Working Party on the Protection of Individuals with regard to the Processing of Personal Data

Contents:

1. Introduction
2. Legislative history of the relevant provisions of the directive
3. Current situation in national law
4. Conclusions

Introduction

Section IX of Chapter II of directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data ('the directive') deals with notification of processing operations to the national supervisory authorities ('the authorities').

The working party, following the mandate laid down in art.30 1a) of the directive, started discussions during its second meeting on the possible implementation of the provisions of the directive on notification. Working Documents dealing specifically with simplification and exemption from the obligation to notify data processing to the authorities were presented by the French, Dutch and UK delegations.

In connection with simplification and exemption from the obligation to notify, the German delegation presented a working document on the role in Germany of the independent data protection official (in house data protection official) referred to in article 18 paragraph 2 of the directive. Discussion on this topic continued during the third meeting following a presentation of representatives of data protection officials from Germany.

It was recognised that the Working Party could usefully give some guidance on the interpretation of the relevant provisions of the directive. The experience of some delegations in applying current national provisions which bear a significant resemblance with the ones of the directive could provide an indication of the functioning of the different options set-out in the directive.

The discussion showed that the specification of purposes at the time of notification plays an important role on the application of the principle of purpose specification. The role of the 'notified purposes' in current national legislation varies in the different legal systems, and the level of detail in the description of such purposes varies not only between Member States but also within Member States.

The Working Party agreed to exchange models of notification forms to study the type of purpose specification in the different Member States. Such models were distributed during the third meeting.

An earlier version of the present paper was discussed at the fourth meeting.

Examples of description of the purpose of processing operations carried out by a bank a medical practice and a telephone company were exchanged at the fifth meeting and served as a basis for discussion.

The following section outlines the legislative history of the relevant provisions of the directive. Section three summarises some of the main features of the current legislative situation at national level. The final section draws some preliminary conclusions and some questions as to the way the working party should proceed in relation to notification.

Legislative history of the relevant provisions of the directive

The original Commission proposal contained two provisions dealing with notification: article 7 dealing with public-sector files and article 11 dealing with private sector files. Recital 13 made it clear that the aim of the two provisions was the same: ensuring the 'transparency essential to the exercise by the data subject of the right to access to data relating to him'. Notification was compulsory only in relation to files 'the data in which might be communicated'.

Several Parliamentary amendments substantially modified these provisions. The amended proposal, following the parliamentary amendments, restructured the whole system of notification.

The distinction between public and private sector was abolished and the rules on notification applied to all processing operations. The explanatory memorandum, however, underlined that the potential extension of the obligation to notify had to be read in conjunction with the introduction of exemptions from and simplifications to notification.

The overall aim of notification was also modified: it should serve as the basis for selective monitoring of the legitimacy of processing operations by the supervisory authority.

Several aspects of the modified proposal contribute in effect to limit unnecessary bureaucratic requirements. A single notification could cover a set of processing operations intended to serve a single purpose. Furthermore data controllers were not required to give excessive details as notification should only mention the categories of data subjects, recipients and data. Notification was not required for data processing relating to members and usual contacts by non profit seeking bodies mentioned in art. 8 2 d. Finally notification of non automatic processing of personal data was made optional.

The amended proposal did not however aim simply at limiting or simplifying the obligations to notify but, following the wishes of Parliament, aimed at establishing a three tier system which, while avoiding excessive bureaucratic requirements, would provide different levels of safeguards in relation to the risks posed by different types of processing operations.

A system of preventive authorisation was introduced in relation to processing operations presenting 'specific risks'. The explanatory report referred to the processing of sensitive data, to 'black lists' and to 'operations aimed at informing third parties of the solvency of individuals' as examples of processing operations which might require prior checking.

The final text of the provisions on notification maintained the overall structure of the amended proposal. However simplification and exemptions from the obligation to notify were added in relation to public registers and where the data controller appoints in compliance with national law an in house data protection official.

Recital 48 makes it clear that the purpose of the notification procedures is the disclosure of the purpose and the main features of the processing operation in order to monitor its compliance with data protection legislation.

Recital 52 states that ex post-facto monitoring is the ordinary form of monitoring by the authorities. Recital 53 and 54 confirm that prior checking represents a somewhat exceptional procedure to be used only in relation to specific risks.

Current situation in national law

Notification of data processing to the authorities currently exists in all national data protection laws. However the extent of the obligation to notify varies.

In Spain, Luxembourg, Austria, Portugal, Sweden and United Kingdom broadly all processing operations which fall within the scope of application of data protection law need to be notified to the data protection authorities.

Some of these countries are currently simplifying the notification requirements or introducing exemptions from the obligation to notify. The general systems of notification have in some cases proven to be very resource consuming for the data protection authorities. Furthermore it turned out to be difficult to perform any substantive monitoring on the basis of notifications.

In Belgium and in the Netherlands most current and less risky type of processing operations have been exempted from notification by means of an act of the government under the general data protection legislation. The exemptions cover a very large proportion of all data processing (estimates of about 80%).

In France most current and less risky type of operations are subject to a simplified notification in which the data controller simply declares to process data in accordance with a so called 'norme simplifiée' predefined by the Commission Nationale Informatique et Libertés (CNIL). Forty such 'normes simplifiées' have been defined so far and they cover a large majority of processing operations (75% of notifications for 1995 were simplified notifications).

In Italy, several exemptions from notification have been introduced by decrees adopted under the general data protection legislation. These exemptions apply to certain categories of processing operations and are subject the detailed conditions.

In Denmark, Germany, Ireland and Finland the obligation to notify covers only certain types of processing operations.

The notification is normally done by means of special paper forms. In Belgium it is also possible to notify on computer diskettes. In the UK the registration can be done partly over the phone, the applicant must however fill-in a pre-printed form giving complementary information. The notification forms can normally cover all types of processing operations. In the UK, however, special templates have been created. These templates are normal notification forms in which all the parts which are normally relevant for a given type of data controllers have been highlighted.

The notification forms normally include details of the data controller and of the processing operations such as type of data that are processed, purposes of the processing operations, persons who have access to the data etc.

A key element of the notification is the description of the purpose of the processing operation. The practice in relation to the specification of purposes varies in the Member States.

In Belgium and in the UK a list of pre-defined processing purposes is enclosed with the notification form. Data controllers would therefore normally choose one of these predefined purposes. However in neither country are data controllers obliged to refer to one of the predefined purposes. They may instead add a description of the purpose in free text.

The debates during the second meeting and the models of notification exchanged during the third meeting have shows that data controllers tend to give very short and often generic descriptions of the purpose of their processing operation.

In most of the Member States the analysis of the compatibility of the operation with the finality of the processing in a posteriori enforcement is not made in relation to the abstract description of the processing but with reference to the material purpose of the concrete operation at hand.

The indication of overly generic purposes at the time of notification deprives notification of its function. Generic description of the purpose does not allow the data protection authorities to ascertain whether a processing operation complies with the law, and has very little use for the members of the public consulting the public register of processing operations.

Conclusions

Notification contributes to the respect of the principles of the directive because the data controllers, in order to notify, must assess and describe their processing operations, define in advance what data are to be used and for which purpose. In order to perform adequately these functions and contribute to the transparency of data processing the given information must not be general but specific.

It is particularly important that the purposes of the processing operations be adequately specified. Too generic definitions of the purpose of the processing operations devoid the system of notifications of its usefulness. Neither the data subjects nor the supervisory authorities will be in a position to assess the notified operation nor the compatibility of the various operations planned or performed by data controllers with the purpose for which the data were originally collected or further processed.

Assessing the compatibility of any given operation with the purpose for which the data were originally collected and which may have had to be notified to the data protection authority is one of the most difficult and important tasks in supervising compliance with data protection legislation. The working party is determined to develop common methods for the assessment of the compatibility of the purpose of processing operations.

Significant divergences in the description of the purpose of the processing operations in the different Member States would not only represent a burden for data controllers but could jeopardise the equivalence of the level of protection within the Community. The analysis of the current national arrangements for notification shows that there are not fundamental differences of approach in the way the purpose is described in the Member States. However the type and the amount of details that are provided vary according to the various national procedures and according to the structure of the notification forms.

The experience of the Member States that have such arrangements shows that predefined lists of the most common purposes are appreciated by data controllers and simplify the handling of notifications by the authorities. The working party will keep studying the possibility of defining standardised description of the purpose of common processing operations to serve as a guidance to data controllers.

Excessively bureaucratic requirements in relation to notification not only represent a burden for business but undermine the whole rationale of notification by becoming an excessive burden for the data protection authorities. Several countries have introduced or have shown an in interest in simplified notification or in exemptions from notification. Under the directive simplified notification or exemptions from the obligation to notify can be granted in relation to processing operations which are unlikely to affect adversely the rights and freedoms of data subjects. Several elements must be specified in relation to such processing operations.

Simplified notification or exceptions can also be granted where the controller, in compliance with national law, appoints an in house data protection official. Such an official must ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations. In order to do so according to the directive the official must at least ensure in an independent manner the application of the national provisions taken pursuant to the directive and keep the register of processing operations containing the items of information which would normally appear in the public register of processing operations. ²

The introduction of in house data protection officials limits the need of centralised supervision. The working party supports the introduction of such officials be it on a compulsory or on a voluntary basis. It is however necessary that such officials be given the means to perform their tasks in an effective manner. Should the powers and resources granted to in house data protection officials be insufficient to ensure that the rights and freedoms of the data subject are unlikely to be adversely affected, the derogations from the ordinary notification requirements would no longer be justified.

The effective independence of such officials in ensuring the application of data protection law is essential in guaranteeing the rights of the data subjects and in order to ensure compliance with data protection legislation. Adequate guarantees should be offered to ensure the of the data protection officials in the performance of their functions independence especially from management.

A certain degree of consistency exists in relation to the categories of operations which are unlikely to affect adversely the rights and freedoms of the data subjects. They include data processing in relation to payroll management, accounting, partners and shareholders, customers and suppliers etc.

The working party is determined to keep working towards the definition of a list of processing operations which, quite independently from the procedural arrangements adopted by the Member States for the transposition of the relevant provisions of the directive, could be used as reference in deciding which operations are less likely to affect adversely the rights and freedoms of the data subjects.

Notifying by other means than paper forms makes notification more efficient both for data controllers and for the authorities. The working party supports the use of such forms of notification as a way to reduce compliance costs for economic operators and allow for a less costly and more efficient supervision by the authorities.

One of the functions of notification is to inform the public about existing processing operations by means of the public register of processing operations. The working party considers it very important to make the register easily accessible to the public. The working party looks with interest to the projects making the public registers available via the world wide web. The working party notes the need to adopt adequate safeguards to avoid that the personal data included in the registers of processing operations be used improperly.