Data Privacy for Beginners
The foundation of European data privacy is Directive 95/46/EC (the “Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data” to give it its full title).
As its name suggests, the Directive requires EU Member States to protect the privacy of individuals and to facilitate the free flow of personal data between the EU's 27 members. It will be immediately apparent that privacy on the one hand and free movement between countries on the other are not always readily compatible. That, nevertheless, is what EU regulation sets out to achieve.
In the UK the Directive is implemented by the Data Protection Act 1998. However, since most business relationships that involve the sale, servicing or outsourcing of technology are international to at least some degree (and since all EU national laws are supposed in any case to follow the Directive) it is usually better to focus on the rules at EU level.
The Directive establishes nine mandatory data protection principles:
1. Purpose limitation
Data must be processed (which includes any type of use, storage and further disclosure) only for the purposes for which it was collected. It must not be kept for longer than necessary.
2. Data quality and proportionality
Data must be accurate and kept up to date. It must be adequate, relevant and not excessive in relation to the purposes for which it was collected.
3. Transparency
Individuals must be notified of the purposes for which data is collected and the identity of the data controller. Any other information which is necessary to ensure fair processing should also be provided.
4. Security and confidentiality
The data controller must take technical and organisational security measures appropriate to the risks associated with the processing. Any person acting under the authority of the data controller (including any data processor) must not process the data except on instructions from the controller.
5. Rights of access, rectification, erasure and redaction
Individuals must have a right of access to all data relating to them and the right to have data rectified, erased and redacted where it is incomplete or inaccurate. Individuals must also be able to object (on compelling legitimate grounds relating to their particular circumstances) to the processing of data relating to them.
6. Restrictions on transfers
Transfers of personal data to any country outside the European Economic Area (the 27 EU Member States plus Norway, Iceland and Liechtenstein) are prohibited, unless the importing country ensures an ‘adequate’ level of privacy protection or the transfer is covered by one of the derogations in Article 26 of the Directive.
7. Special categories of data
Where sensitive personal data is processed (i.e. data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health or sex life; or relating to offences or criminal convictions), additional safeguards are required.
8. Direct marketing
Where data is processed for direct marketing, effective procedures are required allowing individuals to opt out at any time.
9. Automated decisions
Individuals are entitled not to be the subject of a decision which is based solely on the automated processing of their data, unless other measures are taken to safeguard their legitimate interests. Individuals are entitled to know the reasoning behind activity which has legal consequences for them and which is based solely on the automated processing of their data intended to evaluate personal aspects such as performance at work, creditworthiness, reliability, conduct and so forth.
The UK Data Protection Act has eight principles rather than nine, but they reflect the principles in the Directive. For clarity, it is worth noting that 'personal data' is data relating to a living individual (and includes information which, if combined with other information available to the controller, would identify the individual, such as an email address or national insurance number). 'Data subjects' are individuals who are the subject of personal data. There is also an important distinction between data controllers and data processors, which I will explore in a later post.
Data Privacy for Beginners (Part 1)
20/04/2010
The foundation and principles of European data privacy law.