FIRST ANNUAL REPORT

Adopted by the Working Party on 25 June 1997

CONTENTS

• INTRODUCTION
• DEVELOPMENTS IN THE EUROPEAN UNION

• The directive

• Data Protection Working Party
• Transposition in national law and equivalence of the level of protection
• Compliance at the level of the European Institutions

• Developments in the field of data protection. Activity of the data protection authorities.

• National
• International

• Developments of the data protection policy of the European Union

• Community coordination in international fora
• Sectoral initiatives
• Data Protection and the Information Society
• Data protection in other Community Instruments
• Data protection in non Community Instruments

• Schengen
• Dialogue with third countries on data protection matters

• COUNCIL OF EUROPE
• MAJOR DEVELOPMENTS IN THIRD COUNTRIES

• European Economic Area.
• Countries of Central and Eastern Europe
• Other Third Countries

• OTHER DEVELOPMENTS AT THE INTERNATIONAL LEVEL

• International Labour Office
• Organisation for Economic Cooperation and Development OECD
• International Conferences and debates

THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 , having regard to Articles 29 and 30 paragraph 6, having regard to its Rules of Procedure and in particular to articles 12, 13 and 15 thereof, has adopted the present annual report.

INTRODUCTION

The directive creates a European harmonised framework of rules in the area traditionally referred to as 'data protection'.

Article 29 of the directive created the Working Party for the protection of individuals with regard to the processing of personal data. The Working Party is required to transmit an annual report on the situation regarding the protection of natural persons with regard to the processing of personal data in the Community and in third countries to the Commission, the European Parliament and the Council. The report shall be made public.

The first report covers the major developments in the area of data protection in the year 1996. Section 2 summarises developments in the European Union both in the Member States and at Community level. Section 3 refers to the work of the Council of Europe. Section 4 refers to major developments in third countries and Section 5 refers to other international developments.

DEVELOPMENTS IN THE EUROPEAN UNION

The directive

The process of implementation of the directive got underway in 1996 in all the Member States and at European level. Section 2.1.1 outlines the functions of the Working Party and its activities in 1996, section 2.1.2 describes the procedures for transposition of the directive at national level and section 2.1.3 illustrates the actions undertaken by the European Institutions to comply with the rules of the directive.

Data Protection Working Party

The Working Party is composed of representatives of the national independent authorities in charge of data protection, of a representative of the Commission and will include a representative of the authorities in charge of data protection matters within the European Institutions, as and when these authorities are created.

Pooling the collective expertise of the national authorities the Working Party will foster a coherent approach in the application of the broad principles of the directive and advise the Commission on data protection matters. In particular it is required to give its opinion on the level of protection in the Union and in third countries and it can make recommendations on all matters relating to the protection of persons with regard to the processing of personal data.

The Working Party met for the first time on 17 January 1996. The early start to the work of the Working Party was in line with the request made by the national data protection authorities. Mr Peter J. HUSTINX, President of the Dutch data protection authority (Registratiekamer), was elected chairperson of the Working Party. Ms Louise CADOUX Member of the French data protection authority (Commission Nationale de l'Informatique et des Libertés) was elected vice-chairperson. The Working Party met four times in 1996. The debates focused on data transfers to third countries and the level of protection in third countries, on the procedures for notification, on the exceptions to the fundamental data protection rules and on the application of data protection law to the Media in the light of the directive's requirement to strike a balance between freedom of expression and the right to privacy. A recommendation on this issue was subsequently adopted in 1997.

Transposition in national law and equivalence of the level of protection

The present section seeks to make a progress report of the transposition of the directive into national law.

In Belgium the Parliamentary procedures for transposition of the directive into national law have begun. An opinion on the draft law produced by the Ministry of Justice was given by the data protection authority (Commission de la protection de la vie privée / Commissie voor de bescherming van privaat levenssfeer). Several royal decrees implementing the 1992 Act were adopted in 1996. These royal decrees already take into account insofar as is possible the requirements of the directive.

In Denmark the Minister for Justice set up a committee in 1996, which is to draft a proposal for legislation to transpose the directive. The committee, which is made up of representatives of private organisations and public authorities, is to complete its work by 1 July 1997 if possible. The intention is to present a proposal in autumn 1997. The Danish data protection authority [Registertilsynet] is represented on the Committee.

The Spanish Ministry of Justice created a Committee in charge of the work for the transposition of the directive into national law. In October 1996 the data protection authority (Agencia de protección de datos) convened a meeting of experts which studied specific aspects relating to the transposition of the directive. These included: the impact of the directive on the Spanish legal order, comparison between the principles and rights enshrined in the current data protection act (organic law 5/1992) and the ones of the directive, and computer freedom and regulation of international transfers of personal data.

The Federal legislator is primarily responsible for the transposition of the directive into German law. This responsibility extends not only to the public area of the Federation, but also to the non-public area, where most changes are to be expected, on the basis of the legislative power under Article 74 of the Basic Law. The Federal Ministry of the Interior has a leading role in the transposition. Not only Federal law, but -chiefly in the public sector- also the Land data protection laws are to be brought into line with the provisions of the directive. In addition to the general data protection laws a large number of both Federal and Länder regulations in specific areas of data protection law have to be examined. The Federal Commissioner, the Land Commissioners for data protection and the supervisory authorities for the non-public sector have dealt with the impending amendment of the German data protection law as part of their respective responsibilities. In the meantime the Federal Government has drafted a submission for a draft law.

The Greek data protection law (Law 2472/97 on the protection of individuals with regard to the processing of personal data) has been approved by the Hellenic Parliament on 26.03.1997 and published on 10.04.1997. It is already in force in so far as it relates to the appointment and the organisation of the data protection authority. In relation to the processing operations, the rights of the individuals etc. the law will come into force after the appointment of the members of the Data Protection Authority. According to the provisions of the law the President of the Authority (ex officio a judge of the Supreme Court) will be appointed by the Government and the six members by the Parliament. These appointments should take place within 60 days after the publication of the law i.e. by 10.06.97.

In France the Government has the task of preparing the draft law and is currently studying the subject. The results of these reflections and the timing of the new legislation are not yet known. The French data protection authority, Commission Nationale de l'Informatique et des Libertés (CNIL) will be consulted by the Government on early drafts of the law as soon as the Government has determined more precisely its policy.

In Ireland legislation on data protection is the responsibility of the Minister for Justice. The Minister has stated that the legislative measures needed to give effect to the directive, which will involve changes to the Data Protection Act, 1988 will be brought forward as soon as possible with a view to enactment prior to October, 1998.

In Italy the Government put draft data protection legislation before Parliament in June 1996. The act was adopted on 31 December 1996. The act entered into force on 8 May 1997. The Parliament authorised the Government to legislate by means of statutory instrument in order to modify and complement the data protection act by July 1998.

In Luxembourg, the Ministry of Justice is in charge of the transposition of the directive in national law. Actually a bill is under preparation and will be discussed with main representatives of the public and private sectors before adoption by the Government. The subsequent Parliamentary procedures are foreseen, if possible, for the end of 1997 of at latest beginning 1998.

The Dutch government has indicated its intention to replace the present Data Protection Act, effective since 1 July 1989, with a completely new Data Protection Act which conforms to the directive. In September 1996 a preliminary draft bill was submitted for comment to a number of organisations, including the Data Protection Authority (Registratiekamer). It is expected that an amended version of the bill will be submitted to the Council of State in the spring and will be laid before Parliament during the autumn of 1997.

The Austrian Federal Chancellery (Österreichisches Bundeskanzleramt) is currently working on a draft for transposition of the directive into national law, which will then be discussed in the Data Protection Council and should be submitted to Parliament by the end of 1997.

The Constitution of the Portuguese Republic includes provisions on data protection which in some cases are more restrictive than the ones of the directive. The revision of the Constitution is therefore required for the transposition of the directive. Further to a request by the parliamentary committee for the revision of the Constitution, the Portuguese data protection authority (Comissão Nacional de Protecção de Dados Pessoais Informatizados, CNPDPI) has presented a proposal for the amendment of the relevant provision of the Constitution. The agreement of the political parties on the amendments of the constitution is expected in the beginning of 1997.

In Finland an ad hoc committee for the transposition of the directive (Henkilötietotoimikunta) started work in October 1995 with the aim to conclude its work by March 1997.

In Sweden the committee in charge of the official examination of the data protection law (Datalagskommittën) will propose new data protection legislation which transposes the directive by March 1997.

The Home Office in the United Kingdom published a consultation document on the implementation of the directive in March 1996. The consultation closed on 19th July 1996. The UK Data Protection Registrar also published a series of papers, "Questions to Answer", in April 1996 to stimulate debate and provide background information to those who wished to respond to the Home Office consultation. Nearly 3000 copies were distributed to interested parties. The Registrar's formal response to the Home Office consultation document, "Our Answers", has also been widely distributed since July. The Home Office has published a summary of the responses to its consultation paper. A Data Protection Bill has been promised for the 1997-98 session of Parliament.

Compliance at the level of the European Institutions

The European Institutions, and the Commission in particular, routinely process personal data in the framework of their institutional activities. The Commission exchanges personal data with the Member States in the framework of the Common Agricultural Policy, in the administration of the customs system, in the managing of the structural funds etc. In order not to create a gap in the protection in Europe, the Commission, when proposing the directive in 1990, declared that it would also comply with the directive's principles.

At the time of the adoption of the directive, the Commission and the Council undertook in a public declaration to comply with the directive and invited the other Community Institutions and bodies to do likewise.

In the intergovernmental conference for the revision of the Treaties, the issue of the application of data protection rules to the European Institutions was raised by the Dutch and Greek Governments.

The European Parliament called upon the Commission to establish an independent data protection supervisory body in its resolution number 41 on the 1997 Commission Work Programme.

For its part, the Commission has taken various measures to ensure that protection principles are applied to the personal data which it processes:

ñ first, it should be noted that the Commission regards itself as bound by the principles enshrined in the Directive, and that its departments are therefore obliged to apply them whenever they process personal data. This protection applies to all individuals, be they Commission officials or third parties such as service providers, officials from a Member State dealing with the Commission or any other individual involved in implementing Community policy. This undertaking on the part of the Commission was made public with the publication of the aforementioned statement in 1990 and with the joint statement issued with the Council in 1995;

ñ by memorandum dated 9 October 1995, the Secretary-General of the Commission transmitted to all departments guidelines designed to facilitate the putting-into-practice of the principles laid down in the Directive. The document shows how these principles relate to the Commission departments' specific needs. The Secretariat-General is currently conducting an awareness-raising initiative with the departments. Since these guidelines were conceived as an internal document setting out organisational arrangements for the departments' work, no special arrangements have been made to publish them;

ñ each directorate-general or department is invited to put the principles laid down in the Directive into practice. Obviously, this takes place within the context of existing measures, such as the security measures for data-processing networks within the Commission and the articles governing protection in the Staff Regulations. DG XV ("Internal Market and Financial Services") has appointed an in-house data protection officer to monitor the correct application of protection rules for personal data processed under its responsibility.

The Secretariat-General of the Council of the European Union prepared internal rules to ensure that the Directive's principles are applied to personal data processed under its responsibility.

Developments in the field of data protection. Activity of the data protection authorities.

The present section out-lines the major developments in the field of data protection with specific reference to the work of the national data protection authorities both at the national and at the international level.

National

The presents section outlines some of the main questions addressed by the national data protection authorities in the application of current data protection legislation. Further information can be obtained by consulting the data protection authorities which publish substantial annual reports.

The Belgian data protection authority (Commission de la protection de la vie privée / Commissie voor de bescherming van privaat levenssfeer) rendered some thirty opinions in application of the data protection act of 8 December 1992 and other laws containing data protection provisions. Several of these opinions referred to the national register of individuals. The authority issued one recommendation to data controllers, dealt with several hundreds requests for information and with some forty complaints. One of the main activities in 1996 was the managing of new notifications. The deadline to notify existing processing operations was 1st June 1996. More than 7500 notifications were received on top of the existing 2000.

In Denmark a minor amendment to the Law on records held by public authorities came into effect from 1 January 1997, extending the right of public authorities to pass on to private credit-rating agencies data on debts owing to such authorities.

A particularly important case dealt with by the data protection authority in 1996 involved the use by public authorities of the Internet for the disclosure of ownership, addresses, property and assessment data for all immovable property in Denmark. The Authority took the view that publication on the Internet was not in breach of data protection legislation and accepted the publication on the Internet of data already accessible to the public. The view taken in arriving at the decision was that publication on an Internet Webpage was equivalent to publication by any other means.

The Authority gave its opinion on new legislation, including a proposal for a law on the use of health data in employment matters, on the Europol Convention, on the draft for the Eurodac Convention and on the Council of Europe Convention on human rights and biomedicine. Lastly, the Authority carried out some 50 inspections on private businesses and public authorities.

In Germany the utilisation of the telecommunications services by private teleservice providers, as a consequence of liberalisation in the telecommunications sector, made it necessary to create the appropriate legal bases with regard to data protection law. A statute on information and communication services was adopted by the Federal Parliament on 13 June 1997. According to it the design and selection of technical installations for teleservices must be geared to the objective of avoiding to collect or to process personal data at all or as much as possible. It is regrettable that data protection audits which were originally envisaged have been dropped. The telecommunications law which entered into force in August 1996 transferred data protection supervision for all companies providing telecommunications services to the Federal Data Protection Commissioner. This has substantially extended his advisory and supervisory role (already more than 1.100 firms at the beginning of 1997).

New areas are creating growing concerns in Germany. Genome analysis is becoming increasingly important as an additional method of forensic investigation in the case of the prosecution and punishment of crimes. In 1996 the German law of criminal procedure was extended by rules on genetic fingerprinting. However, DNA analyses are a significant invasion of privacy. The automatic storing of genetic fingerprints therefore continues to be problematical, but the law is silent on this point. Similarly the general use of chip-cards has serious consequences for the protection of privacy.

The activities of the Spanish data protection authority (Agencia de protección de datos) increased substantially in 1996. 1.152 complaints were dealt with (+245% if compared to 1995), 268 inspections of files took place (+160%), 90 disciplinary proceedings were commenced (+200%) and 534 administrative proceedings were initiated to enforce the rights to access, rectification and cancellation (534%). 600 written request for information and more than 8.000 oral request were dealt with by the special service for relations with citizens. 37 data transfers abroad were authorised in 1996.

In France the Commission Nationale de l'Informatique et des Libertés (CNIL) dealt with various proposals aimed at curbing health expenses and with the national register of individuals covered by social security. The CNIL contributed to the work of the International Labour Office on 'guidelines on data protection for workers'. As far as it concerns the use of new technologies the CNIL gave opinions on the capturing of images on motor-ways, on recording of all movements of manual workers in the framework of ISO 9000 quality certification and in relation to certain applications of electronic voting and electronic money. In 1995 CNIL set standards for the posting of directories on the Internet and in 1996 has started considering various questions concerning on-line services, collection of data for measurements of the audience of web-sites, functioning of news-groups, special conditions for the opening of the Prime Minister's homepage etc.

The Irish data protection Commissioner had extensive discussions with Telecom Eireann, the Irish national telephone company, about their plans to introduce calling line identification. He stressed the privacy considerations which should be taken into account and the measures necessary to do so. These discussions are continuing. In 1996, the Commissioner was consulted by the health authorities before the introduction of a pilot project in the use of smart cards for health data. These consultations resulted in full compliance by the Irish health authorities with the requirements set out by the Commissioner. A Government report making proposals for data-sharing between Government Departments, using citizens' RSI (Revenue and Social Insurance) numbers as an identifier, was published in 1996 and the Commissioner responded with expressions of concern about the privacy implications. These concerns were extensively reported in the news media. A number of complaints from individuals related to the way in which personal information is increasingly obtained by telephone, particularly by companies in the banking and insurance sectors. The Commissioner took steps to make the companies involved aware of the obligation of fair obtaining, and commented on this matter in his Annual Report. Enquiries to the Commissioner's Office during 1996 indicated a steadily growing level of awareness of data protection issues on the part of data controllers. The number of contacts from individual citizens, either for information or for help with particular difficulties, also continued to rise.

Under the data protection regime actually still in force (Act of 31 March 1979), Luxembourg does not have an independent data protection authority, but a commission whose legal missions consist in: a)giving opinions to the Government on requests for obtaining a licence to operate data banks; b)informing the Government on possible breaches of legislation. In 1996 the main task of the Commission consisted in analysing possible problems in relation with privatisation of the telecommunication sector, notably the publishing of the directories of subscribers by a private firm.

The Dutch data protection authority (Registratiekamer) was involved in the development of a Code of conduct for the use of multifunctional smart cards. It published reports on genetic data, on the recording of telephone calls at the work place and on the video surveillance of areas open to the public. Other major subjects related to the privatisation of social security and the increasing use of personal identification numbers. The Registratiekamer has been active in the development of standards for information security and in promoting the use of privacy-enhancing technologies (PET's). It carried out privacy audits in a psychiatric hospital, a credit information bureau, and the criminal information system of a major police force. In each case, the conclusions of these audits resulted in further activities aimed at the relevant sectors and executed jointly with sector institutions.

Regarding the numerous complaints brought forward to the Austrian Data Protection Commission - which is competent only for controlling the public sector - there are no specific issues which could be considered as focal points of data protection problems in the public sector. It seems, however, interesting to mention that after a decision by the Data Protection Commission, considering illegal files on mentally ill persons kept manually by the police, (as a consequence of their assistance in cases of forceful detainment of persons in mental hospitals), new legislation abolished these files.

The Portuguese data protection authority (Comissão Nacional de Protecção de Dados Pessoais Informatizados, CNPDPI) has been active in raising the awareness of the public on data protection matters in particular through regular contacts with the press and participation in conferences and debates. The enforcement of the current legislation especially in response to complaints has focused on direct marketing companies, banks, fiscal and health authorities. The CNPDPI has given its opinion at the request of government on draft laws on medical data, on a national health service card, on processing of data relating to convictions and the processing of personal data by fiscal authorities. The CNPDPI delivered authorisations for the processing of sensitive data by data controllers not belonging to the public services sector.

The Finnish data protection Ombudsman has had to deal with questions relating to Internet services, plans for electronic money and smart identity cards.

Amendment in 1995 of the 1973 Swedish data act has allowed the data protection authority (Datainspektionen) to issue administrative regulations relating to common processing operations in various sectors thus exempting these operations from the obligation to obtain a permission by the data protection authority. Nine such regulations have been issued and the number of applications for permissions has gone from about 7000 per year to about 5000 per year.

In the United Kingdom organisational measures within the Registrar's office have simplified the process of notification. There was a rising trend of registrations, the current number of register entries being over 200 000. A consultation paper on further changes in registration was issued in May 1996, and a review of responses from data users has now been made. The number of prosecutions in 1996 was 39. Among these was a case which was the first to reach the House of Lords since the passage of the legislation in 1984. The use of the Internet was intensified; the Data Protection Register is now available on the Internet as are all the main guidance and publications. The Registrar hosted three conferences; the EU Data Protection Commissioners' 1996 Spring Conference, a "Privacy at Work" Conference in April and a "Data Matching" Conference in December. Apart from publications on the directive, the office produced guidance notes on security for financial services providers responding to telephone enquiries, credit referencing, direct marketing and document image processing. In addition the Registrar submitted her response to the government's proposals for introducing a voluntary national identity card. Work continued on looking at developments in electronic government. The Registrar submitted her response to a green paper entitled "Government direct" in February 1997. In her response she encouraged the use of privacy enhancing technologies.

International

Apart from the meetings of the Data Protection Working Party held under Article 29 of the directive, the EU Data Protection Commissioners continue to meet as a body twice yearly. The 1996 Spring conference was held in Manchester in April, and the autumn meeting at the time of the International conference in Ottawa in September. The group currently consists of 13 countries; Italy and Greece are likely to join once they have established independent data protection authorities.

Following the 1996 Spring conference, the UK Data Protection Registrar is providing the standing conference secretariat. The secretariat provides administrative support, seeks to alert the EU Data Protection Commissioners to developments that require joint action, prepares draft position papers, and generally facilitates the joint action of the Commissioners. The Commissioners currently have a small number of working groups: a working group on police, customs and related matters, a working group on telecommunications, and the GERI group which looks at questions related to the Internet and on-line services. There are also ad hoc committees on consumer credit and road transport. In 1996 the Commissioners also held a workshop on public relations and marketing issues.

As regards common positions, the EU Data Protection Commissioners adopted statements on Europol and the ISDN directive, and reaffirmed their statement from 1995 regarding data protection and the European Union institutions. They also submitted comments on the ILO draft Code of Practice on the Protection of Workers' Personal Data, and were represented as observers at the ILO meeting discussing this Code in October.

The UK Registrar has also had observer representation at the meetings of the OECD Ad hoc Group of Experts on Cryptography Policy Guidelines on behalf of all Data Protection and Privacy Commissioners.

The EU Data Protection Commissioners also submitted a response to the Green Paper on Living and Working in the Information Society and adopted a Paper on Telecommunications and Privacy in Labour Relationships.

Developments in the data protection policy of the European Union

Although the directive is the centre piece of the European data protection policy it is complemented by a number of other initiatives with the aim of guaranteeing a coherent framework of protection for the citizen.

The present section outlines developments in the European Union both within the competence of the EC (3 following sub-sections) and under title VI of the Treaty on European Union.

Community coordination in international fora

The Member States of the EC must take into account their Community obligations when negotiating engagements in international fora. When the Community enjoys an exclusive competence the Member States must act jointly and coordinate their positions. The adoption of the directive obliged the Community to act in such a coordinated fashion in the negotiation in the Council of Europe of recommendations on data protection.

The Commission has obtained a mandate from the Council to negotiate on behalf of the Community in the bodies of the Council of Europe competent for the adoption of the recommendation on data processed for medical purposes and data processed for statistical purposes.

Sectoral initiatives

The Council of Ministers adopted its common position for a 'directive concerning the processing of personal data and the protection of privacy in the telecommunications sector, in particular in the Integrated Services Digital network (ISDN) and in digital mobile networks' on 12 September 1996.

The text intends to ensure the free movement of data and of telecommunications equipment and services in the Community by harmonising the level of protection of subscribers and users of public telecommunication services in relation to the processing of personal data in the telecommunications sector.

The Directive will specify, for the telecommunications sector, the general rules as laid down by directive 95/46/EC and it will enhance the protection of privacy of individuals and of the legitimate interests of subscribers (including legal persons).

The European Parliament adopted 11 amendments to the text on 16 January 1997. The Commission has announced that it cannot accept four of these amendments. A conciliation procedure is likely to begin in 1997.

Data Protection and the Information Society

Some technological developments and in particularly the emergence of the so called 'Information society' are often seen as a source of privacy concerns. Increasing amounts of personal information can be processed in a very sophisticated fashion with techniques such as 'data warehousing' and 'data mining' which are potentially more intrusive to individuals' privacy than traditional processing techniques. Moreover the introduction of new technologies for a whole range of services causes concern because of the sheer amount of so called 'transactional data', often compared to an electronic trail which each individual leaves behind.

These concerns were voiced in the Information Society Forum established by the Commission and in particular in the report of the second Working Group.

However technological solutions can contribute to the protection of privacy. A joint report of the Dutch and Canadian Privacy authorities underlined the importance of so called 'Privacy Enhancing Technologies' (PETs). Such technologies involve organising and engineering the design of information and communication systems and technologies with a view to avoiding, or at least, minimising, the use of personal data.

Examples of applications are identity protectors, Internet-kiosks providing for anonymous access, anonymous payment means such as prepaid cards, anonymous browsing tools, filtering technology etc. Such a 'privacy friendly' approach calls for the revision of existing IT systems or data bases with a view to analysing the need for personal data processing according to data protection principles.

The Commission actively promotes the development and use of such technologies. The Commission therefore decided in the First Action Plan for Innovation in Europe to promote Privacy Enhancing Technologies in the 5th Research and Technological Development Framework Programme with a view to demonstrating that new technologies can enable users to exercise more effectively their right to privacy.

Data protection in other Community Instruments

In various instruments of secondary Community legislation the Commission has been given certain specific tasks in connection with the processing of personal data. With the aim of protecting the fundamental rights and freedoms of the individuals concerned by such processing, the Commission has also been invited, for the purpose of applying the relevant Community rules, to develop data protection mechanisms. One such example is Council Regulation (EC) No 1469/95 of 22 June 1995 on measures to be taken with regard to certain beneficiaries of operations financed by the Guarantee Section of the EAGGF. For the purpose of implementing this Regulation, which provides for an information-exchange mechanism between the Commission and the Member States, the Commission has established various protection measures for processing carried out by its departments.

The European Custom authorities exchange personal data with their counterparts in third countries in the framework of Mutual assistance agreements signed by the Communities and third countries.. At the request of the European side such agreements include special provisions ensuring the respect of the data protection principles.

Data protection in non Community Instruments

Several instruments adopted or in the process of being adopted under title VI of the Treaty of European Union (Cooperation in the field of Justice and Home Affairs) imply the processing of personal data. Specific data protection provisions are therefore inserted in these instruments and in implementing regulations. The competent bodies of the Council of the European Union worked on detailed data protection rules for Europol which are to be part of implementing regulations likely to be adopted in 1997. Detailed rules were also discussed for the draft Eurodac Convention on fingerprints of asylum seekers.

Such instruments adopted under title VI of the Treaty on European Union do not use the data protection arrangements designed by the directive but rely on specific solutions which do not grant the same rights to individuals or judicial remedies and do not rely on the same form of independent supervision.

Schengen

The majority of EU Member States take part to the Schengen Agreement, which provides for cooperation in the field of police, customs and immigration in order to compensate the elimination of border control at their internal borders. An essential element of these compensating measures is the establishment of a common information system, the Schengen Information System (SIS). In this context the Agreement also contains provisions on data protection, including a Common Control Authority, consisting of representatives of the national supervisory authorities in the Schengen countries. The Common Control Authority has recently published a report on its activities during the first two years (March 1995-1997). The report underlines the importance of an independent control authority with sufficient powers and resources to fulfil its task in an appropriate way. It also stresses the need for transparency of the information process for the citizen.

Dialogue with third countries on data protection matters

The directive not only regulates the processing of personal data within the EU but also includes provisions on the transfer of data to third countries (arts. 25 and 26). The basic principle is that Member States should only permit such transfers where an adequate level of protection for the data is ensured. There is clearly the possibility that there will be cases where adequate protection is not assured and, assuming none of the relevant exemptions applies, transfers will be blocked.

Such a turn of events could cause significant disruptions to world-wide flows of personal data and, as a consequence, to international trade. Although Article XIV of GATS (General Agreement on Trade in Services) would permit the blocking of personal data transfers, it would nevertheless be preferable if this could be avoided. A far better solution would be for those third countries to whom data are regularly transferred to improve their level of protection to a level which could be considered adequate.

The EU negotiates general agreements which provide a framework for relations (cooperation, trade relations) with a particular third country. Such agreements usually cover a broad range of topics ranging from foreign policy and security concerns to trade and economic development issues. Since the adoption of the data protection directive the Commission's services have been seeking to include privacy and data protection either directly or indirectly in such agreements, as and when they come to be negotiated.

Certain countries might be attractive "data havens" for economic operators seeking lower data processing costs, the objective in agreements between the Community and these countries has been simply an exchange of information, (a kind of "early warning") together with a recommendation that the country in question considers how they might be able to ensure adequate protection in respect of transfers from EC countries. Data protection has thus far been raised in this way with Mexico and Pakistan. The list is an expanding one.

Data protection was discussed at several meetings of the Information Policy Working Group (IPWG), a forum which brings together the Commission's services with representatives of Japan's ministry for industry (MITI). A data protection law covering the public sector, albeit one which includes some rather wide exemptions, already exists. The Japanese authorities are considering how best to develop privacy rules for the private sector.

A major exercise redefining and relaunching the EU-US relationship culminated at last December's 1995 Madrid summit with the signing of the New Transatlantic Agenda. A key part of this agreement was an Action Plan describing a number of specific actions and goals. As part of the Action Plan the two sides agreed to discuss data protection and privacy issues "with a view to facilitating flows of personal data while addressing risks for privacy". Several rounds of general discussions on privacy and data protection have indeed taken place between the Commission's services and the US administration in the context of the broader dialogue on the Information Society. As a result of these discussions a dedicated dialogue on data protection was established and several meetings took place from May 1996 onwards. Discussions looked at the differences of approach to privacy protection in a number of specific sectors, as well as covering more strategic questions regarding possible international solutions.

The framework agreement with Canada signed in December 1996 provides for the same type of discussions between the European and the Canadian authorities on privacy issue.

Naturally the logical long-term solution to problems of international flows of personal data would be a multilateral agreement on a set of binding data protection rules. Commissioner Sir Leon Brittan mentioned the need to address these issues in the future in his speech at the Singapore WTO Conference of December 1996.

The directive is due to be incorporated in the European Economic Area agreement which binds the Community with Iceland, Liechtenstein and Norway. Discussions to that effect have started in 1996 between the Commission's services and the services of the EFTA.

Beyond these specific actions the Commission aimed at developing a coherent policy in view of the application of the directive's provisions on data transfer to third countries. A study on the methodology for the assessment of such data transfer was Commissioned to the 'Centre de Recherche Informatique et Droit' of the University of Namur in Belgium. This work has served as a basis for the discussion on these issues within the Working Party.

COUNCIL OF EUROPE

The Council of Europe continued its steady work on data protection issues. The Project Group on Data Protection (CJ-PD) and its specialised sub-groups discussed recommendations on specific issues to be adopted by the Committee of Ministers representing all the Member States of the Council of Europe. On the other hand the Consultative Committee created by Convention 108 (T-PD) gathers representatives of the 17 States which adhere to the Convention.

The organs of the Council of Europe have been working on three recommendations. One concerning the use of medical data was finalised by the CJ-PD at the end of 1996 following the coordination of the Member States of the European Union. The text which was subsequently adopted on 13 February 1997 by the Committee of Ministers replaces the 1981 Recommendation on the same subject. Work is fairly advanced within the CJ-PD on a recommendation dealing with the processing of statistical data which partially replaces the 1983 Recommendation on scientific research and statistics. The text should be finalised in 1997. The CJ-PD is also considering a draft recommendation on insurance data. Finally a working group has been discussing the implications of the use of certain new technologies.

The Consultative Committee of Convention 108 discussed about the processing of sounds and images and the processing of data relating to deceased persons.

MAJOR DEVELOPMENTS IN THIRD COUNTRIES

European Economic Area

The directive is due to become effective also in the framework of the European Economic Area once incorporated in the EEA agreement. Work in view of the transposition has already started in the non EC Members of the agreement. Norway and Iceland already adhere to Council of Europe Convention 108 and have data protection legislation in force. Representatives from the data protection authorities of these two countries were invited to attend the meetings of the Working Party as observers.

In Norway the Data Inspectorate has responsibility for ensuring enforcement of the Personal Data Registers Act of 1978. In 1996 6049 cases were dealt with by the Data Inspectorate. The Data Inspectorate processes applications for licences for personal registers and other activities that are subject to licensing according to the act. In 1996 2713 licences were granted.

The Inspectorate is active in managing the flow of information to the outside world. It receives a large number of enquiries from the media and plays an active role in spreading information. It is also responsible for preparing information material and an annual report, and is publishing the magazine SPOR quarterly.

A committee has started considering the need for amendments to the Norwegian Personal Data Registers Act in the light of the directive. In spring 1997, the committee will submit its proposal for a new Act.

Countries of Central and Eastern Europe

The Commission in its White Paper establishing a pre-accession strategy for the EU candidate countries from Central and Eastern Europe recommended accession to Council of Europe Convention 108 as a first step in the data protection field. A number of these countries have data protection legislation (Hungary, Estonia and Slovenia in particular) and most of the others are in the process of adopting such legislation. These countries participate in the Council of Europe's work on data protection.

Other Third Countries

1996 saw a renewed debate on privacy issues in several third countries. Technological developments and in particular the Information Society most of all have pushed governments, consumers groups, business and academics to reassess the existing privacy policies and discuss new policies for the future. The adoption of the European directive has added additional impetus to this debate.

Such developments were particularly noticeable in the United States where several government agencies considered data protection issues. The Federal Trade Commission (FTC) organised a Workshop on 'Consumer privacy on the Global Information Infrastructure' in June 1996 and launched a study on 'On-line look-up services'. The National Telecommunications and Information Agency (NTIA) issued a white paper on 'Privacy and the National Information Infrastructure' in October 1995 and continued their study of privacy issues. The White House noted the importance of privacy issues in the preliminary report 'Framework for Global Electronic Commerce' issued in December 1996.

Provisions on the protection of privacy were scattered in a number of drafts presented to Congress. Such provisions were adopted in the Telecommunications Act 1996, which restructures the US regulatory regime for telecommunications and imposes several specific privacy obligations to service providers. It requires confidentiality of customer information (Customer Proprietary Network Information) including transactional data. Implementing regulations will be issued by the FCC.

The protection of privacy in on-line services featured at the centre of the controversies linked to the Communication Decency Act 1996 and the US Government policy on cryptography.

In Australia the Government issued a white paper in 1996 which considered the advisability of extending privacy legislation to the private sector. The current legislation only affects the public sector.

At the International privacy Conference in Ottawa in September the Canadian Justice Minister announced the Government plan to extend privacy legislation to the private sector. the current federal legislation only affects the public sector. Legislation of the province of Quebec also covers the private sector.

Hong Kong has passed a Personal Data (Privacy) Ordinance. This is a comprehensive piece of legislation affecting both the private and the public sector. This legislation is not expected to be affected by the return of Hong Kong to Chinese rule. The Privacy Commissioner for Personal Data is in charge of the application of the Ordinance.

OTHER DEVELOPMENTS AT THE INTERNATIONAL LEVEL

1996 saw a lively debate on data protection matters in international organisations (sections 5.1 and 5.2) and in international conferences (section 5.3).

The International Labour Office

The International Labour Office adopted a Code of Practice on the protection of Workers' privacy. The Code of practice which is the fruit of years of work gives detailed rules on the processing of data relating to employees, applicants and former employees. The Code of practice, a non-binding instrument, is directly addressed to employers who are invited to abide by its rules.

Organisation for Economic Cooperation and Development OECD

The OECD elaborated during 1996 guidelines on cryptography policy. These guidelines regulate inter-alia the access to encrypted messages for legitimate reasons by the authorities. The guidelines support the adoption of systems of Trusted Third Parties to which copies of cryptographic keys must be entrusted. During the debates privacy issues were raised also in relation to the rules established by the directive in relation to access to personal data by the authorities. At the time of the final approval of the guidelines (March 1997) the European Commission made it clear that if the EC Member States intend to enforce the guidelines they shall do this respecting the rules of the directive.

International Conferences and debates

Every year an international conference on privacy is organised by one of the national authorities in charge of data protection and privacy. In 1996 the Conference was organised in Ottawa by the Canadian Privacy Commissioner. The main points on the agenda were North America and the European directive, the Global village issues and problems, identification in government services & health information, consumer surveillance and technological and legislative options to protect privacy.

A conference on Electronic Money organised in September by the US Treasury addressed several privacy issues.

An international conference on data protection in the Information Society was organised in Brussels by the University of Namur and sponsored by the EC Commission and the Council of Europe. It was attended by policy makers from North America and Europe.