
The Data Protection Directive 95/46/EC: Idealisms and Realisms

Article in International Review of Law, Computers & Technology · January 2012


DOI: 10.1080/13600869.2012.698453


All content following this page was uploaded by R. Wong on 04 June 2014.



The Data Protection Directive 95/46/EC: Idealisms and
Realisms

Dr Rebecca Wong*

Following proposals to consider revising the Data Protection Directive 95/46/EC
(“DPD”) in 2011, have the changes addressed the main areas of concern that have been
the focus of much discussion? These include the application of the Directive in the
online age, particularly to social networking sites and cloud computing; the
minimum/maximum standard approach by the EU Member States to data protection;
and the relevance and application of the data protection principles. These are some of
the issues that were considered in the recent Art. 29 Working Party’s Opinion on the
Future of Privacy. The article will use this as a starting point of discussion to identify
the extent to which impending proposals to revise the Data Protection Directive are
closely aligned to the Opinion, and will consider the recent European Commission
Communication (6/2010) on the comprehensive approach to personal data protection in
the European Union. According to the Art. 29 Working Party, the level of data
protection in the EU can benefit from a better application of the existing data protection
principles in practice. This paper will attempt to address some of the difficult questions
and consider the challenges that lie ahead in implementing the changes introduced by
forthcoming revisions to the DPD.

Keywords: idealisms; realisms; data protection

Introduction

The aim of this article was to examine the impending proposals to the Data
Protection Directive 95/46/EC. As the revisions of the Data Protection Directive
(hereinafter “DPD”) are unlikely to be forthcoming until the next few months,1
the article will therefore revisit the Art. 29 Working Party’s Opinion on the
Future of Privacy2 and the recent Opinion submitted by the European
Commission on the Comprehensive approach to personal data protection in the
European Union,3 followed by a brief analysis of issues surrounding cloud
computing, which will serve as a platform for discussion and provide an
introduction into the likely areas to be addressed in the impending Directive in
the forthcoming months.
Before the issues are looked at, the background to the Data Protection
Directive (“DPD”) will be considered to set the scene for this article, followed by
a closer examination of the key issues detailed by the Art. 29 Working Party in its
opinion.
The background to the DPD needs no introduction. The DPD is a relatively
new piece of legislation when compared with other laws such as the European
Convention on Human Rights. Enacted back in 1995, it was originally modelled on
the Council of Europe Convention on data protection. The DPD could be regarded
as the first piece of legislation to harmonise the data protection laws within the
European Union. It took several years before Member States changed their laws
to implement the Directive.4 However, there are still outstanding issues
surrounding the interpretation of legal concepts by national courts and national
Data Protection Authorities, and over whether the national laws have fully
implemented the Directive.5
The DPD was originally passed to deal with the processing of personal
information held in large computerised databases6 and, among the changes,
introduced the new concepts of “data controller” and “data processor” (replacing,
inter alia, the archaic UK terms “data user” and “Data Registrar”).7 The DPD
further introduced rules governing the processing of sensitive data, which requires
explicit consent under Art. 8 of the DPD, and rules dealing with the
transfer of personal data to non-EU countries (laid down under Arts. 25 and 26 of
the DPD). Whilst most of the EU Member States have managed to implement the
DPD by introducing new laws or amending their data protection laws, the
application of the DPD and the interpretation of its legal concepts have resurfaced
before the national courts, beginning with the well-known case of Lindqvist,8 which
was referred by the Swedish courts to the European Court of Justice and which
tested the extent to which the DPD can be applied online. Whilst the
ECJ clarified the scope of the Data Protection Directive, its decision was not a
popular one. It led to changes to the existing data protection laws within
Sweden: the existing exceptions provided under the Swedish Personal
Data Act were used to amend the law and adopt the misuse-orientated approach.9
The main aspects of the ECJ decision in Lindqvist were:

1) Its interpretation or application of the DPD online
2) Its application of the rules on transborder data flows under Art. 25 of the DPD
3) Its interpretation of “sensitive data” online

These issues have been considered elsewhere10 and therefore will not be dealt
with here. Suffice it to state that the application of the DPD has left many internet
users surprised at the overreaching application and enforcement by some Data
Protection Authorities for activities regarded by them to be the social norm such
as the use of photos of Church members on a personal website accessible to
anybody.11
The next landmark case was Productores de Musica de Espana
(Promusicae) v Telefonica12 whereby Promusicae, a non-profit making
organisation of producers and publishers of musical recordings asked the
Spanish Court to order Telefonica to disclose the identities and physical
addresses of certain individuals who were using P2P applications such as Kazaa.
The Court of Justice considered several Directives in relation to the preliminary
reference ruling including Directive 2002/58/EC for deciding the case. It held
that the Directive did not preclude the possibility for the Member State to lay
down an obligation to disclose the personal data in the context of civil
proceedings. The Court of Justice was able to conclude that the Directives in
question did not require Member States to communicate personal data in order
to ensure effective protection of copyright in the context of civil proceedings. A
fair balance needed to be drawn between the various fundamental rights that are
protected by the Community legal order. The implications of this case are that it
reinforces the need to protect the privacy of internet users and that this should not
be compromised at the expense of other rights. The key to this is whether there are
other means available that do not require disclosing information about other users,
assessed under the proportionality test: is the measure proportionate to its end?
In another parallel case, LSG-Gesellschaft zur Wahrnehmung von
Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH,13 LSG was a
collecting society responsible for enforcing copyright in the exploitation of
recordings in Austria. LSG applied for an order to require Tele2 to send it the
names and addresses of the persons to whom it provided an internet access
service, together with their IP addresses. Tele2 refused, holding the view that it was
not an “intermediary” within Directive 2001/29/EC. The Commercial Court of Vienna
granted LSG’s application, holding that Tele2 was an “intermediary”. A reference for a
preliminary ruling was made to the Court of Justice on the definition of an “intermediary”
within Art. 5(1)(a) of Directive 2001/29/EC on the harmonisation of certain
aspects of copyright and related rights in the information society. The Court of
Justice referred to the Promusicae case, reiterating the view that Art. 15(1) of the
Directive on Privacy and Electronic Communications 2002/58/EC did not
preclude a Member State from imposing an obligation to disclose personal
data in the context of civil proceedings, nor did it oblige the Member State to impose
such an obligation. The national courts should, according to the Court of Justice, make
sure they do not rely on an interpretation of those directives which would
conflict with those fundamental rights or with other general principles of Community
law, such as proportionality, when deciding between the protection of privacy and the
right to property. The Court of Justice took the view that access providers (such as
Tele2) which merely provided users with Internet access, without offering other
services such as email, FTP or file-sharing services and without exercising any
control, whether de iure or de facto, over the services which users made use of, would
be regarded as ‘intermediaries’ within the meaning of Article 8(3) of Directive 2001/29.
The case reinforces the application of Promusicae, and there is more certainty on the
direction of the Court of Justice when dealing with the disclosure of users’ data
and their privacy in the context of intermediaries.
A slightly different case, but one which provides a definition of “journalistic”
purposes, was decided by the Court of Justice in Tietosuojavaltuutettu v
Satakunnan Markkinapörssi Oy and Satamedia Oy (Satamedia).14 The Court of
Justice held that the activities in question, which related to data from documents
in the public domain under national legislation, were activities involving the
processing of personal data carried out “solely for journalistic purposes”. It was for
the national court to determine whether data on the earned and unearned income and
the assets of natural persons were to be interpreted as “processing of personal data”
within the meaning of the DPD.
Whilst there are some issues that continue to test the legal waters, the ECJ
has provided some guidance on the application of the DPD online. What
continues to remain a controversial issue (amongst data protection practitioners
and policymakers) is the interpretation of the notion of “personal data”. Should
the European approach be followed, embracing the broad notion of “personal
data” set out in the guidelines provided by the Art. 29 Working Party,15 or
should the national courts’ approach be followed, which has limited this notion,
for example, to information which is “biographical” and more than “putative” (as
interpreted by the English courts)? More likely than not, the English Court of
Appeal’s approach is the one that will be applied.16 The Information
Commissioner (“ICO”) has given some guidance17 on this. For instance, the
recent Personal Information Code published by the UK ICO took the view that an
IP address was only personal data if it related to a PC or other device that has a
single user.18 IP addresses and cookies could not be connected to a single user
where there was a single household PC used by different family
members.19
This is indicative of how the issues of personal data are applied in
practice.

Art. 29 Working Party’s Opinion on the Future of Privacy

1. Introduction

The Opinion20 was published in December 2009 and focussed on several issues
during the lead up to the revision of the DPD in 2011. More specifically, it set out
to achieve the following:

1) Clarify the application of some key rules on data protection.
2) Innovate the (data protection) framework by introducing additional
principles.
3) Strengthen the effectiveness of the system by modernising
arrangements in Directive 95/46/EC.
4) Include the fundamental principles of data protection in the
comprehensive legal framework.

The Art. 29 WP was of the view that there was room for flexibility and
differences between the sectors, provided they fit within the notion of a
comprehensive framework and comply with the main (data protection) precepts.
As the author has previously written on this,21 only the main salient points will
be considered here:

1) Application of the DPD
2) International transfers
3) Privacy by design principle

Each point will be dealt with below.

2. Application of the Directive 95/46/EC

Art. 4 lays down the rules governing the application of the Directive and is
relevant because this part is likely to be revised following calls from the
European Justice Commissioner, Viviane Reding, to have it amended so that data
protection laws are more effective when dealing with social networking sites.22
Currently, the Directive applies to organisations or individuals who are
based within one or more of the EU Member States. The Member States’ national
data protection laws would therefore apply. For example, if the data controller
was based in France, then the data controller would be expected to comply with
the French data protection laws. The Art. 29 Working Party’s recent opinion23
attempts to clarify several questions relating to the application of the law.
According to the Guidelines, the main criteria in determining the applicable law
is the location of the establishment of the controller and the location of the means
or equipment being used when the controller is established outside the EEA
rather than the nationality or place of habitual residence of data subjects. One of
the scenarios raised by the Art. 29 Working Party24 is worth mentioning:

Controller is established in Austria, in the context of activities of which he processes
personal data collected on its website – the website is accessible to users in various
countries. The data protection law applicable will still be the law of Austria, where
the establishment is situated independently of the location of users and of data
(emphasis added).25

Whilst it gives some certainty over the law to be applied, it raises several
problems. If an online user (X) from country A purchases items from a data
controller who is based in country B, the data protection laws of B would apply.
To amplify the example, suppose the data controller has suffered a data security
breach resulting in the loss of personal information, including data belonging to
X. Although the data protection laws of B apply, recourse or a remedy would be
difficult to obtain in practice without X first having to complain to the data
controller. If this fails, then the next step would be either to
complain to their own Data Protection Commissioner in their own country or to
instigate legal proceedings against the data controller (based in country B) for an
appropriate remedy. This illustrates the complexities of data protection law and
the administrative hurdles that exist for a data subject seeking recompense.
The second scenario given as an example by the Art. 29 Working Party
further reinforces the point of administrative hurdles:

In the fourth scenario, the controller established in Austria opens a representation office in
Italy, which organizes all the Italian contents of the website and handles Italian users'
requests. The data processing activities carried out by the Italian office are conducted in
the context of the Italian establishment, so that Italian law would apply to those activities.26

From the perspective of the data subject, and leaving aside whether the law conforms
to the Data Protection Directive, there are administrative burdens to overcome
when users enforce their rights online against an EU data controller (not based in
the UK). If a non-UK EU data controller experiences a security setback, the
effectiveness of the data protection law may be undermined if data subjects
experience problems in enforcing their rights (in applying for compensation
etc.) without having to take this up with the UK Supervisory Authority (ICO). The
argument is not about data controllers that have the appropriate mechanisms in
place to deal with data protection complaints, but rather the hurdles that online
users may have to overcome in exercising the rights provided under the Data
Protection Directive (or in this instance the Data Protection Act 1998).
With impending rules to amend the DPD, this section is likely to be
revised such that (a) the DPD would apply irrespective of where the data
controller is based and (b) the Data Protection Authorities would be given
powers to investigate against non-EU data controllers who target EU citizens.
One recommendation is to allow online users who have experienced data
security setbacks from the loss of their data (if applying through the data
controller would be difficult) to follow the Product Liability model, where the law
to be applied would be that of the place where the damage occurred, so that it
would be easier for data subjects to enforce their rights.27 This would make the
Data Protection Directive more effective. This is not to indicate that there are no
proposals to strengthen the data subject’s rights (under the forthcoming changes
to the Data Protection Directive), which are discussed later in this article, but this
is one way to address this area.
It should further be added that the Rome Regulation II 864/2007 on the
law applicable to non-contractual obligations28 provides that the law that applies
would be that of the country where the damage occurred. Currently, the Rome
Regulation excludes violations of privacy and rights relating to personality,
including defamation, from its remit29 (see Art. 1(g) of the Rome Regulation
864/2007). However, as the Rome Regulation II is likely to be under review, this
should be reconsidered in order to reinforce the rights conferred on users as data
subjects. Given the limitations of this article and the breadth of the Rome
Regulation, this is not considered further here.30
As the Data Protection Directive is likely to be amended, several actors are
likely to be involved. Namely:

1) Data Protection Authorities
2) Individuals as data subjects
3) Organisations in their role as either the data controller or the data
processor

Before addressing some of the likely changes, one significant case that
exemplifies the misuse of personal information in a social networking
environment is Applause Store Productions Ltd and Anor v Raphael,31 where a
businessman brought legal proceedings against a former friend for posting a
false profile on Facebook. The case was based on the legal grounds of defamation
and misuse of private information. The High Court held the defendant liable for
defamation and misuse of private information. It took the view that

As far as the tort of misuse of private information is concerned, I accept Mr Firsht's
evidence that it caused him, a very private person, great shock and upset. The
information which has been conceded to be private, or which I have held in the private
annex to this judgment to be private, related to his supposed sexual preferences, his
relationship status (single or otherwise), his political and religious beliefs, and his date of
birth. It seems to me that the most important information is that which relates to his
supposed sexual preferences.32

Although this was not based on data protection, this case confirms the
alternative yet very effective grounds to protect personal information under
these circumstances.
Another recent example is that of the Irish Privacy Commissioner, which
recently audited Facebook to consider the extent to which Facebook adhered to
the data protection rules. Whilst the results of the audit appeared to be more
favourable to Facebook, it did recommend widespread changes that Facebook
would need to implement to improve privacy on Facebook,33 including more
informed choices for Facebook users on how their information is used and
shown on the website, increased transparency and controls over how their
personal data is used for advertising purposes, and transparency and control for
users over the data held about them as part of their everyday interaction.34
According to the report, Facebook was entitled to use customer data for advertising
purposes, but users should have more control to decide whether links should be
made to their profile information.35
Whether individuals are likely to take a proactive approach by exercising
the rights to protect their privacy laid down under their data protection laws is
another question. The impending changes to the Directive, and their extent, are
likely to raise questions over the paternalistic approach by the EU in protecting
users’ right to use SNS and over SNS’s responsibility in complying with the DPD. For
the few who use SNS, the changes under the DPD are likely to be welcomed as
reinforcing the broad scope of the legislation and bringing it up to speed with
technological developments, but for some, perhaps, an inconvenience if the changes
go too far and affect the day-to-day workings of what has become the norm for
those who use SNS to communicate. What is called for is a balance in the use of
SNS, and a wake-up call for those who are either over-reliant on SNS or excessive
in disclosing personal information about themselves or others.

3. International transfers

Art. 29 WP was of the view that the “adequacy” principle should be redesigned.
The “adequacy” principle is based upon Art. 25 of the DPD whereby personal
data cannot be transferred to non-EU countries without satisfying the adequacy
standards laid down under Arts. 25 and 26 DPD. The Art. 29 WP further
recommended redefining the criteria for the legal status of “adequacy”.
To date, only a handful of countries36 including Hungary, Switzerland,
Canada (PIPEDA) and very recently Israel have achieved adequacy status and the
use of contractual terms by organisations transferring personal data to non-EU
countries is likely to be the most appropriate way to deal with the transfer of
personal data to non-EU countries.37

4. Privacy by Design Principle

This is not new, but was considered after the first review of the DPD back in
2003.38 The idea behind the “Privacy by Design” principle is to introduce this
under the new framework for the DPD. As the need arises, there will be further
regulations aimed at specific technological contexts. It would bind technology
designers and producers and data controllers when using ICT technology, such
that “privacy by default” would become the norm and not the exception. This
could also be considered as an initiative on the part of the Data Protection
Authorities and even the European Commission to encourage industry players to
start embedding privacy enhancing technologies. It has to be added that some
countries already have privacy enhancing technologies (PETs). Germany is one
example that has embraced this.39 There may be some problems surrounding the
understanding of this concept. How is it to be understood? Other issues include the
cost involved and whether consumers may need to be educated or made fully
aware of what PETs stand for.

European Commission: Comprehensive Approach to Data Protection

The European Commission recently published its own opinion40 detailing its
approach in the run up to the revision of the Data Protection Directive. Some of
the issues raised in its opinion reiterate those of the Art. 29 Working Party’s
Future of Privacy. It concentrates on four main areas:

1) Strengthening individuals’ rights
2) Enhancing the internal market dimension
3) Revising the data protection rules in the area of police and judicial
cooperation in criminal matters
4) Global dimension of data protection

For brevity, the first two points will be considered in brief, which will give
some indication of the direction in which the changes to the impending Directive
are likely to take.

1. Strengthening Individual’s rights

In terms of strengthening individuals’ rights, the Commission is considering
introducing a general principle of transparent processing of personal data to
ensure that individuals are informed of “who” is processing their data and “why”.
Looking at the Data Protection Directive, it could be submitted that
this is already provided for under the current provisions, but the Commission
appears to be concerned with the ambiguity with which information is provided to
data subjects. It has indicated that information to users should be made
accessible and easy to understand, in clear and plain language.
Secondly, the Commission is considering extending the remit of data
breach notifications beyond that which is currently covered under the new
changes to the Directive on Privacy and Electronic Communications 2002/58/EC
(through the Citizens’ Directive 2009/136/EC), which only applies to the
electronic communications sector. Only the electronic communications sector has
to notify data security breaches. The Commission recognises that there are
risks posed in other sectors beyond electronic communications, such as the
financial sector, and is therefore considering the possibility of extending this to
other sectors. This should not, according to the Commission, have any effect on
the changes to be made to the DPEC, which applies to the electronic
communications sector.
Thirdly, the Commission is considering enhancing users’ control over their
data. Two preconditions were highlighted: namely, the limitation of the data
controller’s processing in relation to its purposes, and the retention by data
subjects of effective control over their data. An example of social networking
(“SNS”) was given, in which individuals were not able to have access to their
personal data from online service providers. Whilst there is a need to reinforce
the data subject’s ability to control the data that is held, there is a certain degree
of doubt over how this could be applied in practice, particularly when an
individual’s data is intertwined with the data of others (such as group photos, family
and friends and so forth). It remains doubtful how this can be made workable, other
than by reinforcing the rights of individuals to access their data, particularly in an
SNS context. Furthermore, if the view is that SNS is a public rather than a private
environment, the question is whether to take a societal view that SNS should be
regulated (Regan and Raab), an individualistic view, from which there is no such
need, or a consumer approach?41 Furthermore, the ability to control data is likely to
bring into question how this can be balanced with the right of others to be able to use
the data for various (legitimate) reasons, such as freedom of information or
within a domestic context (ie. the family or friends scenario).
Other ways of strengthening the individual’s rights include plans to
examine the principle of data minimisation; improving the modalities for the
exercise of the rights of access, rectification, erasure or blocking of data;
complementing the rights of data subjects by ensuring “data portability”; and
clarifying the “right to be forgotten” principle.
The “right to be forgotten” principle has not been met with much
enthusiasm from the ICO nor from some experts. For example, in the
context of news archives, to what extent would this principle apply where
information about an individual was in the public interest? According to Walker,

There may be examples of stories that appear about individuals that do not need to
be kept accessible in the public interest around the time they are published, but
which 10 years later, perhaps because the individual has in the meantime become a
public figure, should be publishable in the public interest.42

This is a valid point, and it remains unclear how this is likely to be applied in
practice. Walker further adds that

Distinguishing between what is in the public interest and what is simply of interest
to the public is not always easy and the inherent conflict between the right of free
speech and the right to privacy will remain a difficult one to reconcile under this
proposed regime. Of course that’s not to say that just because it is difficult means it
should not be implemented in the new data protection regime.43

In view of Art. 9 of the Data Protection Directive (exemptions from the rules on
the processing of personal data on the grounds of artistic, literary and journalistic
purposes), it is likely to be a balancing act. Furthermore, it should be
remembered that national legislation gives the Member States
some degree of room for manoeuvre, so, if one were to hypothesise, this is likely
to be a matter for the national courts and national legislation to determine the
circumstances in which this is likely to apply (as with the Court of Justice case of
Lindqvist44 when determining the criterion for “journalistic purposes”). On the
same principle, the ICO took the view that the “right to be forgotten principle”
could “mislead individuals and falsely raise their expectations, and be impossible
to implement and enforce in practice. There are implications for freedom of
expression and questions as to how far individuals should be able to rewrite their
own or others’ history.”45 The ICO further adds that it wants EU laws to "clarify
the relationship between transparency and consent and be realistic about the
levels of individual control".46 It is unclear at this stage how this is likely to be
applied in practice, but clearly these questions are likely to bring into sharper
focus the problems that might come into play when individuals decide to
exercise their “right to be forgotten”. Whilst the principle should be welcomed,
there should be clearer guidelines from national Data Protection Authorities on
how it can be applied, for instance to prevent the potential for misuse of this right
or a potential influx of claims to delete personal data on a specific website. Will
there, for example, be exceptions to the “right to be forgotten”, as there are for the
processing of ordinary and “sensitive data” under Arts. 7 and 8 of the Data
Protection Directive respectively? Would the “right to be forgotten” principle apply
to anyone (as a general right) irrespective of where they are based? In other words,
how would it apply to information about individuals based in a non-EEA country
that is processed by EU data controllers?
Raising awareness of the risks in the processing of personal data was
also a theme raised in the Commission’s opinion.
Other ways of strengthening the rights of individuals include clarifying and
strengthening the rules on consent. Currently, there are differences in the
interpretation of “consent”, ranging from a general requirement of written
consent by some Member States to the acceptance of “explicit” consent.
Clarification was called for from the European Commission, particularly in the
context of behavioural advertising, where internet browser settings delivered
the user’s consent. It is doubtful, however, how the users’ level of understanding
of the internet settings could be assessed. In other words, does one expect a
reasonable level of comprehension in the use of the internet or a much lower
standard? It is submitted that, with the wide use of websites such as Amazon,
Facebook47 and Google, the level of users’ understanding of the internet is
reasonably high, but whether this correlates with their level of
understanding of internet security is not completely clear.48
The Commission also plans to revisit the “sensitive data” category and
consider whether other categories such as genetic data should be added within
the scope of “sensitive data”. It could be submitted that genetic data is a form of
“health data” under Art. 8, so it is questionable why there is a need to make an
express reference to this. There are other forms of data such as financial data of
a user or clickstream data that should be considered in this review.49
Finally, the Commission plans to make remedies and sanctions more
effective. This would mean that the Commission would consider whether it
would be possible to extend the powers of the Data Protection Authorities and of
relevant associations representing data subjects to bring an action before the
national courts for data protection breaches. Class actions were one form that
was considered, so it is not clear whether this was what the Commission had in
mind. The Commission also plans to consider strengthening the existing provisions
on sanctions, such as criminal sanctions for serious data protection violations. It
should be added, however, that the current national framework (UK)50 does
provide for strong remedies to be used in light of data security breaches, so this
is likely to reinforce and bring into focus the underlying aims and rationale of data
protection laws.

Enhancing the internal market dimension

In the context of the internal market dimension, the European Commission will
examine how to revise and clarify the existing provisions on applicable law,
including the current determining criteria, in order to improve legal
certainty, clarify Member State responsibility for applying data protection
rules and ultimately provide the same degree of protection for EU data
subjects irrespective of the geographic location of the data controller.

There are five areas that the European Commission will address:

1) Ways to achieve further harmonisation of data protection rules at EU
level.
2) Revise and simplify the current notification system for data protection.
3) Clarify and revise the rules on the applicable law and Member States'
responsibility to improve legal certainty.
4) Enhance the data controller's responsibility.
5) Encourage self-regulatory initiatives and explore EU certification
schemes.

The first four points are explored briefly below.

1. Harmonisation

The European Commission was of the view that there were differences between
the national laws implementing the Directive, for example on the processing
of personal data in the employment context or in public health, which run
counter to one of its objectives, namely the free flow of personal data laid
down in Art. 1(2) of the Data Protection Directive 95/46/EC. The European
Commission therefore plans to examine the means to achieve further
harmonisation of data protection rules at EU level. It did note that the
Directive's harmonisation of national data protection laws was not limited to
minimum harmonisation but amounted to complete harmonisation. This could
mean the Commission issuing further guidelines on the application of the
Directive, or specific provisions being introduced in the forthcoming
Directive for greater clarity.

2. Notification system

One of the points raised by the European Commission was the need to reduce
the administrative burdens currently placed on data controllers. One way of
achieving this would be to revise and simplify the current notification
system, under which data controllers must notify their processing operations
to the Data Protection Authorities. The European Commission plans to examine
ways to simplify and harmonise the current notification system, which may
include drawing up a uniform EU-wide registration form. This further
illustrates the realistic approach taken to the application of the data
protection framework, the extent to which it can be achieved effectively, and
the recognition of the setbacks the current data protection framework has.

3. Applicable law

On this issue, the Commission noted that determining the law to be applied
(under Art. 4 of the Data Protection Directive 95/46/EC) was becoming
increasingly complex, particularly in the light of globalisation and
technological developments. The deficiencies highlighted in the Commission's
first report on the implementation of the Data Protection Directive in 2003
did not appear to have been resolved or improved. For instance, according to
the European Commission, a multinational company established in more than
one Member State could, as data controller, be subject to different
requirements from different Member States. With this problem in mind, the
Commission aims to revise and clarify the existing provisions on applicable
law. As discussed earlier, this rule could be simplified if the stance taken
in the Electronic Commerce Directive (compliance with the data protection
rules of one Member State, that of establishment, being sufficient) were
adopted.

4. Data controller’s responsibility

The Commission was of the view that the data controller's responsibility and
obligations should be expressly defined within the legal framework, and it
would explore ways to enable data controllers to put in place effective
policies and mechanisms to ensure compliance with data protection rules. This
may mean introducing an "accountability" principle, but the Commission was
clear that this would not increase the administrative burden on data
controllers but would rather focus on establishing safeguards and mechanisms
to make data protection compliance more effective.
To further reinforce the data controller's responsibility, the Commission
would also consider making the appointment of an independent Data Protection
Officer mandatory51, and imposing an obligation on data controllers to carry
out a data protection impact assessment in specific cases. The latter should
be distinguished from a Privacy Impact Assessment, since it deals with certain
types of processing that involve specific risks, including profiling or video
surveillance.
The Commission would also promote the use of Privacy Enhancing Technologies
("PETs") and explore ways to implement the concept of "Privacy by design".
This could include means to minimise the processing of personal data by using
anonymous and pseudonymous data, such as the use of encryption tools and
automatic anonymisation after a specific period.
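As an added example (not code from the article, nor from the Commission or any data protection authority), the following Python shows the two measures just described in a form a controller could actually deploy: a keyed pseudonym that replaces the e-mail address at the point of collection, and an automatic anonymisation pass that strips the pseudonym once a retention period has elapsed. The key, the record layout, the 90-day period and the sample events are all assumptions made for this example.

```python
"""Pseudonymisation at collection time and time-bounded anonymisation.

This is an added example, not code from the article or from any EU body.
It illustrates two "privacy by design" measures: replacing a direct
identifier with a pseudonym so the clear identifier never reaches storage,
and automatically anonymising records once a retention period has passed.
The key, the record layout and the 90-day period are assumptions.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical secret held by the controller, stored apart from the data
# (e.g. in a KMS).  Without it the pseudonym cannot be linked back to the
# e-mail address.  This is what distinguishes it from a plain hash: the
# space of e-mail addresses is small enough to enumerate, so an unkeyed
# SHA-256 would be reversible by dictionary attack.
PSEUDONYM_KEY = b"example-key-replace-with-kms-managed-secret"  # assumption
RETENTION = timedelta(days=90)                                   # assumption


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 of a normalised identifier, as a 64-char hex pseudonym.

    Normalising (strip, lower-case) makes 'Alice@Example.org' and
    'alice@example.org' map to the same pseudonym, so a data subject's
    records can still be located for an access or erasure request while
    the key is available.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def ingest(raw_events: list[dict]) -> list[dict]:
    """Replace the e-mail in each raw event with its pseudonym at the point
    of collection.  The returned records carry no clear identifier."""
    return [
        {"pid": pseudonymise(e["email"]), "event": e["event"], "ts": e["ts"]}
        for e in raw_events
    ]


def anonymise_expired(records: list[dict], now: datetime,
                      retention: timedelta = RETENTION) -> list[dict]:
    """Return a copy in which every record older than `retention` loses its
    pseudonym and exact timestamp, keeping only the event type and month.
    Run periodically, this enforces the retention limit automatically
    instead of relying on a manual purge."""
    out = []
    for r in records:
        if now - r["ts"] > retention:
            out.append({"event": r["event"], "month": r["ts"].strftime("%Y-%m")})
        else:
            out.append(dict(r))
    return out


# Constructed sample input (not real data): three events, one of them
# older than the retention period.
NOW = datetime(2012, 1, 15, tzinfo=timezone.utc)
RAW_EVENTS = [
    {"email": "alice@example.org", "event": "login", "ts": NOW - timedelta(days=1)},
    {"email": "Alice@Example.org", "event": "purchase", "ts": NOW - timedelta(days=30)},
    {"email": "bob@example.org", "event": "login", "ts": NOW - timedelta(days=120)},
]


def process(raw_events: list[dict] = RAW_EVENTS, now: datetime = NOW) -> list[dict]:
    """Full pipeline: pseudonymise on ingest, then apply the retention rule."""
    return anonymise_expired(ingest(raw_events), now)


if __name__ == "__main__":
    for record in process():
        print(record)
```

Keyed hashing matters because an unkeyed hash of a low-entropy identifier such as an e-mail address is reversible by enumeration; with the key held separately, the dataset alone cannot be re-linked, while the controller can still find a subject's records to answer an access or erasure request. Destroying the key at the end of the retention period anonymises whatever pseudonymised data remains.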

The Cloud

In this section, the author wishes to address an area that has been the
subject of much topical debate and is likely to remain so in the months
leading up to the revision of the Data Protection Directive 95/46/EC. There
appears to be some recognition at a European level that the "cloud" should be
brought within the scope of the data protection framework. This is also a
recognition of the wider need to apply the data protection rules better to
evolving technologies. As the definition of the cloud has been discussed at
length in the literature52, the author will not consider it in any great
detail. For the purposes of this section, the cloud is taken to mean services
and/or applications that operate over the internet (such as the Software as a
Service, Platform as a Service and Infrastructure as a Service models).
Hon, Millard and Walden53 argue in a recent article that it is neither
realistic nor practical for the current data protection framework to apply to
cloud computing as it stands, that the definition of "personal data" under the
DPD should be based on a realistic risk of identification, and that the data
protection rules should therefore be based on the risk of harm and its likely
severity.54 In the second part of their article, the authors argue that cloud
computing providers should be treated as mere neutral intermediaries, with an
immunity from data protection obligations similar to that provided under the
Electronic Commerce Directive 2000/31/EC55 (which exempts internet service
providers from liability through specific defences).
This further indicates the symptomatic problem of the Data Protection
Directive having to catch up with new technologies, or, to put it
metaphorically, the "new wine into old wineskins" scenario.
In a recent article entitled "Can a cloud be really secure? A Socratic
dialogue", Dhillon and Kolkowska56 highlight the difficulties of imputing
responsibility in a cloud environment:

I think dealing with "responsibility" in the cloud is extremely "difficult". We have
cloud service providers, cloud customers (companies and individuals) and those
that regulate the cloud. Today, it is unclear how responsibilities should be divided
between these different actors…. For example who should be responsible for
compliance with Data Protection regulators such as the European Union directive
95/46/EC? This is just one example of ambiguousness where organisations are
unable to differentiate between who is responsible, who is accountable, who has
authority and when things go wrong, who is to be blamed.57

The authors make some recommendations for the current cloud system: the
security of a cloud should include, amongst other things, information
security practices that are contextualised.58 Depending on the context,
information security objectives need to be reformulated, since, according to
the authors, each and every context is different. Alongside these
recommendations, they also take the view that trust in relationships needs to
be inculcated and good ethical principles defined.
Whilst the boundaries of the regulatory framework as applied to the cloud are
not always clear cut, Poullet (et al.) in "Data protection in the clouds"59
further remark that

Cloud computing seems closer to fog than cloud and it might constitute a real
danger for the users and data subjects whoever they are (legal entities,
individuals).60

One of the features of the cloud which the authors highlight is the loss of
control over data by users of cloud computing: the data is somewhere "in the
cloud". Several issues were raised by the same authors in the context of the
cloud, including the problem of users exercising control over their data in a
cloud environment and whether a cloud computing service provider could be
classified as a "data controller" within the data protection legal framework.

The obligations of cloud service providers under the Data Protection
Directive, their scope and their responsibilities (if any) to users are likely
to be discussed further in the months leading up to the revision of the Data
Protection Directive. It would be beyond the scope of this article to discuss
this in more depth, but it serves as one example where the Data Protection
Directive will have to adapt to challenging technologies which may raise
information security and privacy risks for the user.

Concluding Remarks

Although the Directive is likely to be amended in the coming months, it must
not be forgotten that when the Data Protection Directive was introduced in
1995, there were already shortcomings in the application and understanding of
the Directive through the national data protection laws. Much of the focus and
discussion at a European level has been on streamlining, clarifying and
strengthening the current data protection framework.
Undoubtedly, there will be opaque areas in the application of the
forthcoming Directive to issues such as behavioural advertising and cloud
computing, and in the limits of that application. If the Directive is to be
applied in the most cohesive way, it ought to be applied in the most
"realistic" manner by Data Protection Authorities (through the use of their
discretion), recognising the balance between protecting individuals' personal
information on the one hand and, on the other, organisations' role in
ensuring the security of individuals' data.
Although changes to the Data Protection Directive are long overdue, its
application should be given a fluid interpretation so that the definitions are
not applied too narrowly or restrictively to data controllers. It is a further
wake-up call to data controllers about the significance of protecting users'
data against the privacy risks that may be brought by developments in social
networking, cloud computing and behavioural advertising, reinforced by
proposals to strengthen the data protection remedies available to users (as
data subjects).
There is likely to be much toing and froing in the discussions at both
European and national level amongst regulators, Data Protection Authorities,
affected organisations and individuals. It will also remind users of the
important question: what are the reasonable expectations of privacy for users
online?
To revisit McNealy's remark of some years ago that "privacy is dead, get
over it", the current legal developments surely demonstrate the converse:
protecting privacy is still very much a current and topical issue.

* Correspondence: Rebecca Wong, Senior Lecturer, Nottingham Law School, Burton Street,
Nottingham, NG1 4BU, UK, E-mail: R.Wong@ntu.ac.uk. Any errors or omissions remain with the
author. The author would like to thank the participants of the Cyberlaw Stream of the Society of
Legal Scholars, September 2011, for their feedback.

Notes

1. Proposals to revise the European Data Protection Directive are anticipated in early 2012. See Data Guidance, EU: Privacy proposal to amend EU Directive to be issued end of January 2011, available at http://www.dataguidance.com/news.asp?id=1655, dated 11 November 2011, and EUROPA, Stronger data protection rules at EU level: EU Justice Commissioner Viviane Reding and German Consumer Protection Minister Ilse Aigner join forces, available at http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&type=HTML, dated 7 November 2011.
2. Art. 29 Working Party, The future of privacy (WP 168), adopted 1 December 2009, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf.
3. European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: A comprehensive approach on personal data protection in the European Union, COM(2010) 609, dated 4 November 2010, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0609:FIN:EN:PDF.
4. European Commission, Report from the Commission: First report on the implementation of the Data Protection Directive, COM/2003/0265 final, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52003DC0265:EN:HTML, last accessed 29 August 2011.
5. Ibid.
6. P. Seipel, 'Sweden', in P. Blume (ed.), Nordic Data Protection Law, 2001, pp. 115-151.
7. PRIVIREAL, UK Data Protection, at http://www.privireal.org/content/dp/uk.php, and I. Lloyd, Information Technology Law, 4th ed., p. 104.
8. C-101/01 Lindqvist [2004] 1 C.M.L.R. 20.
9. To the author's knowledge, the misuse-oriented approach has not been adopted by other Member States, but discussion has centred on the current data protection model, which adopts a "processing" model. For background information, see J. Palme, Swedish attempts to regulate the internet, available at http://people.dsv.su.se/~jpalme/society/swedish-attempts.html, last accessed 29 August 2011; P. Seipel, in P. Blume (ed.), Nordic Data Protection Law, pp. 115-151; S. Öman, 'Implementing Data Protection in Law', in P. Wahlgren (ed.), IT Law, 2004, pp. 389-403, at http://www.sorenoman.se/Implementing.pdf; M. Klang, 'Technology, speech, law and ignorance: the state of free speech in Sweden', Hertfordshire Law Journal 1(2), pp. 48-63, 2003.
10. This is not an exhaustive list, but a glance at the recommended references demonstrates the significance of this case and its likely implications for data protection online. See I. Lloyd, Information Technology Law, 4th ed., pp. 97-98; C. Kuner, 'Data protection law and international jurisdiction on the internet: Part 2', International Journal of Law and Information Technology, pp. 227-247, 2010; P. Leith, 'The socio-legal context of privacy', International Journal of Law in Context 2(2), pp. 105-136, 2006; R. Wong, 'A conceptual analysis of a data controller', Communications Law 14(5), pp. 142-149, 2009.
11. Ibid.
12. C-275/06 Productores de Música de España (Promusicae) v Telefónica de España SAU [2008] ECR I-271.
13. C-557/07 LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH [2009] ECR I-01227.
14. C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy (Satamedia) [2008] ECR I-09831.
15. Art. 29 Working Party, Opinion 4/2007 on the concept of personal data, WP 136, adopted 20 June 2007, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf.
16. See decisions subsequent to Durant v FSA, such as Common Services Agency v Scottish Information Commissioner [2008] UKHL 47. The latter case concerned the NHS's refusal of an FOI request for statistics about child leukaemia on the basis that revealing personal data would infringe the relevant data protection laws. The House of Lords allowed the appeal on the basis that the information was "held" by the CSA and that it would not qualify as "personal data" if no individual could be identified as a result of barnardisation, a process to anonymise personal data. Furthermore, the House of Lords held that, if barnardisation effectively anonymises the data, condition 6(1) of Sch. 2 would be satisfied (processing necessary for the purposes of legitimate interests and not unwarranted by reason of prejudice to the data subject).
17. ICO, Personal Information Online – Code of Practice, available at http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online.aspx, dated July 2010.
18. Ibid., at p. 10.
19. Ibid.
20. Art. 29 Working Party, The future of privacy, adopted 1 December 2009, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf; see also R. Wong, 'The future of privacy', Computer Law and Security Review 27(1), pp. 53-57, 2011.
21. R. Wong, op. cit. n. 20.
22. T. Espiner, 'Facebook and Google "must follow" EU privacy rules', available at http://www.zdnet.co.uk/news/regulation/2011/03/17/facebook-and-google-must-follow-eu-privacy-rules-40092179/, dated 17 March 2011.
23. Art. 29 Working Party, Opinion 8/2010 on applicable law, WP 179, adopted 16 December 2010, at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf.
24. Ibid., p. 13.
25. Ibid.
26. Ibid.
27. Product Liability Directive 85/374/EEC, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31985L0374:EN:HTML.
28. Available at http://europa.eu/legislation_summaries/justice_freedom_security/judicial_cooperation_in_civil_matters/l16027_en.htm.
29. Available at http://europa.eu/legislation_summaries/justice_freedom_security/judicial_cooperation_in_civil_matters/l16027_en.htm.
30. See also Conflict of Laws.net, Rome II Regulation applicable in EU, dated 11 January 2009, available at http://conflictoflaws.net/2009/rome-ii-regulation-applicable-in-eu/, and A. Dickinson, The Rome II Regulation: The Law Applicable to Non-Contractual Obligations (Oxford, 2010).
31. [2008] EWHC 1781.
32. Ibid., at para. 80.
33. BBC News, Irish privacy watchdog calls for Facebook changes, available at http://www.bbc.co.uk/news/technology-16289426, dated 21 December 2011. Details of the report can be found on the Irish Data Protection Commissioner's website at http://dataprotection.ie/viewdoc.asp?DocID=1182&m=f, dated 21 December 2011.
34. BBC News, op. cit. n. 33.
35. Ibid.
36. European Commission, Commission decisions on the adequacy of the protection of personal data in third countries, available at http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm. For an in-depth discussion, see also C. Kuner, 'Regulation of transborder data flows under data protection and privacy law: past, present and future', TILT Law and Technology Working Paper No. 016/2010, October 2010, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1689483.
37. Art. 29 Working Party, Opinion on the draft Commission Decision on standard clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC, WP 161, adopted 5 March 2009, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp161_en.pdf, and Model contracts for the transfer of personal data to third countries, available at http://ec.europa.eu/justice/policies/privacy/modelcontracts/index_en.htm, last accessed 23 May 2011.
38. European Commission, Commission's first report on the transposition of the Data Protection Directive, available at http://ec.europa.eu/justice/policies/privacy/lawreport/report_en.htm, last accessed 23 May 2011.
39. See Schleswig-Holstein, which has developed a number of projects dealing with the protection of data online, including the anonymity project at https://www.datenschutzzentrum.de/index.htm. For an extensive report into the economic benefits of PETs, see the European Commission's recently published report, available at http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_pets_16_07_10_en.pdf, July 2010.
40. European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: A comprehensive approach on personal data protection in the European Union, COM(2010) 609, dated 4 November 2010.
41. L. Edwards and I. Brown, 'Data control and social networking: irreconcilable ideas', in A. Matwyshyn (ed.), Harboring Data: Information Security, Law and the Corporation, 2009, pp. 202-227.
42. Out-Law News, 'Expert says "right to be forgotten" could cause problems for publishers', available at http://www.out-law.com/en/articles/2011/november/expert-says-right-to-be-forgotten-could-cause-problems-for-publishers/, dated 10 November 2011.
43. Ibid.
44. C-101/01. The latter part of the judgment, at para. 100 (5), stated that when balancing freedom of expression and other rights against the rights conferred under the Data Protection Directive, it was for "the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 (emphasis added) to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order."
45. Out-Law News, '"Unenforceable" right to be forgotten should not be included in new EU data law', available at http://www.out-law.com/en/articles/2011/november/unenforceable-right-to-be-forgotten-should-not-be-included-in-new-eu-data-laws-ico-says/, dated 17 November 2011.
46. Ibid.
47. For example, according to the latest statistics, Facebook has more than 800 million active users, with more than 50% of active users logging on in any given day (see http://www.facebook.com/press/info.php?statistics). This is not to conclude that users' level of understanding and awareness of internet security is necessarily the same or higher, but it is indicative of their use. The latest Eurostat release indicates that 31% of users who used the internet in the 12 months prior to the survey had caught a computer virus or infection (see http://epp.eurostat.ec.europa.eu/cache/ITY_PUBLIC/4-07022011-AP/EN/4-07022011-AP-EN.PDF, dated 7 February 2011). See also ICO, 'Students concerned that information online might affect their careers', dated 26 October 2011, available at http://www.ico.gov.uk/news/latest_news/2011/students-concerned-that-information-online-might-affect-their-careers-26102011.aspx (which found that four out of ten students online (42%) are concerned that personal information available about them online might affect their future employment prospects). In the context of social networks, see also T. Kang and L. Kagal, 'Enabling privacy-awareness in social networks', available at http://dig.csail.mit.edu/2010/Papers/Privacy2010/tkang-rmp/paper.pdf, last accessed 19 November 2011.
48. Eurostat, op. cit. n. 47.
49. K. McCullagh, 'Data sensitivity: resolving the conundrum', available at http://www.bileta.ac.uk/Document%20Library/1/Data%20Sensitivity%20-%20resolving%20the%20conundrum.pdf, last accessed 19 November 2011. For more on the arguments on "sensitive data", see S. Simitis, 'Revisiting sensitive data', at http://www.coe.int/t/dghl/standardsetting/dataprotection/Reports/Report_Simitis_1999.pdf, last accessed November 2011; R. Wong, 'Data protection online: alternative approaches to sensitive data', Journal of International Commercial Law and Technology 2(1), pp. 9-16, 2007.
50. See s. 55 of the UK DPA 1998 and s. 77 of the Criminal Justice and Immigration Act 2008, by which the ICO's powers have been increased so that organisations that breach data security may be fined up to a maximum of £500K. See Information Commissioner's Guidance about the issue of monetary penalties prepared and issued under s. 55(1) of the Data Protection Act 1998, available at http://www.ico.gov.uk/for_organisations/guidance_index/data_protection_and_privacy_and_electronic_communications.aspx#monetary.
51. Whether the Data Protection Officer role would be similar to the German model is not yet clear. See also Privacy and Human Rights Report 2003: Federal Republic of Germany, available at http://www.pi.greennet.org.uk/survey/phr2003/countries/germany.htm, last accessed 26 November 2011.
52. A good starting point for the discussion on cloud computing is the collection of essays in S. Gutwirth et al. (eds), Computers, Privacy and Data Protection: An Element of Choice, 2011, pp. 345-457. See also ENISA, Cloud computing risk assessment, dated 20 November 2009, available at http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment; the NIST definition of cloud computing at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf, dated September 2011; and NIST, Final version of NIST cloud computing definition published, dated 25 October 2011, available at http://www.nist.gov/itl/csd/cloud-102511.cfm.
53. W.K. Hon, C. Millard and I. Walden, 'Who is responsible for "Personal Data" in Cloud Computing?', available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1783577, and W.K. Hon, C. Millard and I. Walden, 'Who is responsible for "Personal Data" in Cloud Computing?, Part 2', available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1794130.
54. Ibid.
55. See the Art. 12 "mere conduit", Art. 13 "caching" and Art. 14 "hosting" defences available to ISPs that satisfy the criteria laid down in each of these provisions of the Electronic Commerce Directive 2000/31/EC, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:en:NOT.
56. Dhillon and Kolkowska, 'Can a cloud be really secure? A Socratic dialogue', in S. Gutwirth et al. (eds), Computers, Privacy and Data Protection: An Element of Choice, 2011, pp. 345-379.
57. Ibid., at p. 353.
58. Ibid., at p. 357.
59. Y. Poullet et al., 'Data protection in the clouds', in S. Gutwirth et al. (eds), Computers, Privacy and Data Protection: An Element of Choice, 2011, pp. 377-409.
60. Ibid., at p. 378.
