economic evaluation en

Upload: jeunet

Post on 07-Apr-2018


  • 8/4/2019 Economic Evaluation En

    1/81

Rambøll Management
Nørregade 7A
DK-1165 København K
Denmark

Economic Evaluation of the Data Protection Directive 95/46/EC

Final Report

May 2005

Table of contents

1. Executive summary ..... 4
1.1 Objectives and methodology ..... 4
1.2 Results of the analysis ..... 5
1.3 Conclusion ..... 6
2. Introduction ..... 9
2.1 Content of the report ..... 9
3. Methodology ..... 10
3.1 Case studies ..... 10
3.2 Cost structure ..... 10
3.3 Selection of cases to study ..... 11
3.4 Specific case selection criteria ..... 12
3.4.1 Case matrix ..... 15
4. Cross country analysis ..... 16
4.1 Divergences in national implementation of the Data Protection Directive ..... 16
5. Cross sector analysis ..... 20
5.1 Relative costs of implementing the directive ..... 22
6. Analysis of evaluation questions ..... 23
6.1 Evaluation question 1: Does the national implementing legislation meet the requirements of the Directive in the most economic way? ..... 23
6.1.1 Exemption from and simplification of notification ..... 23
6.1.2 Annual notification ..... 23
6.1.3 Appointment of data protection officer ..... 24
6.1.4 Transfer to third countries ..... 24
6.2 Evaluation question 2: If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way? ..... 24
6.2.1 Exemption from and simplification of notification ..... 24
6.2.2 Notification requirement ..... 25
6.2.3 Transfer to third countries ..... 25
6.3 Evaluation question 3: From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant? ..... 26
6.4 Evaluation question 4: What is their general perception with regard to the national Data Protection Law? ..... 27
6.5 Evaluation question 5: Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved? ..... 28
7. Interviews with national supervisory authorities ..... 29
7.1 Prior legislation and goldplating ..... 29
7.1.1 Denmark ..... 29
7.1.2 France ..... 29
7.1.3 Germany ..... 30
7.1.4 Italy ..... 30
7.1.5 The United Kingdom ..... 30
7.1.6 Differences identified among the five countries ..... 30
7.2 Enforcement of the national data protection act ..... 31
7.2.1 Denmark ..... 31
7.2.2 France ..... 32
7.2.3 Germany ..... 32
7.2.4 Italy ..... 33
7.2.5 The United Kingdom ..... 33
8. Case studies ..... 34
8.1 Pharmacies ..... 35
8.1.1 Sector profile ..... 35
8.1.2 Data collected ..... 35
8.1.3 Differences in national legislation ..... 35
8.1.4 Handling of data ..... 36
8.1.5 Value chain perspective ..... 36
8.1.6 Quantitative impact ..... 36
8.1.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy ..... 40
8.1.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data ..... 41
8.1.9 General perception of the national data protection legislation ..... 41
8.1.10 Impacts/problems to be solved ..... 41
8.2 Retail ..... 42
8.2.1 Sector profile ..... 42
8.2.2 Data collected ..... 42
8.2.3 Differences in national legislation ..... 42
8.2.4 Handling of data ..... 43
8.2.5 Value chain perspective ..... 43
8.2.6 Quantitative impact ..... 43
8.2.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy ..... 47
8.2.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data ..... 47
8.2.9 General perception of the national data protection legislation ..... 47
8.2.10 Impacts/problems to be solved ..... 48
8.3 NGO ..... 49
8.3.1 Sector profile ..... 49
8.3.2 Data collected ..... 49
8.3.3 Differences in national legislation ..... 50
8.3.4 Handling of data ..... 50
8.3.5 Value chain perspective ..... 50
8.3.6 Quantitative impact ..... 51
8.3.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy ..... 54
8.3.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data ..... 54
8.3.9 General perception of the national data protection legislation ..... 54
8.3.10 Impacts/problems to be solved ..... 54
8.4 IT service provider ..... 55
8.4.1 Sector profile ..... 55
8.4.2 Data collected ..... 55
8.4.3 Differences in national legislation ..... 55
8.4.4 Handling of data ..... 56
8.4.5 Value chain perspective ..... 56
8.4.6 Quantitative impact ..... 56
8.4.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy ..... 59
8.4.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data ..... 59
8.4.9 General perception of the national data protection legislation ..... 60
8.4.10 Impacts/problems to be solved ..... 60
8.5 Customs authorities ..... 61
8.5.1 Sector profile ..... 61
8.5.2 Data collected ..... 61
8.5.3 Differences in national legislation ..... 62
8.5.4 Handling of data ..... 62
8.5.5 Value chain perspective ..... 63
8.5.6 Quantitative impact ..... 63
8.5.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy ..... 67
8.5.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data ..... 67
8.5.9 General perception of the national data protection legislation ..... 68
8.5.10 Impacts/problems to be solved ..... 68
9. Conclusion ..... 69
Annex I: List of respondents ..... 71
9.1 National supervisory authorities ..... 71
9.2 Pharmacies ..... 71
9.3 Retail sector ..... 71
9.4 NGOs ..... 72
9.5 IT service provider ..... 72
9.6 Customs authorities ..... 72
Annex II: References ..... 73
Annex III: Interview guides ..... 74
Interview guide 1 - Authorities ..... 74
Interview guide 2 - Data controllers (companies or organisations) ..... 77


1. Executive summary

1.1 Objectives and methodology

This report is the Economic Evaluation of the Data Protection Directive 95/46/EC, which has been commissioned by the European Commission, Internal Market Directorate-General and prepared by RAMBOLL Management.

In 2003 the Commission published its First report on the implementation of the Data Protection Directive (95/46/EC), which evaluates the transposition of the Directive into national law and the objectives reached so far. The objective of the Economic Evaluation of the Data Protection Directive (95/46/EC) is to supplement the evaluation of the Data Protection Directive initiated by the Commission by measuring the economic impact of the Directive on data controllers.

More specifically, the aim of the economic evaluation is to answer the following five evaluation questions:

Questions related to efficiency:

1. Does the national implementing legislation meet the requirements of the Directive in the most economic way?

2. If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?

Questions related to effectiveness/relevance:

3. From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?

4. What is their general perception with regard to the national Data Protection Law?

5. Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?

The economic evaluation of the Directive is based on case studies of the following five sectors: pharmacies, retail, NGOs, IT service providers and customs authorities. The cases selected represent different types of organisations. The analysis is conducted in five EU Member States: Denmark, France, Germany, Italy and the United Kingdom.

The case studies detect the additional cost resulting from compliance with the Directive by identifying, analysing and evaluating the costs of compliance measures that entities must take in order to fulfil the Directive's objectives. Additionally, the case studies include evaluation of the following additional costs necessary to comply with the Directive:

• Costs linked to learning about the requirements of the Directive
• Costs in adjusting the internal organisation to comply with the Directive
• Running costs of compliance
• Quantity and costs of Human Resources involved in the compliance
• Costs of external advice and support

A value chain perspective has been applied in the case studies to minimise differences as a result of differences in set-up between the countries.

Furthermore, interviews have been conducted with the national data protection authorities in the five countries.


Analysis across countries and sectors has been undertaken. These identify the different choices of implementation among the countries included in the study and the variations in costs among organisations from different sectors.

1.2 Results of the analysis

The table below summarises the total additional costs associated with compliance with the national legislation implementing the Directive for companies and government institutions in the five sectors.

Table 1: Total costs of complying with the Data Protection Directive in the five sectors

                                      Total one-off costs          Total running costs (yearly)
                                      Internal      External       Internal      External
Pharmacy (France)                     0             0              0             0
Pharmacy (Germany)                    216 Euro      0              0             0
Pharmacy (United Kingdom)             204 Euro      140 Euro       609 Euro      260 Euro
NGO (France)                          113 Euro      0              0             0
NGO (Germany)                         2 674 Euro    0              2 417 Euro    0
Customs authority (United Kingdom)    506 Euro      50 Euro        6 312 Euro    4 350 Euro
Customs authority (Denmark)           213 Euro      135 Euro       550 Euro      0
IT service provider (Denmark)         6 131 Euro    135 Euro       8 666 Euro    0
Retail (Italy)                        1 057 Euro    10 000 Euro    1 739 Euro    0
Retail (France)                       0             0              0             0
Retail (Germany)                      0             2 000 Euro     0             0
Total*                                11 000 Euro   12 000 Euro    20 000 Euro   5 000 Euro
Average cost* per institution/company,
excl. IT service provider (1)         500 Euro      1 200 Euro     1 200 Euro    460 Euro

* Total and average costs are rounded off to two significant digits

The table above shows that, in the sample of 10 companies, the average one-off costs are approximately 1.000 Euro for companies in internal costs (wages) and 1.100 Euro in external costs. The running costs are 1.200 Euro a year internally and 460 Euro a year externally. The figures indicate that for companies in the five sectors examined, the cost of compliance is limited, especially for small companies and institutions. The comments from the large companies indicate that the cost levels stated do not represent a significant economic burden (2).

(1) The figures from the IT service provider are excluded in the calculation of average costs as these operate systems on behalf of clients, and are thus technically included in the external costs of other government institutions and companies.

(2) A study shows that the total direct spend on privacy varies considerably across 44 large U.S. based organisations. The spending ranges from less than $500k to over $22 million in annual budgeted dollars (IBM and Ponemon Institute, 2004). These figures comprise all costs related to data protection, whereas the present study includes the additional costs of a specific regulation in a specific geographical region (EU).


Another study shows that the cost of privacy increases as companies advance from early stage activities to later stage activities (IBM and Ponemon Institute, 2004). Hence the study suggests that as the corporate program matures, more dedicated resources are allocated to formal privacy compliance activities. This tendency is not confirmed by the present study, which shows that the majority of respondents experience higher one-off costs than running costs.

No quantitative data has been collected on the total costs of complying with both previous and EU data protection regulation, but the majority of the respondents found that the national legislation implementing the Directive did not impose significant additional costs compared with the previous legislation in the area. Most of the organisations already had the necessary technological and organisational safeguard measures in place and thus did not experience high additional costs in these areas.

The cost figures only apply to companies which are covered by the national legislation. As the data processing in these five sectors is similar to the majority of the covered business sectors in Europe, it seems reasonable to conclude that the costs per company are limited for a significant part of affected business sectors. It should be added that the study is not all-embracing, and that some specific sectors might experience higher burdens, e.g. the financial sector.

National differences in implementation of the Directive may have an impact on the costs experienced by data controllers. Hence, in the case studies and interviews with the national supervisory authorities, national differences in the implementation of the Directive were identified in order to make a comparison with the costs experienced by the respondents. National differences were identified in the following areas:

• Initial notification
• Annual notification
• Notification fee
• Exemptions from notification
• Simplification of notification
• Appointment of data protection official
• Security requirements
• Prior checks of processing operations
• Authorisation of transfer to third countries

The low compliance costs and the limited sample of companies and institutions make it difficult to identify a significant correlation between costs of complying and differences in implementation. For instance, it is not clear from the estimated costs whether or not the measure of appointing a data protection officer as a replacement for notification imposes a total extra cost on data controllers or represents a saving. The only clear correlation is with fees for initial or annual notification, which are a direct cost imposed on data controllers.

As also mentioned in its first report on the implementation of the Directive (European Commission 2003a), national deviations may impede organisations based in more than one Member State from fully benefiting from the Directive. Hence the case studies show that multinational companies experience additional costs, especially related to different rules on authorisation of transfer to third countries and differences in notification requirements across EU Member States.

1.3 Conclusion

Based on the case studies of the five sectors and the interviews with the supervisory authorities, the conclusion below summarises the findings of the country and sector analysis and the answers to the five evaluation questions.


The case studies show that the costs of compliance with the national legislation implementing the Directive are relatively low for the sectors examined. Most companies, except the multinational companies (CSC and Benetton Italy) and large public institutions (customs authorities), experience modest costs. The figures indicate that for companies in the five sectors examined, the cost of compliance is limited, especially for small companies and institutions.

The comments from the large companies indicate that the cost levels stated do not represent a significant economic burden. In addition, the costs on multinational companies and large public administrations are minor relative to the size and turnover of these organisations.

The interviews with the national supervisory authorities showed that some additional requirements have been introduced by the national legislations, mainly with the objective of maintaining the level of protection offered by the previous national legislation and with the objective of increasing the safeguard of the individual's right to privacy.

Due to the limited compliance costs, it is difficult to identify any significant correlation between costs of complying and differences in implementation. Hence the country and sector analysis identified only one deviation from the Directive which clearly has consequences for the costs imposed on data controllers, i.e. the fees on notification (three countries) and the annual notification (the United Kingdom). It is not clear if the organisational measure of appointing a data protection officer is increasing or decreasing costs on the data controllers.

Furthermore, the country and sector analysis found that divergences in notification requirements might impose extra costs on multinational data controllers.

Based on the analysis, the five evaluation questions are answered below.

Evaluation question 1: Does the national implementing legislation meet the requirements of the Directive in the most economic way?

The analysis shows that the Directive has largely been implemented into national law in a cost-effective way. However, a number of areas have been identified in which simplifications or harmonisations are possible in order to increase the cost-effectiveness of the national implementations of the Directive. This regards for instance the notification obligation (article 18), including possible notification fees, and the provisions on transfer of personal data to third countries (articles 25-26). Both are implemented differently across Member States. The failure by some countries to make use of the exemptions and simplifications provided for in the Directive causes unnecessary additional costs for data controllers. Furthermore, the national divergences in notification requirements and authorisation of transfer to third countries impose unnecessary costs on companies operating in more than one Member State.

Evaluation question 2: If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?

A number of simplifications and harmonisations can be undertaken in order to make the implementation of the Directive more cost-effective:

• Harmonise notification requirements and case handling in the Member States.
• Facilitate the transfer of personal data to third countries for multinational companies operating in several Member States by harmonising the rules on transfer of data to third countries.
• Make use of the possibility to exempt processing operations from notification, including the possibility to appoint a data protection officer.
• Limit the notification requirement to new processing operations instead of requiring an annual renewal of all notifications. This would also remove possible costs related to annual renewal fees.


Evaluation question 3: From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?

The Directive has fulfilled its twofold objective of removing barriers to the free movement of personal data between Member States while at the same time ensuring a high level of protection of the individual's fundamental right to privacy (First Report on the Implementation of the Data Protection Directive (95/46/EC), 10).

The case studies show that the Directive has been implemented with modest costs for firms in all the sectors included in the study, indicating that the objectives have been achieved at a reasonable cost. However, national differences in the implementation impose some unnecessary costs on data controllers, and multinational companies operating in several Member States experience additional costs due to the lack of harmonisation of the implementation of the Directive in the Member States.

Evaluation question 4: What is their general perception with regard to the national Data Protection Law?

The data controllers interviewed largely perceive the respective national Data Protection Laws to be reasonable and relevant, and the majority think that they would carry out similar safeguard measures in the absence of the Directive.

Furthermore, the data controllers interviewed find the extra costs of complying with the national Data Protection Law to be negligible compared to the costs of complying with the previous legislation. This even applies to the Italian data controllers, even though Italy did not have any similar legislation in the area of data protection prior to the implementation of the Directive.

Data controllers operating across national borders call for further harmonisation in the EU of the rules regarding notification and transfer of data to third countries.

Evaluation question 5: Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?

The impacts achieved by the Directive for the most part correspond to the needs identified and the problems to be solved when looking at the five sectors and five countries in the evaluation. However, further harmonisation in some areas will enhance the positive impact of the Directive.

The most important impact of the Directive is that movement of data internally in the EU has been improved due to the fact that all Member States now by definition ensure an adequate level of protection.


2. Introduction

Prior to the adoption of the Data Protection Directive on 24 October 1995, differences in national data protection laws and the fact that Italy and Greece did not have any legislation at all constituted legal obstacles to the free movement of personal data. Hence, the Data Protection Directive was adopted with the objective of ensuring the protection of the individual's fundamental right to privacy, while at the same time improving the free movement of personal data across Member States.

In 2003 the Commission published its First report on the implementation of the Data Protection Directive (95/46/EC), which evaluates the transposition of the Directive into national law and the objectives reached so far. The objective of the current study is to supplement the evaluation of the Data Protection Directive initiated by the Commission by measuring the economic impact of the Directive on data controllers.

More specifically, the aim of the evaluation is to answer the following five evaluation questions:

Questions related to efficiency:

1. Does the national implementing legislation meet the requirements of the Directive in the most economic way?

2. If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?

Questions related to effectiveness/relevance:

3. From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?

4. What is their general perception with regard to the national Data Protection Law?

5. Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?

2.1 Content of the report

The content of the report is the following:

• Section three outlines the methodology of the study
• Section four presents a cross country analysis of the collected data
• Section five presents a cross sector analysis of the collected data
• Section six provides answers to the five evaluation questions based on the five case studies
• Section seven presents the findings from the interviews with the national supervisory authorities
• Section eight presents the five case studies
• Section nine provides the conclusion on the evaluation
• Annex I lists the organisations which have participated in the evaluation
• Annex II is the references
• Annex III contains the two questionnaires used for the interviews with data authorities and data controllers respectively.


3. Methodology

3.1 Case studies

In accordance with the task specifications developed by DG Internal Market, the evaluation should be based on five case studies.

According to the task specifications, the main objective of the case studies is to analyse the additional costs resulting from compliance with the Directive. The case studies should identify, analyse and evaluate the cost of compliance measures that entities must take in order to fulfil the Directive's objectives. Further, according to the task specifications the case studies should include evaluation of the following additional costs necessary to comply with the Directive:

• Costs linked to learning about the requirements of the Directive
• Costs in adjusting the internal organisation to comply with the Directive
• Running cost of compliance
• Quantity and costs of Human Resources involved in the compliance
• Cost of external advice and support

The case study approach holds a number of advantages compared with a survey-based approach. Particularly, case studies allow us to deal with differences in the context and set-up in the individual countries (e.g. differences in which entities are handling data in the different countries). As part of the case studies, a value chain perspective was applied in the interviews to minimise differences as a result of variations in business structure and organisation between the countries.

3.2 Cost structure

As mentioned above, a key activity of the evaluation is to identify, analyse and evaluate the costs of complying with the Data Protection Directive.

Using the terminology of the so-called standard cost methodology, the total costs of compliance with legislation consist of financial costs, substantive compliance costs, and administrative burdens (Ministry of Finance/Legislative Burden Department, 2003). All three cost elements can be divided into one-off costs (the initial investment needed to comply with the regulation) and running costs (the on-going operational cost). Each of the three elements is briefly described below.

Financial costs are the result of a concrete and direct obligation to transfer a sum of money to the Government or the competent authority. An example of a financial cost that is derived from the Data Protection Directive is the fee for notification charged by some of the national data protection authorities.

Substantive compliance costs are the costs that businesses incur in order to comply with the content obligations that legislation and regulations require of a production process or a product. In the case of data protection regulation, an example of substantive compliance costs is the investment in technology protecting personal data.

Administrative burdens are the costs on businesses of complying with the information obligations resulting from legislation and regulations. An example of administrative burdens imposed by the Data Protection Directive is the requirement to notify national data protection authorities of processing operations (Ministry of Finance/Legislative Burden Department, 2003).

The costs measured in the present study are the total costs associated with compliance with the national legislation implementing the Directive. Hence the study comprises financial, substantive and administrative costs.


A mapping of the Data Protection Directive and national legislations implementing the Directive has identified the following activities as potentially imposing costs on data controllers (companies and organisations):

Table 2: Cost elements related to compliance with the Data Protection Directive

One-off costs:
• Gather knowledge about the requirements of the Directive
• Initial training of staff
• Initial notification of authorities of existing processing operations
• Payment of potential fee for notification
• Initial application for processing operations requiring specific permission (e.g. sensitive data)
• Investment in technology protecting personal data
• Adjustment of existing IT systems
• Creation of organizational measures, e.g. appointment of data protection officer

Running costs:
• Notification of authorities of processing operations
• Payment of potential fee for notification
• Application for processing operations requiring specific permission
• Authorisation and notification of transfer to third country
• Handling access requests by data subjects
• Handling rectification, erasure and blocking based on complaints from data subjects
• Provide information to data subjects
• Provide information to data subjects regarding data obtained by other sources
• Obtaining consent from data subjects to processing
• Obtain permission from data subjects to transfer data to third countries
• Checking mailing preference services before using direct marketing
• Manage a register of processing operations
• Maintenance and adjustment of data protection technology
• Dissemination of information to internal staff
• Training of staff

As illustrated above, we divide the costs of compliance with the national legislation implementing the Directive into internal costs (in the company) and external costs (outside the company).

In the interviews with data controllers, internal costs have been estimated by respondents in man hours and later converted into euro based on Eurostat labour cost statistics (see annex II on case studies for further details on the calculation method). External costs, which are the costs of contracting out, have been estimated in euros by the respondents.

3.3 Selection of cases to study

The selection methodology has taken into consideration the recommended case selection approach in the MEANS collection. This framework recommends considering the following different strategies for selection of cases:


Table 1: Questions addressed through case studies

Which questions can be answered?                                                        Basis of selection
What happens at the extremes? What explains these differences?                         Contrasting cases
What explains the effectiveness of a project?                                           The best cases
Why does a project not function?                                                        The worst cases
How can the different types of project be compared?                                     By sub-sets
Among the examples chosen to represent significant variations, what happens and why?   Representative cases
On a typical site, what happens and why?                                                Typical cases
In these specific circumstances, what happens and why?                                  Particular cases

Source: Evaluating Socio Economic Development, SOURCEBOOK 2: Methods & Techniques, Case studies, www.evalsed.info.

    The standard cost methodology applied in this study (Ministry of Finance/Legislative BurdenDepartment, 2003) aims at identifying the costs for normally efficient companies and

    institutions. The cases selected in the study all operate in business sectors which are affectedat an average or above average level in terms of costs of compliance with the data protectionlegislation. Furthermore, the sample have a higher than average frequency of companieswhich distribute and manage personal data across national borders. These will facesignificantly higher compliance costs than others.

    The case selection strategy is thus representative with a bias towards particular (high costs ofcompliance) cases.

    Analysing private or public organisations which are unaware if and how they comply with theDirective will not provide input to the analysis of the costs resulting from compliance with theDirective, and are thus not relevant for the evaluation.

    The case selection strategy allows us to answer the question: In these specific circumstances,what happens and why. Sub questions can be formulated as:

    What happens when implementing the Directive? What are the main factors and determinants, which influence the costs? What are the critical factors which influence the costs? How has the legislation been transposed into the national legislation?

3.4 Specific case selection criteria

The overall case selection criteria have been identified as follows:

- The country dimension
- The business sector dimension
- The organisational type dimension (i.e. micro, small, medium and large)

The selection of countries was conducted in accordance with the task specification: Denmark, France, Germany, Italy and the United Kingdom. Among these countries significant variations exist as to the level of data protection before the implementation of the Directive, the time of transposition and the choices made in implementation.

Italy was the only one of the five countries without any legislation in the area of data protection prior to the adoption of the Directive. Germany, France and Denmark all adopted their first legislation in the area in 1978, whereas the United Kingdom adopted its first law in 1984 (source: interviews with national supervisory authorities).


The first of the five countries to implement the Directive into national law was the United Kingdom in 1998. Denmark implemented the Directive in 2000, Germany and Italy in 2003 and France in 2004 (European Commission, 2002b and interviews with national supervisory authorities).

The five countries included in the study represent different choices in implementing the Directive, for instance in time of transposition, prior level of data protection and implementation of the provisions on notification. This variation means that the designated countries are found to be representative. Thus, the study of the five countries allows us to see differences in costs due to late implementation, goldplating and the existence of legislation in the area prior to the adoption of the Directive.

In accordance with the task specifications, the sectors needed to be determined. In the Eurobarometer survey on Data Protection (Special Eurobarometer 196, 2003), the following organisations holding critical personal data were identified:

- Medical services and doctors
- Insurance companies
- Credit card companies
- Banks and financial institutions
- Employers
- The police
- Social security
- Tax authorities
- Local authorities
- National authorities
- Credit reference agencies
- Mail order companies
- Non-profit organisations
- Market and opinion research companies

All of the sectors above are potentially relevant for the evaluation. We selected five sectors with different types of organisation and data being processed. Furthermore, we selected sectors which were expected to be affected at an average or above average level in terms of costs of compliance with the data protection legislation. The five sectors selected were: the health sector, the retail sector, the NGO sector, IT services and customs authorities. The sectors and the selected companies and organisations are briefly presented below:

Health sector, small firms: pharmacies

In the health sector pharmacies were selected to represent small firms. Pharmacies collect personal information for various purposes. Like other businesses, pharmacies collect personal information for staff administration and for the keeping of records and accounts. However, the collection of health-related information distinguishes pharmacies from other organisations and makes pharmacies interesting from a data protection perspective, as health-related data are sensitive data.

The selection of pharmacies took into consideration the impact of the data protection legislation on pharmacies in the five countries. Hence three pharmacies were selected, one in each of the United Kingdom, Germany and France, as these countries represent three different choices of implementation, resulting in different requirements on pharmacies.

Retail sector, multinational companies: Benetton and Adler

As in other sectors, retail businesses collect personal information for the administration of staff, for the keeping of accounts and records and for advertising and marketing purposes.


A special feature of fashion retailers is the collection and storage of personal information on customers, which is collected through the use of membership cards and shared among different chains and countries.

In the retail sector the multinational fashion retailers Benetton (Italy and France) and Adler (Germany) were selected. Being established in several Member States, these companies potentially face problems relating to differences in implementation of the Directive across Member States.

Furthermore, Benetton and Adler represent different practices as to the use of membership cards.

NGO sector: Amnesty International

The term NGO can be applied to any non-profit organisation which is independent from government. NGOs are typically value-based organisations which depend, in whole or in part, on charitable donations and voluntary service. Although the NGO sector has become increasingly professionalised over the last two decades, principles of altruism and voluntarism remain key defining characteristics (http://docs.lib.duke.edu/igo/guides/ngo/define.htm).

NGOs collect personal information from employees, members, donors, complainants, victims, correspondents and enquirers. The information is collected for different purposes and may be transferred to other countries depending on the organisational structure of the NGO. Characteristic for NGOs is the collection of personal information for the administration of membership records and fundraising and for conducting research in the field concerned (e.g. human rights).

In the NGO sector Amnesty International was selected as the case. National divisions of Amnesty International are located in several Member States and the International Secretariat is located in the United Kingdom. Sensitive data are held for the campaigning activity of the NGO, and personal data on members and donors are processed.

IT services and outsourcing: CSC

Characteristic for the IT service and outsourcing sector is the processing of personal data on behalf of other companies. Thus IT service companies conducting outsourced functions for other companies are faced with issues of data protection, as they act as processors on behalf of data controllers. The Data Protection Directive also affects the transfer of data between national branches of the IT service company in different Member States and the execution of outsourced services in third countries.

CSC is designated as the case in the IT service and outsourcing sector. CSC processes employee data and provides services for many sectors handling sensitive data. Additionally, CSC is a multinational company, which may face issues of data protection similar to those found in the retail sector.

Public administration: customs authorities

In the public administration, customs authorities have been selected as the case. Customs authorities collect personal information in relation to the assessment, payment and collection of customs duties. Additionally, they collect information related to staff administration and other common purposes.

Customs authorities in Denmark and the United Kingdom have been selected as cases. The size of the administrations of these authorities varies significantly and they represent different choices in the organisation of data protection within the administration.


    Data protection authorities

In addition, interviews with representatives from the supervisory authorities in all five designated countries have been carried out.

3.4.1 Case matrix

The matrix below shows which interviews were conducted.

Table 2: Case matrix

Sector, organisation | Denmark | United Kingdom | Germany | Italy | France
Health, small firms: pharmacies | | X | X | | X
Fashion retail, multinational company: Benetton and Adler | | | X | X | X
NGO: Amnesty International | | | X | | X
IT services and outsourcing: CSC | X | | | (*) |
Public administration: customs authorities | X | X | | (*) |

* CSC and the customs authorities in Italy were invited to participate in the study, but did not respond within the time frame of the study.


4. Cross country analysis

The Commission's first report on the transposition of the Data Protection Directive from 2003 concludes that, in spite of the late implementation of the Directive by Member States, the twofold objective of the Directive has broadly been achieved. The main barriers to the free movement of personal data between Member States have been removed, as all Member States have now adopted data protection legislation. Furthermore, adoption of the Directive has ensured an equal level of protection of the individual's right to privacy.

However, the report also concludes that differences in the national implementation of the Directive prevent the European economy from getting the full benefit of the Directive. For instance, the development of pan-European policies on data protection by multinational organisations is impeded by national disparities (European Commission, 2003a).

This cross country analysis covers the following Member States: Denmark, France, Germany, Italy and the United Kingdom. The analysis identifies the disparities that were prevalent in the interviews with data controllers and supervisory authorities. The identification is not exhaustive, but a further analysis of some of the national differences described in the technical analysis accompanying the Commission's first report. Additionally, it is analysed whether or not the national disparities have an economic impact on data controllers. This identification is based on a comparison between the costs estimated in the case studies and the disparities in national implementation of the Directive.

4.1 Divergences in national implementation of the Data Protection Directive

Member States are committed to transpose the minimum requirements prescribed by the Directive into national legislation. However, Member States have the possibility to introduce additional requirements as long as these are consistent with the Directive. The considerable margin of choice for transposition of the Directive into national law causes national deviations. Additionally, divergences may arise from different practices in the interpretation of the laws by supervisory authorities and from wrongful transposition (European Commission, 2003b).

The table below compares the divergences in national law which were prevalent in the interviews with data controllers and supervisory authorities. The table also shows the corresponding provision of the Data Protection Directive.


Table 3: Differences in implementation of the Data Protection Directive

Provision | Denmark | France | Germany | Italy | United Kingdom | Data Protection Directive
Initial notification | X (fee 135 euro) | X | Only processing of personal data permanently transferred to third parties | Only some specified processing (fee 150 euro) | X (fee 50 euro) | X
Annual notification | -- | -- | -- | -- | X (fee 50 euro) | --
Exemptions from notification | Medium | Some | High | High | Some | X
Simplification of notification | -- | X | -- | -- | -- | X
Appointment of data protection official | -- | Voluntary, replaces notification | Obligatory, replaces notification | -- | -- | Voluntary, replaces notification
Detailed security regulations for the public sector | X | -- | -- | -- | -- | --
Prior checking of specific processing operations | X | X | Prior checking is the responsibility of the data protection official | X | A possibility, but no processing operations are made subject to prior checks | X
Authorisation of transfer to third countries | X | X | X | X | X | X

Source: Interviews with national supervisory authorities and European Commission, 2002a

X = the concerned provision is implemented in the national legislation. Some, medium and high indicate to which level the provision is made use of.
-- = the provision is not implemented in the national legislation.

    Below, each of the activities and divergences are explained:

Initial notification

The extent to which processing of personal data needs to be notified to the supervisory authority varies from country to country. This also applies to the initial notification of existing processing operations when the Directive was implemented into national law.

Notification of existing processing operations at the time the Directive was implemented was required by Denmark, Germany, Italy and the United Kingdom. Organisations in France have not been required to notify their existing processing operations.

For companies and organisations in Denmark, Italy and the United Kingdom the initial notification was and is associated with a fee of 135, 150 and 50 euro respectively.


Annual notification

The notification requirement differs from country to country. Some countries require an annual renewal of the notification, whereas others only require that new processing operations and changes to existing operations are notified to the supervisory authority.

Of the five countries examined, the United Kingdom is the only one which requires an annual renewal of the notification. The remaining countries only require that new processing operations and changes to existing operations are notified to the supervisory authority. The renewal of the notification in the United Kingdom is associated with an annual fee of 50 euro.

Exemption from notification

The study shows differences in the transposition of Article 18(2) of the Directive on the obligation to notify the supervisory authority. The provision lays down that Member States may provide for exemption from notification. The margin of manoeuvre left by this provision implies that the five countries included in the study have all, to varying extents, exempted some kinds of processing of personal data from the notification requirement.

Denmark, the United Kingdom, France, Germany and Italy all make more or less extensive use of the possibility to grant exemptions (European Commission, 2003b). This is confirmed by the interviews, which also show that Italian and Danish legislation exempts data controllers from notification to a wider extent than UK and French legislation. In France, however, the majority of the notifications have been simplified.

Simplification of notification

Article 18(2) of the Directive also provides for the simplification of the notification requirement. Some of the countries included in the study make use of this possibility.

Appointment of data protection official

According to Article 18(2) of the Directive, Member States may provide that notification is replaced by the appointment of a data protection official. This person can be either an employee or an outside expert.

This possibility is also used to varying extents in the examined countries. In Germany notification is replaced by the appointment of a data protection officer, which is obligatory when 5 or more persons are employed in the processing of personal data. In France, data controllers are also exempt from notification if a data protection officer is appointed; however, it is voluntary to do so (http://www.cnil.fr/index.php?id=1577&print=1).

Security of processing: detailed security regulations

Article 17(1) of the Directive lays down that Member States shall provide that data controllers implement appropriate technical and organisational measures to protect personal data. Based on this article, Denmark has implemented detailed security regulations for processing in the public sector. None of the other countries in the study have implemented corresponding requirements.

Prior checks

Article 20 of the Directive prescribes that Member States shall determine which processing operations are likely to present specific risks to the rights and freedoms of the data subject, and that these processing operations shall be subject to a prior check before being started. Among the countries examined, there are differences regarding which processing operations are subject to such a prior check. The United Kingdom is the only one of the examined countries which does not require any processing operations to be subject to prior checking and authorisation by the authorities, even though the UK Data Protection Act does provide for the possibility (section 22 of the Data Protection Act 1998). In the remaining countries it varies which processing operations need authorisation.


Authorisation

Article 26(2) of the Directive provides that Member States may authorise a transfer of personal data to a third country which does not ensure an adequate level of protection, if the data controller adduces adequate safeguards. Such safeguards may in particular result from contractual clauses. The application of this provision differs from country to country.

All of the countries examined in this study have implemented provisions on authorisation of transfer to third countries based on Articles 25 and 26 of the Directive. However, the requirement for authorisation varies from country to country. This is confirmed by the Commission's First Report on the Implementation of the Directive (95/46/EC), which concludes that some Member States adopt a lax attitude toward authorisation, whereas other Member States submit all transfers to authorisation (European Commission, 2003a:18).

The low compliance costs and the limited sample of companies and institutions make it difficult to identify a significant correlation between costs of complying and differences in implementation. For instance, it is not clear from the estimated costs whether or not the measure of appointing a data protection officer as a replacement for notification imposes a total extra cost on data controllers or represents a saving. The only clear correlation is with fees for initial or annual notification, which are a direct cost imposed on data controllers.

As mentioned in its first report on the implementation of the Directive (European Commission 2003a), national deviations may impede organisations established in several Member States from fully benefiting from the Directive. Hence the case studies show that multinational companies experience additional costs, especially related to different rules on authorisation of transfer to third countries and differences in notification requirements across EU Member States.

The issues related to differences in notification requirements are also recognised in the First Report on the Implementation of the Directive (European Commission 2003a), which called upon the Article 29 Working Party to contribute to a more uniform implementation of the Directive. Hence the Task Force on Simplification of Notification Requirements was set up by the Article 29 Working Party with the purpose of identifying best practices as regards the duty of notification and exploring a possible system of simplification for organisations with more than one establishment in the EU (Article 29 Working Party, 2005).

It should also be noted that divergences in implementation which do not impose extra costs on data controllers operating on a solely national basis might impose extra costs on multinational data controllers. As recognised by the analysis and impact study on the implementation of Directive 95/46/EC in the Member States, multinational organisations have to comply with different national laws and thus do not fully benefit from national exemptions and simplifications (European Commission, 2003b:28). This applies especially to variations in notification requirements and requirements for transfers to third countries.

As regards the issue of late implementation, the case studies have not identified a clear quantitative relation between costs and the time of implementation of the Directive by Member States. However, companies operating across countries have highlighted the significant costs of non-harmonised regulation. Late implementation impedes the free movement of data and decreases the benefits of the Directive for the European economy.


5. Cross sector analysis

As part of the study, data controllers from pharmacies, NGOs, customs authorities, IT service providers and the fashion retail sector have been interviewed. The table below shows which kinds of personal information the various sectors collect and process.

Table 4: Data processed in the five sectors (pharmacies, NGOs, customs authorities, IT service providers, retail)

Personal information collected on:

- Employees: all five sectors
- Clients/customers: three of the five sectors
- Suppliers: three of the five sectors
- Members/donors: two of the five sectors
- Victims: one sector (NGOs)
- Suspects/defendants: one sector (customs authorities)
- Importers and exporters: one sector (customs authorities)
- Domestic traders: one sector (customs authorities)
- Third parties: one sector

Each sector faces different issues in relation to data protection, depending on the kind of information processed and the purpose of the processing. However, all sectors included in the study process personal data on their employees.

The handling of data also varies among data controllers. The majority of the data controllers handle the activities themselves, whereas only one, the French pharmacy, has outsourced the handling and notification of the processing.

Depending on the sector, various IT systems are subject to the data protection law. The two pharmacies which have not outsourced the processing both have one IT system in which all kinds of personal information are stored. One of the NGOs uses two IT systems, one for staff administration and one for the administration of members, donors and customers, whereas the other NGO uses one integrated system. All three retailers handle personal information in one IT system. Both the customs authorities and the IT service provider have several IT systems which are subject to the data protection law. The IT service provider differs from the other respondents in being both a data controller (employee data) and a processor on behalf of other data controllers.

The table below summarises the total one-off costs and running costs estimated by respondents in the five sectors. Both one-off and running costs are divided into internal and external costs.


Table 5: Total costs of complying with the Data Protection Directive in the five sectors (Euro)

Organisation | One-off costs, internal | One-off costs, external | Running costs (yearly), internal | Running costs (yearly), external
Pharmacy (France) | 0 | 0 | 0 | 0
Pharmacy (Germany) | 216 | 0 | 0 | 0
Pharmacy (United Kingdom) | 204 | 140 | 609 | 260
NGO (France) | 113 | 0 | 0 | 0
NGO (Germany) | 2 674 | 0 | 2 417 | 0
Customs authority (United Kingdom) | 506 | 50 | 6 312 | 4 350
Customs authority (Denmark) | 213 | 135 | 550 | 0
IT service provider (Denmark) | 6 131 | 135 | 8 666 | 0
Retail (Italy) | 1 057 | 10 000 | 1 739 | 0
Retail (France) | 0 | 0 | 0 | 0
Retail (Germany) | 0 | 2 000 | 0 | 0
Total* | 11 000 | 12 000 | 20 000 | 5 000
Average cost per institution/company, excl. IT service provider (3)* | 500 | 1 200 | 1 200 | 460

* Total and average costs are rounded off to two significant digits.

The table above shows that, in the sample of 10 companies and institutions, the average one-off costs are approximately 500 Euro in internal costs (wages) and 1 200 Euro in external costs. The running costs are 1 200 Euro a year internally and 460 Euro a year externally. The figures indicate that for companies in the five sectors examined, the cost of compliance is limited, especially for small companies and institutions.

The comments from the large companies indicate that the cost levels stated do not represent a significant economic burden. When related to the size of the company, the costs experienced by the larger companies and organisations in the study are relatively low. Hence, when the costs of complying with the national legislation implementing the Directive are related to the number of employees, the relatively highest costs are experienced by the UK pharmacy and the German NGO, whereas the relatively lowest costs are experienced by the large organisations and multinational companies. Thus some economies of scale exist.

The costs estimated by the UK pharmacy differ from the costs estimated by the German and French pharmacies. This difference is partly explained by the above-mentioned national differences in implementation of the Directive, i.e. the requirement for annual notification in the United Kingdom. Pharmacies are among the most trusted organisations holding personal information: 84% of EU citizens trust medical services and doctors to make correct use of their personal data (Special Eurobarometer no 196, 2003). The level of trust may have an impact on the number of access requests and complaints received from data subjects and thus on the costs imposed on pharmacies.

3 The figures from the IT service provider are excluded from the calculation of average costs, as it operates systems on behalf of clients and its costs are thus technically included in the external costs of other government institutions and companies.


The case study of the NGO in France shows close to no costs, whereas the German branch of Amnesty has experienced increased costs but also a higher security level. This difference may be caused by the fact that France only recently transposed the Directive into national law. Hence the French NGO may not be fully aware of the requirements of the Directive and may thus not yet have experienced the full running costs related to the Directive.

The difference in costs for customs authorities is explained by the fact that the UK customs authority is significantly larger and differently organised than the Danish customs authority. Furthermore, as there is only one customs authority per Member State, the one-off and running costs are very small even at EU level.

The IT service provider experiences some costs other than those of the remaining data controllers, due to the fact that it is a multinational organisation with more cross-border data exchange and that it manages data on behalf of clients. The majority of the costs are related to the employment of a data protection manager at European level to coordinate data protection activities. Additionally, the requirements on data transfer to third countries affect the transfer of, for instance, employee data from one branch of the company to the headquarters, and about one fifth of the running costs are imposed by activities related to international transfer.

Benetton, a large multinational company, experienced relatively modest costs. The main cost was an external consultant who worked on the topic in 1997, when the first law in the field was adopted in Italy. The consultant mapped all data processing activities in the organisation. The cost was 20 million Italian lire (about 10 000 euro). The yearly running costs at headquarters are estimated at less than 2 000 Euro. Likewise, the compliance costs for Adler in the retail sector have been limited. As regards Benetton France, no additional costs have been experienced.

Data processing in these five sectors is similar to that in the majority of business sectors in Europe. Hence it seems reasonable to conclude that the costs are limited for a significant part of European business sectors. It should be added that the study is not all-embracing, and that some specific sectors might experience higher burdens, e.g. the financial sector.

5.1 Relative costs of implementing the Directive

The majority of the respondents found that the national legislation implementing the Directive did not impose significant additional costs compared with the previous legislation in the area. Most of the organisations already had the necessary technological and organisational safeguard measures in place and thus did not experience costs in these areas.

This applies for instance to the UK customs authority, which estimates that the total cost of data protection is 2 staff years spent by senior managers and middle managers and 3 staff years spent by Business Information Managers and their staff. According to the respondents from the customs authority, these figures have remained largely unchanged since before the introduction of the current Act, as the implementation of the Directive has had a negligible impact on the way in which the authority manages data (interview with the customs authority in the United Kingdom).

Italy was the only one of the five countries included in the study without any legislation in the area of data protection prior to the adoption of the Directive. Thus the costs experienced by the Italian data controller indicate the total cost of data protection. The Italian data controller, Benetton, estimates that the total one-off costs were 11 057 euro and the total running costs are 1 739 euro.


    6. Analysis of evaluation questions6.1 Evaluation question 1: Does the national implementing legislation meet the

    requirements of the Directive in the most economic way?

    Member States are committed to transpose the minimum requirements prescribed by theDirective into national legislation. However Member States have the possibility to introduceadditional requirements as long as these are in compliance with the Directives procedures. Asshown previously in the cross country analysis, the margin of choice for transposition of theDirective into national law causes national deviations, which in some cases impose additionalcosts on data controllers.

    In order to assess whether or not the national implementing legislation meets the requirementof the Directive in the most economic way, it is necessary to establish the most economic wayto meet the requirements. This is done by imposing the lowest possible costs on datacontrollers, while at the same time increasing the benefits to society and individuals resultingfrom data protection. Data protection al though imposing costs on data controllers alsopotentially creates benefits for data controllers in form of increased customer trust andpromotion of good practices in data management (Masons, 1998:9f4). In other words: data

    protection legislation shall strike the balance between providing a sufficient level of securityfor employees, customers, consumers etc. and at the other does not introduce unnecessaryrequirements. Generally this will mean not to go beyond what is required in the Directive,while at the same time exploits the margin of choice, which the Directive leaves, to makeexemptions and derogations from the general requirements.

    In the cross country analysis a number of areas have been identified in which nationaldeviations in the implementation of the Directive imposes additional costs on data controllers.These deviations are mainly related to the provisions on notification and transfer to thirdcountries. The national deviations that were found in the case studies to be imposingunnecessary costs are outlined below.

6.1.1 Exemption from and simplification of notification

The cross country analysis shows that the United Kingdom, to a lesser extent than Italy, Germany, Denmark and France, has made use of the possibility of making exemptions from and simplifications of notification. In the United Kingdom only four kinds of processing operations are exempted from notification. In Germany the notification requirement is replaced by the requirement of appointing a data protection officer. The Danish act exempts several processing operations, and in France 70% of all processing operations are simplified. The Italian act exempts processing operations to a great extent, as it introduces a positive list of six kinds of processing operations which require notification.

Another aspect of the national divergences in notification requirements is the fact that multinational companies established in several Member States have to make different kinds of notification of the same IT system, as they have to comply with different requirements and thus do not benefit from exemptions and simplification (European Commission, 2003b:28).

6.1.2 Annual notification

The Directive does not require an annual notification of processing operations. However, the United Kingdom, alone among the examined countries, requires that data controllers renew their notification annually. The annual renewal is associated with a fee. This requirement imposes running costs on data controllers which are not found in the other countries.

[4] The Masons study focuses on cost effective means whereby data controllers can achieve compliance with the requirements of the Directive. From the perspective of the study, solutions are found to be cost effective if they advocate a common sense approach to data protection as an integrated part of good information management policy, i.e. if they carry significant direct benefits in terms of more efficient business administration, as well as indirect benefits such as better customer relations (Masons, 1998:15).


6.1.3 Appointment of data protection officer

Both Germany and France make use of the possibility to replace notification with the appointment of a data protection officer. In France the appointment is voluntary, whereas in Germany it is required to appoint a data protection officer when 5 or more employees are occupied with the processing of data. The cross country analysis shows no clear connection between the requirement of a data protection officer and the costs imposed on data controllers. The appointment of a data protection officer may in fact result in greater awareness of data protection, as outlined in the report from the Task Force Simplification of Notification Requirements. The level of awareness of data protection is reflected in the Commission consultation on the implementation of the Directive, where nearly 50% of all answers received originated from Germany (Article 29 Working Party, 2005).

However, it is important that the regulation leaves room for government institutions and companies to achieve this goal in a way that is best suited to their existing business operations and systems.

6.1.4 Transfer to third countries

All the countries examined in this study have implemented provisions on authorisation of transfer to third countries based on articles 25 and 26 of the Directive. However, the requirement for authorisation varies from country to country. This is confirmed by the Commission's First Report on the Implementation of the Directive (95/46/EC), which concludes that some Member States adopt a lax attitude toward authorisation, whereas other Member States submit all transfers to authorisation (First Report on the Implementation of the Directive (95/46/EC), 18).

The divergences in authorisation requirements across Member States impose additional costs on multinational companies which are established in several Member States. The case study of the Danish IT service provider illustrates the impediments caused by the divergences in authorisation requirements. Differences as to which transfers are being authorised and the lack of coherence between the national requirements impose costs on CSC, as they have to spend additional time on setting up transfer agreements that all branches of the company as well as the concerned national supervisory authorities can accept.

To summarise on evaluation question 1, the costs imposed on data controllers are modest in the sectors examined, and the Directive has largely been implemented into national law in a cost effective way. However, some unnecessary costs have been identified. Thus a simplification and harmonisation of the national implementations of the Directive will increase the cost-effectiveness of the legislation.

6.2 Evaluation question 2: If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?

In evaluation question 1, a number of simplifications and harmonisations were identified which can be undertaken in order to make the national implementations of the Directive more cost-effective.

As indicated above, the most cost-effective way to meet the requirements of the Directive can be identified as a choice of implementation which does not go beyond the requirements of the Directive and which makes use of the possibilities provided in the Directive for exemptions and simplifications.

    Alternative means of meeting the requirements of the Directive are outlined below.

6.2.1 Exemption from and simplification of notification

A more cost-effective way of meeting the requirements of the Directive is to make use of the possibility to exempt processing operations from notification or to simplify the notification process. The Directive provides two ways in which such exemptions can be made (article 18(2) of the Directive):

1. When processing operations are unlikely to affect the rights and freedoms of the data subject.

2. When data controllers appoint a personal data protection officer.

The delicate balance in this respect is for Member States to require notification of only those processing operations which may present a risk to the individual's fundamental right to privacy. Furthermore, the benefits of notification should be taken into consideration, i.e. increasing transparency for data subjects, raising awareness of data controllers and enabling supervisory authorities to keep abreast of the data processing operations in the concerned country (Article 29 Working Party, 2005).

As indicated in the above answer to evaluation question 1, the fact that some countries require the appointment of a data protection officer does not unambiguously imply additional costs on data controllers. In fact, the appointment of a data protection officer may increase awareness of data protection. Hence either way of reducing the costs related to notification can be applied to increase the cost-effectiveness of the national implementation.

However, multinational companies which are data controllers in several Member States have to comply with a variety of notification requirements. This imposes unnecessary costs upon them, which calls for a harmonisation of the exemptions and simplifications found in the different Member States. Furthermore, simplified notification systems for multinational companies are needed. The need for harmonisation and simplification is also recognised by the Commission's First Report on the Implementation of the Data Protection Directive (95/46/EC) and the report from the Article 29 Working Party Task Force Simplification of Notification Requirements.

6.2.2 Notification requirement

To improve the cost-effectiveness of the national implementations of the Directive, the Member States can reduce the costs related to the frequency of the notification requirement. A comparison of the costs related to the English annual notification requirement with the costs imposed in the remaining countries shows that there are alternative means of implementing the provision on notification which reduce the costs.

Hence, by limiting the notification requirement to new processing operations instead of requiring an annual renewal of all notifications, the running costs related to notification are reduced.

6.2.3 Transfer to third countries

As the case study of the Danish IT service provider shows, some costs are related to the fact that Member States have implemented the provision on authorisation of transfer to third countries differently. A harmonisation of those differences would facilitate the transfer of personal data to third countries for multinational companies operating in several Member States. As indicated in the Commission's First Report on the Implementation of the Data Protection Directive (95/46/EC), there are further ways of facilitating the transfer of personal data to third countries (First Report on the Implementation of the Data Protection Directive (95/46/EC), 25):

Multinational companies should be allowed to make use of binding corporate rules[5]. Binding corporate rules can provide the adequate safeguards for data exchange across branches of the company. This would facilitate the transfer internally in a multinational company by reducing the administrative costs related to applying for the authorisation of each concerned national supervisory authority.

[5] Binding corporate rules: Internal rules that bind a given multinational corporate group doing business in several different jurisdictions, both inside and outside the EU. Binding corporate rules can provide adequate safeguards for intragroup transfers of personal data (European Commission, 2003a).


The choice of standard contractual clauses[6] should be widened in order to facilitate the setting up of contracts between branches of the company or between the company and the client. This would make it easier for data controllers to ensure that the adequate safeguards are provided for, for instance by a data processor established abroad.

6.3 Evaluation question 3: From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?

The objective of the Directive is stated in articles 1.1 and 1.2:

Article 1.1: "...Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data."

Article 1.2: "Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1."

Thus the Directive has the two-fold objective of protecting people's privacy and establishing an internal market with free flow of information between Member States.

The First Report on the Implementation of the Data Protection Directive (95/46/EC) concluded that the Directive has achieved both the objective of securing the free movement of information and a high level of protection of data (European Commission, 2003a). This study confirms the conclusion that the two objectives above have largely been fulfilled.

Regarding the objective of protecting fundamental rights, the respondents from Denmark, France, Germany and the United Kingdom all agree that the protection level for individuals is the same as before the Directive was introduced, as all these countries had a similar regulation in place. The respondents considered the level of protection in these countries prior to the introduction of the Directive to be high, and the high level of protection has been maintained after the implementation of the Directive. In some specific areas, the regulation implementing the Directive has actually improved the security, e.g.:

The legal security concerning the transfer of data has been improved, as all Member States now by definition ensure an adequate level of protection.

Denmark: The implementation of the Directive includes all processing of data, whereas the previous legislation only covered data registers. This means an extension of the scope of the data protection law.

The United Kingdom: The extension of the data protection act to transfer of data outside the EEA.

In Italy there was no regulation prior to the introduction of the Directive, which means that the protection level has increased considerably here. This is also confirmed by the Italian supervisory authority (interview with supervisory authorities).

The interviews with the national supervisory authorities in Denmark, Germany and the United Kingdom support the view that no significant changes regarding the protection of the individual's fundamental right to privacy have been introduced with the implementation of the Directive. However, from the perspective of the French authority, the implementation of the Directive has slightly improved the protection of the individual's right to privacy due to the fact that the competences of the authority, the CNIL, have increased (interview with supervisory authorities).

[6] Standard contractual clauses: Standard contractual clauses offer sufficient safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights. By incorporating the standard contractual clauses into a contract, personal data can flow from a Data Controller established in any of a specified group of countries (www.http://europa.eu.int/comm/justice_home/fsj/privacy/modelcontracts/index_en.htm).

Regarding free movement of data, the respondent from CSC, which operates globally, thinks that the previous obstacles related to transfer of data between Member States have been removed. The remaining multinational companies, Benetton in Italy and France and Adler in Germany, have not identified major changes regarding transfer of data within the EU.

The supervisory authorities in Italy, Germany and Denmark do not perceive that the movement of personal data in the EU was a major problem before implementation of the Directive. The English authority, however, finds that the free movement has to some degree been improved. The French authority also finds that the free movement of data has been improved with the implementation of the Directive, due to the fact that the previous national legislation in the area required contract covenants in order for data controllers to transfer data inside the EU (interview with supervisory authorities).

The obstacles to the free movement of data prior to the implementation of the Directive were primarily caused by the fact that Italy and Greece did not have any legislation in the area of data protection. For data controllers in these countries transfer of data was not subject to any regulation and thus did not cause any problems. Hence the obstacles to the free movement of data were mostly experienced by data controllers in countries having regulation in the area of data protection.

With the objectives of the Directive largely fulfilled, the next question is whether the objectives of the Directive have been fulfilled at a reasonable cost. For the five sectors involved in the evaluation, customs authorities, IT services, NGOs, pharmacies and the retail sector, the answer is positive; the Directive has been implemented with relatively limited costs for business.

Even Benetton, which is a large multinational company, experienced very limited costs. The main cost was an external consultant who worked on the topic in 1997 when the first law in the field was adopted in Italy. The consultant mapped all data processing activities in the organisation. The cost was 20 million Italian lire (about 10.000 euro). The yearly running costs in headquarters are estimated at less than 2.000 euro. As these five sectors process data similarly to the majority of business sectors in Europe, it seems reasonable to conclude that the costs are limited for a large part of European business sectors. It should be added that the study is not all-embracing, and that some specific sectors might experience higher burdens, e.g. the financial sector.

6.4 Evaluation question 4: What is their general perception with regard to the national Data Protection Law?

The data controllers interviewed in the five sectors largely perceive the respective national Data Protection Laws to be reasonable and relevant, and the majority claim that they would carry out similar safeguard measures in the absence of the Directive.

Furthermore, most of the data controllers interviewed find the extra costs of complying with the national Data Protection Law to be relatively modest compared to the costs of complying with the previous legislation.

Generally, the respondents think that the regulation represents common sense and that some kind of regulation in the area is necessary in order for data subjects to have trust in business and thus accept to provide information when necessary. This perception is in line with the views found in the 2002 on-line consultation, in which 69% of the data controllers considered data protection requirements necessary (European Commission, 2002c).


6.5 Evaluation question 5: Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?

    The needs identified among data controllers in the interviews include the following:

1. The need for a regulation securing a high level of data protection for individuals

2. The need for a flexible regulation

3. The need for a harmonisation of the regulation of transfer of data internally between Member States

4. The need for a harmonisation of the regulation of transfer of data externally between Member States and third countries

Each of these four points is commented on below:

1. The need for a regulation securing a high level of data protection for individuals

Several respondents mention that a high level of security contributes to increased trust among data subjects concerning the handling of sensitive data. In many sectors, e.g. customs authorities and pharmacies, this trust is a prerequisite in order to operate. As mentioned previously, respondents in Denmark, France, Germany and the UK think that the previous regulation provided sufficient security and that the situation after the implementation of the Directive is the same.

    2. The need for a flexible regulation

While a high level of security is important to business as well as government institutions, it is equally important that the regulation leaves room for business to achieve this goal in a way that is best suited to their existing business operations and systems. Thus, the demand in some Member States to appoint an employee as data protection officer is a non-flexible way of achieving a sufficient security level. Other countries leave it to companies and government institutions themselves to decide which specific organisational measures to introduce in order to comply with the regulation.

3. The need for a harmonisation of the data protection regulation in the European Union

In the view of data controllers and data processors, one of the most important impacts of the Data Protection Directive is the harmonisation of data protection legislation internally in the European Union. This harmonisation represents a significant reduction in administrative costs, as the free movement of data has been improved due to the fact that Member States now by definition ensure an adequate level of protection. However, further harmonisation is needed to facilitate compliance for companies operating across Member States. This applies especially to the notification requirements, which could be simplified. Preferably, notification undertaken in one country should be sufficient.

4. The need for a harmonisation of the regulation of transfer of data between Member States and third countries

As mentioned under evaluation question 3, this problem has not been solved. Data transfer from Member States to third countries requires notification or application in each individual Member State, even though the same data is transferred from different Member States to one or several third countries. Harmonisation in this area has not been fully achieved, which means higher compliance costs for companies.

The conclusion on evaluation question 5 is that the impacts achieved by the Directive for the most part correspond to the needs identified and the problems to be solved when looking at the five sectors and five countries in the evaluation. The most important achievement has been that all Member States have now introduced a minimum level of security, and that movement of data internally in the EU has been facilitated due to the fact that all Member States now by definition ensure an adequate level of protection.

However, the disparities in the implementation of the provisions on transfer of personal data to third countries and the notification requirements still need to be solved. Thus a harmonisation of the authorisation and notification requirements across Member States is still needed in order for multinational companies to fully benefit from the Directive.


7. Interviews with national supervisory authorities

As part of the study the national supervisory authorities in the examined countries were interviewed. The objective of the interviews was to identify whether or not the respective country has introduced requirements that go beyond what is stipulated in the Directive, also referred to as goldplating. Furthermore, the enforcement of the national legislation implementing the Directive was included in the interviews, focusing on four aspects: information from authorities, services, digital administration and monitoring. Both goldplating and enforcement of the rules may have an impact on the costs imposed on data controllers.

Hence the following section outlines the prior legislation and goldplating and the enforcement of the data protection act in the countries included in the study.

7.1 Prior legislation and goldplating

7.1.1 Denmark

In Denmark legislation in the area of data protection has existed since 1978. The previous legislation included the Public Authorities Registers Act and the Private Registers Act. The Directive was implemented into national law in 2000.

The main difference introduced with the implementation of the Directive is that all processing operations are now subject to the data protection law, whereas the previous legislation only covered registers of personal information. More kinds of processing operations also require an authorisation from the supervisory authority. Furthermore, the implementation of the Directive introduced the requirement on data controllers to inform data subjects of the collection of personal data.

The Danish act has to some degree introduced requirements which go beyond what is stipulated in the Directive. This concerns the requirement on application for processing of sensitive personal data in the private sector, and credit information agencies and warning registers, where the act also applies to data concerning enterprises. Special rules are also adopted regarding the selling of personal data for marketing purposes, automatic registration of telephone calls, credit information agencies and data security in the public sector. Furthermore, data controllers are to check direct marketing preferences before passing on personal information. The rationale for implementing the additional requirements was to maintain the level of protection from the previous act and to improve the legal position of the data subjects.

7.1.2 France

France has had legislation in the area of data protection since 1978, when the act Informatique et Libertés was adopted. This act was modified in August 2004 in order to implement the Directive.

The differences introduced with the implementation of the Directive include that fewer processing operations in the public sector require an authorisation from the supervisory authority. The supervisory authority can require data controllers to submit additional information when notifying and requesting authorisation.

According to the supervisory authority, the French act has not introduced any additional requirements to the text of the Directive. However, some requirements are the result of the margin of manoeuvre which is left by the Directive. This concerns article 20 of the Directive, which prescribes that Member States shall determine which processing operations are to be subject t