The European Union Directive on Data Privacy
and Its Impact on Global Information Systems in
“...the Directive could have far-reaching effects on business practices
within the United States...organizations that have not paid close
attention to data protection laws may suffer rude shocks when
their standard practices turn out to violate European Law.”
Peter Swire and Robert Litan
“None of Your Business: World Data Flows,
Electronic Commerce, and the European Directive”
The European Union (EU) Directive on Data Privacy (The Directive) went into effect on October 25, 1998. The
Directive governs the movement of data between EU Member States and countries having both “adequate” and
“inadequate” levels of data protection regulation. Currently, the United States is likely to be categorized as offering
“inadequate” protection under The Directive.
After The Directive goes into effect, US companies may be prevented from processing personal data (information about
their employees, customers, or suppliers) in the US if it relates to EU employees, customers, or suppliers. This includes
processing of European data on a file server which resides in the US or any access to EU data from the US. It is not
limited to electronic data and includes manual reports. US companies face penalties that could include suspension of
business in EU Member States and the risks of lawsuits.
The Directive includes a number of alternate means to address these issues, and US companies should seek advice in
implementing the appropriate measures. Doing nothing is not an option.
In 1995, the Council and Parliament of the European Union adopted Directive 95/46/EC to harmonize the protection
of data privacy. The Directive had a three-year transition period, by which time it had to be implemented into the
national laws and regulations of each member bound by the European Community Treaty. The implementation date was
October 25, 1998.
The fifteen Member States of the European Union are Austria, Belgium, Denmark, Finland, France, Greece, Germany,
Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden, and the United Kingdom. Both for practical
reasons and because of treaty or association agreements, many other European nations have already adopted data
privacy legislation. Other nations, both within Europe and in other regions of the world, are likely to look to The
Directive as a model.
Most of the EU Member States, with the exception of Greece and Italy, already have data privacy legislation and will
therefore be making amendments to their current laws to comply with The Directive. It is anticipated that all Member
States will have implemented The Directive by the end of 1999.
• Sweden recently passed legislation into its national data protection laws to be in compliance with The Directive.
• The United Kingdom’s new Act received Royal Assent on July 16, 1998, with the UK parliament announcing that
there will be a delay in transposing The Directive into the secondary legislation required to support it. The Act
will not be fully effective until January, 1999.
• Belgium, Denmark, and Finland have legislative processes for amendments to their statutes in progress that are
expected to be completed soon.
• Greece and Italy have recently passed legislation based on The Directive, although their administrative institutions
and detailed regulations are not yet in place.
• Austria, France, Germany, Ireland, Luxembourg, the Netherlands, Portugal, and Spain are not expected to have their
amendments in place until the 1st or 2nd Quarter of 1999. In Germany, the process could take even longer, as it is
anticipated that the socialist government will make structural changes to the current enforcement agencies.
The general objectives of European data protection laws are to ensure economic and social progress by common
action to eliminate the barriers which divide Europe, while respecting the fundamental rights and freedoms of its
citizens. These rights include the right to privacy, the right to contribute to economic and social progress, the right to
trade expansion, and the right to nurture the well-being of individuals. The European focus is on the protection of
privacy as a fundamental and civil right, best guaranteed by legislation and enforced by national protection agencies.
This is in contrast to the approach adopted in the US, where the attitude of the current administration is that data
privacy and protection should be achieved by industry self-regulation, rather than by legislation or federal policing. This
is one of the reasons why the US is unlikely to pass the adequacy requirements.
Data Privacy Elements Highlighted by The Directive
• Processing of personal data is defined as any operation performed upon information relating to
an identified or identifiable natural person (data subject), whether or not by automatic means,
such as collection, recording, organization, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, or dissemination.
• Provisions are included to ensure that personal data being transferred to non-EU countries is
• There are rules for the processing of special personal data, i.e., racial or ethnic origin, political
opinions, religious or philosophical beliefs, trade union membership, health or sex life, and
• A distinction is drawn between the concept of a “data controller” (who is responsible for
determining how data will be processed and used), and a data processor (who acts under the
direction of the data controller). This distinction exists even if these are both entities within the
• It is the responsibility of the data controller, and in some cases the processor, to comply with
data protection rules.
• The data controller will be subject to the laws of the member country in which it is established,
or in which it collects or processes the data.
• There may be the need for “specific consent” from the individual to process certain types of data.
• There may be a requirement for anyone collecting or processing data to provide detailed
information about the uses to which data will be put.
• There may be a requirement for a contract between the controller and the processor of the data.
• Manual records are now within the scope of data protection, although existing manual files may
not be fully subject to the law for up to 10 years.
Article 25 of The Directive allows the transfer of data to third countries, provided the country in question
demonstrates an “adequate level of protection.” Adequacy has been defined by the EU in terms of the existence of
national data protection laws and a national agency to enforce such laws. Although there are ongoing discussions for
alternate mechanisms, the US does not have such measures and so is unlikely to be given the adequacy status required
to permit the transfer of personal data from EU countries into the US.
The international transfer of personal data may only take place freely when the country of destination guarantees a
level of protection similar to that offered by the sender’s legal status. There is currently no list of countries defined
as adequate, even though there are over 20 countries that currently have privacy laws. These include such non-EU
countries as Australia, Canada, Hong Kong, Hungary, Israel, New Zealand, the Czech Republic, Iceland, Norway, Slovakia,
Switzerland, Slovenia, and Taiwan. For any country defined to be inadequate (including the US), the transfer of data
could be deemed to be illegal after October 25, 1998.
Article 26 of The Directive allows for transfers to countries that do not pass the adequacy test in the following cases:
• Consent by the data subject (although there is considerable speculation on the nature of the disclosure and form
of consent required for proof of unambiguous consent);
• Performance of a contract with the data subject, or steps taken at the data subject’s request to enter into a contract;
• Performance of a contract with a third party in the data subject’s interest (e.g., an intermediary in processing
payments or deliverables);
• Legal requirements or the exercise or defense of legal claims;
• Protection of the vital interest of the data subject;
• Transfer from a public register, subject to the associated conditions; and
• Contractual or other adequate safeguards to protect the privacy of the data despite the lack of public law on data
However, when a Member State grants authority for data transfer to third party countries under the contractual
safeguards provisions of Article 26, it must notify the European Commission and the other Member States, which can
object to the transfer.
Many countries do not have uniform protection in all economic sectors; for instance, many countries have data
protection laws in the public sector but not in the private. This is exemplified in the US where specific laws exist in
certain areas, such as credit reporting and video rental records, but not in others. A further difficulty arises in
countries that have federal constitutions such as the US and Canada, where differences often exist among the various
states that make up the federation.
With few exceptions, Article 8 of The Directive generally prohibits the processing of personal data revealing one or
more of the following:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade-union membership;
- Health or sex life; or
- Criminal convictions.
• Article 17 requires that the processor of information must be governed by a contract or a legal act binding the
processor to the controller.
• Under Article 4, the data controllers are responsible for complying with the applicable laws where multiple
countries are involved, but it is the law of the data controller that will apply in matters concerning trans-border
• A “Working Party” set up under Article 29 acts in an advisory capacity to the EU as a discussion forum for
common issues among the national officials and the Commission.
• A committee established by Article 31 serves as a political check on any regulatory measures that might be
adopted by the Commission on recommendations from the Article 29 Working Party. The actions and decisions
of the Article 31 committee are binding on the Member States.
• A Directorate General XV (DG XV) at the European Commission ensures that the Member States are complying
with The Directive.
Exceptions and Other Processing Conditions
• Consent (explicit consent) – a Member State can choose to forbid certain kinds of processing of sensitive data
even with consent
• Obligations under employment law – when the national law also provides for adequate safeguards
• Vital interests of the data subject – when the data subject is not capable of giving consent
• Non-profit organizations – when carrying out their political, religious, or union activities, but not including
their disclosure of data to third parties without consent
• Information made public by the individual
• Health care – when processing is required for preventative medicine, diagnosis, or treatment by a professional
who is subject to professional secrecy laws or rules
• Other exemptions under national law – these must be established by Member States under notification to
the European Commission
• Criminal history information – may only be processed by the authorities or subject to specific safeguards
under their national law, again under notification to the European Commission
• Civil and administrative judgements – Member States may choose to limit processing
• National identification numbers – to be used only as directed under national law
Under the terms of the European Community treaty, European law takes precedence over domestic law, therefore
The Directive is enforceable by all members of the EU. Compliance, however, will be tested by each of the individual
laws of each country. Given the flexibility The Directive allows, it is anticipated that each country will interpret the
data protection laws in its own way.
There has been no opportunity to establish legal precedent for The Directive since its enactment on October 25, 1998,
and so it is difficult to determine how the courts will interpret it. US companies are therefore only able to implement
solutions to minimize rather than eliminate the risk. It is clear from the dialogue between the US and the EU that
companies must act responsibly to recognize the EU stance on data privacy and that doing nothing is not an option.
A US company must also recognize that the way forward in globalization is not to circumvent The Directive,
but to recognize the differences and the influences of geographic cultures and their social infrastructure, which are
fundamental components of any global information system.
The initial action that may be taken to ensure compliance is the blocking of all data transfers by the non-compliant
company. Any Member State, data protection authority, or the EU itself may prohibit the transfer. In addition, non-
compliant companies can also anticipate private suits and/or negative publicity.
The penalties will depend upon the nature of the personal rights affected, the volume of data concerned, profits
obtained, intent, repetition of the infringement, and the local data protection laws. The data protection agencies
generally do not act on their own accord, and will only take action if a data subject submits complaints.
Protection of data can be affected by the security policies applied by companies and also by the security features of
software used to process data. Weak or inadequate security measures may further exacerbate the situation and
encourage data protection authorities to adopt a more rigid approach.
Review of The Directive’s legal requirements indicates that it affects all sectors of industry where personal data is
gathered and processed, whether by electronic means or not. This includes human resources, auditing and accounting,
business consulting, calling centers, financial services, the press, non-profit organizations, educational institutions, non-
EU governments, pharmaceutical research, business and leisure travel, telephone networks, Internet service providers,
direct marketing, and information technologies.
The Directive treats privacy as a basic human right, and seeks to protect individuals against violations of that right. On
the international level, The Directive makes it clear that third countries seeking to do business with the EU must
respect The Directive’s protection of its subjects.
The Directive could have far-reaching effects on business practices within the US and other third countries (countries
not part of the EU). Mainframes and web sites in the US might be cut off from data from Europe. A range of marketing
and management practices that are now routine in the US might be disrupted.
There is also further concern that data protection rules, such as The Directive, can have the effect of excluding firms in
the US and other third countries from the European market. A potential way to comply with some of The Directive’s
requirements is to move data processing operations, and the accompanying jobs, into Europe. This is unlikely to be an
attractive option for many organizations.
Although some Member States have long had legal restrictions on trans-border data flows, The Directive will have
significant effects on US and other non-EU organizations in the following ways:
• Limits on trans-border flows will obviously affect international and global companies more than entirely domestic
ones, as only international actions involve the rules on transfers. Companies based in Europe will design their data
processing operations for the local conditions, and thus more routinely take The Directive into account. Companies
based elsewhere often will not establish their internal processing procedures with European regulations clearly in
• The central processing operations of US companies will often be based in the US. Management decisions will be made
there, and managers expect to have access to the underlying information needed for decisions. The restrictions on the
flow of personal information from Europe to the US will have significant impact in this respect.
The Directive sets out certain procedures which can be followed in countries whose data privacy laws do not meet
the adequacy test. These include contracts between a parent company and its subsidiary, supplier, and/or customer;
consent from employees; and codes of conduct. More recently, the approach of “safe harbor” under Article 25 now
offers an additional solution. These procedures are by no means clearly defined, and there is considerable room for
uncertainty and conjecture on interpretation.
In earlier discussions, the EU downplayed the contractual alternatives to US companies and the US government. But as
the US has made it clear that its fundamental approach is going to be one of industry self-regulation, the Europeans
have now indicated that the notion of a “model contract” may be acceptable under certain circumstances. Currently
there are three organizations that are developing model contracts projects for the flow of data across borders. These
are Privacy and American Business (P&AB), The International Chamber of Commerce (ICC) and The Confederation of
British Industry (CBI).
These contracts have not yet received endorsement since the EU is reluctant to move from its position of protecting
rights by way of legislation rather than by contract. This approach may force contracts that incorporate far-reaching
clauses, which may inhibit the way in which companies do business. The EU does not see the model contract approach
as the solution to all types of personal data flows. The approach may have increased acceptance if used in combination
with other available methods.
In recent months, the US Department of Commerce (DOC) has been engaged in informal discussions with the EU
concerning the application of The Directive on US companies. The DOC and the EU believe they are close to agreeing
on a “safe harbor” approach. This would enable US companies to self-certify that they comply with a set of accepted
standards and would therefore be entitled to a presumption of adequacy under Article 25. This would avoid prior
authorization requirements from the national protection agencies. However, it would not prevent those authorities
from investigating a company’s compliance with those standards, nor prevent individuals from filing complaints about
To qualify for the safe harbor, US companies would have to certify that they had implemented and complied with a set
of data privacy principles. The DOC data privacy guidelines are being used as the model for the proposed principles.
These guidelines may be further defined following the discussions. The EU obtained a mandate from the Member
States to proceed with refining this approach on September 30, 1998. If the safe harbor approach is adopted, it will be
binding on all Member States; however, at this stage, it is not clear whether all the Member States will support this
The principles of the safe harbor approach would include independent investigation of complaints and redress for
injured parties. These enforcement principles may be satisfied by recourse to regulatory bodies, self-regulatory bodies
or by parties outside the EU agreeing contractually to cooperate with the investigations by the national data protection
authorities and to comply with their decisions. It is not yet clear which authority in the US would perform such
enforcement duties, as there are no government agencies or functioning self-regulatory bodies that currently perform
them. The DOC measures are primarily focused on the issues of data privacy on the Internet and in electronic
commerce. Human resources data and other kinds of data processing may not be covered by the self-regulatory
mechanisms. The DOC is therefore encouraging industry to employ contractual as well as institutional alternatives for
satisfying the enforcement principles of data privacy protection.
In an attempt to comply with data protection legislation, some companies have opted to gather a waiver or statement
of consent from employees and customers authorizing the collection and transfer of their personal data. However,
under Article 7 of The Directive, the consent must be “unambiguously given” and the definition of the “data subject’s
consent” is that it shall be freely given, specific, and an informed indication of his/her wishes. Obtaining consent is a
desirable, but difficult, solution; US companies must ensure that the terms of the consent are framed in such a way that
it authorizes both current and future defined uses to which the data will be put.
Codes of Practice
Codes of conduct or a set of industry standards may be acceptable as a means of complying with The Directive. This is
currently seen as the preferred option by some human resources professionals where the creation of standards for
managing and protecting employee data is seen as a natural step in the development of HR best practices. But the
agreement on a set of codes that will comply with business and industry standards will require extensive discussion
The Association for International Human Resource Information Management (IHRIM) Committee on Information Use
and Protection is currently producing a set of such standards, with the first discussion draft due for release to its
members at the end of October 1998. This is a first release that will require agreement among IHRIM members before
it can be presented to the EU for informal discussion. No one can predict the reaction of the EU to such a solution,
especially as there are currently no HR self-regulatory bodies in existence and it is not at all clear that
compliance with an industry code will allow the transfer of data to a non-EU country.
A basic level of compliance can be achieved by following these guidelines, which will assist an organization in evaluating
its data privacy position and enable it to comply with the data privacy regulations.
• Know what information is being collected – Ensure the organization adopts a proactive approach to personal
information and performs an audit of all business units to understand what personal data is being collected,
accessed, transferred, and processed in the US. Determine the purpose of the collection and determine where
data subject consent may be obtained.
• Understand specific country regulations under The Directive – Understand the organization’s state of compliance
with the local data privacy requirements in each of the countries in which the organization conducts business.
Since data protection may be interpreted differently throughout the EU, it is advisable to adopt a conservative
approach to the solution selected.
• Know what to do when any data is being transferred outside the country – Register the data transfer, describe
the nature of the transfer, and, where necessary, get approval for the transfer from the originating country’s data
regulator, using the appropriate approach for the data type and business.
• Know which employees have access to personal data – Audit the company’s existing security systems to ensure
that all personal data is adequately secured and protected in its use.
• … are aware of their legal rights – … customers and employees.
• Stay informed – Work closely with the individual EU Member States’ regulators, legal advisors, and external
consultants to learn of best practices, regulatory changes, and new legislation.
Cedar, Inc. offers industry-leading solutions to help clients maximize their enterprise system investments and more
effectively manage their overall business. Enterprise service areas are targeted to reflect key strategic initiatives within
today’s global enterprises, including: enterprise applications for the front-office and back-office; harnessing the power
of the Internet; and intelligently using knowledge to support business decisions.
Cedar offers the industry-leading solutions to help organizations maximize the return on their enterprise system
investments and drive improved organizational performance. We assist public, private, and not-for-profit sector
organizations with strategy, design, implementation, and support for technology solutions across all enterprise functions.
We are focused on solutions that deliver results to maximize the power of institutional systems and enhance competitive
advantage by connecting constituents and data in a cost effective and service oriented manner.
Our experience, coupled with partnerships with world-class solutions, provides us with unmatched expertise to serve
our clients. We are also closely aligned with premier industry analyst organizations to monitor and shape the trends
that will bring about new levels of business transformation.
This report is one example of our commitment to industry research as a means to assist our clients and partners. We
invite you to visit our website at www.cedar.com for continued research news and information.
100 East Pratt Street, Suite 1600
Baltimore, Maryland 21202 USA
Tel: 410 576 1515
Fax: 410 752 2879
Offices in Principal Cities of the World