
Working Party on the Protection of Individuals
with regard to the Processing of Personal Data

SECOND ANNUAL REPORT

 

Adopted by the Working Party on 30 November 1998

(WP 14 DG XVD/5047/98 final)

CONTENTS

1. Introduction

2. Developments in the European Union
  2.1. The directive
   2.1.1. Working Party on Data Protection
   2.1.2. Transposition into Member States' National law
   2.1.3. Respect for the directive by European Institutions
  2.2. Developments in the field of data protection. Activities of the authorities responsible for data protection
  2.3. Development of the European Union's policy in the field of data protection
   2.3.1. Sectoral initiatives
   2.3.2. Data protection and other Community instruments
   2.3.3. Data protection and non Community instruments
  2.4. Schengen
  2.5. Dialogue with third countries on issues relating to data protection

3. The Council of Europe

4. Principal developments in third countries
  4.1. European economic area
  4.2. Central and Eastern European countries
  4.3. Other third countries

5. Other developments at the international level
  5.1. Organisation for Economic Cooperation and Development (OECD)

6. Annexes

THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

instituted by European Parliament and Council Directive 95/46/EC, of 24 October 1995,

given Article 29 and Article 30(6) of the aforementioned directive,

given its rules of procedure and, in particular, Articles 12, 13 and 15,

adopted this annual report.

1. Introduction

On 24 October 1995, the European Parliament and the Council adopted Directive 95/46/EC concerning the protection of individuals with regard to processing personal data and the freedom of movement of this data (designated hereafter by "the directive").

Article 29 of the directive instituted the Working Party on the Protection of Individuals with regard to the Processing of Personal Data. This Working Party was required to provide the Commission, the European Parliament and the Council with an annual report on the state of the protection of individuals with regard to processing personal data in the Community and in third countries. This report had to be published.

The first report was adopted on 25 June 1997, and covered the main new facts observed in 1996 in the field of data protection. This second report covers 1997, and essentially follows the structure of the first report, in order to facilitate analysis of developments: the second part is thus devoted to developments in the European Union, both in the Member States and at the Community level. The third part addresses the work of the Council of Europe. The fourth part deals with the main developments in third countries and the fifth part introduces other developments at the international level.

At the Community level, 1997 was marked by several major developments:

  • signature of the Amsterdam Treaty, including a specific provision on the protection of personal data (see part 2.1.3);
  • the adoption of Directive 97/66 on the protection of personal data in the telecommunications sector (see part 2.3.1);
  • the adoption of the first documents of the Working Party created by Directive 95/46, which quickly reached cruising speed and whose activities are increasingly met with interest in related areas (see part 2.1.1).

Moreover, the process of transposing Directive 95/46/EC entered the crucial phase, and the Council of Europe's Convention 108 saw the accession of two new countries (Switzerland and Hungary).

2. Developments in the European Union

2.1. The directive

The process of implementing the directive was begun in 1996 in all Member States and at European level. Part 2.1.1 recalls the Working Party's attributes and activities in 1997, part 2.1.2 describes the procedures for transposing the directive at the national level and part 2.1.3 highlights the measures taken by the European institutions to conform to the directive's rules.

2.1.1. Working Party on Data Protection

The Working Party comprised representatives of the independent national authorities responsible for data protection and a Commission representative; it will also include a representative of the authority responsible for issues connected with data protection within the European institutions, from the date this authority is established (see part 2.1.3).

By sharing the experience of the national authorities, the Working Party encourages the adoption of a coherent strategy for applying the general principles stated in the directive and advises the Commission on issues linked to data protection. In particular its role consists in delivering its opinion on the level of protection in the Union and in third countries, and in issuing recommendations on any issue concerning the protection of individuals with regard to the processing of personal data.

The Working Party met for the first time on 17 January 1996. This early beginning for the Working Party's work was at the request of the national authorities responsible for data protection. The Working Party is chaired by Mr Peter J. HUSTINX, Chairman of the Dutch authority responsible for data protection (Registratiekamer). Since Greek and Italian legislation on the protection of personal data came into force, the Working Party now assembles the supervisory authorities of all Member States.

In 1997, the Working Party met four times and examined an increasing number of issues. In particular, discussions begun in 1997 allowed the following documents to be adopted:

(1) Recommendation 1/97 on data protection and the media, which dealt with the balance between the protection of privacy and other principles of a constitutional nature, such as the freedom of the press, stressing that these principles (far from being paradoxical) were mutually strengthened (document WP 1 - 5012/97);

(2) Opinion 1/97 on the Canadian initiative concerning standardisation regarding protection of privacy (WP 2 - 50023/97);

(3) The first annual report (WP 3 - 5025/97);

(4) The first guidelines of the Working Party on the transfer of data towards third countries (WP 4 - 5020/97);

(5) Recommendation 2/97 on the report and guidelines of the international Working Party on data protection in telecommunications (WP 5 - 5060/97);

(6) Recommendation 3/97 on anonymity on the Internet (WP 6 - 5022/97);

(7) The working paper on the evaluation of self-regulation codes relating to the transfer of data towards third countries (WP 7 - 5057/97);

(8) The working paper on notifications (WP 8 - 5027/97).

It is appropriate to stress that all the documents adopted by the Working Party are available on the European Commission's "Europa" site, and can be consulted at the following address:

http://europa.eu.int/comm/dg15/index.htm

2.1.2. Transposition into Member States' national law

This part summarises the progress made in transposing the directive into national law during 1997 and takes into account developments to 30 June 1998.

In Belgium, the Bill to transpose the directive, revised following the opinion of the Council of State, was submitted to Parliament in April 1998.

In Denmark, the Bill was submitted on 30 April 1998, and Parliament finished its first reading in June.

In Spain, the preliminary Bill amending current legislation on data protection (organic law 5/1992) was submitted to the Council of State for opinions and should be discussed by Parliament during summer 1998; however, most of the provisions have already been transposed by the "Ley Organica" 5/1992 of 29 October 1992 on the automatic processing of personal data.

In Germany, it was the federal legislator who was primarily responsible for transposition of the directive. This responsibility - which comes under its legislative powers according to Article 74 of the Constitution - covers not only the public domain of the Federation but also the non-public domain where the majority of changes should occur. Nevertheless - mainly in the public sector - the data protection laws of the Länder also have to be standardised so as to conform with the directive's provisions. In addition to the general laws on data protection, a large number of both federal and regional Regulations regarding specific areas of the legislation on data protection have to be examined. The Federal Commissioner and the Commissioners of the Länder charged with data protection, and the monitoring authorities responsible for the non-public sector, treated the issue of the forthcoming amendment to German law on data protection as part of their respective responsibilities. The Ministry of the Interior, which is in charge of the legislative procedure, submitted a bill on 1 December 1997, on which the Federal Data Protection Commissioner made comments on 30 January 1998. A new bill of 8 April 1998 has not been dealt with further because of the national election on 27 September 1998. Due to the constitutional principle of discontinuity of legislation, a new draft bill has to be submitted to Parliament in the new legislative period.

The Greek law on data protection (law 2472/97 on the protection of the individuals with regard to the data processing of a personal nature) was ratified by the Greek Parliament on 26.03.1997 and was published on 10.04.1997. In accordance with the provisions of the law, the Chairman of the authority (who has to be a Judge at the Supreme Court) was nominated by the government and the six members were appointed by the Parliament. These appointments were made in 1997, and the authority is now operational.

In France, a report was sent to the Prime Minister in March 1998 and will be followed by a new report on telematic networks. The French authority responsible for data protection, the Commission Nationale de l'Informatique et des Libertés (CNIL) will be consulted concerning the preliminary bill, which was not however available at the time of the drafting of this report.

In Ireland, the Justice Minister is responsible for legislation on data protection. The legislation necessary to apply the directive, which will include amendments to the law of 1988 on data protection, is being drafted.

In Italy, the law on the protection of personal data was adopted on 31 December 1996; it entered into force on 8 May 1997. Parliament authorised the government to legislate by regulatory way to amend and supplement the law for transposition of the directive.

In Luxembourg, transposition of the directive into national law falls to the Ministry of Justice. A bill was drawn up in 1997, but was later withdrawn. A new bill will be examined by Parliament in September 1998.

The Netherlands government had announced its intention to replace the current law on data protection, in force since 1 July 1989, with an entirely new law on the same subject, in accordance with the provisions of the directive. On 16 February 1998, a bill was submitted to Parliament to that end. The relevant parliamentary subcommittee gave its opinion in June 1998, and the debate in plenary session is expected to take place before the end of this year.

The Austrian federal chancellery (Österreichisches Bundeskanzleramt) prepared a draft for transposition of the directive into national law, which was examined by the Council responsible for data protection; a revised version should be submitted to Parliament in autumn 1998.

In Portugal, the Constitution was revised by constitutional law N° 1/97 of 20 September 1997 in order to be able to transpose the directive. Indeed, the Portuguese Constitution includes provisions on data protection which, in certain cases, are more restrictive than those of the directive. The Portuguese authority for data protection played an important role in the Working Party created by the Minister for Justice in order to write the preliminary bill transposing the directive. This preliminary bill was distributed for consultation and was published on the Ministry of Justice's Internet site. The draft law was submitted to Parliament on 2 April 1998; it should be adopted by 24 October 1998.

In Finland, an ad hoc committee responsible for the transposition of the directive (Henkilötietotoimikunta) completed its work in 1997. The bill was submitted to Parliament in July 1998.

In Sweden, the new legislation on data protection was adopted by Parliament on 16 April 1998. Some further measures will be adopted by regulatory means in September 1998.

In the United Kingdom, the bill on data protection was submitted to Parliament on 14 January 1998, and was adopted in July 1998 (Royal Assent was given on 16 July 1998). Secondary legislation is the subject of public consultation until 30 September. It is not expected that the law will come into force before early 1999.

2.1.3. Respect for the directive by the European institutions

The European institutions and the Commission in particular frequently deal with personal data in their activities. The Commission exchanges personal data with the Member States within the framework of the Common Agricultural Policy, for the management of customs procedures, of the Structural Funds, etc. In order that protection in Europe did not suffer from weaknesses, the Commission, when it proposed the directive in 1990, stated that it would also respect its principles.

At the time of its adoption, the Commission and the Council undertook, in a public declaration, to comply with the directive and asked the other institutions and Community bodies to follow suit.

During the intergovernmental conference for revision of the Treaties, the question of applying the rules of data protection to the European institutions was raised by the Dutch and Greek governments. At the end of negotiations, the Treaty signed in Amsterdam introduced a specific provision to this end. In the final numbering of the treaty, this is Article 286, which is formulated as follows:

"(1) From 1 January 1999, Community acts on the protection of individuals with regard to the processing of personal data and the free movement of such data shall apply to the institutions and bodies set up by, or on the basis of, this Treaty.

(2) Before the date referred to in paragraph 1, the Council, acting in accordance with the procedure referred to in Article 189b, shall establish an independent supervisory body responsible for monitoring the application of such Community acts to Community institutions and bodies and shall adopt any other relevant provisions as appropriate."

Article 286 therefore stipulates that from 1 January 1999 Community institutions and bodies should apply Community rules on the protection of personal data, as fixed by Directive 95/46/EC. It also stipulates that before that date, according to a proposal by the Commission, the European Parliament and Council should create an independent supervisory authority responsible for ensuring the rules referred to above are correctly applied by Community Institutions and that all necessary measures are taken.

Prior to ratification of the Treaty, the Commission departments prepared a preliminary draft Regulation; the relevant Working Party was consulted for opinions on 16 March 1998.

2.2. Developments in the field of data protection. Activities of the authorities responsible for data protection

This part highlights the principal developments in the field of data protection, and is particularly concerned with the work of the national authorities which are responsible for data protection. Additional information can be obtained from these authorities, which publish detailed annual reports.

Austria

The Austrian Federal Chancellery (Österreichisches Bundeskanzleramt) has prepared the draft of a new Data Protection Act that will transpose the directive into national law. In addition to transposing the directive, the draft addresses a number of other problems, including that of responsibility for databases set up by several Data Controllers.

In 1997, the Austrian Data Protection Commission settled more than 30 complaints lodged by individual citizens, 90 cases concerning licences to export data to third countries and approximately 80 registration cases.

The staff of the office of the Data Protection Commission was - just as in recent years - very busy in giving legal advice to citizens in many cases, both in writing and over the telephone. Since the liberalisation of telecommunication in Austria, the office has noted a sharp increase in requests for information on privacy issues regarding telephone billing systems, along with many other requests on subjects like data protection and direct marketing, social security and employment.

The complaints brought before the commission concerned for instance the right of a foreign employee not to let his employers know more about his legal status in Austria than what is contained in his official permit of residence. The commission also decided that a (public) telecommunication operator had no right to print a secret telephone number on monthly invoices to a bank, even if the financial institute had been given the number by the data subject earlier.

It appears worth mentioning that the commission has noticed an increased trend towards cross-border data flow for medical consultation as well as personnel management and computer system maintenance by multinational companies. Remote maintenance across national borders, in particular, appears to be one of the more important issues for the more immediate future.

 

Belgium

In 1997, the Belgian Commission put forward about forty opinions, mainly at the request of official authorities but also on its own initiative. These opinions referred to the application of the fundamental principles of the protection of privacy with regard to processing personal data. In 1997, almost 45% of these opinions concerned the national Register of individuals.

The Belgian Commission is competent to examine complaints submitted to it. The majority of letters concerning individuals' complaints are actually requests for information. In 1997, the Commission effectively dealt with about fifty complaints.

As regards consumer credit, the number of complaints remained unchanged at approximately 500.

Concerning indirect access to Information Department and Police Force files, the Commission had to deal with 34 requests.

The Commission fulfils a role of public information. In 1997, the Commission received almost 700 requests for written information and answered numerous questions by telephone.

In 1997, more than 7 000 cases of data processing were referred to the Commission, 30% of which related to the health care sector. The number of requests for information on the public register held by the Commission including these declarations rose significantly.

The Belgian Commission also took part in various scientific and information meetings at the national and international level and organised the 19th international conference of data protection commissioners, which was held in Brussels from 17 to 19 September.

 

Denmark

In 1997, the Data Protection Commissioner dealt with more than 2,000 new cases in the public and private areas. Over the same period, the Commissioner has performed more than 70 inspections of public authorities and private companies.

The Commissioner gave an opinion to the Ministry of Research on a draft proposal for a Law on digital signatures. The Commissioner in general is in favour of the draft since legislation in this area could contribute to the development of digital communications and to improving security of communications in this area.

The Commissioner expressed the opinion that for sensitive information on a patient to be transmitted through the Internet between public authorities in the health sector, this information must be encrypted, and that this should result in the necessary high level of protection. In connection with this case, the Commissioner stated that, in his opinion, sensitive personal information should not be kept on computers that can be connected to the Internet if the necessary safeguards against unauthorised access have not been established.

In another case, the Commissioner expressed concern in relation to the setting up by a hospital of a database to which doctors were to have access through the Internet in order to supply or search personal information. In the opinion of the Commissioner, access to such databases should be established through closed networks.

Concerning the issue of encryption of information on the Internet, the Commissioner gave his opinion on the draft Communication of the European Commission concerning electronic signatures and encryption. In particular, the Commissioner stressed the paramount importance of ensuring the right to privacy and the confidentiality of communications, and considered that restrictions to cryptography violate these principles.

The Commissioner has also dealt with the question of the so-called "cookies" on the Internet. According to his opinion, the use of cookies may represent a threat to privacy, but this is not necessarily the case. The most important issue is that the users of the net are aware of the phenomenon so that they can take adequate countermeasures.

Also, a minor amendment to legislation on data files held by public authorities entered into force on 1 January 1997; it extended the official authorities' right to communicate data on their debtors to private financial assessment organisations.

 

Finland

Regulatory developments

In Finland, the Personal Data Commission, appointed by the Ministry of Justice for the reform of the Personal Data Files Act, submitted its report on 16 May 1997. Comments on the report were called for; thereafter the preparation of the new "Personal Data Act" was continued in the Ministry of Justice. The objective is to implement, by the deadline of 24 October 1998, the provisions of Directive 95/46/EC. Another relevant reform is being prepared by the Ministry of Justice: the draft proposal for a new Act on Open Government includes inter alia provisions on the personal data filing systems processed by public authorities and the definition of good practice in information management.

The Europol Convention and the pertinent legislative amendments were adopted by the Parliament at the end of 1997. The Data Protection Ombudsman was designated as the national supervisory Authority. The provisions of Directive 97/66/EC on data protection in the telecommunications sector are intended to be implemented by the new act on the protection of privacy and data security in telecommunications, under preparation in the Ministry of Transport and Telecommunications. A number of other sectors have seen the launch of legislative projects involving, among other things, the requirements of Directive 95/46/EC.

A working party set up by the Ministry of Justice in 1997 has looked into the regulatory needs relating to digital signatures and certification bodies. A working party set up by the Ministry of Health and Welfare in 1997 is looking into the use of technologies in health care and the need to take data protection issues into account. In connection with this work, the need for, and the opportunities offered by, a health care customer card will be studied. Finally, a working party set up by the Ministry of Employment in 1997 has looked into the issues of privacy of employees in relation with personnel selection and testing.

Case Law

In Finland, public prosecutors must hear the Data Protection Ombudsman before bringing charges for a data file offence or a data file violation. Correspondingly, the Court must give the Ombudsman an opportunity to be heard. The requests for statements have steadily increased, and so have the court cases (in 1997 there were 12 such requests). In most cases, the matter has been the illegal use of personal data stored in a computer system: a person in the service of the register keeper utilised the data for personal gain in one manner or another.

Activity of the Data Protection supervisory Authorities

Within the available resources, the office of the Data Protection Ombudsman made a special effort to improve its information services. The main channel for information is the Data Protection Newsletter. In 1997, the office opened its own home pages on the WWW. At the same time, an information package on citizens' rights and how to use them was produced. In practical terms, the operations of the office focused on the fields of health care and employment. More and more resources were allocated to data protection issues arising from the increased use of computer technology and networking (including the Internet).

Data transfers to third countries

In Finland, the permission of the Data Protection Board is required for data transfers to third countries if the personal data is transferred as a mass delivery or as a sensitive sample to a country whose level of data protection legislation does not meet the Finnish standards. Other mass transfers of personal data must be notified to the Data Protection Ombudsman.

Notifications of transfers to third countries have mainly been of two types:

Firstly, names and addresses have been transferred to the United States for purposes of printing and mailing of direct advertising materials. The US operator has given an undertaking to secure the data and not to use them for other purposes. After the operation, the data have been returned to Finland.

Secondly, the Finnish subsidiaries of foreign companies have notified transfers of personnel data to the central personnel management system of the group or venture. The data are to be used only in personnel management and careers planning; they are available to the companies of the group operating in various countries. The Data Protection Ombudsman has instructed that the personnel are to be informed of the transfer and that appropriate data security measures are undertaken.

France

In 1997, 4.452 cases were referred to the Commission Nationale de l'Informatique et des Libertés (CNIL), including 821 requests for advice and 2.348 complaints. It also received 2.724 requests for opinions on the processing of personal data in the public sector, out of a total of 67 136 cases on the processing in the public and private sectors. The main fields in 1997 are given below.

Social Security reform and the aim of better control of health expenditure have led France to set up the largest intranet network on which particularly sensitive data on health can circulate. Every member of the social security scheme and every health professional will be provided with a smart card by the year 2000 which will allow the transfer of data necessary for refunding health care by Social Security organisations; after this date no paper documents will be used in this area. The computerisation of health professionals, the implementation of this network, the distribution of smart cards to members of the social security scheme and health professionals, the constitution of national files of professionals and members of the social security scheme (not only parents but also their children, from birth), and the new use of coding of all possible pathologies have mobilised the national data protection authority, which worked in close co-operation with organisations representing health professionals and patients. The CNIL has pronounced its reservations on the subjects which the French government approached it about, reservations which, for the most part, were taken into account. In February 1997, however, the CNIL wished to adopt a general recommendation on health networks, which was given a warm welcome (OJ of 12 April 1997).

The emergence of behavioural mega-databases drawn up using questionnaires comprising almost two hundred questions, and distributed by several private companies, caused numerous complaints to the CNIL. In this context, the subcommittee adopted a recommendation intended to specify the conditions in which individuals had to be informed in a clear and honest way of the commercial purpose of collected data and of their rights. Indeed, the operators concerned used ambiguous expressions which could give reason for thinking that they were exclusively statistical surveys performed on behalf of the state. The CNIL also addressed a warning to one of these operators which had omitted from their questionnaires the box to be marked by individuals objecting to their data being transferred to third parties. In a judgement on 30 July 1997 the Conseil d'Etat, the highest administrative jurisdiction in France, confirmed the cogency of this warning. This was the first judicial decision which related to a warning addressed by the CNIL to a company responsible for data files.

In the banking sector, the significant number of complaints about which it was approached has led the subcommittee to carry out control missions at the largest banking establishments, with the aim of better managing banking information used for establishing profiles. These controls have to be supplemented by on-the-spot visits to credit organisations to check the conditions of use of "credit scoring". It has emerged that for equal financial status, the criterion of nationality could enable these establishments to discriminate between French nationals and nationals of another European Union country, or French nationals and nationals of a third country.

In order to facilitate the application of the law to Internet activities, the subcommittee drew up a standard model regulating the processes used for the various ministries' Internet sites. This model, together with the guide distributed to all those responsible for websites, repeats the recommendations drawn up in co-operation with individuals concerned, pertaining to the principal uses of Internet, electronic messaging, discussion fora, on-line data collection as well as the diffusion of personal information. In the latter case, the subcommittee on the one hand particularly stressed the right of those concerned to object beforehand or at a later date to the diffusion of data concerning them, on the other hand it reminded users of sites about the ban on using personal data distributed in this way for other purposes, in particular for commercial ends. So, in France the following rights are currently recognised:

  • the right of individuals to object to public administrations disseminating their organisation charts through public sites or directories (ruling of 16 May 1997, OJ of 18 May 1997),
  • the right for subscribers listed in telephone directories to object to appearing in reverse directory services and in directories accessible by Internet (CNIL's recommendation of 8 July 1998, OJ. of 2 August 1997 and France Telecom's decision of 23 January 1998 published in the OJ of February 1998).

Lastly, the CNIL, in the early days of 1998, celebrated the twentieth anniversary of the "Information Technology and Freedom" Law of 6 January 1978. On this occasion, it gave "Information Technology and Freedom" prizes to six people or organisations which had particularly shown their concern for data protection, and it launched its Internet site (http://www.cnil.fr) which included a particular function which enabled all users to become aware of the "traceability" of their navigation on Internet.

Germany

Following the 1983 ruling by the Federal Constitutional Court concerning the Census Law, which was of significance for data protection legislation, it became necessary, among other things, to establish a legal basis for the numerous official communications from courts and public prosecutors' offices, especially in criminal proceedings, to other public bodies such as public-sector employers. The amount of material involved meant that it was not until 26 June 1997, following protracted preparations, that the Law on Judicial Communications (Justizmitteilungsgesetz) was promulgated. The Law lays down a broad framework for situations where data transfers of this kind are permissible provided that they are regarded by the transmitting body as being necessary for the performance of the recipient's responsibilities and provided that it is not clear for that body that the person concerned has an overriding, protectable interest in preventing such transfers. The provision of extensive information on such communications to those concerned, which was sought by the data protection agencies, remains - unfortunately - very limited, and this with a view to alleviating the administrative burden. Once supplemented by administrative regulations determining those judicial communications that will generally be permissible, the Law on Judicial Communications entered into force on 1 June 1998.

Genome analysis became increasingly important in criminal proceedings in 1997. The Federal Data Protection Commissioner strongly urged that there should be statutory authorisation for the planned, central storing and processing of the results of DNA analyses at the Federal Criminal Office.

From a German viewpoint, the Law ratifying the Europol Convention is not only an important milestone in preparation for Europol's involvement but also contains important rules on, among other things, the qualifications and independence of the German representative on the complaints Commission of the joint control body at Europol.

With the liberalisation of the telecommunications market, a large number of new suppliers are now operating in Germany. During the review period, therefore, further sectoral regulations had to be adopted, and these contain important provisions on data protection. In June 1997 the Information and Communication Services Law (Informations- und Kommunikationsdienste-Gesetz) was adopted. It lays down rules on data protection in connection with the utilisation of telecommunications services. It was accompanied by the Signature Law (Signaturgesetz), which creates the legal environment for secure digital signatures. The Telecommunications Customer Protection Decree (Telekommunikations-Kundenschutzverordnung) was promulgated in December 1997 and entered into force in January 1998. In 1997 the Federal Data Protection Commissioner assumed responsibility for monitoring compliance with data protection rules by firms providing telecommunications services.

The Postal Services Law (Postgesetz), which entered into force in January 1998, is an important step towards full liberalisation of the market in postal services. Under that Law, all firms supplying postal services must observe secrecy with regard to their activities and must comply with the traditionally higher data protection standards in the postal sector than those that apply under general data protection legislation. The Federal Data Protection Commissioner has also been granted new supervisory powers for this sector.

The legislative procedure for introducing acoustic surveillance of residential premises made significant progress in the review period. The new rules, which were approved in March 1998, permit infringements of the basic right to the inviolability of residence. They represented an acceptable compromise between protection of an individual's private life in the narrowest sense and an important instrument to tackle organised crime. Following a judicial ruling, technical means may be used for the acoustic surveillance of residences which it is reasonable to assume are occupied by the accused. This, however, is permissible only for the investigation of particularly serious criminal offences. Compliance with the statutory provisions, under which the surveillance measure can be applied only as a last resort in criminal proceedings, is monitored by a court. Moreover, Parliament has to be informed each year of all surveillance operations. Since the parties concerned also have to be informed once this is possible without jeopardising the purpose of the investigation, they may have recourse to the courts to verify the legality of the surveillance measure taken.

Greece

With law 2427 of 10 April 1997 on the Protection of the Individual with respect to the Processing of Personal Data, Greece was the last member State to adopt a law on data protection but the first to transpose the framework directive, well ahead of schedule.

The President and the six Members of the Hellenic Data Protection Authority with their alternates were appointed in October 1997 in accordance with the procedure provided by Article 16 of the new Law (government nomination and parliamentary confirmation). The Authority started operating on 10 November 1997 and devoted its 1997 sessions to practical issues such as the adoption of its internal rules and regulations, the hiring of specialised and secretarial personnel and the purchase of the necessary equipment. Moreover, the President and the members of the Authority participated in numerous conferences and seminars on data protection issues. The Authority is expected to fully assume its duties by fall 1998.

Ireland

Regulatory developments

The Department of Health consulted the Data Protection Commissioner about a proposal to establish a population register to assist a national Cervical Cancer Screening Programme. It was proposed that data in the register would be obtained from the then Department of Social Welfare, the General Medical Services (Payments) Board and the Voluntary Health Insurance Board. The Commissioner took the view that such disclosure of data by any of these agencies was beyond their legal capacity as data controllers. The outcome was the Health (Provision of Information) Act, 1997, which enabled data controllers to make the necessary disclosures in specific circumstances and under specified controls. The Commissioner publicly expressed his approval for the level of privacy protection contained in the legislation.

The Commissioner expressed concern, on the other hand, about section 15 of the Housing (Miscellaneous Provisions) Act, 1997. This was a measure designed to reduce the likelihood of individuals with records of criminal or anti-social behaviour being placed in local authority housing, by enabling information about them to be disclosed by the police and other agencies to the housing authorities. The Commissioner was consulted when this legislation was being drafted. He questioned whether the provision was necessary at all, given that section 8 of the 1988 Data Protection Act permitted disclosure of personal data if non-disclosure would prejudice the prevention, detection or investigation of an offence. He furthermore commented that in his view the proposed section 15 was open to challenge on the grounds that it was excessively broad and lacking in proportionality. Notwithstanding the Commissioner's comments, however, the provision was enacted.

Case Law

While appeals against a decision by the Commissioner on a complaint, and an Enforcement Notice which he issued to a health insurance company, remain before the Courts, no new case law was established by the Courts during 1997. The Commissioner welcomed the introduction by the Irish Direct Marketing Association of a Mailing Preference Service by which individuals can have themselves excluded from all mailing lists kept by the Association's members. This is a voluntary service which enhances the individual's existing right under section 2(7) of the 1988 Data Protection Act to require a data controller to cease using his personal data for direct marketing purposes.

Activity of the Data Protection Commissioner

During 1997, discussions continued between the Commissioner and Telecom Eireann, the Irish national telephone company, about their plans to introduce calling line identification. The Commissioner took the view that when CLI was introduced, subscribers should be able to choose with equal ease from a full range of options. An accommodation was reached with Telecom Eireann as follows:

a) On the introduction of the service and until they indicate a preference, all ex-directory subscribers will have their CLI withheld by default while other existing subscribers will have it presented, though the Commissioner's expressed preference was for CLI to be withheld at the outset for all subscribers. He reserved the right to raise this issue again after an initial trial period.

b) This arrangement was conditional on the demonstration by Telecom Eireann of a very high level of transparency in the information material which would be provided to telephone users before CLI was introduced. Such material would be submitted to the Commissioner in draft for his comments.

Complaints and enquiries to the Commissioner's Office during 1997 rose by some 10% over the previous year, indicating a continuing growth in the level of awareness of data protection issues on the part both of data controllers and of individual citizens.

Data transfers to third countries

No cases arose which requested the Commissioner to make an assessment of the level of protection in any given third country. The Commissioner received a number of enquiries from data controllers wishing to transfer data to third countries - generally from Irish subsidiaries of US-based multinational corporations which were asked to transfer data to their parent corporations. In such cases the Commissioner advises that in the event of a complaint relating to the use or disclosure of personal data in the third country, his investigation will commence with an examination of the measures taken by the Irish data controller to ensure that data transferred abroad will not be used or disclosed other than in keeping with the terms of the consent given by the data subject at the time the data were obtained.

Italy

Legislative framework

Laws 675 and 676 of 31 December 1996 on the protection of persons with regard to the processing of personal data aimed to transpose Directive 95/46/EC either directly (law 675) or by delegating powers to the Government, which was instructed to adopt the necessary measures (law 676). Law 675 also introduced the necessary provisions to implement Convention n° 108 of the Council of Europe: the instruments for ratification of this Convention were introduced on 29 March 1997 and the Convention entered into force in Italy on 1 July of the same year. In comparison with the directive and the Convention, the scope of Italian legislation is wider in that it covers any manual or automated processing of data on natural or legal persons. The four members of the Supervisory Authority ("Garante per la protezione dei dati personali") were appointed by Parliament in March 1997, the Authority being operational since the day law 675 entered into force (8 May 1997).

Other legislative instruments were introduced by decree (decrees 123 of 9 May 1997 and 255 of 28 July 1997) concerning information and simplified notifications.

Among the legislative instruments governing related matters, it is worth mentioning the law ratifying the Europol Convention (which gave the Authority for data protection the responsibility for the personal data contained in its national files) and the law instituting the Autorita per le garanzie nelle Comunicazioni, which envisaged the coordination of the supervisory authorities' activities and the possibility for the National Users Council to submit its opinions and suggestions to the Authority for personal data protection.

Activities of the supervisory authority

Law 675 lays down the obligation to inform the person concerned in advance of the data processing. Decree 123 stipulates that this information can be given orally, following suggestions from the Supervisory authority.

The Authority had to deal with several problems concerning the principle of assent; the first case concerned the banking sector, and in particular a form sent to customers of a large national bank: in its first version, the form required "general" assent for a very broad range of processing operations, and mentioned closing current accounts, and even cancelling the contract, of customers who would not give their general assent. Several complaints were submitted to the Supervisory authority, and on the basis of the evidence gathered, it adopted a decision asking the bank to amend the form and not to take into account the declarations received. Consultation was developed with the Bank Association and the Bank of Italy in order to settle numerous problems.

The Supervisory authority prepared a model form (in Italian and bilingual Italian-German) in order to facilitate notification of processing, the date of notification being set at 31 March 1998.

Processing of sensitive data was given particular protection: if a public entity were responsible for processing the data, it had to be authorised by an explicit statutory provision, specifying the data which could be dealt with, the operations permitted and the final aim in the public interest. The law stipulates however that for a period of transition - set at 7 May 1998 but liable to be extended by six months - public authorities can continue processing data received before the law entered into force, on the basis of communication with the Supervisory authority; if a person governed by private law were processing the data, sensitive data can only be processed with the written assent of the person concerned and with prior authorisation of the supervisory authority. There were 8,889 requests for authorisation.

In accordance with Article 41(7) of law 675, the supervisory authority adopted "typical authorisations" intended for certain categories of auditors or processors. The six authorisations, adopted on 31 December 1997, concern:

(1) processing of sensitive data in work reports;

(2) processing data concerning the state of health and sex life;

(3) data processing on behalf of non-profit-making associations;

(4) data processing on behalf of professions;

(5) data processing by certain categories of auditors (banking sector, insurance, tourism, transport, opinion polls, statistics, personnel selection, marriage agencies);

(6) processing sensitive data by private investigators.

One of the most delicate problems concerns data processing for the purposes of journalism or artistic or literary expression. The supervisory authority promoted the adoption of a deontological code in this field, by developing broad consultations with representatives of the category concerned. In December 1997 the Council of the Journalists' Order adopted a draft code on which the Supervisory Authority made its comments.

The Supervisory authority exercised its powers of investigation by having access to the Ministry of the Interior's centre for compiling data (the office for public security).

 

 

 

Netherlands

Legislative developments

During 1997 further steps were taken in The Netherlands in order to implement the European data protection directive into domestic law.

In February of this year the Dutch Data Protection Authority (Registratiekamer) delivered a very extensive opinion on the Draft bill produced by the Ministry of Justice. The conclusion of its opinion was that the new law would bring about an adequate protection of personal privacy with regard to the processing of personal data and an improvement of the personal rights of the data subjects.

The Registratiekamer proposed some amendments and clarifications to the present text which have been taken into account to a great extent in the bill which was put before the Parliament in February 1998.

The Dutch Data Protection Authority has also given a critical opinion regarding another legislative development having impact on the personal privacy of the data subjects: the new telecommunications law. This law extends the powers given to the police and other investigation bodies regarding telephone tapping and obliges telephone companies to store all traffic data and keep them available for police and justice bodies.

In its opinion, the Registratiekamer pleaded for the protection of the right of anonymity in the telecommunications sector. To this end, the use of pre-paid cards should be possible. Another concern of the Registratiekamer was the wish of the Dutch government to regulate and restrict the use of cryptography.

The Dutch Data Protection Authority has also issued other opinions to the Parliament regarding two new bills. The first one referred to a bill that, in order to facilitate the control of the legality of the residence of foreigners wishing to benefit from subsidised services, intended to link the database of the municipalities with the one of the foreigners administration. The second one dealt with special police registers.

Other developments: codes of conduct, publications and presentations.

The Dutch Data Protection Authority (Registratiekamer) was involved in the development of a code of conduct for the insurance sector. It published reports on several issues such as video-surveillance, registration of prostitutes by the police, central registration of patients for medication monitoring, unofficial information exchange between investigative bodies and third persons, working of municipal social services, etc.

The Registratiekamer has also participated in numerous conferences, seminars and workshops dealing with topics such as the protection of workers' privacy, international organised criminality, etc. It has also held various presentations for the promotion of Privacy Enhancing Technologies (PETs) and has been involved in the development of the first commercially developed information system in the health sector where PETs have been applied.

Technology assessment and privacy audits

A privacy audit was carried out in the Dutch part of the Schengen Information System; preliminary steps have been also taken for privacy-audits in different municipal administrations.

A technology assessment research dedicated to the phenomenon of datawarehousing and datamining (also known as knowledge discovery of databases) deserves to be mentioned as well.

Some figures regarding the activities of the Dutch Data Protection Authority in 1997

During 1997 the Registratiekamer answered almost 5,000 questions through its telephone helpdesk. It gave assistance to data subjects in 136 cases where mediation was asked and 238 complaints.

The Registratiekamer has given advice to the government on more than twenty occasions. It has received 971 registrations of data processing activities from the public sector and 1,220 from the private sector. At 31 December 1997 the total number of registrations was 56,663.

Portugal

The Data protection Authority (CNPDPI) continued to play an active role in raising awareness of the legal provisions being drafted in the field of personal data protection. It succeeded in persuading the Government that all government departments should declare to it any personal data processing carried out by them. It also continued to attend conferences and symposia and is in regular contact with the press. In November it held a well-attended symposium at which the main issues connected with transposing the directive into national law were discussed.

The CNPDPI carried out a growing number of checks, notably in connection with direct marketing, banking and health services.

In response to a large number of requests for the transfer of personal data concerning the workforce of multinational firms to offices located in countries without any data protection legislation, the CNPDPI decided to authorise such transfers provided not only that the data owners gave their express consent but also that the data controller agreed that only data necessary for overall personnel management would be transferred, that the data would not be used for any other purpose or transferred to third parties and that the level of protection afforded in the country of destination would not be lower than that available under Portuguese law.

Spain

Introduction

The Data Protection Agency, the Spanish authority for the protection of privacy, was set up under Organic Act 5/1992 of 29 October governing the electronic processing of personal data. It began operating at the beginning of 1994, applying the basic principles of Directive 95/46/EC from the outset, even though this had not yet been incorporated into Spanish law. However, one of the draft versions of the aforementioned European law was used as a preliminary version of Organic Act 5/1992 of 29 October.

At 31 December 1997, the number of files entered in the General Data Protection Register stood at 229,804, of which 3,312 had been registered in 1997.

During this period a total of 13,306 operations were carried out at the General Data Protection Register. Of these 3,312 were entries for new files, 8,023 were amendments of file entries, and 1,971 involved cancellations of entries.

 

 

 

In terms of file ownership, the breakdown of registrations was as follows:

 

 

The main functions of the Data Protection Agency consist of:

- Inspections performed at the Agency's own initiative in view of facts which demonstrate the need for such inspections, or of complaints made by citizens, of which a total of 375 have been carried out. Of these approximately 95 were hearings, in other words generic inspections rather than the verification of a breach of regulations that had been denounced.

- Procedures for the Protection of Rights, during which the Data Protection Agency intervenes to help citizens rectify any failures to comply with regulations on data protection. The number of cases handled in 1997 was 113.

- Penalties procedures in the case of serious infringements of the rights and guarantees laid down in Organic Act 5/1992, which are launched at the initiative of the Agency or because of complaints by citizens, for the purposes of imposing the corresponding penalties. The number of procedures initiated in 1997 was 203.

- The Data Protection Agency received a total of 682 complaints from citizens in 1997. The Agency endeavours to deal with doubts and problems raised by citizens and by undertakings operating in areas that affect privacy and public bodies. This function is carried out by the Citizen Service Department operated by the Secretariat General and by the Agency Director, as far as undertakings and public administrations are concerned. Some 1,009 consultations in writing and over 10,000 telephone consultations were conducted in 1997 by the Citizen Service Department and 80 by the Agency Director.

- Lastly, the Organic Act states that the Data Protection Agency must issue a report on legal measures and regulations relating to data protection. In 1997, 20 reports were produced.

 

Incorporation of Directive 95/46/EC into Spanish law

In 1997 a draft Organic Act to reform Organic Act 5/1992 was produced in an effort to incorporate the Community directive into Spanish law.

Amongst the measures devised and approved in 1997, mention should be made of the drafting of a Proposal for a Regulation on Security Measures for computer files containing personal data, which was entrusted to the Data Protection Agency by the Government.

This Regulation will result in the implementation of Organic Act 5/1992 for the purposes of applying the principles of security of data laid down in Article 9 of the Organic Act, which corresponds to Articles 16 and 17 of Directive 95/46/EC.

Codes of ethics

The activities carried out in 1997 in accordance with Article 31 of Organic Act 5/1992, which correspond to Chapter V of Directive 95/46/EC, concerning the registration of standard codes, did not lead to any new entries on the General Data Protection Register.

Two new procedures corresponding to the two new standard codes lodged with the Register were initiated in 1997, for which an entry in the register was requested.

The first request received, which was in fact lodged in 1996, although the procedure for registering it was carried out in 1997, concerns the Code of Conduct of the Car Computer File (CCF). In July 1997, the standard code regulating the Robinson Lists was received from the Spanish Direct Marketing Association. Once analysed, a series of questions were raised about it as it does not appear to uphold the principles in Organic Act 5/92. In both cases, it was impossible to register the requests mainly because they did not provide greater guarantees than those established in basic law.

International transfers

A total of 919 files entered in the Register contain international transfers of data in their declarations, of which 48 correspond to publicly-owned entries and 871 to privately-owned ones.

 

Applications for the authorisation of international transfers of data under Article 32 of Organic Act 5/1992 (Chapter IV of the directive) are based on a series of guarantees to be provided by the entity which makes the transfer and which is resident in our country. This entity, as controller of the files, must guarantee that all the obligations and rights laid down in law are fulfilled, and that rights of access, correction and cancellation of the data stored in third countries will continue to be assured from Spain.

Once the authorisation has been granted by the Agency Director, pursuant to the powers granted to him by Article 36.l of the Act, the transfer is entered in the General Data Protection Register as specified under Article 38.c).

 

In 1997, 25 authorisation procedures were launched, of which 24 were completed. In addition 6 were initiated in 1996, one of which was still being processed at the end of the year. Thus 30 were authorised and entered on the General Register, with one procedure remaining pending for the following year. The processing of these authorisations concerned some 33 files. The country to which most transfers were authorised was the United States. This is because the parent companies of most multinationals are located in the US. Transfers to more than one country are in general by undertakings with branches in a number of countries. The same file, destined for several countries, may be dealt with in a single procedure. In these cases the registration contains the inscription countries of "international" destination.

With regard to total figures, 81 procedures for the authorisation of international transfers of data were dealt with, of which 15 were initiated in 1995, 41 in 1996 and 25 in 1997. A total of 128 registrations of files were the subject of procedures to authorise international transfers. The main destination of the data was the United States, with 78.13% of the authorised files, followed far behind by transfers authorised to a number of countries in which the registered offices of undertakings are located.

 

Other activities

A EURO-LATIN AMERICAN CONFERENCE ON THE PROTECTION OF PERSONAL DATA was organised, attended by the European Data Protection authorities and representatives of Latin American countries. The main objective of the Conference was to provide a forum for professionals to meet and exchange views, ideas and experiences relating to the process of drafting the legal measures and regulations in this domain to be implemented by the Latin American countries, and at the same time to contribute by describing the European experience of personal data protection.

The FIRST "PERSONAL DATA PROTECTION" PRIZE, amounting to one million pesetas (ECU 5,988.02) was announced, with a view to permitting in-depth research into Article 18.4 of the Constitution. Under the rules of the competition, the prize is to be awarded to the best, original, unpublished scientific work by Spanish or foreign authors which deals with personal computerised data from the legal angle, in other words a strictly theoretical view, or one based on specific experiences in our system or on comparative law. The jury set up under the rules of the competition awarded the prize to the work "Utilisation and control of computerised employment figures".

Publications policy

Two publications have been produced since the Agency started operating, one concerning 1995 and the other concerning 1996. The first one, on paper, was published in cooperation with the Official State Gazette, but was extremely voluminous and therefore difficult to handle. Because of this, when it came to publishing the subsequent list for 1996, it was decided to do so on an optical medium. Mindful of previous experiences, it was decided to continue using a CD-ROM medium for the list relating to 1997. In addition to this, the information was published on the Internet. Moreover, given the storage capacity on a CD-ROM, the following information which is published by the Agency was included, which may be of interest to individuals wishing to consult the list of files:

  • The reports published to date, relating to 1994, 1995 and 1996.
  • Data Protection Manual, including the standard forms that citizens may use when exercising their rights under the law.
  • Legislation on Data Protection.
  • Papers from the seminars organised by the Agency in 1995 and 1996 concerning, respectively, Security and Data Protection Law.
  • Statistics concerning the activities of the General Data Protection Register.

The innovation this year has, however, been the publication of the list of files on the Internet, since nobody can deny the impact which the Web has had recently on our society. Publication on the Internet is an option, but within the Agency's institutional Web, where a new section dedicated to the Register has been opened, essentially containing general information. The instructions necessary for entering new files on the register are given, together with the standardised registration form for publicly-owned and privately-owned files. And, of course, the actual list of files.

 

Sweden

 

Regulatory developments

 

A parliamentary Commission, appointed by the Government and in charge of the official examination of data protection legislation, launched a draft Act on Personal Data Protection in April 1997. The Government has, based on this draft, submitted a proposal for a new Act to the Riksdag (parliament) in December 1997.

 

The proposed Act is largely based upon the EC directive 95/46 and is to be seen as a framework which provides general guidelines for all processing of personal data. The aim is that the Government and the Swedish Data Inspection Board should be able to issue more precise regulations within this legal framework.

 

In line with the EC directive, the proposed Act regulates automatic processing of personal data as well as manual processing of such data if the data is to form part of a proper filing system. Purely private use of personal data is excluded. Unlike the directive, processing of data concerning public security, defence and state activity in criminal law areas falls within the scope of the proposed Act. The obligation to notify the Data Inspection Board about processing operations is to be kept to a minimum so that the board may instead focus on supervision, information and advice. The Data Inspection Board shall also issue instructions to clarify the Act.

Finally, the proposed Act contains provisions regarding penalties as well as liability for damages. The proposed Act should enter into force on October 24, 1998.

 

Case law in 1997

 

This is a selection of the decisions regarding data protection that were taken in national courts in 1997. Also included is a decision from the Government, which handles appeals against decisions regarding personal data files where the controller is a Government authority. Appeals against other decisions are lodged with the county administrative court in Stockholm and further on with the administrative court of appeal and the Supreme Administrative Court.

    • The Government confirmed a decision from the Data Inspection Board by which a data controller had been instructed to obtain, in writing, the data subject's informed consent before processing sensitive data for purposes of scientific research. The controller, a university which carried out a research project about possible connections between oestrogen treatment and cancer, stated that data were collected from medical records etc. over a long period of time and that, consequently, it would be difficult and costly to obtain written consent from each and every data subject. The university also feared that information would cause anxiety among the data subjects. The Government stated i.a. that the processing had already been an issue in newspaper articles and that, therefore, it was particularly important that data subjects were provided with correct information about the processing. Since the data file would contain very sensitive information and be kept for a long period of time, the Government agreed with the Data Inspection Board that the data subject's consent should be required.

    • The county administrative court and the administrative court of appeal both decided to turn down an appeal against a decision from the Data Inspection Board by which several Swedish banks were denied permission to set up a personal file for purposes of fighting money-laundering. The applicant banks stated that they were obligated to report money-laundering transactions to the Financial Supervisory Authority and that they needed the file to fulfil this obligation. The courts stated that the need for banks to keep a file containing information about criminal activity did not outweigh the individual's right to privacy and was not reason enough to make an exception from the general principle that information about criminal activity may only be registered by authorities that have a legal obligation to maintain such a file.

 

    • The county administrative court and the administrative court of appeal have also turned down an appeal against a decision by which a credit-rating agency was prohibited from using a CD-ROM, containing economic and credit information about business owners, for direct marketing purposes. The agency was also prohibited from selling the CD-ROM for such purposes. This case has been brought to the Supreme Administrative Court, where it is still pending.

 

    • An insurance service agency, owned by several Swedish insurance companies, applied for permission to set up and keep a "Joint file of damages". A policyholder who demanded compensation from his insurance company would automatically be registered in the file. The insurance company would at the same time obtain a record of the damages, if any, that the policyholder had reported to insurance companies earlier. The history of claims for damages could indicate that the present demand should be further investigated. The file would provide accumulated information about the policyholder's property. Since all major Swedish insurance companies were to be connected to the system, each insurance company would keep and have access to an almost complete file about Swedish policyholders and their property. The Data Inspection Board denied permission to set up the file. The company has appealed against the decision to the county administrative court, where the case is still pending.

 

See also below, item 4) Data transfers to third countries.

 

Activity of the Data Protection Supervisory Authority

 

In 1997 the Data Inspection Board continued its work in issuing administrative regulations relating to frequent processing operations in various areas, thus exempting them from the obligation to obtain the board's permission. During this year administrative regulations have been issued regarding computer files in three additional areas: in schools for student administration purposes, for statistical purposes within Government authorities, and for purposes of disclosing personal data on web-sites. The Data Inspection Board estimates that the number of applications would have been an additional 2 000 if the administrative regulations had not been issued.

 

The Data Inspection Board has also continued its supervisory work through audits. Different commercial areas have been scrutinized, e.g. hospitals, travel agencies, debt collecting agencies and telecommunication operators.

 

Furthermore, the Data Inspection Board has taken active measures regarding information about its activity. The board opened a web-site in June 1997 containing information about legislation, main decisions and press releases. In the project "You won't get to me" the board addressed itself to students and their teachers and, i.a., distributed a CD-ROM with four different games testing the knowledge of data protection.

 

Data transfers to third countries

 

    • The Data Inspection Board granted permission in 1995 for an airline company to transfer customer information from their computer reservation system to the U.S.A., provided that the customer concerned had given his/her consent to the transfer. The decision was appealed against to the county administrative court and the administrative court of appeal, which have now both confirmed the Data Inspection Board's decision that the individual's consent should be required. An appeal against the decision has been lodged with the Supreme Administrative Court, which has yet to decide whether there are reasons to try the case.

 

 

United Kingdom

A Data Protection Bill implementing Directive 95/46/EC in the UK was published in January 1998. In July 1997 the Government published its proposals for the new law and the Registrar advised ministers, officials and members of Parliament on points under discussion. Work on the arrangements for a notification scheme to meet the requirements of the Bill has also begun, although the notification regulations, which are to be implemented in the form of secondary legislation, have still not been made public.

The work on the new Bill has taken up much of the time of the Registrar's Office but the office has still been able to produce guidance to data users in relation to the 1984 legislation. Guidance Notes published in the last year include Guidance for Homeworkers, Financial Services Intermediaries and Debt Tracing and Collection Agents. A guidance note on the production of Codes of Practice on Data Matching was produced and issued in July 1997. In addition to producing its own guidance the office also endorsed the Code of Data Matching practice published by the Audit Commission in November 1997.

The Registrar has also been continuing with her publicity campaign to promote data protection awareness through advertising both on regional and satellite television. Following the broadcasting of the advertisement the number of enquiries and complaints to the office increased and this trend was reflected in a general increase in the number of complaints received over the year. A total of 4173 complaints were received during 97-98. There were also 21,591 new registrations bringing the total number of register entries to 224,909; five enforcement notices were served and there were 38 prosecutions under the Act. All the registrations and guidance notes are also made available on the ODPR website.

 

2.3. Development of European Union policy in the field of data protection

Although the directive constitutes the key element of European policy as regards data protection, it was supplemented by a number of other initiatives which aim to guarantee the citizen a coherent framework of protection.

This part will present developments in the European Union, with regard to the aspects falling within the competence of the EC (sub-sections 2.3.1 to 2.3.3) and those which involve Title VI of the Treaty on European Union (sub-section 2.3.4).

2.3.1. Sectoral initiatives

On 15 December 1997 the European Parliament and the Council adopted the directive on the processing of personal data and the protection of privacy in the telecommunications sector, in particular in Integrated Services Digital Networks (ISDN) and the public digital mobile networks.

This directive had the aim of guaranteeing the freedom of movement of data and telecommunication equipment and services in the Community by harmonising the level of protection for subscribers and users of public telecommunication services with regard to processing personal data in the telecommunications sector.

The directive specifies, for the telecommunications sector, the general rules stated in Directive 95/46/EC, and it strengthens the protection of privacy and the legitimate interests of subscribers (including legal persons).

 

The Commission submitted the original proposal for this directive in June 1990 and considerably revised its proposal in July 1994. A common position was reached by the Council in September 1996 but formal adoption by the European Parliament and the Council was only possible after a conciliation procedure. The directive is closely linked to the General Directive on data protection (adopted in October 1995) in the sense that it specifies for the telecommunications sector the general rules which were already established. However, the specific directive is broader than the general directive in two respects, namely in its coverage of the rights / legitimate interests of both natural and legal persons and in its coverage of privacy issues which are not directly linked to data processing.

The directive contains provisions on the following issues:

- security of information transmitted over public telecommunications networks

- confidentiality of communications

- limitations in scope and time to processing of traffic and billing data by service providers

- privacy options regarding the transmission of calling and connected line identification

- tracing of malicious and nuisance calls

- privacy concerns for automatically forwarded calls

- right of subscribers not to appear in public directories

- protection of privacy with regard to unsolicited calls

After its formal adoption by the European Parliament and the Council, the directive will have to be implemented by the Member States by 24 October 1998 at the latest, except for certain aspects of confidentiality of communications for which an additional period until 24 October 2000 has been agreed.

 

Data protection and the information society

Ensuring trust and confidence is a key issue for the development of the Information Society, and growing doubts about online privacy are at the top of Internet users' concerns: all market surveys and opinion polls carried out in the past year confirm this assumption. On 16 April 1997, the Commission adopted a "European Initiative in Electronic Commerce" (COM (97)157), which aims at establishing a common European position to achieve global consensus through international negotiations. As a follow-up to this document, the Commission adopted a Communication on Digital Signatures and Encryption, which highlights the role of Directive 95/46 in addressing the legitimate concerns about privacy. For example, the directive includes specific provisions on data security and confidentiality, in particular when the processing involves the transmission of data over a network.

The protection of personal data in the Information Society was a main issue of discussions in the meetings of the Working Party established by Directive 95/46 (see section 2.1.1). On 3 December 1997, the Working Party adopted a specific Recommendation concerning "Anonymity on the Internet" (WP 6 - Recommendation 3/97).

 

 

2.3.2. Data protection within the framework of other Community instruments

By several secondary legislation instruments, the Commission was conferred certain specific missions connected with processing personal data. In order to protect the fundamental rights and freedoms of individuals concerned by data processing, the Commission was also invited to develop provisions for data protection, for the application of the relevant Community rules. An example was provided by Council Regulation (EC) n° 1469/95 of 22 June 1995 relating to the measures to be taken with regard to the beneficiaries of operations financed by EAGGF, "Guarantee" Section. For the application of this Regulation which envisaged a system for the exchange of information between the Commission and Member States, the Commission set up several protective measures with regard to data processing carried out by its departments.

European customs authorities exchange personal data with their counterparts in third countries under the agreements of mutual assistance concluded between the Community and third countries. At the request of the European Community, these agreements include specific provisions which guarantee that the principles relating to data protection are respected.

2.3.3. Data protection within the framework of the non Community instruments

Several instruments adopted or in the process of being adopted in accordance with Title VI of the Treaty on European Union (cooperation in the areas of justice and home affairs) relate to processing personal data. Specific provisions concerning data protection are consequently included in these instruments and in the regulations on application. For example, detailed rules on data protection have been prepared for Europol, and other rules have been examined for the draft Eurodac convention on asylum seekers' fingerprints. Instruments of this type adopted under the terms of Title VI of the Treaty on European Union did not rely upon the provisions for data protection under the directive, but were based on specific formulae which do not grant individuals the same rights or appeals procedures and did not rely on the same form of independent control. In addition, the Convention on forfeiture of the right to drive does not even include provisions for the protection of personal data.

 

2.4. Schengen

The majority of EU Member States adhered to the Schengen agreement which envisages cooperation between police and customs and on the matter of immigration, to compensate for the suppression of internal border controls. An essential aspect of these measures lies in the implementation of a common information system, the Schengen Information System (SIS). In this respect, the agreement also contains provisions on data protection and in particular envisages the creation of a common supervisory authority composed of representatives of national supervisory authorities of the signatory countries of the Schengen agreement. This supervisory authority recently published its second report, which covered the period March 1997 – March 1998.

The Treaty of Amsterdam and the texts annexed to it stipulate that the Schengen acquis should be integrated into the framework of the European Union. The intergovernmental Conference hoped that the Council would adopt all the necessary measures to this end at the time the new treaty entered into force, and that necessary preparatory work would be undertaken at the appropriate time. This also applied to the provisions concerning data protection contained in the Convention for implementing the Schengen Agreement of 14 June 1985.

2.5. Dialogue with third countries on issues related to data protection

The directive not only regulates processing personal data in the EU but also comprises provisions on the transfer of data towards third countries (Articles 25 and 26). The basic principle is that Member States should permit this type of transfer only when the third countries concerned ensure an appropriate level of protection. It could obviously be the case that an appropriate protection level cannot be ensured, and on the assumption that none of the exceptions envisaged would apply, Member States would prevent these transfers.

This type of situation could cause significant disturbances to flows of personal data throughout the world, and therefore to international trade. Although it is possible to prevent transfers of personal data by referring to Article XIV of the AGCS (general Agreement on service trade), it would be preferable to avoid resorting to this type of action. A much more satisfactory solution would be for the third countries to which data is regularly transferred to set up a level of protection which could be considered satisfactory.

The EU negotiated general agreements which envisaged a framework governing relations (cooperation, trade) with a given non-member country. These agreements in general cover a broad range of areas which go from foreign policy and security issues to commercial aspects and problems of economic development. Since the adoption of the directive on data protection, the Commission departments have sought to include the question of protection of privacy and data in these agreements, directly or indirectly, at the time of their negotiation.

 

The Commission has discussed data protection matters with several third countries and data protection provisions were inserted in a number of international agreements including the most recent framework agreement with Mexico (initialled on 23 July 1997).

 

On 5 December 1997, the EU and the US signed a Joint Statement on Electronic Commerce, in which they agreed "to work towards (…) ensuring the effective protection of privacy with regard to the processing of personal data on global information networks" (section 4.iv of the Joint Statement).

 

 

3. The Council of Europe

The Council of Europe continued the work that it regularly carries out on the issue of data protection. The Committee of Ministers adopted two recommendations which had taken several years to prepare. These were, on the one hand, Recommendation N° R (97) 5, adopted on 13 February 1997, relating to the protection of medical data and, on the other, Recommendation N° R (97) 18, adopted on 30 September 1997, concerning the protection of personal data which is collected and dealt with for statistical purposes.

The Committee on data protection (CJ-PD) continued its examination of a draft recommendation concerning the protection of personal data collected and dealt with for the purpose of insurance. In addition it adopted draft guidelines on data protection with regard to gathering and processing personal data on the information highway. This project, which should be adopted by the Committee of Ministers at the beginning of 1999, has already been made public for consultation by interested parties. It can be consulted on the Council of Europe's Internet site.

For its part, Convention 108 saw the accession of two new countries: Switzerland and Hungary. This, coming after the accession of Slovenia, brings the number of contracting parties to the Convention to 20.

The Convention's Consultative committee (T-PD) started work aiming to evaluate the need to revise the Convention in the light of the developments of recent years, particularly in the technological field. Moreover, following the European Community's request to open negotiations with a view to allowing its accession to the Convention, the Committee drew up a draft Protocol amending Convention 108 to this end.

The Community, represented by the Commission, is now able to intervene within both the CJ-PD and the Consultative Committee when the items under discussion fall within the external competences resulting from Directives 95/46/EC and 97/66/EC. This was the case for the texts referred to above which have recently been adopted or are in preparation. This cooperation with the Council of Europe aims to ensure full compatibility with Community directives.

 

4. Principal developments in the third countries

4.1. European Economic Area

The directive should also apply in the European Economic Area once it is integrated into the EEA Agreement. Work for transposition has already begun in the non-Community countries party to the agreement. Norway and Iceland already adhere to Convention 108 of the Council of Europe and have legislation on data protection. Representatives of the authorities responsible for data protection in these two countries were invited to take part in the Working Party's meetings as observers.

In Norway, "Data Tilsynet", the Inspectorate of Information Technology aims to ensure correct application of the 1978 law on data files of a personal nature. The Inspectorate plays an active role in managing the flow of information intended for overseas. It received a large number of requests from the media and plays an active role in distributing information. It is also responsible for drawing up information documents and an annual report and it publishes the SPOR quarterly review.

4.2. Central and Eastern European Countries

The Commission, in its White Paper which set the strategy preparing for the accession of the applicant countries of Central and Eastern Europe to the EU, recommended that these countries adhere to the Council of Europe's Convention 108, as a first stage in the area of data protection. In 1997, Hungary adhered to the aforementioned Convention.

In 1997, the Commission adopted its opinions concerning opening the negotiations for the accession of the Central and Eastern European countries and Cyprus. These opinions briefly analysed the situation in these countries, in particular as regards data protection. For all the applicant countries, a reinforced pre-accession strategy was adopted with a view to allowing integration of the 'acquis communautaire' in the long term. In this spirit, the accent was put on the necessary administrative structures, such as independent supervisory authorities, for effective implementation of the 'acquis communautaire'.

Several of these countries have legislation on data protection (Hungary, Estonia and Slovenia in particular), and the majority of the others were adopting such legislation. For example, Poland adopted a law on data protection on 29 August 1997, and the Slovak Republic adopted its legislation on 3 February 1998. Polish law created an independent supervisory authority: "the general Inspectorate for personal data protection", which took office at the beginning of 1998.

Legislative projects are in hand in other applicant countries, in particular in Bulgaria, Latvia, Romania, the Czech Republic, Slovenia.

 

 

 

4.3. Other third countries

In 1997, debate on issues connected with the respect of privacy was lively in several third countries. Technological developments and especially the development of the information society encouraged governments, consumers' associations, companies and academics to re-examine existing policies on the matter and discuss new policies for the future. The adoption of the European directive provided a new impetus to this debate.

These developments were particularly felt in the United States where several public bodies considered the issues affecting data protection. The Federal Trade Commission has taken an increasing interest in privacy issues during 1997 and the first part of 1998, particularly with regard to the Internet and electronic trade. This culminated in July 1998 with a call for legislation for the protection of data related to children collected over the Internet and a recommendation regarding adult privacy that if self-regulation had not improved by the end of the year then a legislative approach should also be taken there.

The first part of 1998 has seen White House policy on data protection and privacy move further forward. On 31 July Vice-President Gore announced a series of steps in the direction of an Electronic Bill of Rights which included support for regulation in the areas of medical and financial data, identity theft and children's privacy and for industry self-regulation with effective enforcement mechanisms in other areas.

The White House stressed the importance of these questions in its report published in June 1997 and entitled "Framework for Global Electronic Commerce". Several bills were submitted to Congress and implementation regulations were published by the FCC under the law of 1996 on telecommunications. This law imposed several specific obligations on service providers regarding respect of privacy. It stipulates the confidentiality of information concerning subscribers (Customer Proprietary Network Information), including data on transactions. The protection of privacy in on-line services was at the heart of discussions raised by the Communications Decency Act of 1996 and the American administration's policy on cryptography. The judgement delivered by the Supreme Court was favourable to the ideas of "privacy advocates".

In Australia, the government examined the follow-up to be given to the White Paper in 1996 and, in particular, the advisability of extending legislation on privacy to the private sector. Current legislation only concerns the public sector. In February 1998, the first part of a "National Privacy Scheme" for Australia was agreed with the adoption of a set of principles for the fair handling of personal information, while the State of Victoria has moved ahead in early 1998 with plans for "default" privacy legislation to cover those sectors and companies that fail to develop appropriate self-regulatory initiatives.

In Japan, the work started by the MITI (Ministry of Trade and of industry) in cooperation with the private sector is likely to improve the level of data protection in this country, although efforts are especially aimed at promoting self-regulation.

5. Other developments at the international level

5.1. Organisation for Economic Cooperation and Development (OECD)

The OECD drew up guidelines governing cryptography policy in 1996. These guidelines regulate access to coded messages granted to the authorities for legitimate reasons. They recommend the adoption of a system of "confidence" levels to which copies of cryptographic keys could be entrusted. During the debates, the issue of confidentiality was also raised in connection with the rules fixed by the directive for access to personal data by the authorities. At the time of the final approval of the guidelines (in March 1997), the Commission specified that if EC Member States intended to apply these guidelines, they had to do so in compliance with the rules set out in the directive.

 

 

 

 

 

 

 

 

 

 

6. Annexes

I. Studies carried out for the European Commission in the field of Data Protection

 

1) Les services en ligne et la protection des données et de la vie privée

Première Partie: Exposé de la situation générale

Deuxième Partie: Etudes de cas

2) On-line services and data protection and privacy: Regulatory responses

3) Existing case-law on compliance with data protection laws and principles in the Member States of the European Union

4) Handbook on Cost Effective Compliance with Directive 95/46/EC

5) IDA – Protection des données: Secteurs de la santé et de la sécurité sociale

6) Elaboration d'une méthodologie pour évaluer l'adéquation du niveau de protection des personnes physiques à l'égard du traitement de données à caractère personnel

7) Preparation of a methodology for evaluating the adequacy of the level of protection of individuals with regard to the processing of personal data

8) IDA Projects: A Guide to Data Protection Compliance

9) Application of a methodology designed to assess the adequacy of the level of protection of individuals with regard to processing personal data: Test of the method on several categories of transfer

10) The feasibility of a seamless system of data protection rules for the European Union

 

Done at Brussels, 30 November 1998

For the Working Party

The Chairman

 

P.J. HUSTINX


  Berlin, 7 January 1999