Implementation of the European Data Protection Directive:
The View from Denmark
by
Professor Peter Blume
[email protected]
This is a refereed article.
Date of publication : 31st January 1996
Citation : Blume, P (1996) 'Implementation of the European Data Protection Directive: The View from Denmark', 1996 (1) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/elj/jilt/dp/1danish/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/blume/>
Current law confronting the directive
In current Danish law there exists a multitude of statutory rules regulating use of personal data. The main rules are contained in the two data protection acts covering the private sector and public administration (both central and local government).
Other important rules can be found in the acts on credit cards, title to land, the mass media and public archives. Furthermore, single rules are placed in many statutes, and it is in itself a demanding task to locate all of these rules. This regulation on the statutory level makes it a very complex and difficult task to implement the EU data protection directive into Danish law.
Many substantial and technical/legal questions have to be answered. As the directive leaves considerable freedom to the member states it is certain that a major legal policy dispute or battle will occur in Denmark during the next 3 years.
In the following I will first briefly outline some of the basic problems that are expected to be at the centre of the Danish debate. Second, the likely legislative procedure leading to implementation will be described. Finally, this contribution closes with some remarks concerning the necessity of international co-ordination during the implementation process. These remarks concern the general EU consequences of the directive.
Main policy issues
Although a key idea in the directive is that data protection rules should be the same in the public and private sector, there are several basic differences between the two sectors, and accordingly the legal policy questions that must be considered also diverge to a certain degree.
In the public sector the basic problem is whether there should be improved/freer possibilities of matching data from different files and more generally whether public administration (local/central government) should be viewed as one entity allowing personal data to flow between those authorities which at some stage have an interest in using them. Based on the report Info-society 2000 (The Ministry of Research 1994) the Danish government published an action plan for the development of the information society in March 1995. In this plan it is argued that personal data should be shared within public administration and that they should be utilized to a much larger degree than has previously been the case. These aspirations do not fully correspond with the directive (e.g. article 6, subsection 1b) and there is little doubt that this area will become the main legal policy battleground with respect to the public sector.
In the private sector the main questions will concern the possibilities of matching within affiliated companies, use of the personal identity number and use of personal data with respect to direct marketing. In particular the last-mentioned topic is likely to lead to much controversy and very heated discussions. With respect to third party use of data for marketing purposes, current Danish law is based on an opt-in solution whereas the directive (article 14) provides for an opt-out model. This will constitute a fundamental change in Danish law and there are very strong feelings regarding both modes of regulation.
In general, Danish law takes its starting point in the concept of a file while the directive is founded on processing of personal data. The current data protection rules concern the filing of data and communication of filed data, whereas the directive covers all stages of processing. It will be a major problem how the directive with its broader scope must and should influence the statutory regulation. Many technical questions with respect to the drafting of the new rules and the substantial consequences of these rules will have to be answered during the implementation process. It must be added that manual data are regulated in the present Danish law and such processing will accordingly not be a significant problem in the legal policy debate.
Legislative procedure
The Ministry of Justice is responsible for implementation of the directive. Before the end of this year a committee will be set up. The task of the committee is to prepare the new legislation, and it is to present a report at the latest by 1 July 1997 as a bill has to be presented to Parliament in its session 1997/98 in order to have a new statute (or new statutes) enacted before this session closes in June 1998.
The committee will have 16 members representing both the public and private sector. Its agenda is not restricted to implementation of the directive but all issues of importance for an updated statutory regulation can be considered. Among these issues are the consequences of networks, bulletin boards etc. for protection of personal data. The theme is how data protection can be organized in cyberspace. In general it is emphasized that the committee should balance the interest of controllers (data users) and data subjects.
As indicated, the end result is expected to be one or several new acts. Within the Danish tradition there is no doubt that implementation of the directive must be decided in Parliament and that it is not possible to use statutory instruments as the mode of implementation. For this, in my opinion very sound, reason the time limits are very demanding and the next three years must be expected to be eventful.
International co-operation
The directive leaves much freedom to the member states at the same time as it provides for free flow of personal data within the community. There is a clear risk that the level of protection in different countries can become too divergent, creating dangers for the legal protection of the individual citizen. Accordingly it is very important that the member states during the implementation process share information about their procedures and interpretation of the different rules in the directive. The Commission should be active in this respect. It is important and in many respects essential that the directive both on a national and on an EU level provides an acceptable protection and that the end result is a legal regulation that sustains an information society which is civilized and in accordance with the core of the rule of law.