This is the third part of a three part post.  In this part Aidan O’Neill considers EU secondary legislation on data protection

The Data Protection Directive 95/46/EC was passed by the EU legislature under what is now Article 16(2) TFEU. It has been supplemented by: the Data Protection (Telecommunications) Directive 97/66/EC which regulates the processing of personal data in the telecommunications sector; and by  Privacy (Electronic Communications) Directive 2002/58/EC  which prohibits, in principle, the storage of electronic data by persons other than users, without the consent of the users concerned.

The only exceptions relate to persons lawfully authorised in accordance with Article 15(1) of that directive and the technical storage necessary for conveyance of a communication.

The Data Protection Directives create provisions which parallel – for Member States when acting within the sphere of EU – the provisions of Regulation (EC) No 45/2001 which apply to activities of the EU institutions.   The Data Protection Directives have the same dual aim as the EU Data Protection Regulation: of protecting the fundamental rights and freedoms of natural persons – and in particular their right to privacy with respect to the processing of personal data – while allowing for the continued free flow and processing of personal data EU-wide.

Article 3(2) provides that the Directive’s provisions do not apply to Member States data processing activity in the field of public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law (see Case C‑524/06 Heinz Huber v. Germany [2008] ECR I-9705).  And even where the data processing activity falls within the ambit of the Directive, Article 13(1) allows for restrictions to be imposed on the subject’ rights of access and information may be imposed by Member States in so far as they are necessary to safeguard, for example: national security (Joined Cases C-317/04 and C-318/04 European Parliament and the European Data Protection Supervisor (EDPS) v Council and Commission [2006] ECR I-4721), defence, public safety; as well as criminal investigations and prosecutions and action in respect of breaches of ethics in regulated professions.

The Court of Justice has held that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (See Case C‑73/07 Satakunnan Markkinapörssi and Satamedia [2008] ECR I‑9831, paragraph 56).  It has also held that no automatic priority can be conferred on the objective of transparency over the right to protection of personal data, even if important economic interests are at stake (See Case C‑28/08 P Commission v Bavarian Lager 29 June 2010, paragraphs 75-9)    The Grand Chamber of the EU Court has held a measure disclosing personal data of and on an individual (as distinct from a legal corporation since “the seriousness of the breach of the right to protection of personal data manifests itself in different ways for, on the one hand, legal persons and, on the other, natural persons” Joined Cases C‑92/09 and C‑93/09 Volker und Markus Schecke GbR v Land Hessen 9 November 2010 at paragraph 87) may yet be determined to be proportionate and hence lawful where there is an specific decision which expressly considers and seeks to balance that individual’s claim to privacy and confidentiality against such general consideration as the principle of transparency of public acts or the open and proper expenditure of public funds (Joined Cases C‑465/00, C‑138/01 and C‑139/01 Österreichischer Rundfunk and Others [2003] ECR I‑4989)

Otherwise the Data Protection Directives seek to ensure that there is a common level of protection of the rights and freedoms of individuals with regard to the processing of personal data which is equivalent in all Member States.   The Directives do not seek a minimal base level harmonisation of Member States laws but are, instead, aimed at harmonisation which is generally complete so as to allow for free movement of data throughout the EU which is consistent with respect for the protection of private life.    The Directives allow therefore relatively limited scope for variation in the implementation of their provisions within the Member State.   And as the European Court of Justice has observed in Criminal Proceedings against Bodil Lindqvist in relation to the Data Protection Directive 95/46/EC:

“[I]t is for the authorities and courts of the Member States not only to interpret their national law in a manner consistent with [the] Directive … but also to make sure they do not rely on an interpretation of it which would be in conflict with the fundamental rights protected by the Community legal order or with the other general principles of Community law, such as inter alia the principle of proportionality.  …

[T]he provisions of Directive 95/46/EC do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the ECHR. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46/EC to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.” ([2003] ECR I-12971 at paragraphs 87, 90)

Article 1 of Directive 95/46/EC identifies the objective of the Data Protection Directive as being “to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”.    It is therefore primarily a privacy protection measure, rather than a general “freedom of information measure”, although the principle of public access to official documents to be taken into account by Member State when implementing the principles set out in the Directive (see Recital 72).   The purpose of the right of access to information held on an individual is primarily in order to verify in particular the accuracy of the data and the lawfulness of the data processing (Recital 41).    And even then the interests or the rights and freedoms of the data subject are not overriding.  (See Case C‑112/00 Schmidberger [2003] ECR I‑5659, para 80).

Article 2(a) of Directive 95/46/EC defines “personal data” as meaning “any information relating to an identified or identifiable natural person”.  Again, as with the EU Data Protection Regulation, its provisions do not apply to anonymous (or properly anonymised) data (see Recital 26).    Article 3(1) of Directive 95/46 states that the provisions of the directive “shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.”    The directive therefore makes a distinction between automatic processing of data held on computer the manual processing of hard copies.    While it is necessary for hard copy data to be part of a relevant structured filing system relating to individuals to be covered by the Data Protection Directive, any data which is in fact stored electronically will fall within the Data Protection Directive regardless of whether it forms part of a relevant filing system.

Like the EU Data Protection Regulation substantive data protection provisions of Article 6 of Directive 95/46/EC also effectively mirror the general principles already set out in the Council of Europe Data Protection Convention 1981, by requiring that personal data be: obtained and processed fairly and lawfully; stored for specified and legitimate purposes and not used in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes for which they are stored; accurate and, where necessary, kept up to date; and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.

Article 9 of the directive seeks to reconcile two fundamental rights: the protection of privacy and freedom of expression by requiring Member States are required to provide for a number of derogations or limitations in relation to the protection of data (and, therefore, in relation to the fundamental right to privacy) for journalistic purposes or the purpose of artistic or literary expression, which fall within the scope of the fundamental right to freedom of expression.   The Grand Chamber of the EU Court has observed that:

“[I]n order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary, first, to interpret notions relating to that freedom, such as journalism, broadly. Secondly, and in order to achieve a balance between the two fundamental rights, the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data provided for in the chapters of the directive referred to above must apply only in so far as is strictly necessary.” (See Case C‑73/07 Satakunnan Markkinapörssi and Satamedia [2008] ECR I‑9831, paragraph 56)

Article 12(a) of the Data Protection requires Member States to ensure a right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed not only in respect of the present but also in respect of the past.   The Court of Justice has held that rules which limit the storage of information on the recipients or categories of recipient of personal data (and on the content of the data disclosed) to a period of one year – and correspondingly limit access to that information – do not in principle appear to strike a fair balance in relation to the privacy interests of the data subject (Case C‑553/07 Rijkeboer [2009] ECR I-3889).

Finally, Article 28 of the Directive requires that properly independent supervisory authorities be set up in each Member State to ensure compliance with the Data Protection Directive’s provisions. And Article 23 of the Data Protection Directive gives data subjects the right to seek damages in respect of a breach of the data protection requirements as regards that individual.

In Johnson v Medical Defence Union Ltd [2007] 3 CMLR 9, EWCA the Court of Appeal of England and Wales opined that the word ‘damage’ in the directive had to go beyond its root meaning of pecuniary loss, nor did the directive envisage that compensation must be available for every type of loss.   This may be contrasted with Case T-48/05 Yves Franchet and Daniel Byk v. Commission ([2008] ECR II-1585) brought against the EU by the former Director-General and the former Director of Eurostat (Statistical Office of the European Communities) under Article 340 TFEU (formerly Article 288 EC) in which the General Court refused the claim for compensation insofar as based on material damages but made an award for non-material damages, noting (at paragraph 411):

“The applicants experienced feelings of injustice and frustration and that they sustained a slur on their honour and their professional reputation on account of the unlawful conduct of OLAF and of the Commission. Taking account of the particular circumstances of the present case and of the fact that the applicants’ reputation was very seriously affected, the Court evaluates the damage, on an equitable basis, at EUR 56 000.”

This is an edited extract from a forthcoming book “EU Law for UK Lawyers” by Aidan O’Neill QC, to be published by Hart in Spring 2011,  Aidan O’Neill QC is a Member of Matrix Chambers