the European Union

This page looks at privacy legislation, reports and developments
in the European Union.
During the 1970s Germany, France and much of Scandinavia
enacted comprehensive privacy legislation.
That legislation reflected the 1948 Universal Declaration
of Human Rights and other statements of principle discussed
earlier in this guide.
It built on enactments, from the Enlightenment onwards,
about surveillance, protection of postal and electronic
communications, and government use of data. Sweden's Parliament,
for example, devised an Access to Public Records Act
in 1777. Thirteen years later the French National Assembly
declared that the privacy of letters was inviolable. France
prohibited publication of "private facts" in 1858.
Bavarian legislation in 1861 provided for a mandatory one-year
jail term for a telegrapher who disclosed the contents
of a telegram without authorisation. Norwegian legislation
in 1889 prohibited publication of information relating to
"personal or domestic affairs".
In 1968 the Council of Europe asked whether the 1950
European Convention on Human Rights (highlighted here)
and the domestic law of the member States offered adequate
privacy protection. An EC study in response to that
question concluded that existing national legislation
was inadequate although, as noted below, provisions
in some jurisdictions such as France were far-reaching.
The Council's Committee of Ministers accordingly adopted
a Resolution on Data Protection in 1973, establishing
principles of data protection for the private sector.
A second resolution in 1974 did the same for the public
The 1970s enactments were reflected in the suite of
information privacy guidelines
adopted in 1981 by the Organization for Economic Cooperation
& Development (OECD) and in the 1981 Council of
binding member countries to create legislation establishing
fair information practices.
As John Gaudin notes in his 1996 paper
The OECD Guidelines: Can They Survive Technological
Change?, those regulatory frameworks predated the
In 1992 the OECD released Guidelines for the Security
of Information Systems & Networks. A revised
was issued in August 2002 "to counter cyberterrorism,
computer viruses, hacking and other threats":
Guidelines are designed to develop a "culture of security"
among government, business and users in an environment
of worldwide expansion of communications networks, increasing
interconnectivity across national borders, converging
technologies and ever more powerful personal computers.
In 1995 the European Union (EU) passed a Data Protection
protecting personal information and harmonizing privacy
laws among its member states.
An Additional Protocol (AP)
adopted on 23 May 2001 requires the establishment of independent
The 1995 Directive, now in effect across the EU, has resulted
in enactment of legislation among all EU member states
- and many trading partners - that enshrines a high level
of privacy protection and ensures that privacy is on the
agenda in government policy making.
The Directive requires that the laws of member states
protect personal information in both the private and public
sectors. That legislation must feature provisions to block
transfers of information to non-member states that do
not provide an "adequate" level of protection.
It requires all data processing to have a "proper
legal basis", encompassing
interest of the data subject
the balance between the legitimate interests of those
controlling the data and the individuals on whom data
is held (the 'data subjects')
subjects have important rights, including
right of access to that data
a right to know where the data originated (if such information
a right to have inaccurate data rectified
a right of recourse in the event of unlawful processing
right to withhold permission to use their data in certain
circumstances (eg to opt-out free of charge from being
sent direct marketing material, without providing any
Directive establishes that sensitive data (eg an individual's
ethnic/racial origin, political or religious beliefs,
trade union membership or data concerning health or sexual
history) can only be processed with the explicit consent
of the individual, except in specific cases such as where
there is significant public interest (eg for medical or
scientific research) for which alternative safeguards
have been established.
At the beginning of 2002 the European Commission released
the final form (PDF)
of data privacy contractual clauses for the transfer of
personal data for processing outside the EU, for example
to Australia or to Bangalore.
The EU, in contrast to Australia and North America, has
not relied on self-regulation of ISPs
and commercial or other sites: Brussels is moving to ensure
compliance with mandatory EU-wide principles and operational
Other EU Directives include the European Union Telecommunications

outside the EU

The Data Protection Directive was the subject of
None of Your Business: World Data Flows, Electronic
Commerce & the European Privacy Directive (Washington:
Brookings 1998) by Peter Swire
and Robert Litan, and of Christopher Kuner's authoritative
European Data Protection Law, Corporate Compliance
and Regulation (Oxford: Oxford Uni Press 2007).
Swire highlighted particular issues in his 1998 paper
Of Elephants, Mice, and Privacy: International Choice
of Law & the Internet. There's a more negative
view in Joel Reidenberg's 2000 Resolving Conflicting
International Data Privacy Rules in Cyberspace (PDF)
and 2001 Ecommerce and Trans-Atlantic Privacy (PDF).
Perspectives are provided in The European Union as
a Global Actor (London: Routledge 1999) by Charlotte
Bretherton & John Vogler, International Relations
Law of the European Union (London: Longman 1997) by
Daniel McGoldrick, Colin Bennett & Charles Raab's
The Governance of Privacy: Policy Instruments in Global
Perspective (Cambridge: MIT Press 2006) and Lars
Ilshammar's 2007 'When Computers Became Dangerous: The
Swedish Computer Discourse of the 1960s' (PDF)
in 9 Human IT 1 (6–37) on Sweden's landmark
A discussion of principle and practice regarding EU bilateral
and multilateral agreements concerning the Data Protection
Directive, in particular the EU-US Safe Harbor agreement,
While overall responses within the EU have been positive,
some critics argue that the Directive and new Directive-related
national legislation are unduly bureaucratic or used to
suppress freedom of speech.
A recent example is Jacob Palme's overstated paper
on Freedom of Speech, the EU Data Protection Directive
and the Swedish Personal Data Act and his less temperate
of Swedish regulation of the Web.
The essays by Mayer-Schoenberger and Bennett in Technology
& Privacy: The New Landscape (Cambridge: MIT Press
1997), edited by Marc Rotenberg & Philip Agre, are
of more value in assessing European developments and their
France's legislation, highlighted below, has faced particular
criticism for its chilling effect on media coverage of
political or business corruption and public figures.
The UK Data Protection Act 1998 is here.
Studies include Data Protection in the UK (London:
Blackstone's Press 2000) by Peter Carey and A Guide
to the Data Protection Act 1998 (London: Butterworths
Tolley 1998) by Ian Lloyd. For
a superb and broader view of the UK privacy regime see
Michael Tugendhat & Iain Christie's The Law of
Privacy & the Media (Oxford: Oxford Uni Press
The 1970 French enactment (amending article 9 of the Code
Civil) is encapsulated in the statement that "each
person has the right to the respect of his private life",
with a concept of privacy that is broader than that in
Australian and US legislation.
The legislation's authors and subsequent judicial decisions
have characterised a right of privacy that embraces all
aspects of an individual's spiritual and physical being,
including the individual's image (eg photographs), political
and religious beliefs, address, personal health and the
health of close family members, parental and marital status,
and romantic relationships. Each person, in principle,
has an exclusive power to define the boundaries of his/her
private life and the circumstances in which private information
may be publicly released.
As a moral right - like that of copyright
- the right to privacy under the legislation survives
death; family members may assert a privacy claim on behalf
of the deceased and an individual has some vicarious rights
regarding disclosure about a close family member.
The legislation has been amended to reflect the EU Directives
and - for example through the 1978 Data Protection Act
covering personal information held by government agencies
and private sector entities - technological developments.
The 1977 Data Protection Act was replaced by a Federal
Data Protection Act (FDPA)
in 1990. That enactment has been subsequently amended
to reflect EU Directives and court rulings; like much
privacy legislation it has been criticised as overly complicated,
with calls for a comprehensive revision rather than ongoing
The Act provides coverage at the federal level, complemented
by state legislation. It applies to the collection, processing
and use of personal data by federal government agencies,
state agencies in instances where data protection is not
governed by state legislation and they give effect to
federal law, and private sector bodies unless the collection,
processing or use of the data is solely for personal or
It is complemented by a wide range of agency/industry-specific
legislation and protocols, such as the delicious Telekommunikationsdienstunternehmen

other EU states

David Flaherty's Protecting Privacy in Surveillance
Societies: The Federal Republic of Germany, Sweden, France,
Canada & the United States (Chapel Hill: Uni of
North Carolina Press 1992) dates from the early 1980s
but remains of value.
At the national level Scandinavia, Germany and the Netherlands
continue to set the pace for the rest of the EU.
and the Netherlands
have appeared in JILT.
The following sites are gateways for information about