Navigation path

Left navigation

Additional tools

Other available languages: FR DE DA ES NL IT PT EL

A Common Position on  a Directive  on the protection  of personal data  was
formally adopted today by  the Council of Ministers.  The  proposal was put
forward by the  Commission on 18 July  1990 and amended in  1992, following
the opinion of the  European Parliament. "This decision represents  welcome
progress towards making the Community  a reality for citizens,  by ensuring
a  high level of  protection for the privacy  of individuals  in all Member
States" commented  Single Market Commissioner  Mario Monti. "The  Directive
will  also  bring  major  advantages  for   business,  particularly  as  it
constitutes an  essential  element for  the free  flow of  services in  the
Information  Society by  fostering  consumer  confidence. And  besides  the
development of these new markets,  business competitiveness stands to  gain
considerably from the  efficiency gains made possible by the application of
these services" he added.

Once adopted,  the Directive will  establish a clear  and stable regulatory
framework  necessary to  guarantee free  movement of  personal  data, while
leaving  individual  EU  countries  room  for  manoeuvre  in  the  way  the
Directive  is implemented. Free movement  of data is particularly important
for all  services with a  large customer base  and depending on  processing
personal  data,  such  as  distance  selling  and  financial  services.  In
practice,  banks  and  insurance  companies  process  large  quantities  of
personal data  inter alia on such highly sensitive issues as credit ratings
and credit-worthiness.  If each Member  State had its  own set of rules  on
data protection,  for  example  on  how  data  subjects  could  verify  the
information held on them,  cross-border provision of services, notably over
the  information superhighways,  would  be  virtually impossible  and  this
extremely valuable new market opportunity would be lost.

Political agreement on the proposal  was reached at the 8 December Internal
Market Council (see IP/94/1177) after  nearly five years of  negotiations. 
Formal adoption of the Common Position  in advance of the G7 summit  on the
information  society gives  a  signal to  the  EU's trading  partners, such
as Canada, Japan and the United States,  of the importance the EU  gives to
the  protection  of the  individuals'  rights  in  the  application of  new
technological developments.

The legislative  text aims  to  narrow divergence's  between national  data
protection laws  to the extent  necessary to  remove obstacles to  the free
movement of  personal data within  the EU.   As a result,  any person whose
data are processed in  the Community will be  afforded an equivalent  level
of  protection  of   his  rights,  in  particular  his  right  to  privacy,
irrespective of the Member State where the processing is carried out.

Until  now, differences between national data protection laws have resulted
in obstacles  to transfers  of personal  data between  Member States,  even
when these States  have ratified the 1981  Council of Europe Convention  on
personal data  protection.    This  has  been  a  particular  problem,  for
example, for  multinational companies wishing  to transfer data  concerning
their employees between their operations in different Member States.

Such obstacles to data transfers  could seriously impede the  future growth
of  Information Society  services.  As the  Bangemann  Group report  to the
Corfu European  Council remarked: "Without  the legal security  of a Union-
wide  approach, lack  of consumer confidence  will certainly  undermine the
rapid  development of  the information society".   As  a result,  the Corfu
European  Council called  for  the rapid  adoption  of the  data protection
Directive. 

To prevent  abuses  of personal  data  and ensure  that data  subjects  are
informed of the  existence of processing operations, the Directive will lay
down common rules,  to be observed by  those who collect, hold  or transmit
personal data as part of their economic  or administrative activities or in
the  course of the  activities of their association.   In particular, there
will be  an obligation  to collect  data only  for specified,  explicit and
legitimate purposes, and  to be held only  if it is relevant,  accurate and
up-to-date.   

The Directive  will  also establish  the  principle  of fairness,  so  that
collection  of   data  should  be   as  transparent  as  possible,   giving
individuals the  option of  whether they  provide the  information or  not.
Moreover, individuals  will be entitled to  be informed at  least about the
identity of  the organisation intending to process data  about them and the
main purposes  of such  processing.   That said, the  Directive will  apply
different rules according  to whether information can be easily provided in
the normal  course of  business  activities or  whether the  data has  been
collected  by  third  parties.   In  the  latter  case,  there  will be  an
exemption  where the  obligation to  provide information  is  impossible or
involves disproportionate effort.

The  Directive will  require  all data  processing to  have a  proper legal
basis.   The six legal  grounds defined in  the Directive will be  consent,
contract,  legal obligation,  vital  interest of  the  data subject  or the
balance  between  the legitimate  interests of  the people  controlling the
data and  the people  on whom  data  is held  (i.e. data  subjects).   This
balance will give  Member States room for manoeuvre in their implementation
and application of the Directive.

Data subjects will  be granted a number  of important rights  including the
right of access  to that data, the right to  know where the data originated
(if  such information  is  available), the  right  to have  inaccurate data
rectified, a right of  recourse in the event of unlawful processing and the
right to withhold  permission to use  their data  in certain  circumstances
(for  example, individuals will  have the right  to opt-out  free of charge
from being sent direct  marketing material, without providing  any specific
reason).

In  the case of  sensitive data, such as  an individual's  ethnic or racial
origin, political  or religious  beliefs,  trade union  membership or  data
concerning health or sexual  life, the Directive will establish that it can
only be  processed with the explicit  consent of the individual,  except in
specific cases such  as where there is  an important public interest  (e.g.
for  medical or  scientific research),  where  alternative safeguards  will
have to be established.

As  the  flexibility of  the  Directive  will  mean  that some  differences
between national  data protection regimes  persist, the Directive will  lay
down the principle that the law of the Member State where a  data processor
is established  applies in cases  where data is  transferred between Member
States.

The  Directive   will  also  establish   arrangements  for  monitoring   by
independent data supervisory authorities, where  necessary acting in tandem
with each other.  For cases where data is transferred to non-EU  countries,
the  Directive will include provisions  to prevent the  EU rules from being
circumvented.

In the  specific case of  personal data used  exclusively for journalistic,
artistic or literary  purposes, the Directive will require Member States to
ensure appropriate exemptions and  derogations exist which strike a balance
between   guaranteeing  freedom   of   expression   while  protecting   the
individual's right to privacy.

The  Common Position will be sent by the Council to Parliament for a second
reading and adoption under the co-decision procedure.

* * *

Side Bar