European data protection is on course, says Commission

Internal Market Commissioner Frits Bolkestein:

"European citizens have a right to privacy... Equally, without free movement of data across borders, Europe's economy cannot work properly. I am pleased that most businesses seem to appreciate that the Directive has made it easier to move data around and that maintaining the free movement of data depends on their meeting their data protection obligations. But EU law can only work if Member States implement it on time, so I deplore the long delays in many Member States. France still has not implemented the Directive. It must rectify that urgently."

The report concludes that results in terms of the free movement of personal data are broadly satisfactory. The Directive has achieved its aim of removing legal obstacles to the free movement of data that arose from differences in national legislation and from the fact that two Member States (Italy and Greece) had no data protection laws at all.

The free flow of personal information is essential for the efficient conduct of almost any economic activity on an EU-wide basis.

For example, before the Directive was adopted, businesses often faced difficulties transferring employee data to another Member State, which is necessary if a business works all over the EU but has its central personnel administration in one Member State.

Workers who had acquired pension rights in several Member States encountered difficulties when it came to the exchange of personal data needed for the actual accumulation of these rights. Conducting Europe-wide clinical trials for medical research was problematic, given the huge differences in data protection standards.

Only four Member States, including the UK, passed national laws implementing the Directive within the October 1998 deadline agreed by Member States themselves when they adopted the Directive in the Council.

The Commission decided in December 1999 to take France, Germany, Ireland, Luxembourg and the Netherlands to the European Court of Justice.

Germany and the Netherlands, along with Belgium, then implemented the Directive in 2001 and Luxembourg, after the Court found against it, implemented the Directive in 2002.

More than seven years after the adoption of the Directive and more than four years after the deadline for its implementation (October 1998), France has still not yet passed the legislation necessary to bring its old data protection law of 1978 fully into line with the Directive. Ireland has passed legislation recently, which has not yet been notified to the Commission.

The result of delays at national level is that experience with the implementation of the Directive is very limited. The report is a first step in analysing whether the Directive is achieving its objectives. It would be premature at this stage to propose amending the Directive.

However, the report sets out a work plan to narrow divergences between national legislation and between different national practices as regards application of the rules.

The proposed work plan focuses on improving implementation in the Member States and on a more consistent application and interpretation of the Directive. Progress will be reviewed in 2005.