Information Privacy Law - Europe

Europe

The right to data privacy is heavily regulated and actively enforced in Europe. Article 8 of the European Convention on Human Rights (ECHR) provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. According to the Court's case law the collection of information by officials of the state about an individual without his consent always falls within the scope of Article 8. Thus, gathering information for the official census, recording fingerprints and photographs in a police register, collecting medical data or details of personal expenditures and implementing a system of personal identification has been judged to raise data privacy issues.

Any state interference with a person's privacy is only acceptable for the Court if three conditions are fulfilled:

1. The interference is in accordance with the law
2. The interference pursues a legitimate goal
3. The interference is necessary in a democratic society

The government is not the only entity which may pose a threat to data privacy. Other citizens, and private companies most importantly, engage in far more threatening activities, especially since the automated processing of data became widespread. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was concluded within the Council of Europe in 1981. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

As all the member states of the European Union are also signatories of the European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the European Commission was concerned that diverging data protection legislation would emerge and impede the free flow of data within the EU zone. Therefore the European Commission decided to harmonize data protection regulation and proposed the Directive on the protection of personal data, which member states had to transpose into law by the end of 1998.

The directive contains a number of key principles with which member states must comply. Anyone processing personal data must comply with the eight enforceable principles of good practice. They state that the data must be:

1. Fairly and lawfully processed.
2. Processed for limited purposes.
3. Adequate, relevant and not excessive.
4. Accurate.
5. Kept no longer than necessary.
6. Processed in accordance with the data subject's rights.
7. Secure.
8. Transferred only to countries with adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of "obtaining", "holding" and "disclosing".

All EU member states adopted legislation pursuant this directive or adapted their existing laws. Each country also has its own supervisory authority to monitor the level of protection.

Because of this, in theory the transfer of personal information from the EU to the US is prohibited when equivalent privacy protection is not in place in the US. American companies that would work with EU data must comply with the Safe Harbour framework. The core principles of data protected are limited collection, consent of the subject, accuracy, integrity, security, subject right of review and deletion. As a result, customers of international organizations such as Amazon and eBay in the EU have the ability to review and delete information, while Americans do not. In the United States the equivalent guiding philosophy is the Code of Fair Information Practice (FIP).

The difference in language here is important: in the United States the debate is about privacy where in the European Community the debate is on data protection. Moving the debate from privacy to data protection is seen by some philosophers as a mechanism for moving forward in the practical realm while not requiring agreement on fundamental questions about the nature of privacy.