Data protection law is adequate, says European Commission

The Data Protection Directive does not need to be amended and has operated successfully according to a report conducted by the European Commission. But some countries' data protection supervisors are not independent enough of governments.

The Directive itself orders that the Commission produce reports on the workings of the legislation. The first of those, in 2003, reported that work had to be done in order to ensure that the Directive was working. The Commission has just reported on the progress of the work programme contained in that report.

"The Commission considers that the Data Protection Directive constitutes a general legal framework which fulfils its original objectives by constituting a sufficient guarantee for the functioning of the internal market while ensuring a high level of protection," said the report. "It gives shape to the fundamental right to protection of personal data; respect of its rules should ensure trust of the individuals on the way their information is used, a key condition for the development of the e-economy; it sets a benchmark for initiatives in a number of policy areas; it is technologically neutral and continues to provides solid and appropriate responses to these issues."

"Therefore, the Commission does not envisage submitting any legislative proposal to amend the Directive," said the report.

The report said that the Directive, which was groundbreaking when passed, has been a success. "It protects individuals against general surveillance or undue discrimination on the basis of the information others hold on them," it said. "The trust of consumers that personal details they provide in their transactions will not be misused is a condition for the development of e-commerce. Business operate and administrations cooperate throughout the Community without fearing that their international activities be disrupted because personal data they need to exchange are not protected at the origin or the destination."

The Commission reported that every European member state has now transposed the Directive into national law, but that some countries have not implemented it properly.

"Some member states have failed to incorporate a number of important provisions of the Directive. In other cases, transposition or practice has not been conducted in line with the Directive or has fallen outside the margin of manoeuvre left to member states," it said.

"One concern is respect for the requirement that data protection supervisory authorities act in complete independence and are endowed with sufficient powers and resources to exercise their tasks. These authorities are key building blocks in the system of protection conceived by the Directive, and any failure to ensure their independence and powers has a wide-ranging negative impact on the enforcement of the data protection legislation."

The Commission said that it would conduct a survey of countries' implementations and take action against countries which refuse to bring their law into line with the Directive.

"Some member states have acknowledged the existence of their legislative shortcomings and have committed themselves to introducing the necessary corrections, something the Commission strongly encourages," said the Commission's report. "Other problematic issues have been raised in complaints by citizens. Where a breach of Community Law remains, the Commission, as guardian of the Treaties, will open formal infringement procedures against the Member States concerned, in accordance with Article 226 EC. A number of such proceedings have already been opened."