Data Protection in the European Union: the role of National Data Protection Authorities
30
controller has appointed an internal data protection offi cer. It
appears that a signifi cant number of private companies that
are by law obliged to appoint data protection offi cers do not
comply with this obligation and that those companies that do
comply with the general obligation to appoint data protection
offi cers very often do not facilitate the effi cient and eff ective
work of those appointed. Also, it cannot be ignored that the
majority of medium-sized enterprises still display a range of
problems with data protection. This is due to the fact that the
appointed data protection offi cers – should they be appointed
at all – cannot initiate changes to practice that may be required
due to a lack of time either for relevant training to enable
them to do this or time to discharge of their responsibilities
adequately. Recent scandals, which have involved both private
and public institutions, highlight extensive and serious cases
of data and privacy violations on a large scale.
78
These cases
involve, amongst others, severe violations of privacy rights
through spying on or secretly observing employees by video, or
by computerized profi le searches against employees in the work
place. Others relate to data trading in unprecedented amounts
without the prior approval of data subjects.
79
The failure to
take appropriate measures such criminal prosecution often
exacerbates the problem.
4.2.2. Appointment of internal Data
Protection O cers
Regarding the appointment of internal data protection offi cers,
most of the national laws provide for general requirements with
no specifi c knowledge or expertise in the fi eld being required.
In Denmark, Italy and Greece, the legislation does not provide
for the appointment of data protection offi cers. In Belgium, the
relevant royal decree is silent on the policy of appointment of
internal data protection offi cers. In the explanatory statement
relating to the royal decree of 13 February 2001 executing
the Data Protection Act, the government explicitly states that
the idea of appointing such a person did not receive support
in Belgium. In Austria, the legislation does not create any
obligation to appoint internal data protection offi cers, but in
the public sector trade unions have promoted the appointment
of such internal data protection offi cers. In relation to the
remaining Member States these fall largely into two categories:
a) those whose national legislation provides for certain
requirements to be met and b) those that do not do so. The
national legislation of some Member States (Cyprus,
80
Bulgaria,
78
http://www.heise.de/tp/r4/artikel/28/28579/1.html (29.01.09),
http://www.dorstenerzeitung.de/nachrichten/politik/blickpunkt/
art302,350317(29.01.09), http://www.tagesschau.de/inland/
datenschutz110.html (29.01.09), http://www.sol.de/news/welt/tagesthema/
Datenschutz;art7325,2705543(29.01.09),
http://www.ruhrnachrichten.de/nachrichten/politik/blickpunkt/
art302,433610(29.01.09), http://ez.omg.de/?id=20&nid=29923(29.01.09),
http://www.handelsblatt.com/unternehmen/handel-dienstleister/rasterfahndung-
bei-der-bahn;2136145(29.01.09).
79
See http://www.aufrecht.de/news/view/article/illegaler-handel-mit-adress-und-
kontodaten-sprengt-alle-grenzen.html (29.01.09).
80
The data protection legislation in Cyprus contains a provision that the personnel
of the o ce of the national data protection authority in Cyprus shall possess the
quali cations to be prescribed by regulations. Such regulations have not up to now
been passed.
majority of cases the controllers comply. A prominent case of
non-compliance, which gave rise to serious concerns and a
public outcry, was the use by the Greek Police of CCTV systems
for fi lming political demonstrations despite binding decisions
to the contrary issued by the national authority regarding the
use of cameras in public places
73
while the ruling of the DPA was
pending before the Plenary of Council of State.
74
Additionally,
the auditors of the authority were not allowed to access the
premises of the police in order to control compliance with the
authority’s decisions. The Chairman and most of the members of
the authority subsequently tendered their resignations.
Regarding the United Kingdom, it has been reported that
the European Commission is investigating alleged failures to
implement eleven of the Directive’s thirty-four articles properly –
almost a third of its provisions.
75
Although the United Kingdom
Government still claims that it has implemented the Directive
fully, many defi ciencies have been pointed out.
76
Even more
problematic, the national Data Protection Authority has made it
clear that it feels that it is not its task to ensure that the national
law is interpreted in a way consistent with the EC Directive,
or to point out where national law might fail to meet the
requirements of the Data Protection Directive.
77
Germany has transposed the Data Protection Directive both in
federal and the Länder data protection laws. Non-public bodies
have a duty to notify automated data processing operations
prior to their implementation to the supervisory authority or
the competent Commissioner for Data Protection. Public bodies
of the Federation have to announce such operations to the
national authority. Obligatory registration does not apply if the
73
Decision58/2005of the national data protection authority (Αρχή Προστασίας
Δεδομένων Προσωπικού Χαρακτήρα),http://www.dpa.gr/portal/page?_
pageid=33,15453&_dad=portal&_schema=PORTAL (19.02.2008).
74
The Greek Ministry for Public Order made an application to the Council of State
seeking to overturn the Authority’s decisions.
75
‘Europe claims UK botched one third of Data Protection Directive’, Out-Law
News,17September2007, available at: http://www.out-law.com/page-
8472(26.01.2009). Although this is, as such, a media article, it is based on information
obtained directly from the authorities concerned under freedom of information law,
and both the UK Government and the Commission con rmed that various issues
were being discussed, without being speci c. However, the information obtained by
Out-Law showed that “the articles of the Directive which the Commission claims have
not been implemented properly are articles2,3,8,10,11,12,13,22,23,25and28...
These Articles relate to: the de nitions used in the Directive (e.g. the meaning of
personal data); the scope of the Directive’s application to manual les; the conditions
when sensitive personal data can be processed; the fair processing notices give to
individuals; the rights granted to data subjects; the application of exemptions from
these rights; the ability of individuals to seek a remedy when there is a breach; the
liability of organisations for breaches of data protection law; the transfer of personal
data outside European Union; and the powers of the Information Commissioner.’
76
E.g., D. Kor (2008) ‘UK Data Sharing: European Con ict’, in: Data Protection Law &
Policy, p.12 . Other issues were raised in the enquiry mentioned in the next footnote,
and in R. Thomas and M. Walport (2008) Data Sharing Review Report, available at:
http://www.justice.gov.uk/docs/data-sharing-review-report.pdf (26.01.2009).
77
As it was put by the Assistant Information Commissioner, Jonathan Bamford, in
answer to a question by a House of Commons Select Committee during hearings on
the Electronic Patient Record being introduced in the National Health Service, in a
session in May2007: ‘If there is any issue to do with whether the UK Data Protection
Act correctly implements the EU Data Protection Directive that is a matter for the
Ministry of Justice, as it is now, because that is the body which is responsible for
ensuring that we implement the Directive in UK law. If there is a concern about
a di erence it is for the Ministry of Justice to answer that point. The Information
Commissioner is charged with implementing the UK Data Protection Act...If you have
a real concern [about any failure of the Act to properly implement the Directive],
I believe it is important that you speak to the Ministry of Justice as part of this
inquiry.’ Answer to Question176at the Select Committee hearing on10May2007.
Full transcript available at: http://www.parliament.the-stationery-o ce.co.uk/pa/
cm200607/cmselect/cmhealth/422/7051002.htm (26.01.2009).