Wednesday, May 31, 2006

Interesting article

I came across an interesting article that was published in the latest issue of the Computer Law and Security Report. The title of the article was on the Directive 95/46/EC: Ten years after. Yes, it is correct. It has been 10 years since the Data Protection Directive 95/46/EC was passed. A quick glance at the abstract will show this:

A birthday offers a unique opportunity to remember what has already been achieved along the way and to envisage what comes net, taking into account the lessons of the past. This paper offers some reflections on 10 years of experience with the Data Protection Directive. The following comments are offered in the knowledge that they will cover the whole picture and may well be considered partial.

For anyone who has studied data protection, undoubtedly, 10 years is a remarkable achievement for the Data Protection Directive 95/46/EC (hereafter "DPD") with all the member states of the European Union having implemented the DPD within their national laws. However, and there comes the "But", there are still areas that the DPD does not adequately address. Indeed, the article picks up on some of the points.

1) Is the Directive effectively applied? According to the Privacy Eurobarometers survey in 2003, the results indicate that if 'privacy is a concern, the legal guarantees and requirements are broadly being ignored and are not, therefore, very effective.

2) The role of the data protection authorities - Again, the Eurobarometers survey show that the lack of impact that data protection authorities have had. One should note that the survey was back in 2003, so it is not clear whether this situation has improved. In my view, however, I do not entirely agree with this. If one considers the work of the UK Information Commissioner (IC), the office has been quite proactive in raising the attention of businesses to comply with the Data Protection Act 1998. Furthermore, the IC has recently called for stricter penalties for those who obtain personal data without permission of the data subject.

3) Increasing role of the Art. 29 Working Party - The Art. 29 Working Party was established under the Data Protection Directive and is responsible for giving advice and recommendations to European institutions on privacy issues. It has produced a number of opinions including the application of data protection to RFID; internet issues and so on.

I could go on, but 10 years is an achievement, but also a cause for reflection. This is particularly the case, when looks at the recent judgment by the European Court of Justice in Lindqvist. Certainly, there have been tensions between the protection of privacy and the freedom of expression and one would even say that it is felt more in Sweden. There is still more work that needs to be done to raise the awareness of data protection issues.

Finally, one should not underestimate the impact of the DPD. Already some countries (outside the EEA) have introduced laws that are similar to the DPD. Examples include Hungary and Switzerland. On the Asian side, Hong Kong already has data protection laws; Japan has introduced privacy laws and one awaits to see whether Singapore will do the same.

No comments: