
Privacy
European Commission
The data subject's right of access to and rectification of personal data
For the EU, the right of access is the key mechanism through which an
individual who is experiencing a problem that he/she suspects may be caused
by an inaccurate or incomplete personal record can verify and, if necessary,
rectify the situation. In the view of Commission officials, the right of access
also provides a major incentive for those who process data to do so in
a responsible manner, because they are aware that the accuracy of the data
can be verified by the data subject and that any comment or opinion recorded
on a personal file must be capable of being substantiated.
Exemptions and limitations
According to Commission officials, the EU directive, and all the Member
State laws that preceded it, envision certain exemptions and
limitations to this access right. These exemptions, however, are tightly
circumscribed, and the need for the exemption must be demonstrated in each
particular case in which it is employed. The grounds for exemption
(e.g., 'public order' grounds such as national security and the investigation
of criminal offences) are set out in Article 13 of the directive.
Limitations on the right of access are permitted if they are necessary
to protect the data subject or the rights and freedoms of others.
This provision could be used, for example, to prevent a terminally ill hospital
patient from gaining access to his diagnosis if it was felt that this would
be detrimental to his condition. Inconvenience and cost are not legitimate
justifications for an exemption.
How the right is exercised in practice
The experience in Member States shows that, in practice, organizations
receiving a subject access request will sometimes find it difficult to
locate all the information relating to the individual concerned.
As a result, the data controller may have to ask the data subject for additional
information which will help in the location and retrieval of information
(such as personal identity numbers or factual details such as the hospital
in which a patient was last treated or the specific branch of a bank which
handles a customer's account). If some of the personal data concerned
contains third party information, the data disclosed should be edited to
screen out all references to an identifiable third party, unless the consent
of this party can be obtained.
Cost
In response to the concerns raised on the issue of cost, Commission officials say that the experience from Member States suggests that the right of access tends to be exercised only relatively rarely by people who are genuinely confronted with a problem. In the UK, for example, only two sectors, the police and the credit reporting sector, experience levels of subject access which have any significant resource impact for the organizations concerned. An independent cost-benefit study carried out in 1994 by Aston University on the likely impact of the then draft EU directive found that, although survey respondents were concerned about the costs of responding to access requests, they tended to assume a level of requests which was unrealistic on the basis of previous experience of national laws. The study also concluded that there was little evidence in either of the two countries studied (the Netherlands and the UK) that the introduction of legislation granting individuals rights to scrutinise their personal records had added significantly to processing costs.
Commission officials take the view that the infrequent exercise of the
data subject's right of access should not be interpreted to mean that it
has been limited in its impact. They believe, on the contrary, that
the existence of a legal right of access has required organizations to
fundamentally alter their record-keeping culture from a closed system to
an open and transparent one. The relatively low number of formal
access requests, they believe, probably disguises a much greater number
of cases where access is given informally by, for example, simply turning
a PC terminal on a counter around.
The possibility of charging
Responding to an access request requires a certain investment of time and effort to locate and extract all the relevant data held by an organization, verify that it does not identify third parties, and submit it to the data subject together with an explanation of any unclear or confusing codes or abbreviations used. As a result, some Member States plan to permit the data controller to charge a fee. According to Commission officials, this fee is considered a contribution to the costs incurred by the data controller in responding to the request. A maximum fee is generally laid down in law, at a level that does not provide a disincentive to the data subject to exercise his rights. The directive stipulates that the expense for the data subject should not be excessive.
Malicious or disruptive use
Commission officials say that concerns are occasionally raised that a legal right of access might be misused, for example, by an individual with an axe to grind against a particular organization by making large numbers of repeated access requests, or a competitor company organising a mass campaign of access requests destined for its rival. They acknowledge that such actions have the potential for significant disruption. They note, however, that there are no known examples of this, and that the directive stipulates that there should be a 'reasonable interval' between access requests.
Article 26 of Directive 95/46/EC
What is the definition of unambiguous consent?
Will it allow the continuing transfer of employee personnel data to the US where the employee had been asked for consent at the outset of employment?
What is the extent of discretion that Member States have in authorizing data transfers under these exemptions?
Commission officials draw attention to the definitions section of the directive, where consent is defined as follows: “the data subject's consent shall mean any freely given, specific and informed indication of his wishes, by which he signifies his agreement to personal data relating to him being processed." In order for the Article 26 (1) (a) exception to apply, consent must be unambiguous -- that is, there must be no doubt that consent has been given. Implied consent (e.g., an individual was made aware of the transfer and did not object) is insufficient to qualify for the exemption. Data subjects must be properly informed of the particular risk that their data may undergo as a result of the anticipated transfer to a country lacking adequate protection. If this information is not provided, the exemption will not apply.
Transfer of employee data is possible, according to Commission officials, provided that consent, as defined above, is obtained at the outset of employment. The consent must not be so generally worded that data subjects do not know which of their data are being transmitted to another country, to whom and for what purpose. Repetitive transfers of the same type, however, do not require repetitive information and consent.
Commission officials point out that the transfer of certain employee data could also fall under the exception foreseen in Article 26 (1) (b) because it may be necessary for the performance of a contract between the employee and his/her employer. This would be the case, for example, for the transfer of data necessary for the payment of the individual's salary or other related benefits.
As a general rule, Member States must recognize consent (as described
above) as a lawful basis for a transfer to a country which does not provide
adequate protection, although their domestic law might provide otherwise
for particular cases. One clear limitation that may be imposed by national
legislation concerns the special categories of sensitive data (i.e. data
revealing racial or ethnic origin, political opinions, religious
or philosophical beliefs or trade-union membership, and data concerning the
data subject's health or sex life), in relation to which the data subject's
consent is not recognized as being sufficient. Information on which Member
States have such limitations in their legislation will not be available until
implementation of the Directive is completed at the national level.
The “synthesis” paper adopted by the Article 29 group on 24 July contains
some guidance in the interpretation of Article 26 exemptions which will
help the development of a coherent view across all Member States.
Article 26 (1) (d) allows for a derogation where the transfer is legally required or necessary on important public interest grounds. Does the public interest here encompass information transferred from an EU Member State to the US because it is information required by regulatory bodies in the US?
The derogation refers to important public interest grounds as established in the national legislation of the EU Member State from which the transfer originates. Public interest of a Member State or of the EC could, in the view of Commission officials, include the exchange of information to another country for purposes of prevention of crime, etc. The transfer of data towards a US regulatory body would normally take place on the basis of internationally agreed exchanges of information, mostly characterized by tight confidentiality requirements.
What about information required for accounting purposes and stock exchange rules and other arguably public interest but non-governmental requirements?
This type of transfer is likely to be regarded as legitimate, according to Commission officials. International data transfers between tax or customs administrations or between services responsible for social security are cited in recital 58 as examples for the application of the derogation. A simple public interest justification for a transfer, however, does not suffice; it must be a question of important public interest and a decision on the application of the derogation can only be taken on the basis of specific information about the nature of the data required and the conditions of the transfer.
What is the scope of Member State discretion in authorizing data transfers?
Member States are required to introduce all derogations listed in Article 26, paragraph 1, into their national law, although they do have some discretion with regard to particular cases. The main limitation that may be imposed by national legislation refers to cases not recognized domestically as being "important public interest grounds". Supervisory tasks in the financial services sector, however, are usually co-ordinated at Community level. An example of this can be found in the first banking directive (77/780/EEC, recently amended), which foresees the possibility for Member States to conclude bilateral agreements with third countries providing for exchanges of information to take place for the purpose of performing supervisory tasks. The information can be disclosed only if guarantees of professional secrecy are at least equivalent to those in the directive.
Article 25 of the Directive: permission prior to transfer
Under the Directive, can Member State law require that a company obtain
before-the-fact permission from data protection authorities before transferring
data out of the Member State to a third country?
If so, have any Member States enacted such a requirement?
While Member States are required to achieve the same end results, they are free to develop their own methods for accomplishing those results. In Article 25, the directive indicates a series of parameters that must be taken into consideration when making the assessment of adequacy, but the decision on exactly how or when this evaluation must be carried out is left entirely to the discretion of national authorities. As a result, Member States may choose to introduce 1) a system of compulsory authorization prior to each and every transfer; 2) a simple notification to the supervisory authorities prior to the transfer; or 3) within a set of detailed guidelines, pass on to the controller the responsibility for checking whether or not the third country in question provides adequate protection. Whatever system is chosen by the Member State, it must fulfill the obligations of Article 25.
Since the implementation process is not yet complete, Commission officials were not able to answer the question about which Member States had adopted requirements that a company must obtain before-the-fact permission from data protection authorities before transferring data out of the Member State to a third country. They noted that, according to Law 2472 of 10 April 1997 on the Protection of the individual with respect to the processing of personal data, Greece requires that all data controllers must inform the supervisory authority in writing of their name, address, and a list of enumerated details regarding the processing in question, prior to a transfer of data to a third country which does not ensure an adequate level of protection. These details are included in a public register kept by the Greek authority. These provisions are apparently subject to a transition period and are not yet fully in force. Commission officials also noted that, prior to the entry into force of the Directive, most Member States had already adopted laws for the protection of personal data. They cited Spain and Austria as examples of countries that had opted for a system of compulsory notification prior to the transfer of data to a third country.
Personal information pertaining to a business vs a personal capacity
Much personal information is collected in the course of evaluating business risks and opportunities, such as information about key executives, key sales staff, irresponsible staff, etc. The directive could have a serious impact on the ability to collect and use this type of information in, for example, credit reports. Does the directive permit a distinction to be drawn between personal information that pertains to a person in his business capacity rather than in his personal capacity? Such a distinction would be extremely important to small and medium size companies, where personal information about key employees/owners will often be the critical basis for evaluating business relationships.
Since the directive regards personal data as any information relating to an identified or identifiable person, Commission officials believe that it is not possible to make a distinction between personal data pertaining to a person's professional capacity and personal data pertaining to his/her private life. Even so, the directive does not prohibit the collection and use of information about key executives, key sales staff, etc., provided that notice and consent are given.
They note also that the collection and processing of this data in the EU may be legitimate under the balance of interest clause in Article 7(f) of the Directive. Moreover, the duty to inform data subjects about the processing does not necessarily need to be fulfilled if the data is collected from a third party and the provision of information would involve a disproportionate effort (Article 11 (2)). The transfer of such data to a third country, however, would still be subject to the directive’s adequacy requirements.
The application of the directive to military and diplomatic personnel
The Directive is written broadly enough so that it appears to encompass personal information pertaining to foreign military and diplomatic personnel stationed in Member States. Would the directive implicate information transfers by the US Government from Europe to the US?
Commission officials took the view that the directive does not apply
to personal information pertaining to foreign military and diplomatic personnel
stationed in the European Union, processed by the US Government.
According to Article 3, the Directive does not apply to the processing
of personal data in the course of any activity that falls outside the scope
of Community law. However, data relating to military or diplomatic personnel
that is processed in Europe for a commercial purpose (e.g., direct marketing
or credit reporting) will be protected in the same way as data pertaining
to European citizens.
Pharmaceutical and medical research
Are there any special rules that will govern pharmaceutical and medical research so that the Directive will not interfere with studies in those areas?
Commission officials were aware of concerns expressed by pharmaceutical companies that the directive does not appear to permit collection of the kinds of information they need to conduct effective long-term research and that it would make it difficult to share such information with companies located outside the EU. They noted that these concerns appear to be based on the limitations imposed by the purpose principle: when researchers are collecting medical data, they do not necessarily know in advance all the precise uses to which it will be put.
Commission officials saw the question as mainly concerning the application of the Directive in the EU and not the transfer of data to third countries. This issue is dealt with in Article 6 (1) (b) of the Directive (similar provisions may be found in the Council of Europe's Convention No. 108 and the OECD Guidelines):
"1. Member States shall provide that personal data must be ....(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered incompatible provided that Member States provide appropriate safeguards."
Commission officials believe the concerns raised by U.S. companies are unfounded and that there is no implication that secondary processing for one kind of pharmacological research of data collected for a different line of pharmacological research would be prohibited.
Commission officials also pointed out that health data fall into the special categories covered by Article 8, which are subject to more restrictive conditions for their processing. They noted that, as a general rule, these data may only be processed under certain conditions, namely: 1) when the data subject has given his explicit consent (Article 8 (2) (a)), or 2) when processing of the data is required "for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment..." (Article 8 (3)).
Member States may also lay down additional exemptions for reasons of substantial public interest, subject to the provision of suitable safeguards (Article 8 (4)). Commission officials pointed out that Recital 34 of the directive specifically mentions scientific research as an area which could be regarded as falling within the notion of "important public interest."
Regarding transfers of data to third countries, Commission officials believe that US business concerns are based on the mistaken assumption that data transfers to the US are likely to be blocked across the board unless there is a finding that data protection in the US is "adequate." They hope that the pharmaceuticals sector in the US will put in place and implement a privacy code that can be judged "adequate" for the purposes of the Directive. If companies did this, there would be no reason to expect any disruption in data flows between EU and US research partners. If they did not, a company could still transfer data from the EU to the US if it provided for the necessary safeguards through a contractual arrangement. Commission officials believe that there is nothing specific about the pharmaceutical sector as regards transfers to third countries; the usual considerations apply.