Currently, the processing of personal data within the European Union is governed by the 1995 European Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive). The Directive sets out the framework for data protection regulation in the European Union. It regulates the processing (including the collection, use, storage, disclosure, and destruction) of personal data about individuals.
Each of the EU member states has separately implemented the Directive into its own national law. The Directive was implemented in the UK via the Data Protection Act 1998. As the Directive was separately implemented by each country, both substantive and procedural data protection laws and regulations are rather fragmented and currently vary quite significantly between countries.
The Directive, as implemented in the UK by the Data Protection Act 1998 (the Act), sets out eight key data protection principles:
- Data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
- Data should be obtained only for one or more specified and lawful purposes, and should not be further processed in any manner incompatible with those purposes.
- Data should be adequate, relevant and not excessive.
- Data should be accurate and, where necessary, kept up to date.
- Data should not be kept longer than is necessary for the purposes for which it is processed.
- Data should be processed in accordance with the rights of the data subject under the Act.
- Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. This seventh principle is the one that imposes information security obligations on the data controller: the measures must provide a level of security appropriate to the harm that might result from such a breach and to the nature of the data being protected.
- Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
As technology rapidly advances and is relied upon in ever more aspects of life, we live in an increasingly data-driven world. This widespread use of technology and data-driven services is a considerable change from the time when the 1995 Directive was established. The potential for abuse, theft and loss of personal data, and for breaches of privacy, is significantly higher than it was a couple of decades ago, so the need for a solid legal data protection framework is much more apparent. Taking this into account, the aim of the European legislators was to provide a much more harmonised legal framework for data protection across the member states and to protect all EU citizens from privacy and data breaches.
In April 2016, after nearly four years of negotiations, the European Parliament and the Council adopted the General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR), which repeals and replaces the Directive. As a Regulation it has direct effect in all EU member states, without the need for further implementing legislation, and applies from May 25, 2018.
The GDPR was designed to benefit both individuals and organisations by increasing legal certainty, reducing the administrative burden and cost of compliance for organisations that are active in more than one member state and, importantly, enhancing consumer confidence in the single digital marketplace.
Whilst this has been achieved in part, opinions differed on a number of matters during the negotiations, and in order to reach political agreement there remain a number of areas covered by the GDPR where member states are allowed to legislate differently in their own national data protection laws. The UK will do this via a new Data Protection Act, currently a Bill going through Parliament. Therefore, whilst the Regulation does build a more harmonised framework, it is likely that significant differences in data protection laws and enforcement practice will continue among member states once the GDPR applies.