Directive 95/46/EC implemented by the Data Protection Act 1998
Freedom of Information Act 2000 ( The Freedom of Information Act gives an individual the right to obtain information held by public authorities unless there are good reasons to keep it confidential)
Privacy and Electronic Communications (EC Directive) Regulations 2003
The Information Commissioner’s Office www.ico.gov.uk
EC Directive on Privacy and Electronic Communications 2002
The EC Directive on Privacy and Electronic Communications 2002 was brought into force in the UK on 11 December 2003 under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the Regulations”).
The Regulations set out requirements for EU Member States to introduce new laws regulating the use of:
unsolicited commercial communications, which includes spam
location and traffic data, and
publicly available directories.
Those affected by the Regulations are:
providers of public communications networks and services
businesses operating their own web sites
pure e-commerce companies.
Breach of the Regulations can result in regulatory investigations, fines, civil damages actions and criminal liability. Criminal sanctions may be imposed on company directors , as well as the company.
Case 43/75, Defrenne v. Sabena, 1976 E.C.R. 455.
Facts : the applicant brought an action before the Tribunal du travail, in Brussels for compensation for the loss she had incurred in terms of salary, allowance on termination of contract and pension in comparison with male members of the crew performing identical duties. The Belgian appeal court referred the case to the ECJ
Holding : The ECJ held that the equal pay provision of Article 119 had as its aims both economic and social functions. It ruled that article 119 EC "forms part for the social objectives of the Community, which is not merely an economic union, but at the same time intended, by common action, to ensure social progress and seek constant improvement of the living and working conditions".
Reasoning : the principle of equal pay for equal work would be binding not only upon member states but also, directly, upon private employers. So an individual can rely on some Treaty articles to enforce rights against another individual in the national courts.
Direct and overt discrimination can be identified by the criteria set out under Article 119 of equal pay for equal work, whereas indirect and covert discrimination can be identified by reference to more explicit implementing provisions of a Community or national character.
Direct forms of discrimination included discrimination that had their origins in legislative provisions or collective labor agreements that can be detected on the basis of a purely legal analysis of the situation
Indirect effect is a principle of European Community Law which compels national courts to interpret 'so far as possible' national legislation in accordance with the aims of a directive.
In the EU, a " directive " is a legislative order that requires implementation in every member state by the domestic government. While the member state has the freedom to draft their own implementing law, the law must comply with the aim of the original directives. As a result, implementation may take different forms across the member states.
This is in contrast to a " regulation ," a single law for the entire Union that is directly effective in every member state.
Implementation of the EU Data Protection Directive
UK - Data Protection Act 1998; all companies had to achieve full compliance as of 24 October 2001
Germany – Amendments to the Federal Data Protection Act (Bundesdatenschutzgestz) entry into force 23 May 2001
Obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data, including –
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data Difficult to imagine any action which is not processing
The Data Protection Act 1998 provides the following definition of direct marketing:
“ the communication of any advertising or marketing material which is directed to particular individuals”
The following main statutory provisions regulate direct marketing in the UK
Data Protection Act 1998 (‘DPA’) together with 19 statutory instruments made pursuant thereto. The DPA was passed in order to comply with the UK’s obligations under Directive 95/46/EC, which required Member States to pass implementing legislation by 24 th October 1998.
Any contract concerning goods or services concluded between a supplier and a consumer under an organised distance sales or service provision scheme run by the supplier who for the purpose of the contract, makes exclusive use of one or more means of distance communication up to and including the moment at which the contract is concluded.
“ (1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
(2) If the court is satisfied, on the application of any person who has given notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
(3) In this section ‘direct marketing’ means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
A data subject has the right to prevent the data controller from taking evaluation decisions concerning him or her by automated means alone.
Additionally, where personal data are being processed automatically for the purpose of evaluating matters relating to the data subject and the processing has or is likely to be the sole basis of a decision significantly effecting the data subject, he or she is entitled to be informed by the data controller of the logic (save to the extent that is constitutes a trade secret) behind the decision taking.
An individual who suffers damage as a result of a contravention by a data controller of any provision of the Data Protection Act is entitled to compensation. Additionally, compensation for distress may be claimed in all cases where the individual has suffered damage.
Under section 42 of the DPA any person who feels that he or she is directly affected by the processing of personal data may ask the Data Protection Commissioner to carry out an assessment of the processing to determine whether or not it is being undertaken in accordance with the provisions of the Act. The Commissioner does not have discretion as to whether to carry out such an assessment.
However the Commissioner does have some discretion as to the manner in which an assessment is to be carried out and factors that can be taken into account in this regard are
the extent to which the request appears to raise a matter, of substance;
any undue delay in making the request;
whether or not the person making the request is entitled to make an application for data subject access
If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.
The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom data is disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.