Data Protection in Europe
Stephens, David O., Records Management Quarterly
In 1973, the Swedish national government implemented the Data Protection Act, a law - the first of its kind in Europe - that had (and continues to have) far reaching effects on recordkeeping and records management in Europe. For more than 200 years, Sweden had had a freedom of information law that granted citizens free access to all unclassified government documents. The 1973 data protection law was enacted during the days when computers were just beginning to be used for a wide variety of recordkeeping systems, many of which contained data of a "personal" nature, that is, data related to individual employees or citizens. The law was based on concerns about the privacy of information in these new electronic recordkeeping systems or "data banks," as they were frequently referred to at that time. Sweden's law predated by one year the passage of similar legislation in the United States- the Privacy Act of 1974.
Many European countries, including Austria, Denmark, Germany, Norway, Belgium, Luxembourg, the Netherlands, and the United Kingdom have also had data protection laws for some years. France has a very stringent data protection law, and in Spain and Portugal, data protections are incorporated into the constitutions. Most of these laws reflect, to one degree or another, the provisions of the Council of Europe's Data Protection Convention of 1981.
The member states of the European Union (EU) are about to implement a new directive that will significantly expand and strengthen the concept of data protection. Companies and their information managers throughout Europe are now in the process of preparing for the new directive, which takes effect October 24, 1998. This article reviews the new EU directive, and outlines its information management ramifications, not just among the European information management community, but for information managers of multinational companies here in North America as well.
The new EU data protection directive was one of the hottest topics of discussion at the recent Fourth International Records Management Congress in Edinburgh, Scotland. European information managers wondered how they could help their employers comply with the directive in a manner that would minimize the legal liabilities associated with possible litigation from employees or other parties. Britain's Data Protection Act has been one of the major factors influencing records management since it was enacted in 1984, and most observers believe this influence will only increase with the new EU directive. European businesses owned by multinational corporations in the United States are looking to information managers at their corporate headquarters for advice about what personnel records must be retained and for how long, as well as other issues concerning the management of these recordkeeping systems. Thus, European data protection is relevant to records management practice in the United States.
In brief, European data protection laws are about access and disclosure of information in "personal" recordkeeping systems. As is true anywhere, when records and information are required to be disclosed, those who own it must be concerned about what information is retained and for how long, particularly if the disclosure has a strong potential for resulting in significant liabilities. This is indeed the case with the EU's new data protection directive.
European Data Protection Law: Basic Principles
The existing data protection laws of most European countries embody the following legal principles:
* The laws specify rules for access, disclosure, and other aspects of managing information contained in "personal" recordkeeping systems, generally construed to mean systems (paper-based, computerized or both) containing information on individual employees and/or citizens.
* Some laws apply only to personal recordkeeping systems maintained by government, while others apply to those maintained by private organizations. …