislation - where necessary by amending that legislation and between different national practices as regards application of the rules.
The proposed work plan - for completion by the end of 2004 - is based on dialogue between the Commission and the Member States and on co-operation among the national data protection authorities (in particular in the working party set up by the Article 29 of the Directive). The main focus is on improving implementation in the Member States and on a more consistent application and interpretation of the Directive. Making compliance less complicated will help to improve compliance standards.
In 2005 the Commission will review the results of the work plan and decide whether it is necessary to make proposals for amendments to the Directive.
Article 33 of the Directive requires the Commission to make regular reports on implementation at national level. This first report has been postponed until now as a result of the delays in the implementation of the Directive.
The report is based on a broad consultation exercise during 2002 in line with the Commission's "participative" approach to European governance. All interested parties - governments, institutions, business and consumer associations, individual companies and citizens - have had the chance to express their views.
The organisation of an on-line consultation and an international conference were the highlights of a public debate that has considerably enriched the sources and findings of the report. Two on-line questionnaires addressed respectively to data subjects and data controllers brought a total of over 10,000 responses. The 441 participants in the conference filled the Commission's biggest meeting room for two days and 200 other people had to be turned away.
In addition, the Commission received more than 70 high quality written contributions, mostly from businesses, which have helped to ensure that the review has taken into account practical concerns on the ground. Both the on-line consultation and the contributions received indicated a shift in business opinions from outright hostility to data protection legislation to constructive efforts to make the rules work in a more business-friendly and less burdensome way an objective which the Commission shares.
The full text of the report, a technical analysis of implementation in the Member States, full details of the international conference and the results of the on-line survey can be found at:
More general information about Data Protection in the EU is available on the Commission's website on data protection: