Caslon Analytics elephant logo title for Privacy guide
home | about | site use | resources | publications | timeline   spacer graphic   Ketupa




Aust law

EU law

New Zealand

Asia law

N America





other writing


















related pages icon




related pages icon



section heading icon     the European Union

This page looks at privacy legislation, reports and developments in the European Union.

It covers -

subsection heading icon     background

During the 1970's Germany, France and much of Scandinavia enacted comprehensive privacy legislation. 

That legislation reflected the 1948 Universal Declaration of Human Rights and other statements of principle discussed earlier in this guide.

It built on enactments, from the Enlightenment onwards, about surveillance, protection of postal and electronic communications, and government use of data. Sweden's Parliament for example devised an Access to Public Records Act in 1777. Thirteen years later the French National Assembly declared that the privacy of letters was inviolable. France prohibited publication of "private facts" in 1858. Bavarian legislation in 1861 provided for a mandatory one year jail term for a telegrapher who disclosed the contents of a telegram without authorisation. Norwegian legislation in 1889 prohibited publication of information relating to "personal or domestic affairs".

In 1968 the Council of Europe asked whether the 1950 European Convention on Human Rights (highlighted here) and the domestic law of the member States offered adequate privacy protection. An EC study in response to that question concluded that existing national legislation was inadequate although, as noted below, provisions in some jurisdictions such as France were far-reaching.

The Council's Committee of Ministers accordingly adopted a Resolution on Data Protection in 1973, establishing principles of data protection for the private sector. A second resolution in 1974 did the same for the public sector.

The 1970s enactments were reflected in the suite of information privacy guidelines adopted in 1981 by the Organization for Economic Cooperation & Development (OECD) and in the 1981 Council of Europe Convention binding member countries to create legislation establishing fair information practices.

As John Gaudin notes in his 1996 paper The OECD Guidelines: Can They Survive Technological Change?, those regulatory frameworks predated the web. 

In 1992 the OECD released Guidelines for the Security of Information Systems & Networks. A revised version (PDF) was issued in August 2002 "to counter cyberterrorism, computer viruses, hacking and other threats":

The Guidelines are designed to develop a "culture of security" among government, business and users in an environment of worldwide expansion of communications networks, increasing interconnectivity across national borders, converging technologies and ever more powerful personal computers.

subsection heading icon     the Directives

In 1995 the European Union (EU) passed a Data Protection Directive protecting personal information and harmonizing privacy laws among its member states. 

An Additional Protocol (AP) adopted on 23 May 2001 requires the establishment of independent supervisory authorities.

The 1995 Directive, now in effect across the EU, has resulted in enactment of legislation among all EU member states - and many trading partners - that enshrines a high level of privacy protection and ensures that privacy is on the agenda in government policy making.

The Directive requires that the laws of member states protect personal information in both the private and public sectors. That legislation must feature provisions to block transfers of information to non-member states that do not provide an "adequate" level of protection.

It requires all data processing to have a "proper legal basis", encompassing

  • consent
  • contract
  • legal obligation
  • vital interest of the data subject
  • the balance between the legitimate interests of those controlling the data and the individuals on whom data is held (the 'data subjects')

Data subjects have important rights, including

  • a right of access to that data
  • a right to know where the data originated (if such information is available)
  • a right to have inaccurate data rectified
  • a right of recourse in the event of unlawful processing
  • a right to withhold permission to use their data in certain circumstances (eg to opt-out free of charge from being sent direct marketing material, without providing any specific reason).

The Directive establishes that sensitive data (eg an individual's ethnic/racial origin, political or religious beliefs, trade union membership or data concerning health or sexual history) can only be processed with the explicit consent of the individual, except in specific cases such as where there is significant public interest (eg for medical or scientific research) for which alternative safeguards have been established.

At the beginning of 2002 the European Commission released the final form (PDF) of data privacy contractual clauses for the transfer of personal data for processing outside the EU, for example to Australia or to Bangalore.

The EU, in contrast to Australia and North America, has not relied on self-regulation of ISPs and commercial or other sites: Brussels is moving to ensure compliance with mandatory EU-wide principles and operational standards. 

Other EU Directives include the European Union Telecommunications Directive (here).

subsection heading icon     outside the EU

The Data Protection Directive was the subject of None of Your Business: World Data Flows, Electronic Commerce & the European Privacy Directive (Washington: Brookings 1998) by Peter Swire and Robert Litan and Christopher Kuner's authoritative European Data Protection Law, Corporate Compliance and Regulation (Oxford: Oxford Uni Press 2007).

Swire highlighted particular issues in his 1998 paper Of Elephants, Mice, and Privacy: International Choice of Law & the Internet. There's a more negative view in Joel Reidenberg's 2000 Resolving Conflicting International Data Privacy Rules in Cyberspace (PDF) and 2001 Ecommerce and Trans-Atlantic Privacy (PDF).

Perspectives are provided in The European Union as a Global Actor (London: Routledge 1999) by Charlotte Bretherton & John Vogler, International Relations Law of the European Union (London: Longman 1997) by Daniel McGoldrick, Colin Bennett & Charles Raab's The Governance of Privacy: Policy Instruments in Global Perspective (Cambridge: MIT Press 2006) and Lars Ilshammar's 2007 'When Computers Became Dangerous: The Swedish Computer Discourse of the 1960s' (PDF) in 9 Human IT 1 (6–37) on Sweden's landmark Data Act.

A discussion of principle and practice regarding EU bilateral and multilaterial agreements concerning the Data Protection Directive, in particular the EU-US Safe Harbor agreement, is here.

subsection heading icon     criticisms

While overall responses within the EU have been positive, some critics argue that the Directive and new Directive-related national legislation is unduly bureaucratic or used to suppress freedom of speech.  

A recent example is Jacob Palme's overstated paper on Freedom of Speech, the EU Data Protection Directive and the Swedish Personal Data Act and his less temperate view of Swedish regulation of the Web. 

The essays by Mayer-Schoenberger and Bennett in Technology & Privacy: The New Landscape (Cambridge: MIT Press 1997), edited by Marc Rotenberg & Philip Agre, are of more value in assessing European developments and their wider implications. 

France's legislation, highlighted below, has faced particular criticism for its chilling effect on media coverage of political or business corruption and public figures.

subsection heading icon     the UK

The UK Data Protection Act 1998 is here.

Studies include Data Protection in the UK (London: Blackstone's Press 2000) by Peter Carey and A Guide to the Data Protection Act 1998 (London: Butterworths Tolley 1998) by Ian Lloyd.
For a superb and broader view of the UK privacy regime see Michael Tugendhat & Iain Christie's The Law of Privacy & the Media (Oxford: Oxford Uni Press 2002)

subsection heading icon     France

The 1970 French enactment (amending article 9 of the Code Civil) is encapsulated in the statement that "each person has the right to the respect of his private life", with a concept of privacy that is broader than that in Australian and US legislation.

The legislation's authors and subsequent judicial decisions have characterised a right of privacy that embraces all aspects of an individual's spiritual and physical being, including the individual's image (eg photographs), political and religious beliefs, address, personal health and the health of close family members, parental and marital status, and romantic relationships. Each person, in principle, has an exclusive power to define the boundaries of his/her private life and the circumstances in which private information may be publicly released.

As a moral right - like that of copyright - the right to privacy under the legislation survives death; family members may assert a privacy claim on behalf of the deceased and an individual has some vicarious rights regarding disclosure about a close family member.

The legislation has been amended to reflect the EU Directives and - for example through the 1978 Data Protection Act covering personal information held by government agencies and private sector entities - technological developments.

subsection heading icon     Germany

The 1977 Data Protection Act was replaced by a Federal Data Protection Act (FDPA) in 1990. That enactment has been subsequently amended to reflect EU Directives and court rulings; like much privacy legislation it has been criticised as overly-complicated, with calls for a comprehensive revision rather than ongoing piecemeal reconstruction.

The Act provides coverage at the federal level, complemented by state legislation. It applies to the collection, processing and use of personal data by federal government agencies, state agencies in instances where data protection is not governed by state legislation and they give effect to federal law, and private sector bodies unless the collection, processing or use of the data is solely for personal or domestic activities.

It is complemented by a wide range of agency/industry-specific legislation and protocols, such as the delicious Telekommunikationsdienstunternehmen Datenschutzverordnung.

subsection heading icon     other EU states

David Flaherty's Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada & the United States (Chapel Hill: Uni of North Carolina Press 1992) dates from the early 1980s but remains of value.

At the national level Scandinavia, Germany and the Netherlands continue to set the pace for the rest of the EU. 
Perspectives from Denmark, Belgium, Eire, Sweden and the Netherlands have appeared in JILT.

The following sites are gateways for information about national regimes:



Czech Republic
















icon for link to next page    next page  (New Zealand)

this site
the web



version of June 2007
© Bruce Arnold | caslon analytics