Data protection law should, in theory, have been harmonised across the EU’s 15 member states. In practice, however, individual governments have tailored rules – and enforcement – to suit their perceived national interests.
By Tony Coad
The EU created its data protection directive in order to guarantee citizens a right to privacy and to create a level playing field for inter-state commerce.
All might have gone to plan, had individual states not taken advantage of the European Commission’s prevailing mood of tolerance towards subsidiarity and decided to do things their own way.
By framing idiosyncratic legislation to implement the directive, the 15 member states succeeded in achieving an almost complete lack of uniformity.
This has left data controllers struggling to comply with 15 different sets of national laws and has scuppered the commission’s dream of achieving unhampered data movement around Europe.
To complicate the issue further, individual governments have also chosen to implement different national enforcement criteria. What might be regarded as a minor misdemeanour, worthy of merely a slapped wrist, in the liberal UK could easily result in a €1m (£675,000) fine in Spain.
Also, the commercial prospects of large organisations from Australia and the US in particular (as well as other countries where data protection laws fall short of EU standards) are being significantly damaged by the European legislation, because they are denied a free data flow with EU member states.
Unsurprisingly, the directive has sparked protests from around the globe.
The US has criticised the legislation as “lofty law”, because although Article 25 does not apply EU law to foreign activity, external countries which want to trade within Europe are effectively forced to comply with EU rules.
For instance, if a US data controller places a cookie on the hard drive of an individual in Europe, he or she is deemed to be making use of equipment within Europe and is thus obliged to comply with EU law.
Multinational organisations are being forced to cope with these anomalies at the very time when the internet is revolutionising both their marketing and their international internal communications.
Paul Hayes, general manager of News International, the UK arm of which owns The Times, The Sun and the News of the World, says: “News Corporation businesses worldwide are becoming increasingly aware of the importance of personal data to business and of the erosion of national barriers that internet marketing implies. Given this globalisation of data-based marketing, we are worried that data protection legislation seems to be going the other way and fragmenting in its application.
“For instance, in the US – in the absence of national legislation – we have ad hoc law evolving from state legislation and federal court judgments.
“In Europe, we have ostensibly one data protection framework – the European Data Protection Directive – but in practice, there are noticeably different national applications of these European principles.”
Hayes believes that data protection law would benefit from some kind of international consensus, at least of principle. This would earn it more respect from those expected to implement it.
Corrida de multinationals
Meanwhile, multinational organisations such as Reader’s Digest and Microsoft have already fallen foul of EU law and been fined €1m (£675,000) each by the tough Spanish Data Protection Authority, for keeping data longer than they should. Another company has been fined €36,000 (£24,000) for not properly identifying its data controller.
Spain, along with several other European countries, has passed very severe data protection legislation. It carries out many audits and its rigour has resulted in a 20 per cent national decrease in infringements.
In comparison, UK legislation is relatively liberal – possibly because the UK makes five times as much money from electronic data as all the other 14 member states put together, while Spain makes very little from data.
Looked at in this light, the tough Spanish implementation laws and penalties could be interpreted as protectionist, because they undoubtedly succeed in deterring foreign companies from seeking to trade within its borders.
France and Ireland, on the other hand, have not passed the necessary legislation at all to date, partly because both countries have very slow legal systems. Also, both have tough existing data protection acts which are so little out of step with the directive that they don’t view full compliance as a matter of urgency.
All of the above illustrates the lack of uniformity in the implementation of the directive and the disparity between member states’ enforcing criteria. This has completely overthrown the directive’s desired harmonising effect.
The European Commission’s vision of a single, simple set of rules allowing an unhindered flow of data throughout the EU (let alone the rest of the world) is in complete disarray.
An invisible shield
To add insult to injury, most ordinary people in the EU have no idea that data protection laws have been strengthened to give them greater control over how their personal information is collected and used, because the legislation has been applied inconsistently by under-resourced national authorities.
This means that, while marketers are obliged to abide by complicated and expensive data control procedures, their companies are not enjoying the payback which they could reasonably have expected to flow from customers’ appreciation of what is being done on their behalf.
Shelagh Gaskill, data protection legislation expert at London-based international law firm Masons, says: “Many people are still nervous about buying or giving information online, because they believe it exposes them to the risk of having their credit cards used fraudulently. They would probably feel more comfortable about e-commerce if they knew about the safeguards contained in this new law.”
So what will happen next?
Gaskill says: “There is mutual recognition when it comes to the free movement of goods through member states, so there is no reason why there should not be similar agreement about the free movement of data. If the commission’s original draft of the directive had been allowed to go ahead, there would have been much greater harmonisation. Member states’ divergent interpretations of it are causing the disharmony.”
Gaskill adds that the next steps should be to harmonise legislation and inform people of their rights.
Although most direct marketers and companies have at least started to come into line with the legislation, governments’ supervisory authorities – created to protect the rights of individuals – have occasionally come into conflict with their political masters.
For instance, the UK Government has been less than comfortable with the law and is at loggerheads with its supervisory authority. The Government wants to force telecommunications companies to keep call data for long periods, although the companies themselves would prefer to comply with the directive and get rid of it within the stipulated time-frame.
The press also accused the Government of “Big Brother” tactics when it tried to give government departments access to each other’s databases – another move which would have contravened data protection legislation.
When the Government itself seems ready to flout the law, it is easy to see how the interests of the individual could be ignored or sidelined unless supervisory authorities are given the power to enforce compliance.
Their arms might be strengthened if more money were invested in informing ordinary people of their rights and in enlisting their backing and support. But national governments are unlikely to be enthusiastic about allocating budgets to support a cause that thwarts their own plans to make use of personal data.
So what does this mean for the practical direct marketer seeking to take advantage of the single European market? The theory is that marketers within the EU can use their national rules when addressing the single market, but the reality is rather less simple.
For instance, methods for obtaining consent to data use vary significantly between the UK and Germany. A mailing sent out using UK rules would almost certainly be unacceptable to the Germans.
This state of affairs is acknowledged by the European Commission. Commissioner Frits Bolkestein admitted, in closing a conference on data protection in October: “Divergences in data protection legislation and the way it is applied in member states are creating problems for the free movement of data. These difficulties damage the competitiveness of our enterprises, because they are prevented from operating effectively on a European scale.
“This is a matter of serious concern for the commission – as it should also be to member states. It makes no sense to invest huge efforts in developing and delivering an ambitious programme to create a single market for financial products and services in the EU, just to discover that the idea of European products or services trips up on obstacles that prevent companies from running personal databases on a European basis.”
The Brussels-based Federation of Direct Marketing Associations (Fedma) is set to come to the rescue – but not yet. It is producing a set of practical rules to help cross-border marketers in Europe to operate within national law and practice.
This code of practice is in the early stages of development and will have to be approved by the commission before it is useful, but there is concern that it will have to reflect the most onerous elements of European law to be accepted.
Direct Marketing Association legal and public affairs executive James Millington says: “This situation makes a mockery of the European market. To operate across borders, marketers will have to check local markets and operate to the national laws of each country.”
Marketers may look to the 2002 Privacy and Electronic Communications Directive, due to enter UK law by November 2003, to help clarify the current mess – but given recent history perhaps they should not hold their breath.
Tony Coad is chairman of subscription and CRM database consultancy CCB-Profits from Data