July/August issue

Data protection in the new Europe

Following the accession of 10 new members, data protection laws in the EU are converging, but the new constitution may hold some surprises. SA Mathieson investigates.

When 10 countries joined the European Union on 1 May, it meant a big expansion in the area covered by Europe's data protection regime. All accession countries have had to sign up to all existing European directives, including the data protection directive known as 95/46/EC. The previous 15 member states had to enact this by 24 October 1998; the UK achieved it through its Data Protection Act of 1998.

The directive aims to grease the gears of the common market by allowing the transfer of personal data around the European Union under standardised regulation. It requires each country to appoint a data protection commissioner to look after the interests of “data subjects” (i.e. everyone who has personal data processed and stored) and register all “data controllers”. The latter must obey rules that provide for the fair and lawful processing of personal data, allow data subjects to rectify or erase inaccurate data and so on.

So does Europe now have a single data protection area that covers the 25 members? Up to a point. “As they are now members of the EU, it's a given that they have the same provisions as we have,” says assistant commissioner Jonathan Bamford of the UK's Information Commissioner's Office (ICO). “All the countries, to a greater or a lesser extent, have the same core. You should expect to see exactly the same.”

Harmonized regime

As one of the 25 national data protection commissioners, the ICO may take a diplomatic view, but it is one substantially shared by Microsoft. “We have a largely harmonised regime of laws in all 25 countries,” says Peter Fleischer, director of regulatory affairs at Microsoft's Europe, Middle East and Africa law and corporate affairs division. “The directive from 1995 sets the floor that all EU countries have to have. There are slight variations from country to country,” he notes, but adds that the similarities greatly outweigh the differences.

Fleischer points out that France and Germany have had data protection laws since the 1970s. Many of the 10 new members have introduced data protection laws over several years. “They were harmonised from 1 May at the latest, but many of them were in place for many years before.” Having met several of the 10 new commissioners, Fleischer describes them as “uniformly professional and serious about data protection legislation”.

Poland, the largest of the 10, passed its Act on the Protection of Personal Data in August 1997. The Inspector General for Personal Data Protection, Ewa Kulesza, says the 1997 Act “mostly follows the rules established by the directive”. The Act was revised in January this year to provide full compliance from 1 May.

As a result of the 1997 Act, Kulesza has been in post for six years. In a written response to Infosecurity she says: “The importance of the right to privacy has been proved several times by the judiciary of the Constitutional Tribunal, Supreme Court or the Supreme Administrative Court. The need to protect privacy is also very intense in the view of society. The activity of the Polish Data Protection Authority had a visible influence on the change of the citizens’ attitude and raising of citizens’ awareness with regard to the need to ensure privacy protection.

“It's obvious that other values such as security and economic freedom are contrasted with privacy. However, at present the need for the protection of privacy and personal data is hard to disregard.”

In the 15 original EU member countries, some developed reputations for certain kinds of data protection regimes. “Germany has a pretty strong regime, but that's for historical reasons left over from the war,” says data law expert Shelagh Gaskill, head of information law at UK law firm Masons. France has a fairly tough law, but it is rarely enforced. The UK tends to be self-regulating, as the ICO has a very strong sanction of forcing a business to stop processing personal data and recollect it, she adds.

Interview with Estonia's data protection chief, Urmas Kukk

Estonia sees itself as eastern Europe's tiger IT economy. It introduced a data protection law in 1996, and updated it last year. Urmas Kukk, director-general of the Data Protection Inspectorate of Estonia (www.dp.gov.ee), spoke to SA Mathieson about his organization's work.

Is Estonia's data protection law improved by last year's changes?

It's stronger. The Inspectorate has more power, including order-making powers. Finland only has an ombudsman, with not such strong powers as we have here.

If we saw someone breaking the rules, we can force by law the officials or institution to correct this, and if they don't, we can punish them with financial penalties. If they don't do anything, we can destroy databases as illegal. I think it's twice we have used the financial power on police authorities - they couldn't regulate in the right time. [They have both since complied.]

How was the law changed?

The law incorporates most of the regulations in the [EU] directive. Not all of them, because of our constitutional structure: the Data Protection Inspectorate is in the field of responsibility of the Ministry of Internal Affairs. The European Commission is not very happy about it: they have some concerns about full independence from the government.

The government is not very keen to resolve that problem. We have tried to explain how important it is to have a really independent body for data protection, but it takes time. The big concern is that the Director General is appointed not by parliament, but by government.

What does the public think about data protection?

It came up in the last election, with public officials. We had databases used to send party materials. With consumers, there was a supermarket card which sent customers information based on what they were buying. When he [the customer] signed for the card, he agreed that it could follow this buying and make suggestions, so the supermarket wasn't at fault.

People are not concerned, as usually they don't know what officials are collecting. The usual opinion is that government is collecting; they think that they have the power to collect that kind of data. We try to educate people that not everything that officials collect is right.

In Soviet times, they collected everything. Now we're asking, why are you collecting this, what is the purpose? It's something new for officials. People were just statistics, objects. Now, the law says people are not objects, but subjects of research. They have rights, for example to know who is collecting data and why.

How do you deal with Estonia's Soviet era records?

There are files the local branch of the KGB left here, but most of the files went to Russia. [Estonia, unlike Poland - see main feature - was part of the USSR.] All the files we have here in Estonia are not public. In Soviet times, there wasn't a law on data protection at all.

Does Estonia's developing IT sector affect your work?

I don't think so. We're more concerned with government institutions - they are underfinanced heavily. The private sector is interested that the data they have is not easily followed by unauthorised people. But civil servants usually think a bit differently. If we look at data protection and IT, it's not cheap at all. To follow all the laws is quite costly.

Tight times in Latin Europe

“The most difficult country to comply with is Spain,” Gaskill says. “They have swingeing powers to fine you, whereas [the UK] data protector has no power to fine.” Gaskill thinks Spain and other southern European countries including Italy, Portugal and Greece, have very tight laws. “The countries that don't make much money out of the manipulation of electronic data have really tough data protection regimes,” she says. In the UK, “which makes pots of money from it, the government tries to be more realistic”.

Bamford at the ICO acknowledges that Germany has a reputation for stronger data protection laws, but says this may be for reasons of overall legal structure. The common law system used in English-speaking countries means they generally pass laws to prohibit things. “In the German context, you can't do things unless it says you can. Their laws are more prescriptive than ours, but are not necessarily tougher,” he says. Furthermore, each of Germany's Länder (states) has its own data protection commissioner and law, as well as a national structure. “Just because you see lots of law, doesn't mean it's tougher law,” says Bamford.

Cultural differences

But Steve Mathews, chief executive of IT security specialist ArticSoft, points out that there are other cultural differences. “In Sweden, they see nothing wrong with making public your tax affairs. In England and France, that's absolutely intolerable,” he says. “In Germany, you can't keep a database of fingerprints that is directly linked to people's identities unless you're the police.” This is because the Gestapo used fingerprints to help identify non-Aryans in the Second World War, he adds. Meanwhile France's secular status means that your religion is protected data.

Is there a pattern to how the 10 new members approach data protection? Most were part of the Warsaw Pact until 13 years ago. Poland's Ewa Kulesza says that the country's history “did not weaken the shape of the personal data legislation adopted in Poland”.

She adds that this history presents specific issues, “in particular connected with the existence of many regulations which had not complied with the personal data protection legislation. In the public sector, the lack of the controllers’ awareness with regard to personal data protection was also a very important factor”.

A particular issue is the privacy infringements connected with access to the political police files in the former regimes, Kulesza adds. “The question concerns the rights of individuals (both victims and oppressors) with regard to dealing with the past”.

However, Microsoft's Fleischer says the level of harmonisation is high enough to allow Microsoft to use standard training and auditing processes across the EU, including the new 10 countries. It is also establishing a common online user interface and content on data protection. But the pages will appear in the home languages of the new countries. “Obviously that is easier,” he says.

Three pillars

Although EU data protection law flows from a single directive, there is relatively little central control. That is in the gift of the office of the European Data Protection Supervisor.

Joaquin Bayo-Delgado, the assistant European Data Protection Supervisor, divides the office's role into three. “One parallels the functions of the national authorities in the different countries to make sure that rules of data protection are protected and followed by the European institutions,” he says.

Secondly, “we have a general advisory role within the European institutions: the council, parliament and commission. When some legislative initiative is taken we give our opinion on it.

“The third function is that of co-operation with the third pillar authorities, namely police and criminal justice departments.” The “third pillar” also includes, for example, the Schengen agreement on open borders, in which only some European countries participate.

Bayo-Delgado says that the 1 May accession upgraded the 10 from observers to full members. “As far as I know, the national authorities are very active in promoting data protection,” he says, adding that Poland will host two data protection conferences over the next year.

Will things change when (or if) the European constitution becomes law? “The draft constitution means a lot for data protection,” says Bayo-Delgado. “It's the only right which is mentioned twice.” It appears both in article 50, which covers the transparency of European institutions, and in article 8 of the second section, which enshrines the European convention of human rights. “That means that in the new constitution, the right has a very high level of importance. That will reinforce the idea of data protection,” he says.

But the final effects are still unclear, Bayo-Delgado says. Most countries will have to adapt their data protection laws to acknowledge the reorganisation of European structures such as the replacement of the three pillars concept with a single pillar. “We'll have to wait until the constitution is a legal reality,” he says.


Copyright ©SA Mathieson 2004. SA Mathieson writes about IT for titles including The Guardian and Health Service Journal.
