European Union law related to data protection

This essay will attempt to examine the leading principles that form the European Union law in relation to data protection and evaluate their efficiency and adequacy in the context of the information society. The discussion begins with a brief reference to today’s information-based reality. First of all, the importance and necessity of the use of data in today’s world, as well as the role of technology in enabling faster and more effective data processing, will be stressed. Then, the basic principles of the Directive and the basic ways by which they are implemented will be listed and evaluated in relation to the challenges that data protection law is facing today. After a critical comparison between the EU and US approaches to Data Protection, the paper will go on to examine whether or not it is wise to have Data Protection legislation at all. Finally, some recommendations will be made for the improvement of the law surrounding the protection of Data.

Undoubtedly, personal information, that is, any information that can be linked to a specific person [1], is more and more becoming an invaluable commodity in our society [2]. Data about us is processed everywhere on the web [3]. The average European is tracked in around 500 different databases [4]. Personal data are certainly the lifeblood of the information-driven economy, being the most powerful asset, a leading organising principle and a critical enabler for business competitiveness in today’s world [5]. Information is inherently and unavoidably global and does not respect any geographical boundaries [6].

Digital technology has greatly facilitated the ability to easily and quickly obtain, process, store and manipulate data and to transfer it to third parties [7]. As a result of the digital-based society that we experience, it is much easier for people to be tracked and monitored. Instead of their personal identities, they can now be identified through proxies, a series of information such as passwords and user identities, bank or credit card information, email addresses, and personal data such as the date of birth or place of birth; information that, if put together, will create an individual [8].

In the light of this technological reality, the European Union, which has always been concerned about privacy of information and its importance for the reassurance of democracy, enacted Directive 95/46/EC on the protection of Data. In general, a data protection law aims at giving rights to individuals as to how data tracking them is processed and at subjecting such processing to a certain set of safeguards [9]. The Directive imposes a set of rules on the collection, processing and transfer of personal Data within the EU and between members of the EU and third countries. Its purpose was to provide the individual with a ‘high level of protection’ as well as to enable the free flow of data [10].

However, technology will never stop moving forward. The Data Protection Directive was intended to cope with problems in relation to data processing, as they were understood in 1995. [11] Indeed, massive changes have taken place since 1995 in our globalised information society. Today, the legislation in relation to Data Protection is called upon to face the Internet revolution, the emergence of ambient intelligence and the growth in the capacity of computers [12]. Even if the EU Directive is technologically neutral, the question whether it is effective in protecting the individual in the 21st century without creating too many restrictions on the essential circulation of data in the networked society remains uncertain. This is a question to be answered through an evaluation of the main principles of the Directive against the background of the globalised information society that we experience today.

The core principles of the EU Directive on Data Protection are to be found in Article 6. In particular, it states that personal data must be processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; that the data obtained and processed is adequate, relevant and not excessive in relation to the purposes for which they are collected; that it is accurate and, where necessary, kept up to date; that the information is kept in a manner which allows for identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. [13]

Consequently, the Directive does not actually seek to stop the data processors or data controllers from collecting information. Rather, it attempts to create a set of rules so as to ensure that there is lawfulness, transparency and proportionality throughout the procedure of collection and circulation of data in relation to an individual.

Article 7 of the Directive sets out the circumstances under which data processing is legitimised. The most important criterion for making such a process lawful is that ‘the data subject has unambiguously consented to the processing’ [14]. On the one hand, one might think that leaving it to the discretion of the data subject to decide whether or not he wishes his data to be shared sounds perfectly fair and reasonable.

However, on the other hand, the relevance and appropriateness of ‘consent’ as the basis for legitimising data processing is heavily questioned in the context of the information society and the Internet. Due to the extremely interactive nature of the web, consent is given in order to receive piffling advantages; beyond this, it is very unlikely, even somehow ‘abnormal’, for a data subject, that is, the particular individual, to refuse consent, which pushes the user to give it in the vast majority of cases. [15] At a pragmatic level, individuals are more willing to choose, or are even required, to give up their informational privacy in order to receive commercial or other benefits in exchange, as when purchasing goods online. [16] In some circumstances, if they refuse to submit their personal information, they may be excluded or even prejudiced [17]. Although the aforementioned right of choice as to whether or not to surrender personal information seems like an ideal solution in theory, it breaks down when put into practice.

Article 2(h) of the Directive provides further guidance as to the interpretation of the concept of ‘consent’. In particular, it provides that ‘the data subject's consent’ shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. However, companies have provided evidence that access to privacy policies by consumers is extremely rare [18]. This means that even if the Directive wishes to promote transparency and enrich the individual’s awareness as to how, where and for what purpose his information is circulated, this cannot be realised if the data subjects do not take any time at all to assess terms and conditions [19].

Another important right that the Directive has attributed to the individual is the right to access the data collected in relation to him and verify them if necessary [20]. This means that even if the data subject does not have the power to stop the data processor from collecting his personal data, he does have the right to make sure that it is accurate, secure and up to date. This is essentially the difference from the totalitarian systems, where the state’s aim was to collect as much data as possible in relation to people without being concerned about the quality of the data. However, it is not possible for a right to be useful if the people who are entitled to it are not aware of its existence. According to Eurobarometer research, only 32% are aware of their right to access, correct or erase data concerning them [21].

The EU Directive, in attempting to offer a ‘high level of protection’, did not only give rights to the data subjects but also imposed a number of obligations on the data controllers. Under Article 10, the data collector is required to give notification to the data subject in relation to the collection and the use of data [22]. Moreover, Article 17 requires the data controllers to protect personal data against risks using the appropriate technical and organisational measures.

However, such requirements would be of no value if they were not enforced in reality. According to the findings of another Eurobarometer poll on compliance with the rules of the Directive on the part of the data controllers, businesses appear to have no real interest whatsoever in complying with the requirements of the law, due to the very few complaints made by their customers in respect of data security and also due to the very low detection risk resulting from the weak enforcement measures adopted by the Data Protection Authorities [23].

It can therefore be said that the Directive tried to introduce complex and formal requirements, which in reality are of limited consideration and of negligible enforcement. Certainly, it is admitted that, especially in today’s information society, the implementation of principles relating to Data Protection is not an easy task. However, if the European Union wishes to ensure a high level of informational privacy of the individual, then it needs to introduce measures that are realistic, practicable and understandable to both data subjects and data controllers [24].

When it comes to state security, public safety, defence, the State’s activities in relation to the prevention of crime and taxation purposes, the EU Directive exempts the processing of personal data from its scope of application [25]. It is generally accepted that the individual should waive his right to informational privacy not only in return for a commercial benefit, but also for reasons that benefit society as a whole [26]. However, the power given to the States through the above exceptions is extremely wide and the individual cannot object to the collection of his personal information by the state for these legitimate purposes. The states tend to exploit their right to derogate from the provisions of the Directive to a degree that is disproportionate. Thus, the Directive does not protect the individual as far as state intrusion is concerned.

Article 25 deals with the extra-territorial transfer of data. In particular, it provides that data transfers exporting data for circulation are to be permitted by Member States only if the third countries ensure an ‘adequate level of protection’ [27]. At first glance, it seems encouraging that the Data Protection Directive recognises that data circulation is necessary for the expansion and flourishing of global trade and attempts to form a standard of protection when it comes to transfer of data between the European Union and the rest of the world. However, its attempt to impose onerous, strict and complex requirements for the regulation of trans-border data flow does not seem to be a wise idea, since they do not seem to have any realistic application in the online world. As Professor Gunasekara argues, ‘in an increasingly globalised world, where the market for goods and services spans national borders, national safeguards and regimes for the protection of personal data or information about individuals are of little value, as technology allows the information to be whisked out of the jurisdiction at the proverbial click of a mouse’ [28]. In this context, therefore, it can be argued that any legislation in relation to data transfer is of little value due to the borderless nature of the Internet.

Moreover, the Commission failed to sufficiently interpret the term ‘adequate protection’, as the criteria given are vague and unclear [29]. What the Directive states in terms of explaining adequacy is that it will be evaluated in the light of all the circumstances surrounding a data transfer operation, whereby particular consideration shall be given to such factors as the nature of the data, and the purpose and duration of the processing operation [30]. Therefore, not only does the Directive attempt to impose draconian measures in relation to extra-territorial data transfer, but the power and enforcement of those measures in reality is also questioned, since the digital reality seems to have no space left for such complex, formal and lengthy procedural rules.

Seven years after the enactment of the Data Protection Directive, the European Union appeared to have concerns in relation to the risks that the sector of electronic communications entails, and this led to the enactment of Directive 2002/58 on the processing of personal data and the protection of privacy in the electronic communications sector. It should be noted that the e-privacy Directive is just supplementary and complementary to the general Data Protection Directive; the latter is a lex generalis and applies to the processing of data unless the former, the lex specialis, determines otherwise [31]. Furthermore, while the Data Protection Directive is only applicable to natural persons, the 2002 Directive also embraces subscribers who are legal persons [32], whose traffic and location data are also to be protected [33].

In evaluating the relevance and adequacy of the European Data Protection law in the context of the information society, a critical comparison between the European and the American approach should be of considerable assistance. Unlike the Europeans, who, as we saw, follow a sui generis protection, that is, recognising the importance of data protection per se, Americans appear to be quite hesitant and sceptical about recognising a general privacy right in information and therefore unwilling to set up a Data Protection regime [34]. The US rather preferred to follow a selective legislative approach as far as data protection is concerned, based on the argument that if the government interferes in the regulation of information, there will be an undue intervention in the free flow of the market [35]. They therefore tend to favour a self-regulatory model in respect of data protection, in the belief that such an approach achieves a high quality of data security without adversely affecting the free flow of the market.

It is obvious that there is a diversity of views as to the value and importance of the protection of privacy and that it is assessed upon different sets of criteria. On the one hand, the European Union claims that informational privacy is not just an interest, but a ‘fundamental right’ [36] and sets out long and detailed legislation in order to offer a high level of protection to the individual; on the other hand, the U.S. appears to have no intention of enacting data protection legislation, for fear that this will block the expansion of businesses and commerce.

At the European level, privacy and its protection became so cardinal in character especially in the aftermath of the Second World War, in which totalitarian states had been creating large databases of personal data in order to segregate populations, target minority groups and facilitate genocide [37]. However, not everyone feels that classing informational privacy as a priceless and inalienable right is still relevant or can be realistically applicable within the context of today’s information-based society. According to Professor Bergkamp, the EU Directive on Data Protection is a fallacy in that it imposes an onerous set of requirements on all sectors of industry, without having at hand any empirical data on privacy risks and demand [38]. As noted before, in general, there is little interest on the part of individuals in protecting their data, ‘such an important asset’. He therefore criticises the Directive on the basis that its enforcement is expensive, and even ‘anti-consumer’, and believes that European industry survives under such a strict regime only because enforcement is very lax [39]. In his words, ‘if the EU Data protection regime were abolished in toto tomorrow, very few citizens and consumers would be any worse off, and many would benefit significantly’ [40].

On the other hand, a complete sweeping away of Data Protection legislation is regarded by others as too extreme a view. When deciding whether it is better to keep or dispose of Data Protection legislation, one should bear in mind that the protection of our personal data, and therefore of our private lives, is an essential condition for the safeguarding of liberty and democracy [41]. On this basis, Cate and Staten argue that just because personal information plays an important and critical role in today’s world ‘essential infrastructure’, this does not mean that “privacy of information is unimportant or unprotected” but it must be balanced – as consumers do in their choices every day – with the benefits that they enjoy because of the responsible use of personal Data” [42]. A way therefore needs to be found

In conclusion, as illustrated by the above analysis of the EU Data Protection Directive, the European law in relation to privacy of information has failed to operate sufficiently in today’s information society. In general, it has not been successful in striking a fair balance between the free flow of information and the rights of the data subject, as it imposed overly rigid restrictions on the transfer and exchange of data. Moreover, its principles may in theory provide the data subject with a high level of protection; however, when put into practice, their fruitfulness is considerably limited.

In the light of the inadequacy of the Directive, the law regarding Data Protection within the European Union should certainly be revised and adapted to today’s realities. However, the question that arises at this point is whether there is any law at all that is capable of protecting the data subject and his personal data within the continuously growing information society that we experience. Arguably, a traditional piece of legislation that creates an organisational culture and focuses on meeting formalities to create paper regulatory compliance [43] would be of valuable assistance when it comes to regulation of the protection of Data, especially in the context of the challenges posed by the development of technology. Many commentators believe that technology will continue to “outpace…the imagination of even the most clever law-makers” [44]. It may therefore appear essential for the legislatures to ‘stop thinking like lawyers’ if they wish to promote a data protection practice that works effectively today [45]. Co-operation between law and technology might be the best way to ensure that the individual is protected in practice whilst at the same time the free flow of Data, which is of such vital importance in our society, is secured.