
Economic Evaluation of the Data Protection Directive 95/46/EC

Final Report May 2005

Rambøll Management
Nørregade 7A
DK-1165 København K
Denmark
Phone: 3397 8200
www.ramboll-management.dk

Table of contents

1. Executive summary
1.1 Objectives and methodology
1.2 Results of the analysis
1.3 Conclusion
2. Introduction
2.1 Content of the report
3. Methodology
3.1 Case studies
3.2 Cost structure
3.3 Selection of cases to study
3.4 Specific case selection criteria
3.4.1 Case matrix
4. Cross country analysis
4.1 Divergences in national implementation of the Data Protection Directive
5. Cross sector analysis
5.1 Relative costs of implementing the directive
6. Analysis of evaluation questions
6.1 Evaluation question 1: Does the national implementing legislation meet the requirements of the Directive in the most economic way?
6.1.1 Exemption from and simplification of notification
6.1.2 Annual notification
6.1.3 Appointment of data protection officer
6.1.4 Transfer to third countries
6.2 Evaluation question 2: If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?
6.2.1 Exemption from and simplification of notification
6.2.2 Notification requirement
6.2.3 Transfer to third countries
6.3 Evaluation question 3: From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?
6.4 Evaluation question 4: What is their general perception with regard to the national Data Protection Law?
6.5 Evaluation question 5: Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?
7. Interviews with national supervisory authorities
7.1 Prior legislation and goldplating
7.1.1 Denmark
7.1.2 France
7.1.3 Germany
7.1.4 Italy
7.1.5 The United Kingdom
7.1.6 Differences identified among the five countries
7.2 Enforcement of the national data protection act
7.2.1 Denmark
7.2.2 France
7.2.3 Germany
7.2.4 Italy
7.2.5 The United Kingdom
8. Case studies
8.1 Pharmacies
8.1.1 Sector profile
8.1.2 Data collected
8.1.3 Differences in national legislation
8.1.4 Handling of data
8.1.5 Value chain perspective
8.1.6 Quantitative impact
8.1.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy
8.1.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data
8.1.9 General perception of the national data protection legislation
8.1.10 Impacts/problems to be solved
8.2 Retail
8.2.1 Sector profile
8.2.2 Data collected
8.2.3 Differences in national legislation
8.2.4 Handling of data
8.2.5 Value chain perspective
8.2.6 Quantitative impact
8.2.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy
8.2.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data
8.2.9 General perception of the national data protection legislation
8.2.10 Impacts/problems to be solved
8.3 NGO
8.3.1 Sector profile
8.3.2 Data collected
8.3.3 Differences in national legislation
8.3.4 Handling of data
8.3.5 Value chain perspective
8.3.6 Quantitative impact
8.3.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy
8.3.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data
8.3.9 General perception of the national data protection legislation
8.3.10 Impacts/problems to be solved
8.4 IT service provider
8.4.1 Sector profile
8.4.2 Data collected
8.4.3 Differences in national legislation
8.4.4 Handling of data
8.4.5 Value chain perspective
8.4.6 Quantitative impact
8.4.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy
8.4.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data
8.4.9 General perception of the national data protection legislation
8.4.10 Impacts/problems to be solved
8.5 Customs authorities
8.5.1 Sector profile
8.5.2 Data collected
8.5.3 Differences in national legislation
8.5.4 Handling of data
8.5.5 Value chain perspective
8.5.6 Quantitative impact
8.5.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy
8.5.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data
8.5.9 General perception of the national data protection legislation
8.5.10 Impacts/problems to be solved
9. Conclusion
Annex I: List of respondents
9.1 National supervisory authorities
9.2 Pharmacies
9.3 Retail sector
9.4 NGOs
9.5 IT service provider
9.6 Customs authorities
Annex II: References
Annex III: Interview guides
Interview guide 1 - Authorities
Interview guide 2 - Data controllers (companies or organisations)


1. Executive summary

1.1 Objectives and methodology

This report is the Economic Evaluation of the Data Protection Directive 95/46/EC, which has been commissioned by the European Commission, Internal Market Directorate-General, and prepared by RAMBOLL Management. In 2003 the Commission published its First report on the implementation of the Data Protection Directive (95/46/EC), which evaluates the transposition of the Directive into national law and the objectives reached so far. The objective of the Economic Evaluation of the Data Protection Directive (95/46/EC) is to supplement the evaluation of the Data Protection Directive initiated by the Commission by measuring the economic impact of the Directive on data controllers. More specifically, the aim of the economic evaluation is to answer the following five evaluation questions:

Questions related to efficiency:
1. Does the national implementing legislation meet the requirements of the Directive in the most economic way?
2. If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?

Questions related to effectiveness/relevance:
3. From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?
4. What is their general perception with regard to the national Data Protection Law?
5. Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?

The economic evaluation of the Directive is based on case studies of the following five sectors: pharmacies, retail, NGOs, IT service providers and customs authorities. The cases selected represent different types of organisations. The analysis is conducted in five EU Member States: Denmark, France, Germany, Italy and the United Kingdom. The case studies detect the additional cost resulting from compliance with the Directive by identifying, analysing and evaluating the costs of compliance measures that entities must take in order to fulfil the Directive's objectives. Additionally, the case studies include evaluation of the following additional costs necessary to comply with the Directive:

- Costs linked to learning about the requirements of the Directive
- Costs in adjusting the internal organisation to comply with the Directive
- Running costs of compliance
- Quantity and costs of human resources involved in the compliance
- Costs of external advice and support

A value chain perspective has been applied in the case studies to minimise differences resulting from differences in set-up between the countries. Furthermore, interviews have been conducted with the national data protection authorities in the five countries.

Analyses across countries and sectors have been undertaken. These identify the different choices of implementation among the countries included in the study and the variations in costs among organisations from different sectors.

1.2 Results of the analysis

The table below summarises the total additional costs associated with compliance with the national legislation implementing the Directive for companies and government institutions in the five sectors.

Table 1: Total costs of complying with the Data Protection Directive in the five sectors

| Institution / company | One-off costs, internal | One-off costs, external | Running costs (yearly), internal |
| Pharmacy (France) | 0 | 0 | 0 |
| Pharmacy (Germany) | 216 Euro | 0 | 0 |
| Pharmacy (United Kingdom) | 204 Euro | 140 Euro | 609 Euro |
| NGO (France) | 113 Euro | 0 | 0 |
| NGO (Germany) | 2 674 Euro | 0 | 2 417 Euro |
| Customs authority (United Kingdom) | 506 Euro | 50 Euro | 6 312 Euro |
| Customs authority (Denmark) | 213 Euro | 135 Euro | 550 Euro |
| IT service provider (Denmark) | 6 131 Euro | 135 Euro | 8 666 Euro |
| Retail (Italy) | 1 057 Euro | 10 000 Euro | 1 739 Euro |
| Retail (France) | 0 | 0 | 0 |
| Retail (Germany) | 0 | 2 000 Euro | 0 |
| Total* | 11 000 Euro | 12 000 Euro | 20 000 Euro |
| Average cost* per institution / company, excl. IT service provider [1] | 500 Euro | 1 200 Euro | 1 200 Euro |

Running costs (yearly), external: the per-organisation figures are not legible in this copy of the report; the total is 5 000 Euro and the average 460 Euro per institution / company.

* Total and average costs are rounded off to two significant digits.

The table above shows that, in the sample of 10 companies, the average one-off costs for companies are approximately 1.000 Euro in internal costs (wages) and 1.100 Euro in external costs. The running costs are 1.200 Euro a year internally and 460 Euro a year externally. The figures indicate that for companies in the five sectors examined, the cost of compliance is limited, especially for small companies and institutions. The comments from the large companies indicate that the cost levels stated do not represent a significant economic burden [2].

[1] The figures from the IT service provider are excluded from the calculation of average costs, as these operate systems on behalf of clients and are thus technically included in the external costs of other government institutions and companies.

[2] A study shows that the total direct spend on privacy varies considerably across 44 large U.S.-based organisations. The spending ranges from less than $500k to over $22 million in annual budgeted dollars (IBM and Ponemon Institute, 2004). These figures comprise all costs related to data protection, whereas the present study includes the additional costs of a specific regulation in a specific geographical region (EU).

Another study shows that the cost of privacy increases as companies advance from early-stage activities to later-stage activities (IBM and Ponemon Institute, 2004). Hence that study suggests that as the corporate programme matures, more dedicated resources are allocated to formal privacy compliance activities. This tendency is not confirmed by the present study, which shows that the majority of respondents experience higher one-off costs than running costs.

No quantitative data has been collected on the total costs of complying with both previous and EU data protection regulation, but the majority of the respondents found that the national legislation implementing the Directive did not impose significant additional costs compared with the previous legislation in the area. Most of the organisations already had the necessary technological and organisational safeguard measures in place and thus did not experience high additional costs in these areas.

The cost figures only apply to companies which are covered by the national legislation. As the data processing operations in these five sectors are similar to those of the majority of the covered business sectors in Europe, it seems reasonable to conclude that the costs per company are limited for a significant part of the affected business sectors. It should be added that the study is not all-embracing, and that some specific sectors might experience higher burdens, e.g. the financial sector.

National differences in the implementation of the Directive may have an impact on the costs experienced by data controllers. Hence, in the case studies and interviews with the national supervisory authorities, national differences in the implementation of the Directive were identified in order to make a comparison with the costs experienced by the respondents. National differences were identified in the following areas:

- Initial notification
- Annual notification
- Notification fee
- Exemptions from notification
- Simplification of notification
- Appointment of data protection official
- Security requirements
- Prior checks of processing operations
- Authorisation of transfer to third countries

The low compliance costs and the limited sample of companies and institutions make it difficult to identify a significant correlation between costs of complying and differences in implementation. For instance, it is not clear from the estimated costs whether or not the measure of appointing a data protection officer as a replacement for notification imposes a total extra cost on data controllers or represents a saving. The only clear correlation is fees for initial or annual notification, which are a direct cost imposed on data controllers. As also mentioned in its first report on the implementation of the Directive (European Commission 2003a), national deviations may impede organisations based in more than one Member State from fully benefiting from the Directive. Hence the case studies show that multinational companies experience additional costs, especially related to different rules on authorisation of transfer to third countries and differences in notification requirements across EU Member States.

1.3 Conclusion

Based on the case studies of the five sectors and the interviews with the supervisory authorities, the conclusion below summarises the findings of the country and sector analysis and the answers to the five evaluation questions.

The case studies show that the costs of compliance with the national legislation implementing the Directive are relatively low for the sectors examined. Most companies, except the multinational companies (CSC and Benetton Italy) and large public institutions (customs authorities), experience modest costs. The figures indicate that for companies in the five sectors examined, the cost of compliance is limited, especially for small companies and institutions. The comments from the large companies indicate that the cost levels stated do not represent a significant economic burden. In addition, the costs on multinational companies and large public administrations are minor relative to the size and turnover of these organisations.

The interviews with the national supervisory authorities showed that some additional requirements have been introduced by the national legislation, mainly with the objective of maintaining the level of protection offered by the previous national legislation and with the objective of increasing the safeguards of the individual's right to privacy.

Due to the limited compliance costs, it is difficult to identify any significant correlation between costs of complying and differences in implementation. Hence the country and sector analysis identified only one deviation from the Directive which clearly has consequences for the costs imposed on data controllers, i.e. the fees on notification (three countries) and the annual notification (the United Kingdom). It is not clear if the organisational measure of appointing a data protection officer is increasing or decreasing costs on the data controllers. Furthermore, the country and sector analysis found that divergences in notification requirements might impose extra costs on multinational data controllers.

Based on the analysis, the five evaluation questions are answered below.

Evaluation question 1: Does the national implementing legislation meet the requirements of the Directive in the most economic way?

The analysis shows that the Directive has largely been implemented into national law in a cost-effective way. However, a number of areas have been identified in which simplifications or harmonisations are possible in order to increase the cost-effectiveness of the national implementations of the Directive. This regards for instance the notification obligation (article 18), including possible notification fees, and the provisions on transfer of personal data to third countries (articles 25-26). Both are implemented differently across Member States. The failure by some countries to make use of the exemptions and simplifications provided for in the Directive causes unnecessary additional costs for data controllers. Furthermore, the national divergences in notification requirements and authorisation of transfer to third countries impose unnecessary costs on companies operating in more than one Member State.

Evaluation question 2: If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?

A number of simplifications and harmonisations can be undertaken in order to make the implementation of the Directive more cost-effective:

- Harmonise notification requirements and case handling in the Member States.
- Facilitate the transfer of personal data to third countries for multinational companies operating in several Member States by harmonising the rules on transfer of data to third countries.
- Make use of the possibility to exempt processing operations from notification, including the possibility to appoint a data protection officer.
- Limit the notification requirement to new processing operations instead of requiring an annual renewal of all notifications. This would also remove possible costs related to annual renewal fees.

Evaluation question 3: From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?

The Directive has fulfilled its twofold objective of removing barriers to the free movement of personal data between Member States while at the same time ensuring a high level of protection of the individual's fundamental right to privacy (First Report on the Implementation of the Data Protection Directive (95/46/EC), 10). The case studies show that the Directive has been implemented with modest costs for firms in all the sectors included in the study, indicating that the objectives have been achieved at a reasonable cost. However, national differences in the implementation impose some unnecessary costs on data controllers, and multinational companies operating in several Member States experience additional costs due to the lack of harmonisation of the implementation of the Directive in the Member States.

Evaluation question 4: What is their general perception with regard to the national Data Protection Law?

The data controllers interviewed largely perceive the respective national Data Protection Laws to be reasonable and relevant, and the majority think that they would carry out similar safeguard measures in the absence of the Directive. Furthermore, the data controllers interviewed find the extra costs of complying with the national Data Protection Law to be negligible compared to the costs of complying with the previous legislation. This even applies to the Italian data controllers, even though Italy did not have any similar legislation in the area of data protection prior to the implementation of the Directive.

Data controllers operating across national borders call for further harmonisation in the EU of the rules regarding notification and transfer of data to third countries.

Evaluation question 5: Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?

The impacts achieved by the Directive for the most part correspond to the needs identified and the problems to be solved when looking at the five sectors and five countries in the evaluation. However, further harmonisation in some areas will enhance the positive impact of the Directive. The most important impact of the Directive is that movement of data internally in the EU has been improved due to the fact that all Member States now by definition ensure an adequate level of protection.

2. Introduction

Prior to the adoption of the Data Protection Directive on 24 October 1995, differences in national data protection laws and the fact that Italy and Greece did not have any legislation at all constituted legal obstacles to the free movement of personal data. Hence, the Data Protection Directive was adopted with the objective of ensuring the protection of the individual's fundamental right to privacy, while at the same time improving the free movement of personal data across Member States. In 2003 the Commission published its First report on the implementation of the Data Protection Directive (95/46/EC), which evaluates the transposition of the Directive into national law and the objectives reached so far. The objective of the current study is to supplement the evaluation of the Data Protection Directive initiated by the Commission by measuring the economic impact of the Directive on data controllers. More specifically, the aim of the evaluation is to answer the following five evaluation questions:

Questions related to efficiency:
1. Does the national implementing legislation meet the requirements of the Directive in the most economic way?
2. If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?

Questions related to effectiveness/relevance:
3. From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?
4. What is their general perception with regard to the national Data Protection Law?
5. Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?

2.1 Content of the report

The content of the report is the following:

- Section three outlines the methodology of the study
- Section four presents a cross country analysis of the collected data
- Section five presents a cross sector analysis of the collected data
- Section six provides answers to the five evaluation questions based on the five case studies
- Section seven presents the findings from the interviews with the national supervisory authorities
- Section eight presents the five case studies
- Section nine provides the conclusion on the evaluation
- Annex I lists the organisations which have participated in the evaluation
- Annex II is the references
- Annex III contains the two questionnaires used for the interviews with data authorities and data controllers respectively.

3. Methodology

3.1 Case studies

In accordance with the task specifications developed by DG Internal Market, the evaluation should be based on five case studies. According to the task specifications, the main objective of the case studies is to analyse the additional costs resulting from compliance with the Directive. The case studies should identify, analyse and evaluate the cost of compliance measures that entities must take in order to fulfil the Directive's objectives. Further, according to the task specifications, the case studies should include evaluation of the following additional costs necessary to comply with the Directive:

- Costs linked to learning about the requirements of the Directive
- Costs in adjusting the internal organisation to comply with the Directive
- Running cost of compliance
- Quantity and costs of human resources involved in the compliance
- Cost of external advice and support

The case study approach holds a number of advantages compared with a survey-based approach. In particular, case studies allow us to deal with differences in the context and set-up in the individual countries (e.g. differences in which entities are handling data in the different countries). As part of the case studies, a value chain perspective was applied in the interviews to minimise differences resulting from variations in business structure and organisation between the countries.

3.2 Cost structure

As mentioned above, a key activity of the evaluation is to identify, analyse and evaluate the costs of complying with the Data Protection Directive. Using the terminology of the so-called standard cost methodology, the total costs of compliance with legislation consist of financial costs, substantive compliance costs and administrative burdens (Ministry of Finance/Legislative Burden Department, 2003). All three cost elements can be divided into one-off costs (the initial investment needed to comply with the regulation) and running costs (the on-going operational cost). Each of the three elements is briefly described below.

Financial costs are the result of a concrete and direct obligation to transfer a sum of money to the Government or the competent authority. An example of a financial cost that is derived from the Data Protection Directive is the fee for notification charged by some of the national data protection authorities.

Substantive compliance costs are the costs that businesses have in order to comply with the content obligations that legislation and regulations require of a production process or a product. In the case of data protection regulation, an example of substantive compliance costs is the investment in technology protecting personal data.

Administrative burdens are the costs on businesses of complying with the information obligations resulting from legislation and regulations. An example of administrative burdens that are imposed by the Data Protection Directive is the requirement to notify national data protection authorities of processing operations (Ministry of Finance/Legislative Burden Department, 2003).

The costs measured in the present study are the total costs associated with compliance with the national legislation implementing the Directive. Hence the study comprises financial, substantive and administrative costs.

A mapping of the Data Protection Directive and national legislations implementing the Directive has identified the following activities as potentially imposing costs on data controllers (companies and organisations):

Table 2: Cost elements related to compliance with the Data Protection Directive

One-off costs:
- Gather knowledge about the requirements of the Directive
- Initial training of staff
- Initial notification of authorities of existing processing operations
- Payment of potential fee for notification
- Initial application for processing operations requiring specific permission (e.g. sensitive data)
- Investment in technology protecting personal data
- Adjustment of existing IT systems
- Creation of organisational measures, e.g. appointment of data protection officer

Running costs:
- Notification of authorities of processing operations
- Payment of potential fee for notification
- Application for processing operations requiring specific permission
- Authorisation and notification of transfer to third country
- Handling access requests by data subjects
- Handling rectification, erasure and blocking based on complaints from data subjects
- Provide information to data subjects
- Provide information to data subjects regarding data obtained from other sources
- Obtaining consent from data subjects to processing
- Obtain permission from data subjects to transfer data to third countries
- Checking mailing preference services before using direct marketing
- Manage a register of processing operations
- Maintenance and adjustment of data protection technology
- Dissemination of information to internal staff
- Training of staff

As illustrated above, we divide the costs of compliance with the national legislation implementing the Directive into internal costs (in the company) and external costs (outside the company). In the interviews with data controllers, internal costs have been estimated by respondents in man-hours and later converted into euro based on Eurostat labour cost statistics (see annex II on case studies for further details on the calculation method). External costs, which are the costs of contracting out, have been estimated in euro by the respondents.

3.3 Selection of cases to study

The selection methodology has taken into consideration the recommended case selection approach in the MEANS collection. This framework recommends considering the following different strategies for selection of cases:

Table 1: Questions addressed through case studies

| Basis of selection | Which questions can be answered? |
| Contrasting cases | What happens at the extremes? What explains these differences? |
| The best cases | What explains the effectiveness of a project? |
| The worst cases | Why does a project not function? |
| By sub-sets | How can the different types of project be compared? |
| Representative cases | Among the examples chosen to represent significant variations, what happens and why? |
| Typical cases | On a typical site, what happens and why? |
| Particular cases | In these specific circumstances, what happens and why? |

Source: Evaluating Socio Economic Development, SOURCEBOOK 2: Methods & Techniques, Case studies, www.evalsed.info.

The standard cost methodology applied in this study (Ministry of Finance/Legislative Burden Department, 2003) aims at identifying the costs for normally efficient companies and institutions. The cases selected in the study all operate in business sectors which are affected at an average or above-average level in terms of costs of compliance with the data protection legislation. Furthermore, the sample has a higher than average frequency of companies which distribute and manage personal data across national borders. These will face significantly higher compliance costs than others. The case selection strategy is thus representative with a bias towards particular (high costs of compliance) cases. Analysing private or public organisations which are unaware if and how they comply with the Directive will not provide input to the analysis of the costs resulting from compliance with the Directive, and such organisations are thus not relevant for the evaluation. The case selection strategy allows us to answer the question: In these specific circumstances, what happens and why? Sub-questions can be formulated as:

- What happens when implementing the Directive?
- What are the main factors and determinants which influence the costs?
- What are the critical factors which influence the costs?
- How has the legislation been transposed into the national legislation?

3.4 Specific case selection criteria

The overall case selection criteria have been identified as follows:

- The country dimension
- The business sector dimension
- The organisational type dimension (i.e. micro, small, medium and large)

The selection of countries was conducted in accordance with the task specification: Denmark, France, Germany, Italy and the UK. Among these countries significant variations exist as to the level of data protection before the implementation of the Directive, the time of transposition and the choices of implementation. Italy is the only one of the five countries that did not have any legislation in the area of data protection prior to the adoption of the Directive. In Germany, France and Denmark the first legislation in the area was adopted in 1978, whereas the United Kingdom adopted its first law in 1984 (source: interviews with national supervisory authorities).

The first of the five countries to implement the Directive into national law was the United Kingdom in 1998. Denmark implemented the Directive in 2000, Germany and Italy in 2003 and France in 2004 (European Commission, 2002b and interviews with national supervisory authorities). The five countries included in the study represents different choices of implementation of the Directive, for instance in time of transposition, prior level of data protection and implementation of the provisions on notification. This variation means that the designated countries are found to be representative. Thus, the study of the five countries allows us to see differences in costs due to late implementation, goldplating and existence of legislation in the area prior to the adoption of the Directive. In accordance with the task specifications, the sectors needed to be determined. In the Eurobarometer survey on Data Protection (Special Eurobarometer 196, 2003), the following organisations holding critical personal data were identified: Medical services and doctors Insurance companies Credit card companies Banks and financial institutions Employers The police Social security Tax authorities Local authorities National authorities Credit reference agencies Mail order companies Non-profit organisations Market and opinion research companies

All of the sectors above are potentially relevant for the evaluation. We selected five sectors with different types of organisation and data being processed. Furthermore, we selected sectors which were expected to be affected at an average or above average level in terms of costs of compliance with the data protection legislation. The five sectors selected were: the health sector, the retail sector, the NGO sector, IT services and customs authorities. The sectors and the selected companies and organisations are briefly presented below.

Health sector, small firms - pharmacies

In the health sector pharmacies were selected to represent small firms. Pharmacies collect personal information for various purposes. Like other businesses, pharmacies collect personal information for staff administration and for the keeping of records and accounts. However, the collection of health related information distinguishes pharmacies from other organisations and makes pharmacies interesting from a data protection perspective, as health related data are sensitive data. The selection of pharmacies took into consideration the impact of the data protection legislation on pharmacies in the five countries. Hence three pharmacies were selected, one each in the United Kingdom, Germany and France, as these countries represent three different choices of implementation causing different requirements on pharmacies.

Retail sector, multinational companies - Benetton and Adler

As in other sectors, retail businesses collect personal information for the administration of staff, for the keeping of accounts and records and for advertising and marketing purposes. A special feature of fashion retailers is the collection and storage of personal information on customers, which is collected from the use of membership cards and the sharing of personal information among different chains and countries. In the retail sector the multinational fashion retailers Benetton (Italy and France) and Adler (Germany) were selected. Being located in several Member States, these companies potentially face problems relating to differences in implementation of the Directive across Member States. Furthermore, Benetton and Adler represent different practices as to the use of membership cards.

NGO sector - Amnesty International

The term NGO can be applied to any non-profit organisation which is independent from government. NGOs are typically value-based organisations which depend, in whole or in part, on charitable donations and voluntary service. Although the NGO sector has become increasingly professionalised over the last two decades, principles of altruism and voluntarism remain key defining characteristics (http://docs.lib.duke.edu/igo/guides/ngo/define.htm). NGOs collect personal information from employees, members, donators, complainants, victims, correspondents and enquirers. The information is collected for different purposes and may be transferred to other countries depending on the organisational structure of the organisation. Characteristic for NGOs is the collection of personal information for the administration of membership records and fundraising and for conducting research in the field concerned (e.g. human rights). In the NGO sector Amnesty International was selected as the case. National divisions of Amnesty International are located in several Member States and the International Secretariat is located in the United Kingdom. Sensitive data is held for the campaigning activity of the NGO, and personal data on members and donators are processed.
IT services and outsourcing - CSC

Characteristic for the IT service and outsourcing sector is the processing of personal data on behalf of other companies. Thus IT service companies conducting outsourced functions for other companies are faced with issues of data protection, as they act on behalf of data controllers. The Data Protection Directive also affects the transfer of data between national branches of the IT service company in different Member States and the execution of outsourced services in third countries. CSC is designated as the case in the IT service and outsourcing sector. CSC processes employee data and provides services for many sectors handling sensitive data. Additionally, CSC is a multinational company, which may face issues of data protection similar to the issues found in the retail sector.

Public administration - Customs authorities

In the public administration customs authorities have been selected as the case. Customs authorities collect personal information in relation to the assessment, payment and collection of customs duties. Additionally, they collect information related to staff administration and other common purposes. Customs authorities in Denmark and the United Kingdom have been selected as cases. The size of the administrations of these authorities varies significantly, and they represent different choices in the organisation of data protection in the administration.


Data protection authorities

In addition, interviews with representatives from the supervisory authorities in all five designated countries have been carried out.

3.4.1 Case matrix

The matrix below shows which interviews were conducted.

Table 2: Case matrix

| Sector / Organisation | Denmark | The United Kingdom | Germany | Italy | France |
|---|---|---|---|---|---|
| Health, small firms: pharmacies | | X | X | | X |
| Fashion retail, multinational company: Benetton and Adler | | | X | X | X |
| NGO: Amnesty International | | | X | | X |
| IT services and outsourcing: CSC | X | | | (*) | |
| Public administration: customs authorities | X | X | | (*) | |

* CSC and the customs authorities in Italy were invited to participate in the study, but did not respond within the time frame of the study.


4. Cross country analysis

The Commission's first report on the transposition of the Data Protection Directive, from 2003, concludes that, in spite of the late implementation of the Directive by Member States, the twofold objective of the Directive has broadly been achieved. The main barriers to the free movement of personal data between Member States have been removed, as all Member States have now adopted data protection legislation. Furthermore, adoption of the Directive has ensured an equal level of protection of the individual's right to privacy. However, the report also concludes that differences in the national implementation of the Directive prevent the European economy from getting the full benefit of the Directive. For instance, the development of pan-European policies on data protection by multinational organisations is impeded by national disparities (European Commission, 2003a).

This cross country analysis covers the following Member States: Denmark, France, Germany, Italy and the United Kingdom. The analysis identifies the disparities that were prevalent in the interviews with data controllers and supervisory authorities. The identification is not exhaustive, but is a further analysis of some of the national differences described in the technical analysis accompanying the Commission's first report. Additionally, it is analysed whether or not the national disparities have an economic impact on data controllers. This identification is based on a comparison between the costs estimated in the case studies and the disparities in national implementation of the Directive.

4.1 Divergences in national implementation of the Data Protection Directive

Member States are committed to transpose the minimum requirements prescribed by the Directive into national legislation. However, Member States have the possibility to introduce additional requirements as long as these are in compliance with the Directive's procedures. The considerable margin of choice for transposition of the Directive into national law causes national deviations. Additionally, divergences may arise from different practices in the interpretation of the laws by supervisory authorities and from wrongful transposition (European Commission, 2003b). The table below compares the divergences in national law which were prevalent in the interviews with data controllers and supervisory authorities. The table also shows the corresponding provision of the Data Protection Directive.


Table 3: Differences in implementation of the Data Protection Directive

| Provision | Denmark | France | Germany | Italy | The United Kingdom | Data Protection Directive |
|---|---|---|---|---|---|---|
| Initial notification | X (135 euro) | -- | Only processing of personal data permanently to third parties | Only some specified processing (150 euro) | X (50 euro) | X |
| Annual notification | -- | -- | -- | -- | X (50 euro) | -- |
| Exemptions from notification | Medium | Some | High | High | Some | X |
| Simplification of notification | -- | X | -- | -- | -- | X |
| Appoint data protection official | -- | Voluntary, replaces notification | Obligatory, replaces notification | -- | -- | Voluntary, replaces notification |
| Detailed security regulations for the public sector | X | -- | -- | -- | -- | -- |
| Prior checking of specific processing operations | X | X | Prior checking is the responsibility of the data protection official | X | A possibility, but no processing operations are made subject to prior checks | X |
| Authorisation of transfer to third countries | X | X | X | X | X | X |

Source: Interviews with national supervisory authorities and European Commission, 2002a

X = the provision concerned is implemented in the national legislation. Some, medium and high indicate to what extent the provision is made use of. -- = the provision is not implemented in the national legislation.

Below, each of the activities and divergences is explained.

Initial notification

The extent to which processing of personal data needs to be notified to the supervisory authority varies from country to country. This also applies to the initial notification of existing processing operations when the Directive was implemented into national law. Notification of existing processing operations at the time the Directive was implemented was required by Denmark, Germany, Italy and the United Kingdom. Organisations in France have not been required to notify their existing processing operations. For companies and organisations in Denmark, Italy and the United Kingdom the initial notification was, and is, associated with a fee of 135, 150 and 50 euro respectively.


Annual notification

The notification requirement differs from country to country. Some countries require an annual renewal of the notification, whereas others only require that new processing operations and changes to existing operations are notified to the supervisory authority. Of the five countries examined, the United Kingdom is the only one which requires an annual renewal of the notification. The remaining countries only require that new processing operations and changes to existing operations are notified to the supervisory authority. The renewal of the notification in the United Kingdom is associated with an annual fee of 50 euro.

Exemption from notification

The study shows differences in the transposition of article 18 (2) of the Directive on the obligation to notify the supervisory authority. The provision lays down that Member States may provide for exemption from notification. The margin of manoeuvre left by this provision implies that the five countries included in the study have all, to varying extents, exempted some kinds of processing of personal data from the notification requirement. Denmark, the United Kingdom, France, Germany and Italy all make more or less extensive use of the possibility to grant exemptions (European Commission, 2003b). This is confirmed by the interviews, which also show that Italian and Danish legislation exempts data controllers from notification to a wider extent than UK and French legislation. In France, however, the majority of the notifications have been simplified.

Simplification of notification

Article 18 (2) of the Directive also provides for the simplification of the notification requirement. Some of the countries included in the study make use of this possibility.

Appointment of data protection official

According to article 18 (2) of the Directive, Member States may provide that notification is replaced by the appointment of a data protection official. This person can be either an employee or an outside expert. This possibility is also used to varying extents in the examined countries. In Germany notification is replaced by the appointment of a data protection officer, which is obligatory when 5 or more persons are employed in the processing of personal data. In France, data controllers are also exempt from notification if a data protection officer is appointed. However, it is voluntary to do so (http://www.cnil.fr/index.php?id=1577&print=1).

Security of processing - detailed security regulations

Article 17 (1) of the Directive lays down that Member States shall provide that data controllers implement appropriate technical and organisational measures to protect personal data. Based on this article, Denmark has implemented detailed security regulations for processing in the public sector. None of the other countries in the study have implemented corresponding requirements.

Prior checks

Article 20 of the Directive prescribes that Member States shall determine which processing operations are likely to present specific risks to the rights and freedoms of the data subject, and that these processing operations shall be subject to a prior check before being started. Among the countries examined, there are differences regarding which processing operations are subject to such a prior check. The United Kingdom is the only one of the examined countries which does not require some processing operations to be subject to prior checking and authorisation by the authorities, even though the UK Data Protection Act does provide for the possibility (section 22 of the Act). In the remaining countries it varies which processing operations need authorisation.


Authorisation

Article 26 (2) of the Directive provides that Member States may authorise a transfer of personal data to a third country which does not ensure an adequate level of protection, if the data controller adduces adequate safeguards. Such safeguards may in particular result from contractual clauses. The application of this provision differs from country to country. All of the countries examined in this study have implemented provisions on authorisation of transfer to third countries based on articles 25 and 26 of the Directive. However, the requirement for authorisation varies from country to country. This is confirmed by the Commission's First Report on the Implementation of the Directive (95/46/EC), which concludes that some Member States adopt a lax attitude toward authorisation, whereas other Member States submit all transfers to authorisation (European Commission, 2003a:18).

The low compliance costs and the limited sample of companies and institutions make it difficult to identify a significant correlation between the costs of complying and differences in implementation. For instance, it is not clear from the estimated costs whether or not the measure of appointing a data protection officer as a replacement for notification imposes a total extra cost on data controllers or represents a saving. The only clear correlation is fees for initial or annual notification, which are a direct cost imposed on data controllers.

As mentioned in its first report on the implementation of the Directive (European Commission 2003a), national deviations may impede organisations based in several Member States from fully benefiting from the Directive. Hence the case studies show that multinational companies experience additional costs, especially related to different rules on authorisation of transfer to third countries and differences in notification requirements across EU Member States. The issues related to differences in notification requirements are also recognised in the First Report on the Implementation of the Directive (European Commission 2003a), which called upon the Article 29 Working Party to contribute to a more uniform implementation of the Directive. Hence the Task Force Simplification of Notification Requirements was set up by the Article 29 Working Party with the purpose of identifying best practices as regards the duty of notification and exploring a possible system of simplification for organisations with more than one establishment in the EU (Article 29 Working Party, 2005).

It should also be noted that divergences in implementation which do not impose extra costs on data controllers operating on a solely national basis might impose extra costs on multinational data controllers. As recognised by the analysis and impact study on the implementation of Directive 95/46/EC in the Member States, multinational organisations have to comply with different national laws and thus do not fully benefit from national exemptions and simplifications (European Commission, 2003b:28). This applies especially to variations in notification requirements and requirements for transfers to third countries.

As regards the issue of late implementation, the case studies have not identified a clear quantitative relation between costs and the time of implementation of the Directive by Member States. However, companies operating across countries have highlighted the significant costs of non-harmonised regulation. The late implementation impedes the free movement of data and decreases the benefits of the Directive for the European economy.


5. Cross sector analysis

As part of the study, data controllers from pharmacies, NGOs, customs authorities, IT service providers and the fashion retail sector have been interviewed. The table below shows which kinds of personal information the various sectors collect and process.

Table 4: Data processed in the five sectors

| Personal information collected on: | Pharmacies | NGOs | Customs authorities | IT service providers | Retail |
|---|---|---|---|---|---|
| Employees | X | X | X | X | X |
| Clients/customers | X | | | X | X |
| Suppliers | X | | | X | X |
| Members/donators | | X | | | X |
| Victims | | X | | | |
| Suspect/defendants | | | X | | |
| Importers and exporters | | | X | | |
| Domestic traders | | | X | | |
| Third parties | | X | | | |

Each sector faces different issues in relation to data protection depending on the kind of information it processes and the purpose of the processing. However, all sectors included in the study process personal data on their employees.

The handling of data also varies among data controllers. The majority of the data controllers handle the activities themselves, whereas only one, the French pharmacy, has outsourced the handling and notification of the processing. Depending on the sector, various IT systems are subject to the data protection law. The two pharmacies which have not outsourced the processing both have one IT system, where all kinds of personal information are stored. One of the NGOs uses two IT systems: one for staff administration and one for the administration of members, donators and customers, whereas the other NGO uses one integrated system. All three retailers handle the personal information in one IT system. Both the customs authorities and the IT service provider have several IT systems which are subject to the data protection law. The IT service provider differs from the other respondents in that it is both a data controller (employee data) and a processor on behalf of other data controllers.

The table below summarises the total one-off costs and running costs estimated by respondents in the five sectors. Both one-off and running costs are divided into internal and external costs.


Table 3: Total costs of complying with the Data Protection Directive in the five sectors

| | Total one-off costs: Internal | Total one-off costs: External | Total running costs (yearly): Internal | Total running costs (yearly): External |
|---|---|---|---|---|
| Pharmacy (France) | 0 | 0 | 0 | 0 |
| Pharmacy (Germany) | 216 Euro | 0 | 0 | 0 |
| Pharmacy (United Kingdom) | 204 Euro | 140 Euro | 609 Euro | 260 Euro |
| NGO (France) | 113 Euro | 0 | 0 | 0 |
| NGO (Germany) | 2 674 Euro | 0 | 2 417 Euro | 0 |
| Customs authority (United Kingdom) | 506 Euro | 50 Euro | 6 312 Euro | 4 350 Euro |
| Customs authority (Denmark) | 213 Euro | 135 Euro | 550 Euro | 0 |
| IT service provider (Denmark) | 6 131 Euro | 135 Euro | 8 666 Euro | 0 |
| Retail (Italy) | 1 057 Euro | 10 000 Euro | 1 739 Euro | 0 |
| Retail (France) | 0 | 0 | 0 | 0 |
| Retail (Germany) | 0 | 2 000 Euro | 0 | 0 |
| Total* | 11 000 Euro | 12 000 Euro | 20 000 Euro | 5 000 Euro |
| Average cost* per institution / company, excl. IT service provider [3] | 500 Euro | 1 200 Euro | 1 200 Euro | 460 Euro |

* Total and average costs are rounded off to two significant digits.

[3] The figures from the IT service provider are excluded from the calculation of average costs, as it operates systems on behalf of clients and its costs are thus technically included in the external costs of other government institutions and companies.

The table above shows that, in the sample of 10 companies, the average one-off costs are approximately 1.000 Euro in internal costs (wages) and 1.100 Euro in external costs. The running costs are 1.200 Euro a year internally and 460 Euro a year externally. The figures indicate that for companies in the five sectors examined, the cost of compliance is limited, especially for small companies and institutions. The comments from the large companies indicate that the cost levels stated do not represent a significant economic burden. When related to the size of the company, the costs experienced by the larger companies and organisations in the study are relatively low. Hence, when the costs of complying with the national legislation implementing the Directive are related to the number of employees, the relatively highest costs are experienced by the UK pharmacy and the German NGO, whereas the relatively lowest costs are experienced by the large organisations and multinational companies. Thus some economies of scale exist.

The costs estimated by the UK pharmacy differ from the costs estimated by the German and French pharmacies. However, this difference is partly explained by the above mentioned national differences in implementation of the Directive, i.e. the requirement for annual notification in the United Kingdom. Pharmacies are among the most trusted organisations holding personal information; 84% of EU citizens trust medical services and doctors to make correct use of their personal data (Special Eurobarometer no 196, 2003). The level of trust may have an impact on the number of access requests and complaints received from data subjects, and thus on the costs imposed on pharmacies.


The case study of the NGO in France shows close to no costs, whereas the German branch of Amnesty has experienced increased costs but also a higher security level. This difference may be caused by the fact that France only recently transposed the Directive into national law. Hence the French NGO may not be fully aware of the requirements of the Directive and may thus not yet have experienced the full running costs related to the Directive.

The difference in costs for customs authorities is explained by the fact that the UK customs authority is significantly larger and differently organised than the Danish customs authority. Furthermore, as there is only one customs authority per Member State, the one-off and running costs are very small even at EU level.

The IT service provider experiences some costs that the remaining data controllers do not, due to the fact that it is a multinational organisation with more cross border data exchange and that it is managing data on behalf of clients. The majority of the costs are related to the employment of a data protection manager at European level to coordinate data protection activities. Additionally, the requirements on data transfer to third countries affect the transfer of, for instance, employee data from one branch of the company to the headquarters, and about 1/5 of the running costs are imposed by activities related to international transfer.

Benetton, a large multinational company, experienced relatively modest costs. The main cost was an external consultant who worked on the topic in 1997, when the first law in the field was adopted in Italy. The consultant mapped all data processing activities in the organisation. The cost was 20 million Italian lire (about 10.000 euro). The yearly running costs in headquarters are estimated at less than 2.000 Euro. Likewise, the compliance costs for Adler in the retail sector have also been limited. As regards Benetton France, no additional costs have been experienced.

Data processing in these five sectors is similar to that in the majority of business sectors in Europe. Hence it seems reasonable to conclude that the costs are limited for a significant part of European business sectors. It should be added that the study is not all-embracing, and that some specific sectors might experience higher burdens, e.g. the financial sector.

5.1 Relative costs of implementing the directive

The majority of the respondents found that the national legislation implementing the Directive did not impose significant additional costs compared with the previous legislation in the area. Most of the organisations already had the necessary technological and organisational safeguard measures in place and thus did not experience costs in these areas. This applies for instance to the UK customs authority, which estimates that the total cost of data protection is 2 staff years spent by senior managers and middle managers and 3 staff years spent by Business Information Managers and their staff. According to the respondents from the customs authority, these figures have remained largely unchanged since before the introduction of the current Act, as the implementation of the Directive has had a negligible impact on the way in which the authority manages data (interview with the customs authority in the United Kingdom).

Italy is the only one of the five countries included in the study that did not have any legislation in the area of data protection prior to the implementation of the Directive. Thus the costs experienced by the Italian data controller indicate the total cost of data protection. The Italian data controller, Benetton, estimates that the total one-off costs were 11 057 euro and the total running costs are 1739 euro.


6. Analysis of evaluation questions

6.1 Evaluation question 1: Does the national implementing legislation meet the requirements of the Directive in the most economic way?

Member States are committed to transpose the minimum requirements prescribed by the Directive into national legislation. However, Member States have the possibility to introduce additional requirements as long as these are in compliance with the Directive's procedures. As shown previously in the cross country analysis, the margin of choice for transposition of the Directive into national law causes national deviations, which in some cases impose additional costs on data controllers.

In order to assess whether or not the national implementing legislation meets the requirements of the Directive in the most economic way, it is necessary to establish the most economic way to meet the requirements. This is done by imposing the lowest possible costs on data controllers, while at the same time increasing the benefits to society and individuals resulting from data protection. Data protection, although imposing costs on data controllers, also potentially creates benefits for data controllers in the form of increased customer trust and promotion of good practices in data management (Masons, 1998:9f) [4]. In other words: data protection legislation shall strike the balance between providing a sufficient level of security for employees, customers, consumers etc. on the one hand and not introducing unnecessary requirements on the other. Generally this will mean not going beyond what is required in the Directive, while at the same time exploiting the margin of choice which the Directive leaves to make exemptions and derogations from the general requirements.

In the cross country analysis a number of areas have been identified in which national deviations in the implementation of the Directive impose additional costs on data controllers. These deviations are mainly related to the provisions on notification and transfer to third countries. The national deviations that were found in the case studies to be imposing unnecessary costs are outlined below.

6.1.1 Exemption from and simplification of notification

The cross country analysis shows that the United Kingdom has made use of the possibility of making exemptions from and simplifications of notification to a lesser extent than Italy, Germany, Denmark and France. In the United Kingdom only four kinds of processing operations are exempted from notification. In Germany the notification requirement is replaced by the requirement of appointing a data protection officer. The Danish act exempts several processing operations, and in France 70% of all processing operations are simplified. The Italian act exempts processing operations to a great extent, as it introduces a positive list of six kinds of processing operations for which notification is required. Another aspect of the national divergences in notification requirements is the fact that multinational companies established in several Member States have to make different kinds of notification of the same IT system, as they have to comply with different requirements and thus do not benefit from exemptions and simplifications (European Commission, 2003b:28).

6.1.2 Annual notification

The Directive does not require an annual notification of processing operations. However, as the only one of the examined countries, the United Kingdom requires that data controllers renew their notification annually. The annual renewal is associated with a fee. This requirement imposes running costs on data controllers which are not found in the other countries.

[4] The Masons study focuses on cost effective means whereby data controllers can achieve compliance with the requirements of the Directive. From the perspective of that study, solutions are found to be cost effective if they advocate a common sense approach to data protection as an integrated part of good information management policy, i.e. if they carry significant direct benefits in terms of more efficient business administration, as well as indirect benefits such as better customer relations (Masons, 1998:15).


6.1.3 Appointment of data protection officer

Both Germany and France make use of the possibility to replace notification with the appointment of a data protection officer. In France the appointment is voluntary, whereas in Germany it is required to appoint a data protection officer when 5 or more employees are occupied with the processing of data. The cross country analysis shows no clear connection between the requirement of a data protection officer and the costs imposed on data controllers. The appointment of a data protection officer may in fact result in greater awareness of data protection, as outlined in the report from the Task Force Simplification of Notification Requirements. The level of awareness of data protection is seen in the Commission consultation on the implementation of the Directive, where nearly 50% of all answers received originated from Germany (Article 29 Working Party, 2005). However, it is important that the regulation leaves room for government institutions and companies to achieve this goal in a way that is best suited to their existing business operations and systems.

6.1.4 Transfer to third countries

All the countries examined in this study have implemented provisions on authorisation of transfer to third countries based on articles 25 and 26 of the Directive. However, the requirement for authorisation varies from country to country. This is confirmed by the Commission's First Report on the Implementation of the Directive (95/46/EC), which concludes that some Member States adopt a lax attitude toward authorisation, whereas other Member States submit all transfers to authorisation (First Report on the Implementation of the Directive (95/46/EC), 18). The divergences in authorisation requirements across Member States impose additional costs on multinational companies which are established in several Member States. The case study of the Danish IT service provider illustrates the impediments caused by the divergences in authorisation requirements. Differences as to which transfers are authorised and the lack of coherence between the national requirements impose costs on CSC, as it has to spend additional time on setting up transfer agreements that all branches of the company as well as the national supervisory authorities concerned can accept.

To summarise on evaluation question 1, the costs imposed on data controllers are modest in the sectors examined, and the Directive has largely been implemented into national law in a cost effective way. However, some unnecessary costs have been identified. Thus a simplification and harmonisation of the national implementations of the Directive will increase the cost-effectiveness of the legislation.

6.2 Evaluation question 2: If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?
In evaluation question 1, a number of simplifications and harmonisations were identified which can be undertaken in order to make the national implementations of the Directive more cost-effective. As indicated above, the most cost-effective way to meet the requirements of the Directive is a choice of implementation which does not go beyond the requirements of the Directive and which makes use of the possibilities provided in the Directive for exemptions and simplifications. Alternative means of meeting the requirements of the Directive are outlined below.

6.2.1 Exemption from and simplification of notification
A more cost-effective way of meeting the requirements of the Directive is to make use of the possibility to exempt processing operations from notification or to simplify the notification process. The Directive provides two ways in which such exemptions can be made (article 18 (2) of the Directive):
1. When processing operations are unlikely to affect the rights and freedoms of the data subject.
2. When data controllers appoint a personal data protection officer.
The delicate balance in this respect is for Member States to require notification only of those processing operations which may present a risk to the individual's fundamental right to privacy. Furthermore, the benefits of notification should be taken into consideration, i.e. increasing transparency for data subjects, raising awareness of data controllers and enabling supervisory authorities to keep abreast of the data processing in the concerned country (Article 29 Working Party, 2005). As indicated in the answer to evaluation question 1 above, the fact that some countries require appointment of a data protection officer does not unambiguously imply additional costs for data controllers. In fact, the appointment of a data protection officer may increase awareness of data protection. Hence either way of reducing the costs related to notification can be applied to increase the cost-effectiveness of the national implementation. However, multinational companies which are data controllers in several Member States have to comply with a variety of notification requirements. This imposes unnecessary costs upon them, which calls for a harmonisation of the exemptions and simplifications found in the different Member States. Furthermore, simplified notification systems for multinational companies are needed. The need for harmonisation and simplification is also recognised by the Commission's First Report on the Implementation of the Data Protection Directive (95/46/EC) and the report from the Article 29 Working Party Task Force Simplification of Notification Requirements.
6.2.2 Notification requirement
To improve the cost-effectiveness of the national implementations of the Directive, the Member States can reduce the costs related to the frequency of the notification requirement. A comparison of the costs related to the English annual notification requirement with the costs imposed in the remaining countries shows that there are alternative means of implementing the provision on notification which reduce the costs. Hence, by limiting the notification requirement to new processing operations instead of requiring an annual renewal of all notifications, the running costs related to notification are reduced.

6.2.3 Transfer to third countries
As the case study of the Danish IT service provider shows, some costs are related to the fact that Member States have implemented the provision on authorisation of transfer to third countries differently. A harmonisation of those differences would facilitate the transfer of personal data to third countries for multinational companies operating in several Member States. As indicated in the Commission's First Report on the Implementation of the Data Protection Directive (95/46/EC), there are further ways of facilitating the transfer of personal data to third countries (First Report on the Implementation of the Data Protection Directive (95/46/EC), 25):
Multinational companies should be allowed to make use of binding corporate rules5. Binding corporate rules can provide the adequate safeguards for data exchange across branches of the company. This would facilitate the transfer internally in a multinational company by reducing the administrative costs related to applying for the authorisation of each concerned national supervisory authority.

5 Binding corporate rules: Internal rules that bind a given multinational corporate group doing business in several different jurisdictions, both inside and outside the EU. Binding corporate rules can provide adequate safeguards for intragroup transfers of personal data (European Commission, 2003a).

The choice of standard contractual clauses6 should be widened in order to facilitate the setting up of contracts between branches of the company or between the company and the client. This would make it easier for data controllers to ensure that adequate safeguards are provided for, for instance by a data processor abroad.

6 Standard contractual clauses: Standard contractual clauses offer sufficient safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights. By incorporating the standard contractual clauses into a contract, personal data can flow from a Data Controller established in any of a specified group of countries (http://europa.eu.int/comm/justice_home/fsj/privacy/modelcontracts/index_en.htm).

6.3 Evaluation question 3: From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?
The objective of the Directive is stated in articles 1.1 and 1.2:
Article 1.1: "...Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data."
Article 1.2: "Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1."
Thus the Directive has the two-fold objective of protecting people's privacy and establishing an internal market with free flow of information between Member States. The First Report on the Implementation of the Data Protection Directive (95/46/EC) concluded that the Directive has achieved both the objective of securing the free movement of information and a high level of protection of data (European Commission, 2003a). This study confirms the conclusion that the two objectives above have largely been fulfilled. Regarding the objective of protecting fundamental rights, the respondents from Denmark, France, Germany and the United Kingdom all agree that the protection level for individuals is the same as before the Directive was introduced, as all these countries had similar regulation in place. The respondents considered the level of protection in these countries prior to the introduction of the Directive to be high, and the high level of protection has been maintained after the implementation of the Directive. In some specific areas, the regulation implementing the Directive has actually improved the security, e.g.:
- The legal security concerning the transfer of data has been improved, as all Member States now per definition ensure an adequate level of protection.
- Denmark: The implementation of the Directive includes all processing of data, whereas the previous legislation only covered data registers. This means an extension of the scope of the data protection law.
- The United Kingdom: The extension of the Data Protection Act to transfer of data outside the EEA.

In Italy there was no regulation prior to the introduction of the Directive, which means that the protection level has increased considerably there. This is also confirmed by the Italian supervisory authority (interview with supervisory authorities). The interviews with the national supervisory authorities in Denmark, Germany and the United Kingdom support the view that no significant changes regarding the protection of the individual's fundamental right to privacy have been introduced with the implementation of the Directive. However, from the perspective of the French authority, the implementation of the Directive has slightly improved the protection of the individual's right to privacy due to the fact that the competences of the authority, the CNIL, have increased (interview with supervisory authorities).

Regarding free movement of data, the respondent from CSC, which operates globally, thinks that the previous obstacles related to transfer of data between Member States have been removed. The remaining multinational companies, Benetton in Italy and France and Adler in Germany, have not identified major changes regarding transfer of data internally in the EU. The supervisory authorities in Italy, Germany and Denmark do not perceive that the movement of personal data in the EU was a major problem before implementation of the Directive. The English authority, however, finds that the free movement has to some degree been improved. The French authority also finds that the free movement of data has been improved with the implementation of the Directive, due to the fact that the previous national legislation in the area required contract covenants in order for data controllers to transfer data inside the EU (interview with supervisory authorities). The obstacles to the free movement of data prior to the implementation of the Directive were primarily caused by the fact that Italy and Greece did not have any legislation in the area of data protection. For data controllers in these countries, transfer of data was not subject to any regulation and thus did not cause any problems. Hence the obstacles to the free movement of data were mostly experienced by data controllers in countries having regulation in the area of data protection.

With the objectives of the Directive largely fulfilled, the next question is whether the objectives of the Directive have been fulfilled at a reasonable cost. For the five sectors involved in the evaluation, customs authorities, IT services, NGOs, pharmacies and the retail sector, the answer is positive; the Directive has been implemented with relatively limited costs for business.
Even Benetton, which is a large multinational company, experienced very limited costs. The main cost was an external consultant who worked on the topic in 1997, when the first law in the field was adopted in Italy. The consultant mapped all data processing activities in the organisation. The cost was 20 million Italian lire (about 10.000 euro). The yearly running costs in headquarters are estimated at less than 2.000 euro. As these five sectors process data similarly to the majority of business sectors in Europe, it seems reasonable to conclude that the costs are limited for a large part of European business sectors. It should be added that the study is not all-embracing, and that some specific sectors might experience higher burdens, e.g. the financial sector.

6.4 Evaluation question 4: What is their general perception with regard to the national Data Protection Law?
The data controllers interviewed in the five sectors largely perceive the respective national Data Protection Laws to be reasonable and relevant, and the majority claim that they would carry out similar safeguard measures in the absence of the Directive. Furthermore, most of the data controllers interviewed find the extra costs of complying with the national Data Protection Law to be relatively modest compared to the costs of complying with the previous legislation. Generally, the respondents think that the regulation represents common sense and that some kind of regulation in the area is necessary in order for data subjects to have trust in business and thus accept to provide information when necessary. This perception is in line with the views found in the 2002 on-line consultation, in which 69% of the data controllers considered data protection requirements necessary (European Commission, 2002c).


6.5 Evaluation question 5: Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?
The needs identified among data controllers in the interviews include the following:
1. The need for a regulation securing a high level of data protection for individuals
2. The need for a flexible regulation
3. The need for a harmonisation of the regulation of transfer of data internally between Member States
4. The need for a harmonisation of the regulation of transfer of data externally between Member States and third countries

Each of these four points is commented on below:

1. The need for a regulation securing a high level of data protection for individuals
Several respondents mention that a high level of security contributes to increased trust among data subjects concerning the handling of sensitive data. In many sectors, e.g. customs authorities and pharmacies, this trust is a prerequisite in order to operate. As mentioned previously, respondents in Denmark, France, Germany and the UK think that the previous regulation provided sufficient security and that the situation after the implementation of the Directive is the same.

2. The need for a flexible regulation
While a high level of security is important to business as well as government institutions, it is equally important that the regulation leaves room for business to achieve this goal in a way that is best suited to their existing business operations and systems. Thus, the demand in some Member States to appoint an employee as data protection officer is a non-flexible way of achieving a sufficient security level. Other countries leave it to companies and government institutions themselves to decide which specific organisational measures to introduce in order to comply with the regulation.

3. The need for a harmonisation of the data protection regulation in the European Union
In the view of data controllers and data processors, one of the most important impacts of the Data Protection Directive is the harmonisation of data protection legislation internally in the European Union. This harmonisation represents a significant reduction in administrative costs, as the free movement of data has been improved due to the fact that Member States now per definition ensure an adequate level of protection. However, further harmonisation is needed to facilitate compliance for companies operating across Member States. This applies especially to the notification requirements, which could be simplified. Preferably, notification undertaken in one country should be sufficient.

4. The need for a harmonisation of the regulation of transfer of data between Member States and third countries
As mentioned under evaluation question 3, this problem has not been solved. Data transfer from Member States to third countries requires notification or application in each individual Member State, even though the same data is transferred from different Member States to one or several third countries. Harmonisation in this area has not been fully achieved, which means higher compliance costs for companies.

The conclusion on evaluation question 5 is that the impacts achieved by the Directive for the most part correspond to the needs identified and the problems to be solved when looking at the five sectors and five countries in the evaluation. The most important achievement has been that all Member States have now introduced a minimum level of security, and that movement of data internally in the EU has been facilitated due to the fact that all Member States now per definition ensure an adequate level of protection. However, the disparities in the implementation of the provisions on transfer of personal data to third countries and the notification requirements still need to be solved. Thus a harmonisation of the authorisation and notification requirements across Member States is still needed in order for multinational companies to fully benefit from the Directive.


7. Interviews with national supervisory authorities

As part of the study, the national supervisory authorities in the examined countries were interviewed. The objective of the interviews was to identify whether or not the respective country has introduced requirements that go beyond what is stipulated in the Directive, also referred to as goldplating. Furthermore, the enforcement of the national legislation implementing the Directive was included in the interviews, focusing on four aspects: information from authorities, services, digital administration and monitoring. Both goldplating and enforcement of the rules may have an impact on the costs imposed on data controllers. Hence the following section outlines the prior legislation and goldplating and the enforcement of the data protection act in the countries included in the study.

7.1 Prior legislation and goldplating

7.1.1 Denmark
In Denmark, legislation in the area of data protection has existed since 1978. The previous legislation included the Public Authorities' Registers Act and the Private Registers Act. The Directive was implemented into national law in 2000. The main difference introduced with the implementation of the Directive is that all processing operations are now subject to the data protection law, whereas the previous legislation only covered registers of personal information. More kinds of processing operations now also require an authorisation from the supervisory authority. Furthermore, the implementation of the Directive introduced the requirement on data controllers to inform data subjects of the collection of personal data. The Danish act has to some degree introduced requirements which go beyond what is stipulated in the Directive. This concerns the requirement of application for processing of sensitive personal data in the private sector, and credit information agencies and warning registers, where the act also applies to data concerning enterprises. Special rules are also adopted regarding the selling of personal data for marketing purposes, automatic registration of telephone calls, credit information agencies and data security in the public sector. Furthermore, data controllers are to check direct marketing preferences before passing on personal information. The rationale for implementing the additional requirements was to maintain the level of protection from the previous act and to improve the legal position of the data subjects.

7.1.2 France
France has had legislation in the area of data protection since 1978, when the act Informatique et Libertés was adopted. This act was modified in August 2004 in order to implement the Directive. The differences introduced with the implementation of the Directive include that fewer processing operations in the public sector require an authorisation by the supervisory authority. The supervisory authority can require data controllers to submit additional information when notifying and requesting authorisation. According to the supervisory authority, the French act has not introduced any additional requirements to the text of the Directive. However, some requirements are the result of the margin of manoeuvre which is left by the Directive. This concerns article 20 of the Directive, which prescribes that Member States shall determine which processing operations are to be subject to prior checking and authorisation by the supervisory authority. For the private sector this provision applies to the processing of sensitive data, genetic data, biometric data, data containing appraisal of the social difficulties of people and judicial data. Furthermore, authorisation is required when data can exclude a person from the benefit of a right or a contract. The rationale for making these kinds of processing operations subject to authorisation was to better safeguard the individual's right to privacy.

7.1.3 Germany
Legislation in the area of data protection was introduced in Germany with the adoption of the Bundesdatenschutzgesetz in 1978. The legislation was aligned with the Directive in January 2003. New requirements were introduced with the implementation of the Directive. These include the obligation on data controllers to provide information to data subjects, regulation on sensitive data, regulation restricting data transfer to third countries, a general prohibition on completely automated decisions and the right of data subjects to object to the processing of their personal data. According to the supervisory authority, no additional requirements have been implemented.

7.1.4 Italy
Alone among the five countries examined, Italy did not have any legislation in the area of data protection prior to the implementation of the Directive. The first framework for the legislation was introduced in December 1996, and in January 2004 the Data Protection Code was adopted. Italy has imposed some additional requirements beyond what is stipulated in the Directive. This applies to the public administration, where personal data can only be processed in order to discharge the institutional tasks of the administration. Specific codes of conduct which have legal value will be adopted for various sectors. Furthermore, special rules on processing of sensitive and judicial data for the private sector and profit-seeking public bodies have been adopted. The rationale for implementing these additional requirements was to increase the level of protection for data subjects.

7.1.5 The United Kingdom
The United Kingdom has had legislation in the area of data protection since 1984, and in 1998 the Directive was implemented into national law with the adoption of the Data Protection Act. The main difference between the previous act and the present one is that the previous act only covered electronic processing of personal data, whereas the present act includes some manual files. Previously, data controllers were only subject to the law if they registered with the supervisory authority. Now all processing operations are subject to the legislation implementing the Directive, and the majority of data controllers are to notify the supervisory authority. Additional regulations on transfer of personal data have been introduced. According to the supervisory authority, the Information Commissioner, additional requirements have been introduced which criminalise the unlawful obtaining of personal data.

7.1.6 Differences identified among the five countries
In four out of five countries examined, legislation in the area of data protection has existed for a number of years. Only Italy did not have any legislation in the area of data protection prior to the adoption of the Directive. Some of the countries examined have been late to transpose the Directive. This applies to France and Germany. Some additional requirements have been introduced by the national legislation, mainly with the objective of maintaining the level of protection offered by the previous national legislation in the area and with the objective of increasing the safeguard of the individual's right to privacy.


7.2 Enforcement of the national data protection act
Among the supervisory authorities interviewed, differences are found as to the organisation of the authority, monitoring tasks, services offered, the information provided, and digital administration. Differences in enforcement may have an impact on the costs imposed on data controllers. Furthermore, differences in enforcement may also have an impact on the level of awareness of data controllers and the costs related to enforcement of the legislation. Thus this section outlines the enforcement of the national data protection laws in the examined countries and the costs related to enforcement. As an indication of enforcement costs, the table below summarises the number of employees, the budget of the authority, the number of notifications in 2004 and the total number of notifications since the implementation of the Directive. All figures are from 2004 when not stated otherwise.

Table 5: Enforcement costs

                                Denmark           France            Germany           Italy               United Kingdom
Permanent employees             25                80                406               93*                 195
Budget                          2.1 million euro  6.9 million euro  21 million euro   11.7 million euro*  11.5 million euro
Notifications in 2004 or
latest year available           1 970*            59 182            No answer         9 791*              110 451
Total number of notifications   13 976**          941 076*          No answer         No answer           251 702***

* 1978-2003
** Per 27th January 2004
*** Per 31st March 2004

7.2.1 Denmark

The Danish Data Protection Agency consists of a council, which is appointed by the Minister of Justice, and a secretariat. The Agency is supervisory authority for all processing of data subject to the Directive except for the courts' processing of personal data, which is supervised by a separate authority and the courts themselves. Furthermore, some individual authorities play a supervisory role in connection with certain questions of data protection in specific areas (European Commission, 2002a). When the Directive was implemented, the Agency employed additional staff. However, since then the number of staff has decreased, and at present the Agency employs 25 permanent employees, most of whom are lawyers, along with a few technicians and some administrative staff. In 2004 the annual budget was 2.1 million euro. The Agency handles all tasks related to the Directive. Additionally, a minor part of the Agency's tasks is related to notifications according to the act on mass media information databases and to its function as register authority for Greenland. 24% of the budget of the authority is allocated to handling of complaints and guidance for data controllers, 24% to handling of notifications and applications, 9% to inspections, 14% to assistance to new law making and 12% to international co-operation. The remaining 17% is allocated to administration. In 2004 the Agency received 1970 notifications from data controllers. The Agency has published a brochure providing general information on the data protection act. Furthermore, the web site of the Agency provides information and guidance on the national data protection act; for instance, some of the rulings of the Agency are published on the web site. The web site also contains the annual reports of the Agency and the public register of data controllers. On-line services are available as regards notification of processing operations and registration for news.

7.2.2 France
In France, the CNIL is supervisory authority for all processing operations subject to the Directive. During the last few years the CNIL has increased its number of employees, and it now employs 80 persons. As the implementation of the Directive has broadened the competences of the CNIL, a further increase is expected. The annual budget for the authority has also increased during the last few years, and in 2004 the annual budget was 6.9 million euro. The tasks of the CNIL include advice and consultation, handling of notifications and authorisation requests, control of data transfers to other countries, handling of complaints, inspections, consultation for new law making, participation in international co-operation, and inspections of international information systems. Furthermore, three experts in the CNIL carry out technology evolution surveillance. In 2004 the number of notifications amounted to 59 182. Information on the data protection act is provided on the web site of the CNIL. However, practical guidance to data controllers is only provided by phone. As regards the simplified notification, on-line registration is available. The remaining notifications and authorisation requests are to be submitted in paper form.

7.2.3 Germany
In Germany, several authorities are responsible for the supervision of the data protection law. The responsibility is split between the Federal State and the Laender. The Federal Data Protection Commissioner is supervisory authority for the federal public authorities, telecommunication services and postal services. The 16 Commissioners of the Laender are supervisory authorities for the public administration in the concerned Laender and municipalities. The private sector, except for the telecommunication and postal services, is subject to the authority of the Data Protection Commissioners of the Laender or the Ministries of the Interior in the respective Land. Additionally, media, churches and religious communities are subject to particular rules (European Commission, 2002a). In this study, a respondent from the Bavarian Ministry of the Interior participated. In 2004 the total number of persons employed in the various supervisory authorities was estimated at 406, and personnel and material costs were estimated at 18 million and 3 million euro respectively. However, as the authorities are part of the administrative bodies of the Laender and the Federation, material costs are difficult to estimate. Hence the material costs are likely to be higher. The Agency provides advice to data controllers, handles notifications and applications, carries out inspections, participates in international co-operation and inspects international information systems. Additionally, the Agency has the authority to recall data protection officers in enterprises, to prescribe penalties and fines, and to enact administrative deeds in case of technical and organisational deficiencies. The Agency provides the following on-line services: request for information, registration for news, notifications and applications.


7.2.4 Italy
In Italy, the Garante per la protezione dei dati personali (the Garante) is responsible for the supervision of compliance with the data protection act. In 2003, 93 persons were employed at the Garante and the budget was 11.7 million euro. Both the number of employees and the budget have increased during the last few years. The Agency carries out the following activities related to data protection: advice to data controllers, handling of notifications and applications, handling of complaints, inspections, support to new law making, inspection of international information systems, and participation in international co-operation. Furthermore, the Agency undertakes institutional communication and surveys. In 2003 the Agency received 9 791 notifications from data controllers. The Italian legislation implementing the Directive emphasises that IT technologies are to be used to the greatest possible extent in order to simplify the notification. Hence all notifications are to be submitted on-line, and applications can also be submitted on-line. Furthermore, the Agency provides information, legal texts, the register of data controllers and a weekly newsletter on its web site, and requests for information can be made on-line.

7.2.5 The United Kingdom
In the United Kingdom, the Information Commissioner is the supervisory authority for the Data Protection Act. The Information Commissioner is also responsible for the English Freedom of Information Act. In the area of data protection 195 persons are employed, and the budget for data protection for 2004-2005 was 11.5 million euro. According to the Information Commissioner, these numbers have increased substantially since the implementation of the Directive. The office of the Information Commissioner handles all tasks related to data protection, i.e. advice to data controllers, handling of notifications and applications, handling of complaints, inspections, support to new law making, inspection of international information systems and participation in international co-operation. The handling of notifications, applications and complaints is a major administrative task of the agency. 110 451 notifications were received last year, and about 10 000 complaints are received annually. Inspections take up a minor part of the budget, as the law requires the consent of the data controller in order for the Information Commissioner to carry out an inspection. The web site of the Information Commissioner contains information and guidance on data protection. Notification and applications are not yet available on-line, although the notification form can be downloaded. The objective of the Information Commissioner's office is that 70% of the notifications are made on-line by 2006.


8. Case studies

The objective of the case studies is to analyse the additional costs resulting from compliance with the Directive. Hence the case studies identify, analyse and evaluate the costs of complying with the implementation of the Directive. The case studies cover three dimensions: the country dimension, the business sector dimension and the organisational type dimension. Each case study outlines the characteristics of the sector in question and the specific issues related to data protection in this sector. The kind of personal data processed in the sector, and the purposes for which it is processed, have an impact on the data protection issues that the sector faces. Hence the case studies entail a general description of the data classes collected and processed in the sector concerned. The data classes listed in the case studies include:

- Personal details, e.g. name, address, date of birth, civil registration number etc.
- Employment details, e.g. salaries, working hours etc.
- Education and training details, e.g. education, graduation year, skills etc.
- Financial details, e.g. bank details etc.
- Goods or services provided, e.g. transactions between companies or individuals.
- Family, lifestyle and social circumstances, which are sensitive personal information, e.g. sexual life, religious or other beliefs, social problems etc.
- Trade union membership, which is also sensitive data.
- Physical or mental health or condition, which is sensitive data.

Value chain

Variations between EU countries in the distribution of responsibilities throughout the value chain can be a significant source of error when comparing the economic consequences of implementing the Data Protection Directive across countries. Thus a value chain perspective has been applied in the case studies.

Cost analysis

With the introduction of the national legislation implementing the Data Protection Directive, organisations and companies subject to the legislation may experience decreases or increases in costs. Thus both aspects have been covered in the study. However, none of the respondents has experienced any decrease in costs. Hence the case studies outline the increase in costs associated with the handling of additional activities resulting from the national implementation of the Directive. The costs associated with implementing the Directive can be divided into two categories:

- One-off costs: the one-off costs associated directly with complying with the Directive in the transition phase (the first six months of implementation).
- Running costs: the yearly running costs of complying with the legislation (after the first six months).

Internal costs are estimated in both man hours and the equivalent euro, whereas external costs are estimated in euro. The estimated internal costs in man hours are converted to euro based on labour cost statistics provided by Eurostat. These statistics provide sector-specific labour costs for each country [7].

[7] http://europa.eu.int/comm/eurostat/newcronos/reference/display.do?screen=welcomeref&open=/labour/earncost/lacosts/lcan&language=en&product=EU_MASTER_labour_market&root=EU_MASTER_labour_market&scrollto=128


However, the definition of labour costs does not include overhead, i.e. the indirect costs associated with the administrative activities of the company or organisation (e.g. expenditure on human resources, ICT, office supplies, rent etc.). In line with the standard cost model used for measuring administrative burdens in Denmark, an overhead percentage of 25% is used (www.amvab.dk). Hence a 25% overhead is added to the Eurostat figures for hourly labour costs in each sector and country, in order to obtain the most accurate estimate of internal costs in euro.

8.1 Pharmacies

8.1.1 Sector profile

Pharmacies are retail shops where medicine and other articles are sold. Three pharmacies have been interviewed as part of this study:

- A French pharmacy of 5 employees with an annual turnover of approximately 1.2 million euro. The company is not part of a holding or a multiple site business. The pharmacist herself was interviewed.
- A German pharmacy of 15 employees. The annual turnover of the pharmacy was not stated. The company is not part of a holding or a multiple site business. The vice managing director of the pharmacy was interviewed.
- A UK pharmacy of 5 employees with an annual turnover of approximately 1.1 million euro. The company is one of three pharmacies owned by the same owner. The figures below are for this one pharmacy. The pharmacist himself was interviewed.

8.1.2 Data collected

Pharmacies collect personal information on both their own employees and their customers. The data on customers include sensitive data such as health details. The table below lists the kind of information collected by pharmacies and the purposes for which the information is collected:

| Information collected | Data classes (examples) | Purpose |
|---|---|---|
| Personal information on employees | Personal details; Employment details; Education and training details; Financial details | Staff administration and payroll |
| Personal information related to suppliers | Personal details; Financial details; Goods or services provided | Keeping account and records |
| Personal information on clients | Personal details; Social security number/insurance number; History of prescriptions; Physical or mental health or condition | Health administration and service; Reporting to social security systems; Reporting to insurance companies |

8.1.3 Differences in national legislation

Implementation of the Data Protection Directive in Germany did cause some adjustments and new requirements for enterprises. Pharmacies with five or more employees occupied with the processing of data must appoint a data protection officer, who ensures that data is adequately protected. Apart from this, Germany has not imposed legal requirements on pharmacies which go beyond what is stipulated in the Directive. In France, pharmacies are required to register with the data protection authority (CNIL). If they appoint a data protection officer, the notification process is simplified. However, the appointment of a data protection officer is not obligatory. France has not imposed legal requirements on pharmacies which go beyond what is stipulated in the Directive. Pharmacies in the United Kingdom are required to notify the Information Commissioner annually. Apart from that, the UK has not imposed legal requirements on pharmacies which go beyond what is stipulated in the Directive.

8.1.4 Handling of data

Two of the three pharmacies included in the study process the data covered by the requirements of the Directive at their own premises and in their own IT system. The French pharmacy has chosen to outsource the maintenance of its IT system to an external IT service company, including the notification to the data protection authority. The other two pharmacies in the analysis have their own IT system, an industry solution. In both cases these solutions integrate human resource management, accounting and information on clients. Thus all data subject to the data protection law is stored in one IT system. None of the pharmacies have cut back on activities in order to comply with the national legislation implementing the Directive.

8.1.5 Value chain perspective

In the case of pharmacies, no significant variations in the distribution of responsibilities between the actors have been identified in France, Germany and the UK. All collection and management of the data listed in the previous table is done by the pharmacies themselves. As the previous table indicates, pharmacies in general both obtain personal data from and give personal data to other actors. They receive prescriptions for medicine from doctors and give personal information to social security centres and insurance companies. This is illustrated by the transfers of data undertaken by the French pharmacy: personal data on clients are transferred via an IT system called Vitale to different public social security centres, which then partly or fully refund the clients' costs. Furthermore, personal data are transferred to a mutual insurance platform in order for clients to obtain refunds from their insurance companies.

8.1.6 Quantitative impact

The respondents from the pharmacies did not perceive the administrative activities to have decreased following the introduction of the national legislation. Thus this section outlines the increase in costs associated with the handling of additional activities resulting from the national legislation implementing the Data Protection Directive. The one-off costs caused by the implementation of the Directive are outlined below in table 9. Internal costs are estimated in both man hours and euro, and external costs are estimated in euro.


Table 6: Estimation of the one-off costs of complying with the legislation (the first six months of implementation). Each country cell gives internal man hours / internal cost (euro) / external cost (euro).

| Additional activities related to the data protection law | France | Germany | United Kingdom | Description of the activity |
|---|---|---|---|---|
| Gather knowledge about the requirements of the legislation | 0 / 0 / 0 | 0 / 0 / 0 | 2 hours / 51 euro* / 0 | UK: read the act, identify requirements, assess how the legislation affects the organisation |
| Initial investment in technology protecting personal data | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0** | |
| Adjustment of existing IT systems | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0 | |
| Creation of organisational measures, e.g. recruitment of data protection officer | 0 / 0 / 0 | 8 hours / 216 euro / 0 | 0 / 0 / 0 | Germany: appointment of a data protection officer |
| Initial notification of authorities of existing processing operations | 0 / 0 / 0 | 0 / 0 / 0 | 2 hours / 51 euro / 140 euro (fee for notification) | UK: gather the information needed, fill in the notification form, send the notification to the authorities |
| Initial application for processing operations requiring specific permission (sensitive data) | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0 | |
| Initial training of staff | 0 / 0 / 0 | 0 / 0 / 0 | 4 hours / 102 euro / 0 | UK: provide information to the staff on the legislation |
| Other one-off costs | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0 | |
| Total one-off costs | 0 / 0 / 0 | 8 hours / 216 euro / 0 | 8 hours / 204 euro / 140 euro | |

*Man hours calculated in euro based on Eurostat labour cost figures for NACE G (Wholesale and retail trade) 2002. Overhead of 25% is included.
**100 euro was spent to buy a printer which could handle subject access forms. This is not a requirement of the legislation.

The table above shows that the French pharmacy did not experience any one-off costs associated with compliance with the national legislation implementing the Data Protection Directive. The notification undertaken by the IT service company took place prior to the implementation of the Data Protection Directive, in compliance with the then French law Informatique et Libertés, and there has not been a requirement to renew the notification after the Directive was implemented. In Germany, the pharmacy estimated total one-off costs of 8 hours resulting from the requirement to appoint a data protection officer. From the perspective of the pharmacy this was perceived as a negligible cost. In the United Kingdom, the pharmacy estimated the total one-off cost at 8 hours and 140 euro in the transition phase. The costs were distributed across gathering knowledge of the legislation, notification and initial training of staff. Furthermore, in the United Kingdom a registration fee is collected for each notification of data processing. The low level of costs in all three countries reflects the fact that the previous national legislation in France, Germany and the United Kingdom was very similar to the national legislation implementing the Directive. The running costs caused by the implementation of the Directive are outlined below in table 10. Internal costs are estimated in both man hours and euro, and external costs are estimated in euro.


Table 7: Estimation of the additional average yearly running costs of complying with the legislation (after the first six months)

The activities assessed were: notification of authorities of processing operations; application for processing operations (sensitive data); authorisation and notification of transfer to third country; handling access requests; handling rectification, erasure and blocking based on complaints from data subjects; providing information to data subjects (internal and external); information to data subjects regarding data obtained from other sources; obtaining consent to processing; permission to transfer data to third countries; checking mailing preference services before using direct marketing; managing a register of processing operations; maintenance and adjustment of data protection technology; dissemination of information on the legislation to internal staff; training of staff; other running costs. The French and German pharmacies reported no internal or external running costs (0) for any of these activities. The entries for the United Kingdom are:

| Activity (United Kingdom) | Internal | Internal (euro) | External |
|---|---|---|---|
| Notification of authorities of processing operations (fee for renewal of notification) | 0 | 0 | 50 euro |
| Expenditure on hardware for backup archive media | 0 | 0 | 210 euro |
| Information to staff on how to register data on patients | 24 hours | 609 euro* | 0 |
| Total yearly running costs | 24 hours | 609 euro | 260 euro |

*Man hours calculated in euro based on Eurostat labour cost figures for NACE G (Wholesale and retail trade) 2002. Overhead of 25% is included.


The table above shows that the only running costs of complying with the national legislation implementing the Data Protection Directive were found in the United Kingdom. The additional costs for the English pharmacy are the following:

- 50 euro yearly for renewal of the notification.
- 210 euro yearly for backup hardware designed to store data for up to ten years. The business association in the country recommends that pharmacies store data for ten years in order to be able to provide the requested information if data subjects make access requests under the data protection law. Thus, from the perspective of the pharmacy, the thorough archiving activity is a result of the obligation to provide data subjects with the requested information, which is laid down by the data protection act.
- 24 hours yearly to inform staff on how to register data carefully, so that any access requests can be complied with.

The total additional average yearly running cost of complying with the legislation (after the first six months) is 24 hours and 260 euro in the UK. Apart from the fees associated with registration and yearly renewal of a data processing system in the UK, there are no important differences in how the legislation imposes costs on businesses in the three countries. Thus the differences identified are more a question of how different businesses choose to comply with the legislation. As stated above, the French pharmacy has outsourced its IT functions to an IT service company. However, the costs related to outsourcing are not a result of the implementation of the Data Protection Directive, but of the general maintenance and upgrading of the IT system. Furthermore, the interaction with the French data protection authority, the CNIL, which is undertaken by the IT service provider, took place before the implementation of the Directive. Hence the French pharmacy has not experienced any yearly running costs of complying with the Data Protection Directive. From the perspective of the German pharmacy, the implementation of the Directive has not caused any additional running costs compared with the previous legislation in the area of data protection. None of the pharmacies have received any requests for access to data by data subjects yet. However, the English pharmacy anticipates that access requests will be an issue in the future when individuals become more aware of data protection and of their rights as data subjects. Hence the pharmacy carries out a thorough archiving activity in order to be able to provide the requested information when an access request is received, and the pharmacist has also invested in a printer which can handle subject access forms.

The low number of access requests received by the pharmacies is in line with the majority of European businesses, of which 23% have never received any access requests and 49% have received fewer than ten (Flash Eurobarometer no 147, 2003: 47). This may be due to the fact that European citizens are not aware of their right to request access to their data. The 2003 Eurobarometer shows that only 32% of citizens in the EU have heard of the right to obtain access to data held by others. For the countries included in this study, this figure includes numbers as disparate as 21% in Germany and 53% in Italy (Special Eurobarometer no 196, 2003: 49). Overall, taking into account that pharmacies are small firms and comparing the size and turnover of the three pharmacies with the estimated one-off and running costs, the costs are still regarded as minor.

8.1.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy

The pharmacy in the United Kingdom finds that the individual's right to privacy is better safeguarded with the new legislation implementing the Directive, because the staff have restricted access to data and only the pharmacist has access to all data. The improvement is perceived to have been achieved at a reasonable cost.


In France the Data Protection Directive does not entail new measures compared with the previous 1978 French law Informatique et Libertés. Likewise, the new legislation in Germany is not perceived as having any additional requirements compared to the former legislation.

8.1.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data

None of the pharmacies have experienced any change related to free movement of personal data as a result of the legislation implementing the Data Protection Directive. However, this may be due to the fact that none of them have any experience with movement of personal data across national borders.

8.1.9 General perception of the national data protection legislation

The French, the German and the English pharmacy all perceive the additional costs of complying with the national legislation implementing the Directive to be negligible. This is due to the fact that the previous legislation in the area of data protection in all three countries was quite similar to the current legislation. Thus the majority of the activities required by the legislation implementing the Data Protection Directive were already carried out, and the organisational and technological safeguards were already in place.

8.1.10 Impacts/problems to be solved

The interviews with the pharmacies have not identified any further problems to be solved.


8.2 Retail

8.2.1 Sector profile

Fashion retail has been chosen as representative of the retail sector. Fashion retailers process personal data on their employees, suppliers and customers. A special feature of fashion retailers is the collection and processing of personal information on customers, which is collected as part of the administration of membership or club cards. Furthermore, multinational fashion retailers might share personal information among different chains and countries. As part of the study three multinational fashion retailers have been interviewed: in Italy the Benetton Group, in France the national branch of Benetton, and in Germany the fashion retailer Adler. The Benetton Group is present in 120 countries with 5000 stores. The company employs about 7000 persons and in 2003 the company had an annual turnover of 1.9 billion euro (http://www.benettongroup.com/investors/). Personal information on retail customers is not collected, as the company does not offer membership cards. However, personal information is collected in relation to manufacturers and employees. The French branch of Benetton employs about 600 persons. In Italy, the Director for Institutional and Industrial Relations was interviewed, and in France the Human Resources Manager was interviewed. Adler is part of the Metro Group and Adler fashion stores are present in Germany, Luxembourg and Austria. 7000 persons are employed in 110 stores and the company's last annual turnover was 500 million euro. Adler collects personal information on customers as part of the administration of club cards.

8.2.2 Data collected

The table below summarises the personal information collected in the retail sector and the underlying purpose of the collection of data.

| Information collected | Data classes (examples) | Purpose |
|---|---|---|
| Personal information on employees | Personal details; Employment details; Education and training details; Financial details | Staff administration and payroll |
| Personal information related to suppliers | Personal details; Financial details; Goods or services provided | Keeping accounts and records |
| Personal information on customers | Personal details; History of purchases | Administration of club or membership cards; Advertising and marketing |

8.2.3 Differences in national legislation

Italy was the only one of the five countries examined in the study that did not have legislation in the area of data protection prior to the implementation of the Directive. The Italian act emphasises sectoral codes of conduct as a means of ensuring a unified understanding of the requirements of the legislation. In the area of retail no special requirements have been identified, except for the requirement to notify the supervisory authority if personal data is collected by means of membership cards. However, this does not affect Benetton as they do not offer membership cards. In France, companies in the retail sector need authorisation from the supervisory authority if customer data are being processed. However, this does not affect Benetton France, as they do not have any direct marketing activity, including customer cards. Furthermore, 70% of all processing operations notified to the supervisory authority are required to follow a simplified notification procedure (Technical analysis of the transposition in the Member States, 27). The simplified notification also applies to Benetton France.

In Germany, private enterprises are required to appoint a data protection officer if five or more employees are occupied with the processing of data. Apart from this, Germany has not imposed additional requirements on the retail sector which go beyond what is stipulated in the Directive, and for Adler the implementation of the Data Protection Directive did not cause any significant changes.

8.2.4 Handling of data

Benetton in Italy has implemented a single IT system for data management, which handles all information related to employees, suppliers and customers. The processing of data takes place in the business unit concerned, but on the same IT system. A well defined level of access authorisation ensures the protection of personal data contained in the IT system. The French branch of Benetton handles the processing of employee data and supplier data at the company's premises. Additionally, employee data are also handled in the outlets concerned, and some data are processed at group level in Italy. Adler handles all processing of data at the company's premises. None of the fashion retailers interviewed in the study have chosen to cut back on their activities in order to comply with the national legislation implementing the Directive.

8.2.5 Value chain perspective

In the case of fashion retailers, no significant variations in the distribution of responsibilities between the actors have been identified in Italy, France and Germany. All collection and management of the data listed in the previous table is done by the retailers themselves.

8.2.6 Quantitative impact

The respondents from the fashion retailers did not perceive the administrative activities to have decreased following the introduction of the national legislation. Thus this section outlines the increase in costs associated with the handling of additional activities resulting from the national legislation implementing the Data Protection Directive. The one-off costs caused by the implementation of the Directive are outlined below in table 11. Internal costs are estimated in both man hours and euro, and external costs are estimated in euro.

Table 8: Estimation of the one-off costs of complying with the legislation (the first six months of implementation). Each country cell gives internal man hours / internal cost (euro) / external cost (euro).

| Additional activities related to the data protection law | Italy (Benetton) | France (Benetton) | Germany (Adler) | Description of the activity |
|---|---|---|---|---|
| Gather knowledge about the requirements of the legislation | 0 / 0 / 10 000 euro | 0 / 0 / 0 | 0 / 0 / 2 000 euro | Mapping all data processing activities in the company; fee for lawyer assistance |
| Initial investment in technology protecting personal data | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0 | |
| Adjustment of existing IT systems | 40 hours / 881 euro* / 0 | 0 / 0 / 0 | 0 / 0 / 0 | Italy: implementing technical security measures for access to the information held in the IT systems |
| Creation of organisational measures, e.g. recruitment of data protection officer | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0 | |
| Initial notification of authorities of existing processing operations | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0 | |
| Initial application for processing operations requiring specific permission (sensitive data) | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0 | |
| Initial training of staff | 8 hours / 176 euro / 0 | 0 / 0 / 0 | 0 / 0 / 0 | Italy: provide written information on data protection to the internal staff |
| Other one-off costs | 0 / 0 / 0 | 0 / 0 / 0 | 0 / 0 / 0 | |
| Total one-off costs | 48 hours / 1057 euro / 10 000 euro | 0 / 0 / 0 | 0 / 0 / 2 000 euro | |

*Man hours calculated in euro based on Eurostat labour cost figures for NACE G (Wholesale and retail trade) 2002. Overhead of 25% is included.


The table shows that both the Italian and the German fashion retailer experienced external one-off costs in relation to gathering knowledge about the requirements of the Directive, as both received legal advice from external consultants. Additionally, the Italian retailer experienced one-off costs as regards adjustment of existing IT systems and initial training of staff. The French retailer did not experience any initial costs. The total one-off costs were 48 hours and 10.000 euro in Italy and 2.000 euro in Germany. The amount spent on external consultancy is significantly higher in Italy. However, this may be explained by the fact that Italy did not have any legislation in the area of data protection prior to the implementation of the Directive. Thus the consultant from the business association had to identify the processes in the organisation subject to the regulation. Furthermore, the Italian act emphasises codes of conduct as a means of securing data protection in the various sectors, and the Italian retailer had to consult the business association for guidance on compliance measures, e.g. technical requirements. The majority of the internal one-off costs of the Italian retailer were spent on adjusting the existing IT systems to the technical requirements and setting up a well defined level of access authorisation. The Italian retailer is exempt from notification and thus did not have to notify the supervisory authority initially. The French retailer has not experienced any costs in relation to the implementation of the Directive. They have not spent any time gathering information on the new legislation, and they have not been required to renew their notification after the implementation of the Directive. The running costs caused by the implementation of the Directive are outlined below in table 12. Internal costs are estimated in both man hours and euro, and external costs are estimated in euro.


Table 9: Estimation of the additional average yearly running costs of complying with the legislation (after the first six months)

The activities assessed were: notification of authorities of processing operations; application for processing operations (sensitive data); authorisation and notification of transfer to third country; handling access requests; handling rectification, erasure and blocking based on complaints from data subjects; providing information to data subjects (internal and external); information to data subjects regarding data obtained from other sources; obtaining consent to processing; permission to transfer data to third countries; checking mailing preference services before using direct marketing; managing a register of processing operations; maintenance and adjustment of data protection technology; dissemination of information on the legislation to internal staff; training of staff; other running costs. The French (Benetton) and German (Adler) retailers reported no internal or external running costs (0) for any of these activities. The entries for Italy (Benetton) are:

| Activity (Italy, Benetton) | Internal | Internal (euro) | External |
|---|---|---|---|
| The IT department manages access authorisations to the IT systems for staff | 32 hours | 704 euro* | 0 |
| Total time spent on data protection by the person responsible for legal matters, including keeping up to date with the legislation | 32 hours | 704 euro | 0 |
| A working group of 5 people on data protection | 15 hours | 331 euro | 0 |
| Total yearly running costs | 79 hours | 1.739 euro | 0 |

*Man hours calculated in euro based on Eurostat labour cost figures for NACE G (Wholesale and retail trade) 2002. Overhead of 25% is included.

The table above shows that the French and the German retailer do not experience any running costs related to the implementation of the Directive. The French retailer does not find that there are any additional activities related to complying with the legislation implementing the Directive compared to the previous legislation in the area of data protection. Likewise, the German retailer does not find that there are any noticeable burdens of complying with the data protection act, when the turnover of the company and burdens caused by other Directives and regulations are taken into consideration. The majority of the internal running costs experienced by the Italian retailer are divided on maintaining a well defined level of access to data bases and other data protection activities, including keeping up to date with the legislation. Additionally 15 hours are spent annually by a working group on data protection issues related to a future reorganisation of the company. The total running costs in Italy are 79 hours. Although no modifications to the Directive has been made on EU level, the Italian data protection legislation implementing the Directive has been modified several times since the introduction of the first framework law in 1996 (interview with supervisory authority). Hence the Italian retailer has had to keep up to date with the legislation. Although the costs estimated by the Italian retailer are higher than the costs experienced in France and Germany, the time spent on data protection is perceived to be a minor part of the every day work. The difference in costs between the three retailers can partly be explained by the fact that the Italian data protection legislation recently has been adopted and that no legislation in the area existed prior to the implementation of the Directive. 
Hence the first framework legislation in the area of data protection in Italy was adopted in 1996 and has been modified several times since then, ending with the adoption of the data protection code in 2003 (interview with Italian data protection authority). Compared to the annual turnover of the organisations, the one-off and running costs of complying with the legislation implementing the Directive are regarded as minor.

8.2.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy

The Italian retailer does not find that personal data are better safeguarded than previously. However, they find that the data protection act has improved the awareness of data protection, and that it has made it possible for Benetton to raise awareness of the fact that personal information cannot be disclosed without appropriate procedures. The French retailer does not find that the implementation of the Data Protection Directive has introduced additional safeguard measures as regards the individual's privacy compared with the previous French act. The German retailer does not perceive the individual's right to privacy to be improved by the implementation of the Directive, as Germany already offered a high level of protection of the individual's privacy.

8.2.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data

In the opinion of the German, French and Italian retailers alike, the free movement of personal information has not been improved with the present legislation.

8.2.9 General perception of the national data protection legislation

The German retailer perceives the costs of complying with the new data protection legislation compared to the previous legislation in the area to be negligible. The French retailer does not find that the implementation of the Directive has caused any changes in the national data protection legislation.

Although Italy did not have any legislation in the area of data protection before the implementation of the Directive, the Italian retailer does not experience significant costs of complying with the legislation. In the opinion of the Italian retailer, the data protection legislation has a relevant impact neither on the activities of the company nor on its legal department. Furthermore, it is difficult to distinguish between the costs related to compliance with the data protection legislation and the costs related to other legal requirements or to the reorganisation of the company.

8.2.10 Impacts/problems to be solved

The interviews with the retailers in France, Italy and Germany have not identified further problems to be solved.

8.3 NGO

8.3.1 Sector profile

NGOs collect personal information from employees, members, donators, complainants, victims, correspondents and enquirers. The information is collected for different purposes and may be transferred to other countries depending on the organisational structure of the NGO. Characteristic of NGOs is the collection of personal information for the administration of membership records and fundraising and for conducting research in the concerned field (e.g. human rights). Some NGOs also collect personal information for the provision of legal services. Amnesty International is selected as the case for the interviews in the NGO sector. The International Secretariat is located in London and national divisions are present in most EU Member States. National sections of Amnesty collect information for their membership records, for administration of staff and for fundraising. The information on the members is not transferred to other countries. The International Secretariat collects information on the human rights situation from victims and their relatives, witnesses, lawyers, advocates of human rights, social, religious and humanitarian organisations and the media, e.g. information on prisoners of conscience, i.e. persons who are held prisoner because of their religious or political beliefs, their ethnic origin or their gender. Information collected by the International Secretariat is distributed to the national offices, where the information is used for campaigns, appeals, actions etc. Some information is also distributed to the media and to other organisations such as the UN. Information is transferred as publications or published on the Internet. As this information is transferred from the International Secretariat to offices in other Member States, the organisation may experience national differences in the implementation of the Data Protection Directive. This case is based on interviews with Amnesty International in France and in Germany.
The French branch of Amnesty International employs 70 salaried workers and 300 voluntary workers, and the 2004 budget amounted to 13 million euro. The interviewee was deputy director of Amnesty International France. The German branch of Amnesty International employs 35-40 full-time employees. The interviewee was the person responsible for data protection in Amnesty International in Germany.

8.3.2 Data collected

The table below lists the personal data which Amnesty International processes. These relate both to own staff, members and the human rights situation for victims. The list also shows for which purposes Amnesty collects the personal information.

| Information collected | Data classes (examples) | Purpose |
|---|---|---|
| Personal information on employees | Personal details; Employment details; Education and training details; Financial details | Staff administration and payroll |
| Personal information related to members or donators | Personal Details; Financial details: history of payment, bank; Employment | Administration of membership records and fundraising |
| Personal information on victims | Personal Details; Family, Lifestyle and Social Circumstances; Religious beliefs; Racial or Ethnic Origin; Physical or Mental Health or Condition; Offences; Criminal Proceedings | Information and administration of databanks for campaigns and research |

From the International Secretariat in London, personal data is transferred both across borders in Europe and to third countries. It is noted that especially databases on victims contain sensitive personal data.

8.3.3 Differences in national legislation

Implementation of the Data Protection Directive did not cause any significant change for Amnesty International in France. 99% of the constraints affecting Amnesty France are linked to the data protection legislation from the 1978 French law Informatique et Libertés. The remaining 1% concerns the obligation to delete unused data after a significant period of time. The fact is that Amnesty France has never deleted any information on donators since the beginning of the NGO. But as the term "significant" is rather vague, this obligation has not had any impact on the activities so far. The new law also offers Amnesty France the opportunity to nominate a data protection officer. With an official data protection officer, it is no longer required to notify new kinds of data processing to the CNIL (the French data protection agency). Nevertheless, given that there is no need for new data processing, a data protection officer has not been nominated. In Germany, the data protection act requires that a data protection officer is appointed when 5 or more people work with the processing of data. For Amnesty Germany the implementation of the Directive implied that all person-related data had to be documented and kept at disposal for inquiries.

8.3.4 Handling of data

In Amnesty Germany one IT system integrates accounting, human resource management and other personal information (e.g. donors, members, victims, etc.), whereas in Amnesty France 2 IT systems are subject to the national legislation implementing the Data Protection Directive:

1. A database on employees with the purpose of staff administration. Nature and processing of the information included in the database are proportionate to the needs of staff administration, i.e. payment and social security transfers. Such processing operations were declared to the CNIL prior to the implementation of the Directive and have not been modified afterwards.
2. A database with information on members, donators and customers. More than 600.000 French residents are referenced in this database.

Both the German and the French branch's IT systems are used and handled solely by the concerned section of the NGO. No data is extracted from these databases and sent to other sections or to the International Secretariat. Nevertheless, Amnesty France also resorts to exchange of addresses with other NGOs: Amnesty lends some addresses of donators to fundraisers of other NGOs, and Amnesty's fundraisers are lent some addresses to collect further money. Amnesty France and Germany do not collect data on victims. As a consequence, the only international personal data transfer the French and the German sections are involved in is the reception of data on victims from the International Secretariat. As this data is very sensitive (inappropriate diffusion of data may have tragic consequences for victims and their relatives), electronic data transfer is highly secured. For the same reason, access to the Amnesty France offices is secured by two security doors. The fact that data on victims is sensitive also accounts for the fact that its truthfulness is controlled through 7 different channels.

8.3.5 Value chain perspective

In the case of operations of Amnesty International, no significant variations in the distribution of responsibilities between the actors in the value chain have been identified.

8.3.6 Quantitative impact

Amnesty in both France and Germany does not perceive the administrative activities to have decreased following the introduction of the national legislation. Thus, this section outlines the increase in costs associated with handling of additional activities resulting from the national legislation implementing the Data Protection Directive. The one-off costs caused by the implementation of the Directive are outlined below in table 13. Internal costs are estimated in both man hours and euro, and external costs are estimated in euro.

Table 10: Estimation of the one-off costs of complying with the legislation (the first six months of implementation)

| Activity | France: Internal (hours) | France: Internal (euro) | France: External | Germany: Internal (hours) | Germany: Internal (euro) | Germany: External | Additional activities related to the data protection law |
|---|---|---|---|---|---|---|---|
| Gather knowledge about the requirements of the legislation | 3 hours | 113 euro* | 0 | 10 hours | 322 euro | 0 | Collection of information on the requirements of the legislation; identify how the legislation affects the organisation |
| Initial investment in technology protecting personal data | 0 | 0 | 0 | 0 | 0 | 0 | |
| Adjustment of existing IT-systems | 0 | 0 | 0 | 55 hours | 1772 euro | 0 | Mapping of existing data bases; updating software |
| Creation of organizational measures, e.g. recruitment of data protection officer | 0 | 0 | 0 | 3 hours | 97 euro | 0 | Reorganisation of existing staff in relation to data protection |
| Initial notification of authorities of existing processing operations | 0 | 0 | 0 | 15 hours | 483 euro | 0 | Obtaining information about notification requirements |
| Initial application for processing operations requiring specific permission (sensitive data) | 0 | 0 | 0 | 0 | 0 | 0 | |
| Initial training of staff | 0 | 0 | 0 | 0 | 0 | 0 | |
| Other one-off costs | 0 | 0 | 0 | 0 | 0 | 0 | |
| Total one-off costs | 3 hours | 113 euro | 0 | 83 hours | 2.674 euro | 0 | |

*Man hours calculated in euro based on Eurostat labour costs figures for NACE G-K (services) 2003, as no separate figures for NACE N-O (health and social work and other community, social, personal service activities) are available. Overhead of 25% is included.


The table above shows that Amnesty France did not experience any one-off costs besides reading the legislation and identifying possible differences from the existing legislation. Safeguards were already in place due to the sensitivity of personal data on victims and Amnesty was not required to notify their existing processing operations when the Directive was implemented, as these operations were notified in compliance with the previous law. Amnesty Germany experienced one-off costs related to four activities: gathering knowledge of the legislation, adjusting existing IT systems, creating organisational measures and initial notification. The running costs caused by the implementation of the Directive are outlined below in table 14. Internal costs are estimated in both man hours and euro and external costs are estimated in euro.


Table 11: Estimation of the additional average yearly running costs of complying with the legislation (after the first six months)

| Activity | France: Internal (hours) | France: Internal (euro) | France: External | Germany: Internal (hours) | Germany: Internal (euro) | Germany: External | Additional activities related to the data protection law |
|---|---|---|---|---|---|---|---|
| Notification of authorities of processing operations | 0 | 0 | 0 | 0 | 0 | 0 | |
| Application for processing operations (sensitive data) | 0 | 0 | 0 | 0 | 0 | 0 | |
| Authorisation and notification of transfer to third country | 0 | 0 | 0 | 20 hours | 645 euro* | 0 | Structuring of transfer processes to third countries; testing procedures of notification and authorisation |
| Handling access requests | 0 | 0 | 0 | 0 | 0 | 0 | |
| Handling rectification, erasure and blocking based on complaints from data subjects | 0 | 0 | 0 | 0 | 0 | 0 | |
| Providing information to data subjects (internal and external) | 0 | 0 | 0 | 10 hours | 322 euro | 0 | Working out links to data protection |
| Information to data subjects regarding data obtained by other sources | 0 | 0 | 0 | 0 | 0 | 0 | |
| Obtaining consent to processing | 0 | 0 | 0 | 0 | 0 | 0 | |
| Permission to transfer data to third countries | 0 | 0 | 0 | 0 | 0 | 0 | |
| Check mailing preference services before using direct marketing | 0 | 0 | 0 | 15 hours | 483 euro | 0 | Analysing procedures for usage of mailing lists |
| Manage a register of processing operations | 0 | 0 | 0 | 15 hours | 483 euro | 0 | Analysing which processing operations should be included in the register |
| Maintenance and adjustment of data protection technology | 0 | 0 | 0 | 0 | 0 | 0 | |
| Dissemination of information on the legislation to internal staff | 0 | 0 | 0 | 10 hours | 322 euro | 0 | Identifying the need for dissemination of information; organisation of information procedures |
| Training of staff | 0 | 0 | 0 | 0 | 0 | 0 | Training of data processing staff and employees working with personal information |
| Other running costs | 0 | 0 | 0 | | 162 euro | 0 | |
| Total yearly running costs | 0 | 0 | 0 | 75 hours | 2.417 euro | 0 | |

*Man hours calculated in euro based on Eurostat labour costs figures for NACE G-K (services) 2003, as no separate figures for NACE N-O (health and social work and other community, social, personal service activities) are available. Overhead of 25% is included.

As shown in the table above, the implementation of the Data Protection Directive did not result in any additional running costs for Amnesty France. As regards Amnesty Germany, the implementation of the Directive has imposed additional running costs of 75 hours. The costs are distributed over several activities, none of them being prevalent. This difference may be due to the fact that the Directive was not implemented into French law until August 2004. Hence the French NGO may not be fully aware of the requirements of the Directive and may thus not yet have experienced the full running costs related to the Directive. Furthermore, the French law implementing the Directive does not require notifications to be renewed, and Amnesty France does not require an authorisation from the supervisory authority, as they do not transfer personal data. On the other hand, Amnesty Germany is required to appoint a data protection officer, who is to ensure compliance with the data protection legislation.

8.3.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy

The new legislation in France is not perceived by the respondent as having additional requirements compared to the former legislation. Thus, there is no difference in the protection of privacy of personal data. This also applies to the German respondent, who does not find that the level of protection of the individual's right to privacy has been improved with the new regulation.

8.3.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data

From the point of view of Amnesty France, the new legislation did not mean any change regarding free movement of personal data. In the opinion of Amnesty Germany, however, the free movement of personal data has been improved due to the legal security concerning transfer of data offered by the Directive.

8.3.9 General perception of the national data protection legislation

The legislation is considered reasonable by both respondents. According to Amnesty Germany, the implementation of the Directive has caused some additional cost. However, the Directive has also improved legal security. In the opinion of Amnesty France, the law implementing the Directive is very similar to the previous legislation in the area. Amnesty France regards data protection as part of good ethics, and in the absence of the Directive Amnesty France would implement the same measures for protection of personal information, except for the notification of the CNIL, the data protection authority.

8.3.10 Impacts/Problems to be solved

The interviews with the NGOs have not revealed any problems which still need to be solved.

8.4 IT service provider

8.4.1 Sector profile

The IT service and outsourcing sector processes personal data on behalf of other companies. Thus IT service companies conducting outsourced functions for other companies are faced with issues of data protection, as they act on behalf of data controllers. The Data Protection Directive also affects the transfer of data between national branches of the IT service company in different Member States and the execution of outsourced services in third countries. CSC is designated as the case for the interviews in the IT service and outsourcing sector. CSC provides IT services for many industries. National organisations are found in all of the designated countries, and the headquarters for Europe, the Middle East and Africa are located in the United Kingdom. The Danish branch of CSC has been interviewed. CSC Denmark employs nearly 2.500 people, of which approximately 50% work with outsourcing of operations and IT services. In 2003/2004 the turnover of the Danish branch of CSC was 352.2 million euro. As part of the case study, two persons from the Danish branch of CSC participated in the interview: a security consultant and a security manager, both engaged in issues related to IT security, including data protection, in the company.

8.4.2 Data collected

The table below lists the personal data which IT service companies process. These relate both to administration of own staff and to outsourced functions for other companies. The list also shows for which purposes the IT services company collects or processes personal information.

| Information collected | Data classes (examples) | Purpose |
|---|---|---|
| Personal information on employees | Personal details; Employment details; Education and training details; Financial details | Staff administration and payroll |
| Personal information related to customers and clients | Personal Details; Financial Details; Goods or Services Provided | Keeping accounts and records |
| Personal information on third parties | Personal Details; Employment Details; Financial Details; Family, Lifestyle and Social Circumstances; Trade Union Membership; Physical or Mental Health or Condition | Providing IT services and outsourcing (processing on behalf of customers) |

Personal data is transferred both across borders in Europe and to third countries (especially to the headquarters in the US). It is noted that especially databases operated for customers contain sensitive personal data.

8.4.3 Differences in national legislation

Implementation of the Data Protection Directive did not cause any significant change, as the previous legislation in Denmark was quite similar. The main difference is that the new national legislation covers all processing of personal data, whereas the old one only covered registers. However, as all personal data processed by CSC are stored in databases, this does not have any practical implications. The fact that CSC offers electronic processing services implies that the Danish data protection act requires them to notify the national supervisory authority prior to the commencement of such processing operations. Furthermore, if the processing operations require a notification, the Danish data protection act also requires that the data controller's notification must include the name of the data processor (interview with Danish supervisory authorities). At EU level, there are some differences between the various national legislations. The main difference is that German law requires appointment of a data protection officer. To reduce the costs imposed by differences in national legislation, the company would like permission to use binding corporate rules as described by the Art. 29 Data Protection Working Party.

8.4.4 Handling of data

CSC has appointed a data protection manager, with office in Germany, to coordinate the European activities in the field on a full-time basis. Local issues are handled at the national offices, for example notification of authorities of processing operations. CSC has several IT systems which are subject to the data protection law:

- Human resource administration
- Payroll system
- Telephone directory
- Resource management
- Appraisals
- Skills

CSC Denmark has 100-150 clients for whom they operate one or more IT-systems.

8.4.5 Value chain perspective

In the case of operations of CSC, no significant variations in the distribution of responsibilities between the actors in the value chain have been identified. However, it is noted that CSC does not handle contact with data subjects on behalf of their customers, e.g. the handling of access requests and the obligation to provide information to data subjects. These activities are handled by the customers themselves.

8.4.6 Quantitative impact

CSC did not perceive the administrative activities to have decreased following the introduction of the national legislation. Thus, this section outlines the increase in costs associated with handling of additional activities resulting from the national legislation implementing the Data Protection Directive. The one-off costs caused by the implementation of the Directive are outlined below in table 15. Internal costs are estimated in both man hours and euro, and external costs are estimated in euro.

Table 12: Estimation of the one-off costs of complying with the legislation (the first six months of implementation)

| Activity | Denmark: Internal (hours) | Denmark: Internal (euro) | Denmark: External | Additional activities resulting from the data protection law |
|---|---|---|---|---|
| Gather knowledge about the requirements of the legislation | 148 hours | 6.131 euro* | 0 | Identify the requirements of the legislation; identify how the requirements affect the organisation; meetings |
| Initial investment in technology protecting personal data | 0 | 0 | 0 | |
| Adjustment of existing IT-systems | 0 | 0 | 0 | |
| Creation of organizational measures, e.g. recruitment of data protection officer | 0** | 0 | 0 | |
| Initial notification of authorities of existing processing operations | 0*** | 0 | 135 euro**** | Gather information needed for notification; fill in the notification form; notification fee |
| Initial application for processing operations requiring specific permission (sensitive data) | 0 | 0 | 0 | |
| Initial training of staff | 0 | 0 | 0 | |
| Other one-off costs | 0 | 0 | 0 | |
| Total one-off cost | 148 hours | 6.131 euro | 135 euro | |

*Man hours calculated in euro based on Eurostat labour costs figures for NACE K (business services) 2003. Overhead of 25% is included.
**Organisational measures were created on European level and not in CSC Denmark. See table 15 on running costs.
***Included in the 148 hours mentioned above.
****Based on information from the national data protection authority on the amount of the notification fee.

The table above shows that CSC did experience some one-off costs associated with compliance with the national legislation implementing the Data Protection Directive. A total of 148 hours (4 working weeks) were spent in the initial phase for identifying requirements of the legislation, how the requirements affect the organisation and meetings. Included in this figure is also gathering of information needed for notification and filling in the notification form. Additionally a fee of 135 euro was paid for the initial notification. No costs were experienced in relation to investment in or adjustment of IT systems as the company already had the necessary technology to protect personal data. The running costs caused by the implementation of the Directive are outlined below in table 16. Internal costs are estimated in both man hours and euro and external costs are estimated in euro.


Table 13: Estimation of the additional average yearly running costs of complying with the legislation (after the first six months)

| Activity | Denmark: Internal (hours) | Denmark: Internal (euro) | Denmark: External | Additional activities related to the data protection law |
|---|---|---|---|---|
| Notification of authorities of processing operations | 37 hours | 1533 euro* | 0 | Notify changes in CSC's own processing operations (6 systems) |
| Application for processing operations (sensitive data) | 0 | 0 | 0 | |
| Authorisation and notification of transfer to third country | 0 | 0 | 0 | |
| Handling access requests | 0 | 0 | 0 | |
| Handling rectification, erasure and blocking based on complaints from data subjects | 0 | 0 | 0 | |
| Providing information to data subjects (internal and external) | 0 | 0 | 0 | |
| Information to data subjects regarding data obtained by other sources | 0 | 0 | 0 | |
| Obtaining consent to processing | 0 | 0 | 0 | |
| Permission to transfer data to third countries | 37 hours | 1.533 euro | 0 | Obtaining consent from employees on transfer of their personal data between branches of the organisation; develop function in the IT system |
| Check mailing preference services before using direct marketing | 0 | 0 | 0 | |
| Manage a register of processing operations | 0 | 0 | 0 | |
| Maintenance and adjustment of data protection technology | 0 | 0 | 0 | |
| Dissemination of information on the legislation to internal staff | 7.4 hours | 307 euro | 0 | General briefing on the effect of the Act |
| Training of staff | 8.75 hours** | 363 euro | 0 | Train new-coming staff in data protection in the security introduction course |
| Other running costs | 119 hours*** | 4930 euro | 0 | Full-time employed data protection officer on European level. The data protection officer's office is located in Germany |
| Total yearly running costs | 209 hours | 8666 euro | 0 | |

*Man hours calculated in euro based on Eurostat labour costs figures for NACE K (business services) 2003. Overhead of 25% is included.
**CSC estimates that 5 security introduction courses with on average 20 employees each are conducted a year. Information on data protection takes up 5 minutes of these courses. Hence the trainer spends 25 minutes and the employees 500 minutes a year, adding up to a total of 8.75 hours.
***Costs of employing a full-time data protection officer are evenly divided among the 14 branches of CSC which are located in the EU.

The total additional average yearly running costs of complying with the legislation (after the first six months) are 209 hours per year in Denmark. The additional costs are a consequence of the shift in the Danish legislation from a focus on registers of data to a focus on processing of data. Registers are more static and change less frequently than the processing of data. Furthermore, CSC needs to obtain consent from employees in order to transfer their personal data to a global human resource system in the USA. Due to national differences in the implementation and application of the provisions regarding transfer of data to third countries, CSC has not been able to agree on a transfer agreement which all the concerned countries could approve of (see the section on free movement below). Hence CSC needs to obtain consent from the individual employee. CSC does not experience any costs related to handling of access requests. This is due to the fact that CSC mainly is processor on behalf of other data controllers. Hence requests for access to data by data subjects are directed to the data controllers and not to CSC. For CSC, transfer to third countries is the most time-consuming activity related to data protection. In order to transfer data to third countries which do not ensure an adequate level of protection, data controllers are required to adduce adequate safeguards. Such adequate safeguards may result from contractual clauses, which are to be authorised by the supervisory authority (Article 26 (2) of the Directive and article 27 (4) of the Danish Act on processing of personal data). CSC estimates that staff year is spent on this activity yearly. This includes making controller-to-controller agreements with other branches of the company located in third countries and updating these agreements. Additionally, controller-to-processor agreements are made regarding outsourcing of operations to third countries.

CSC is not able to assess to what extent these costs are higher with the new legislation, which may indicate that the changes in costs are minor. The costs of employing a full-time data protection officer on European level amount to 119 hours annually. The need for coordination of data protection activities on a European level and the associated costs must however be seen in connection with the size of the company. Hence, compared to the annual turnover of the company, the costs related to compliance with the national law implementing the Directive are regarded as minor, although they represent some of the highest costs found in the five case studies.

8.4.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy

The new legislation in Denmark is not perceived as having any significant additional requirements compared to the former legislation in the field of IT services.

8.4.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data

With the implementation of the Data Protection Directive in EU countries, a minimum level of protection is ensured. This has improved the movement of personal data within the EU. However, CSC expected that the Directive would improve the free movement of personal data more than it has done. As the headquarters of CSC are located in the USA, the transfer of data only inside Europe is not important to the organisation. The transfer of personal data to third countries has not been improved (Articles 25 and 26 of the Directive). There are national differences in the implementation which cause problems in relation to transfer to third countries. The national supervisory authorities apply the provisions on authorisation of data transfer and use of standard contractual clauses approved by the Commission differently. From the perspective of CSC this provision is applied in three different ways across the EU:

- Some countries do not comply with the Directive, as they do not require that standard contractual clauses are submitted to the supervisory authority.
- Some countries require that standard contractual clauses are submitted to the supervisory authority; however, there is no need for authorisation prior to the transfer.
- Some countries require that all transfers, including transfers which are party to the standard contractual clauses, are authorised prior to the beginning of the transfer.

The fact that some countries do not even require a notification of the transfer implies that these supervisory authorities are not aware of which transfers are taking place. Hence they are unable to fulfil their obligation of informing other agencies of authorisations granted (Article 26 (3) of the Directive). The Commission's First Report on the implementation of the Data Protection Directive (95/46/EC) supports this view. The report concludes that some Member States are not meeting the requirements of the Directive, as they are adopting either an overly lax or an overly strict attitude towards authorisation of transfers to third countries (First Report on the implementation of the Data Protection Directive (95/46/EC): 18f). Due to the different requirements for authorisation, some branches of CSC do not comply with the provisions of the Directive. Hence it is impossible within CSC to agree on a wording of the transfer agreement which is acceptable in all the concerned countries. Furthermore, the organisation changes continuously, with companies being bought and sold. Hence it is impossible to keep controller-to-controller agreements up to date. Thus CSC would prefer to use binding corporate rules, as outlined by the Article 29 Data Protection Working Party. In the opinion of CSC, it would be an advantage to distinguish between personal data which can be transferred without authorisation and personal data which can only be transferred with authorisation. The distinction could be between non-sensitive identification information (name, picture etc.) and sensitive personal information (skills, appraisals etc.).

8.4.9 General perception of the national data protection legislation

The Danish branch of the IT-service provider perceives the additional costs of complying with the present national data protection legislation to be negligible compared to the costs of complying with the previous legislation in the area. The deviation of the Danish national legislation from the Directive is minimal and does not have any impact on the administrative burdens caused by the legislation.

8.4.10

Impacts/problems to be solved The main problems identified are the rules regarding transfer of data to third countries and the deviations in the legislation and administration between the EU Member States. The differences in the national interpretation of the Directives article 26.2 and 26.3 have a significant impact on the administrative burdens caused by the data protection law. As described above, CSC Denmark finds that some branches of the company do not follow the EU Directive because the national Data Protection Agencies do not require transfers of data to be authorised to the same extent as the Danish supervisory authority. This causes a lot of internal discussion on how transfer agreements are to be framed.


8.5 Customs authorities

8.5.1 Sector profile

Customs authorities in Europe are responsible for the collection of revenue in the form of VAT, other taxes and excise duty. In some countries, the authorities are also responsible for preventing crime arising from illegal imports, smuggling and tax fraud. In several EU countries the definition of data subjects covers not only individuals but also single proprietor businesses (an unincorporated business owned by a single person, with no paid employees). This has wide implications for customs authorities, who process data on many such businesses.

As part of the study, customs authorities in Denmark and the United Kingdom have been interviewed. In Denmark the tax and customs authorities are gathered in one organisation employing 4,700 persons[8]. The administration is organised as one central administration and 8 regional offices (http://www.skat.dk/om_ministeriet/). In 2004 the budget for both tax and customs was 427 million euro (State budget, 2004). Due to the organisation of the authority, it is not possible to separate the expenses on tax and customs respectively. The interview focused on those customs-related activities which are affected by the data protection legislation. The interviewee is employed in the security section of the tax and customs authorities. He has been engaged in data protection issues since the previous legislation and handles all contact with the national supervisory authority.

In the United Kingdom, the customs authorities are organised as one central administration in London and 200 local offices. The total number of employees is 23,000. A department employing 10 persons is responsible for all issues related to information law, including data protection. Two persons working directly with data protection in the Information Law department of the English customs authorities participated in the interview.

8.5.2 Data collected

Customs authorities collect personal information on their own employees, on importers/exporters and on companies (for tax collection). Moreover, in some countries customs authorities collect information on illegal imports, smuggling and tax fraud. The table below summarises the data collected by customs authorities and the underlying purpose of collecting the data:

[8] No separate figures for customs are available.


Information collected | Data classes (examples) | Purpose
Personal information on employees | Personal details; employment details; education and training details; financial details | Staff administration and payroll
Personal information related to domestic transactions | Personal details; goods or services provided | Collection of tax
Personal information on importers and exporters | Personal details; goods or services provided | Collection of VAT, customs and excise
Personal information on suspects and defendants | Personal details; employment details; financial details; racial or ethnic origin; offences (including alleged offences); criminal proceedings, outcomes and sentences | Prevention of crime

It is noted that only the personal information collected on suspects and defendants is sensitive personal data.

8.5.3 Differences in national legislation

Customs authorities are part of the public administration, and the collection of personal data by customs authorities is required by law (except for data collected for certain parts of human resource management). Still, the collection of personal data by customs authorities is subject to data protection legislation. Thus customs authorities must comply with the general provisions on data security and on legitimate processing. In both Denmark and the United Kingdom customs authorities must notify the national data protection authority of their processing operations. However, there may be special provisions in the national data protection law regarding the public administration's processing of personal data, which are an effect of other laws. In both Denmark and the United Kingdom, transfers of personal data to third countries by customs authorities do not require an authorisation by the supervisory authority, as these transfers are required by law. This also applies to the obtaining of consent from data subjects. In Denmark, customs authorities are not required to inform data subjects of the processing of data obtained from other sources, e.g. shipping agents (section 29(2) of the national act). Additionally, being part of the public administration, customs authorities are subject to the specific rules on data security in the public sector laid down by the Danish act on processing of personal data.

8.5.4 Handling of data

Generally, customs authorities in all 25 EU countries are organised as one central administration with regional offices. The customs authorities in Denmark and the United Kingdom both handle the majority of the activities related to data protection in the central administration. In the United Kingdom the central function on information law, including data protection, handles the majority of the activities. For each of the four business areas in the administration (Business Services and Taxes, Law Enforcement, Logistics and Finance, and Information and e-services), a business information manager is appointed. Significantly, the customs authorities are not able to reduce the administrative consequences of the regulation by cutting back on activities, as the activities are required by law. Additionally, many of the activities related to data protection are perceived as part of normal business, in the sense that good data management practice is necessary in order to carry out the function of customs authorities. Depending on the organisation, customs authorities have several IT systems which are subject to the data protection law. Types of IT systems are:

o Human resource management
o Account system
o Different systems related to assessment, payment and collection of VAT, customs and excise
o Case management

8.5.5 Value chain perspective

In the case of the customs authorities, no significant variations in the distribution of responsibilities between the actors have been identified in Denmark and the United Kingdom. All collection and management of the data listed in the table above is done by the customs authorities themselves. There might, however, be some variation in how customs authorities obtain personal information. In some countries, import and export information is provided to the customs authorities by shipping agents or postal companies.

8.5.6 Quantitative impact

The respondents from the customs authorities did not perceive the administrative activities to have decreased following the introduction of the national legislation. Thus, this section outlines the increase in costs associated with handling the additional activities resulting from the national legislation implementing the Data Protection Directive. The one-off costs caused by the implementation of the Directive are outlined below in table 17. Internal costs are estimated in both man hours and euro, and external costs are estimated in euro.


Table 14: Estimation of the one-off costs of complying with the legislation (the first six months of implementation)

Additional activities related to the data protection law | UK internal (hours) | UK internal (euro) | UK external (euro) | DK internal (hours) | DK internal (euro) | DK external (euro)
Gather knowledge about the requirements of the legislation (read the act; identify requirements; assess how the legislation affects the organisation) | 8 hours | 253 euro* | 0 | 3.7 hours | 138 euro | 0
Initial investment in technology protecting personal data | 0 | 0 | 0 | 0 | 0 | 0
Adjustment of existing IT-systems | 0 | 0 | 0 | 0 | 0 | 0
Creation of organizational measures, e.g. recruitment of data protection officer | 0 | 0 | 0 | 0 | 0 | 0
Initial notification of authorities of existing processing operations (gather the information needed for the notification; fill in notification form; send notification to authorities; notification fee) | 8 hours | 253 euro | 50 euro** | 2 hours | 75 euro | 135 euro**
Initial application for processing operations requiring specific permission (sensitive data) | 0 | 0 | 0 | 0 | 0 | 0
Initial training of staff | 0 | 0 | 0 | 0 | 0 | 0
Other one-off costs | 0 | 0 | 0 | 0 | 0 | 0
Total one-off costs | 16 hours | 506 euro | 50 euro | 6 hours | 213 euro | 135 euro

*Man hours calculated in euro based on Eurostat labour cost figures for NACE G-K (services) 2002, as no separate figures for NACE L (public administration) are available. Overhead of 25% is included.
**Based on information from the national data protection authority on the amount of the notification fee.

The table above shows that in both Denmark and the United Kingdom the one-off costs of complying with the national legislation implementing the Data Protection Directive were distributed over two activities: gathering knowledge about the legislation and the initial notification of existing processing operations. None of the respondents experienced any one-off costs in relation to investment in technology or the creation of organisational measures. The total one-off costs were 16 hours and 50 euro in the United Kingdom and 6 hours and 135 euro in Denmark. In Denmark, the time spent on the initial notification of authorities of existing processing operations was limited because all information needed for the notification was available from the registrations required by the previous legislation. In the United Kingdom, the costs of reading the act and identifying the requirements were low because the customs authorities received thorough information and guidance on the legislation from the relevant public authorities. The low level of costs reflects the fact that in both Denmark and the United Kingdom the previous national legislation was quite similar to the national legislation implementing the Directive. Thus adequate safeguards were already in place under the previous legislation. The running costs caused by the implementation of the Directive are outlined below in table 18. Internal costs are estimated in both man hours and euro, and external costs are estimated in euro.


Table 15: Estimation of the additional average yearly running costs of complying with the legislation (after the first six months)

Additional activities related to the data protection law | UK internal (hours) | UK internal (euro) | UK external (euro) | DK internal (hours) | DK internal (euro) | DK external (euro)
Notification of authorities of processing operations (renew notification annually; notify changes to processing operations; notification fee) | 4 hours | 126 euro* | 50 euro** | 0 | 0 | 0
Application for processing operations (sensitive data) | 0 | 0 | 0 | 0 | 0 | 0
Authorisation and notification of transfer to third country | 0 | 0 | 0 | 0 | 0 | 0
Handling access requests (handle access requests by data subjects) | 148 hours*** | 4,671 euro | 0 | 0 | 0 | 0
Handling rectification, erasure and blocking based on complaints from data subjects | -**** | 0 | 0 | 0 | 0 | 0
Providing information to data subjects (internal and external) | -***** | 0 | 0 | 0 | 0 | 0
Information to data subjects regarding data obtained by other sources | -***** | 0 | 0 | 0 | 0 | 0
Obtaining consent to processing | 0 | 0 | 0 | 0 | 0 | 0
Permission to transfer data to third countries | 0 | 0 | 0 | 0 | 0 | 0
Check mailing preference services before using direct marketing | n/a | n/a | n/a | n/a | n/a | n/a
Manage a register of processing operations | 0 | 0 | 0 | 0 | 0 | 0
Maintenance and adjustment of data protection technology | 0 | 0 | 0 | 0 | 0 | 0
Dissemination of information on the legislation to internal staff (disseminate knowledge on the legislation; inform staff via internet, staff magazines etc.) | 48 hours | 1,515 euro | 0 | 14.8 hours | 550 euro | 0
Training of staff (on average 1 employee attends a course on data protection a year) | 0 | 0 | 4,300 euro | 0 | 0 | 0
Other running costs | 0 | 0 | 0 | 0 | 0 | 0
Total yearly running costs | 200 hours | 6,312 euro | 4,350 euro | 14.8 hours | 550 euro | 0

*Man hours calculated in euro based on Eurostat labour cost figures for NACE G-K (services) 2002, as no separate figures for NACE L (public administration) are available. Overhead of 25% is included.
**Based on information from the national data protection authority on the amount of the notification fee.
***148 access requests were handled last year. 68 of these were from staff members.
****Not able to estimate costs: has had 1 case last year.
*****Perceived as part of the handling of access requests.


The table above shows that in Denmark and the United Kingdom the additional running costs of complying with the national legislation implementing the Data Protection Directive include the following activities: notification of authorities, handling of access requests, dissemination of information, and training of internal staff. Notification of authorities is estimated at 4 hours per year in the United Kingdom, corresponding to a working day. The running costs related to notification arise because the English legislation requires an annual renewal of the notification, whereas the Danish act does not require renewal of an existing notification unless new kinds of processing take place. In the United Kingdom, the customs authorities handled 148 requests last year with an estimated handling cost of 1 hour each, which represented a total of 148 hours per year. 68 of these access requests were from staff members. No data subjects requested access to personal information processed by the Danish customs authority in 2004. The Eurobarometer survey on data protection from 2003 shows that only 2% of the respondents received between 101 and 500 requests for access, whereas the majority of the respondents (72%) had never received an access request or had received fewer than 10 (Flash Eurobarometer no. 147: 46). Hence the English customs authorities experience significantly more access requests than the majority of European data controllers. Dissemination of knowledge about the Data Protection Directive to internal staff was estimated at 48 hours in the United Kingdom (½ day per month) and 15 hours in Denmark (2 working days a year). Additionally, H.M. Customs and Excise have a yearly cost of approximately 4,300 euro for external training courses. The running costs related to dissemination of information and training of staff are significantly higher for the English customs authorities. However, the size and organisation of the administration explain the difference. The English customs authorities employ about 5 times as many employees as the Danish administration, so information needs to be disseminated to more people. Furthermore, a department in the English customs authorities is devoted entirely to activities related to information law, including data protection. Thus more people work directly with data protection and need training in the field. The total additional average yearly running costs of complying with the legislation (after the first six months) are 200 hours in the United Kingdom and nearly 15 hours in Denmark. Considering that there is only one customs authority per Member State, the total costs in the EU in this sector are regarded as very small.

8.5.7 Assessment of the relevance and effectiveness of achieving the objectives of increased privacy

In the United Kingdom, the customs authorities find that the individual's right to privacy is better safeguarded with the new legislation implementing the Directive because the act covers processing of personal data in manual registers. Moreover, conditions for processing abroad have been introduced. The improvement is perceived to have been achieved at a reasonable cost. The Danish customs authorities do not find that the level of protection of privacy in Denmark has been improved, as the previous legislation also provided a high level of protection. However, the harmonisation of the level of protection across the EEA is perceived to be an improvement of the individual's privacy.

8.5.8 Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data

The harmonisation of the level of protection across the EEA is also emphasised by the English customs authorities as an element improving the free movement of personal data. This improvement has been achieved at a reasonable cost. From the perspective of the Danish customs authorities, the transfer of data which is part of the exercise of authority has not been improved. As regards data processing in third countries, this has not yet been an issue for the Danish customs authorities.


8.5.9 General perception of the national data protection legislation

Both the Danish and the English customs authorities perceive the additional costs of complying with the present national data protection legislation to be negligible compared to the costs of complying with the previous legislation in the area. This is due to the fact that the previous legislation in the area of data protection in both countries was quite similar to the current legislation[9]. Thus the majority of the activities required by the legislation implementing the Data Protection Directive were already carried out, and the organisational and technological safeguards were already in place. The national deviations from the Data Protection Directive are not perceived to affect the English customs authorities. In Denmark the specific security regulations for the public administration do not cause additional costs for the customs authorities, as these regulations were present in the previous legislation. Thus the customs authorities already complied with them before the implementation of the Directive into national law.

8.5.10 Impacts/problems to be solved

None.

[9] This is confirmed by the interviews with the Danish Data Protection Agency and the English Information Commissioner.


9. Conclusion

Based on the case studies of the five sectors and the interviews with the supervisory authorities, the conclusion below summarises the findings of the country and sector analyses and the answers to the five evaluation questions.

The case studies show that the costs of compliance with the national legislation implementing the Directive are limited for the sectors examined. Most companies, except the multinational companies (CSC and Benetton Italy) and large public institutions (customs authorities), experience modest costs. In addition, the costs for multinational companies and large public administrations are minor relative to the size and turnover of these organisations. The interviews with the national supervisory authorities showed that some additional requirements have been introduced by the national legislations, mainly with the objective of maintaining the level of protection offered by the previous national legislation in the area and of increasing the safeguarding of the individual's right to privacy.

Due to the limited compliance costs, it is difficult to identify any significant correlation between the costs of complying and differences in implementation. Hence the country and sector analysis identified only one deviation from the Directive which clearly has consequences for the costs imposed on data controllers, i.e. the requirement for annual notification in the United Kingdom, including an annual fee. The organisational measure of appointing a data protection officer was found neither to increase nor to decrease the costs for data controllers. Furthermore, the country and sector analysis found that divergences in implementation which do not impose extra costs on data controllers operating on a solely national basis might impose extra costs on multinational data controllers.

Hence the following answers to the five evaluation questions can be outlined:

Evaluation question 1: Does the national implementing legislation meet the requirements of the Directive in the most economic way?

The analysis shows that the Directive has largely been implemented into national law in the most cost-effective way. However, a number of areas have been identified in which simplifications or harmonisations are possible in order to increase the cost-effectiveness of the national implementations of the Directive. This concerns, for instance, the notification obligation (article 18), including possible notification fees, and the provisions on transfer of personal data to third countries (articles 25-26), both of which are implemented differently across Member States. The failure of some countries to make use of the exemptions and simplifications provided for in the Directive causes unnecessary additional costs for data controllers. Furthermore, the national divergences in notification requirements and in the authorisation of transfers to third countries impose unnecessary costs on multinational companies operating in several Member States.

Evaluation question 2: If not, what are the alternative means of complying with the minimum requirements of the Directive in a most cost-effective way?

A number of simplifications and harmonisations can be undertaken in order to make the implementation of the Directive more cost-effective:

o Harmonise notification requirements and case handling in the Member States.
o Make use of the possibility to exempt processing operations from notification, including the possibility to appoint a data protection officer, without jeopardising the protection of the individual's right to privacy.


o Limit the notification requirement to new processing operations instead of requiring an annual renewal of all notifications. This would also remove possible costs related to annual renewal fees.
o Facilitate the transfer of personal data to third countries for multinational companies operating in several Member States by harmonising the rules on transfer of data to third countries. This could include the adoption of binding corporate rules and a wider choice of standard contractual clauses (First Report on the Implementation of the Data Protection Directive (95/46/EC), 25).

Evaluation question 3: From the reactions of the data controllers interviewed, can we assess that the objectives of the Directive have been achieved at a reasonable cost and are still relevant?

The Directive has fulfilled its twofold objective of removing barriers to the free movement of personal data between Member States while at the same time ensuring a high level of protection of the individual's fundamental right to privacy (First Report on the Implementation of the Data Protection Directive (95/46/EC), 10). The case studies show that the Directive has been implemented with modest costs for firms in all the sectors included in the study, indicating that the objectives have been achieved at a reasonable cost. However, national differences in the implementation impose some unnecessary costs on data controllers, and multinational companies operating in several Member States experience additional costs due to the lack of harmonisation of the implementation of the Directive in the Member States.

Evaluation question 4: What is their general perception with regard to the national Data Protection Law?

The data controllers interviewed largely perceive the respective national Data Protection Laws to be reasonable and relevant, and the majority think that they would carry out similar safeguard measures in the absence of the Directive. Furthermore, the data controllers interviewed find the extra costs of complying with the national Data Protection Law to be negligible compared to the costs of complying with the previous legislation. This even applies to the Italian data controllers, even though Italy did not have any similar legislation in the area of data protection prior to the implementation of the Directive. Data controllers operating across national borders call for further harmonisation in the EU of the rules regarding notification and transfer of data to third countries.

Evaluation question 5: Do the impacts achieved by the Directive correspond to the needs identified and the problems to be solved?

The impacts achieved by the Directive for the most part correspond to the needs identified and the problems to be solved, when looking at the five sectors and five countries in the evaluation. However, further harmonisation in some areas will enhance the positive impact of the Directive. The most important achievement is that all Member States have now introduced a minimum level of security, and that the movement of data within the EU is facilitated by the fact that all Member States now by definition ensure an adequate level of protection.


Annex I: List of respondents


The tables below outline the companies and organisations which were interviewed as part of the study.

9.1 National supervisory authorities

Country | Company | Respondent
Denmark | The Danish Data Protection Agency, www.datatilsynet.dk | Mrs. Lene Andersen, Head of department
France | Commission Nationale de l'informatique et des libertés (CNIL), www.cnil.fr | Mr. Christophe Pallez, Secretary General of CNIL; Mrs. Marie Georges, in charge of European and international affairs
Germany | Ministry of the Interior, Bavaria, www.bfd.bund.de, www.datenschutz-bayern.de | Mr. Christian Peter Wilde
Italy | Garante per la protezione dei dati personali, www.garanteprivacy.it | Mrs. Vanna Palumbo, Head of the International and Community Matters department
The United Kingdom | The Information Commissioner, www.informationcommissioner.gov.uk | Mr. Richard Thomas, Information Commissioner

9.2 Pharmacies

Country | Company | Respondent
Germany | Vita Pharmacy, Hamburg | Mrs. Raddatz, Vice Managing Director
France | Pharmacy, La Celle Saint Cloud (suburbs of Paris) | Mrs. Chabrier, Manager
The United Kingdom | D Parry Pharmacy, London | Mr. Paresh Modasia, Owner of the Pharmacy

9.3 Retail sector

Country | Company | Respondent
Italy | Benetton Group spa | Mr. Umberto Dardi, Director for Institutional and Industrial Relations
France | Benetton Sarl | Mr. Massimo Genata, Human resources Manager
Germany | Adler | Mr. Leitz, responsible for data protection


9.4 NGOs

Country | Company | Respondent
France | Amnesty International France | Mrs. Thirion, Deputy director
Germany | Amnesty International Germany, Bonn | Mr. Diesem, responsible for data protection

9.5 IT service provider

Country | Company | Respondents
Denmark | CSC Denmark, Copenhagen | Mr. Niels Skovbjerg, Manager Security and IT Audit; Mr. Carsten Penter, Security Consultant

9.6 Customs authorities

Country | Company | Respondent
The United Kingdom | HM Customs and Excise, London | Mr. Mick Davidge, Information Law department; Mr. Nick Milcoy, Information Law department
Denmark | Tax and Customs authorities, Copenhagen | Mr. Henning Robdrup, Security section


Annex II: References


Article 29 Working Party (2005): Report on the obligation to notify the national supervisory authorities, the best use of exceptions and simplifications and the role of the data protection officers in the European Union
European Commission (2002a): Consultation of Data Protection Authorities
European Commission (2002b): Consultation of Member States
European Commission (2002c): Online consultation. Questionnaire for data controllers on the implementation of the Data Protection Directive (95/46/EC)
European Commission (2003a): Report from the Commission. First report on the implementation of the Data Protection Directive (95/46/EC)
European Commission (2003b): Analysis and impact study on the implementation of Directive EC 95/45 in Member States
Flash Eurobarometer no 147 (2003): Data protection in the European Union
IBM and Ponemon Institute (2004): The Cost of Privacy Study
Ministry of Finance/Legislative Burden Department (2003): Focus on administrative burdens: Guide for defining and quantifying administrative burdens for business
Masons Study (1998): Handbook on Cost Effective Compliance with the directive 95/46/EC
Special Eurobarometer no 196 (2003): Data protection


Annex III: Interview guides


Two interview guides were used for the case studies:

Interview guide 1: Data Protection Authorities
o Legislation in the area of Data Protection
o Transposition of the Directive
o The Data Protection Directive compared to the national legal framework

These questions were answered by officials knowledgeable about the policy domain of Data Protection in general, today and historically (e.g. Head of Department or legal experts).

Interview guide 2: Data controllers
o Company/institution details
o Handling of activities
o Internal and external costs of handling activities
o Assessment of the effectiveness of the Data Protection Directive

These questions were answered by employees with knowledge about compliance with the Data Protection Directive (e.g. data protection officers, chief accountants, legal experts etc.).

Interview guide 1 - Authorities

1. How would you describe the national legislation within the area of data protection policy in your country before the transposition of the EC Data Protection Directive?
2. Please describe the differences introduced through the implementation of the Data Protection Directive compared to the previous national legislation.
3. Has your country imposed legal requirements on businesses regarding data protection which go beyond what is stipulated in the Directive? Please outline such legal requirements:__________________
4. What was the rationale for implementing additional requirements?
5. Do these additional requirements have any impact on the level of protection offered? Please elaborate:___________
6. Do these additional requirements have any impact on the administrative burdens caused by the Data Protection law? Please describe:___________
7. Under which circumstances are data controllers exempt from notification? Please list exemptions.
8. Please describe how the implementation and enforcement of the Data Protection Directive is organised (e.g. board, line of command, secretariat, regional/local offices, help desk).
9. Have some of the enforcement tasks been outsourced? If yes, please detail.
10. Does other (neighbouring) EC legislation in the area of data protection impose costs on the data protection agency or data controllers?


If the agency has other tasks which are not related to the Data Protection Directive, the following questions concern only those parts of the agency's activities that deal with the Data Protection Directive.

11. What is the overall budget allocated to the agency (including outsourcing)?
12. How many permanent staff members are employed by the agency?
13. Has the agency employed additional staff and resources to guarantee implementation and enforcement of the directive? If yes, how many staff members and which resources?
14. What kind of tasks and functions are carried out by the agency? Please estimate the percentage of the overall costs allocated to each of the agency's tasks.
o Advice to public authorities and private enterprises on the interpretation of data protection law
o Handling of notifications and applications
o Handling of complaints
o Inspections
o Support to new regulation and law-making
o Inspection of international information systems
o Participation in international co-operation
o Other tasks
15. What kind of indicators do you use to measure:
a. The performance of the agency?
b. Compliance with the directive?
c. Enforcement of the directive?
16. If the following indicators are measured, please indicate the number:
o Yearly number of notifications by data controllers since the directive was implemented
o Yearly number of applications since the directive was implemented
o Average (calendar) time for handling an application
o Yearly number of inspections since the directive was implemented
o Yearly number of penalties
17. Are any of the following on-line services provided by the agency (if yes, please state percentage of use)?
a. On-line request for information
b. On-line registration for news
c. On-line registration of notification
d. On-line applications
e. Other online services:________
18. Are some of the requirements in the directive causing particular problems for 1) the supervisory authority? 2) the data controllers? Which requirements are those?

Assessment of the relevance and effectiveness of achieving the objectives of increased protection of privacy:

19. Is the individual's right to privacy better safeguarded by the present regulation?
20. If better safeguarded: Which elements in the new regulation have caused the improvement?

21. If better safeguarded: Has this improvement been achieved at reasonable costs?

22. If no: Could the same improvement have been achieved by other, less costly measures? Which measures?

23. If not better safeguarded: Why hasn't the safeguarding of privacy been improved?

Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data:

24. Was the movement of personal data between Member States of the EU a problem before the present regulation was implemented?

25. If so: Has the present regulation improved the free movement of personal data?

26. If improved free movement of personal data: Which elements in the new regulation have caused the improvement?

27. If improved free movement of personal data: Has this improvement been achieved at reasonable costs?

28. If no: Could the same improvement have been achieved by other, less costly measures? Which measures?

29. If no improvement in free movement of personal data: Why hasn't the free movement of personal data been improved?

Questions concerning the five sectors included in the study:

30. Are enterprises within the health sector (pharmacies) facing any special problems / challenges in relation to the Data Protection Directive?

31. Please describe the responsibilities of data controllers in the health sector (pharmacies).

32. Are enterprises within the retail sector facing any special problems / challenges in relation to the Data Protection Directive?

33. Please describe the responsibilities of data controllers in the retail sector.

34. Are enterprises within the NGO sector facing any special problems / challenges in relation to the Data Protection Directive?

35. Please describe the responsibilities of data controllers in the NGO sector.

36. Are enterprises within the IT service sector facing any special problems / challenges in relation to the Data Protection Directive?

37. Please describe the responsibilities of data controllers in the IT service sector.

38. Are enterprises within the public sector (customs authorities) facing any special problems / challenges in relation to the Data Protection Directive?

39. Please describe the responsibilities of data controllers in the public sector (customs authorities).
Interview guide 2: Data controllers (companies or organisations)

Company/organisation details:

1. How many people are currently employed in the company / organisation?

If company:

2. What was the company's last annual turnover (approximately)?

3. Is the company part of a holding or a multiple-site business?

Handling of activities:

4. Please describe the consequences for your company of the national legislation implementing the Data Protection Directive compared to the previous national legislation.

5. How many IT systems in the company/organisation are subject to the national legislation implementing the Data Protection Directive? Please detail each of them.

6. Has the company/organisation chosen to cut back on any activities in order to comply with the national legislation implementing the Data Protection Directive?

7. Where are the activities related to the requirements of the national legislation implementing the Data Protection Directive handled?
a. Activities are handled by the company/organisation at this location
b. Activities are handled at another location (if holding or multiple-site business)
c. Activities are outsourced to external parties (please state which: ________)
d. Activities are performed by other organisations/institutions (please state which: ________)
Costs of handling additional activities resulting from the national legislation implementing the Data Protection Directive:

8. Please estimate the one-off costs of complying with the legislation (the first six months of implementation). For each activity below, state the internal cost (no. of man-hours), the external cost (euro) and any comment:
- Gather knowledge about the requirements of the legislation
- Initial investment in technology protecting personal data
- Adjustment of existing IT systems
- Creation of organisational measures, e.g. recruitment of a data protection officer
- Initial notification of authorities of existing processing operations
- Initial application for processing operations requiring specific permission (sensitive data)
- Initial training of staff
- Other one-off costs (please state type):

Please state any comments regarding the figures above on one-off costs:
9. Please estimate the additional average yearly running costs of complying with the legislation (after the first six months). For each activity below, state the internal cost (no. of man-hours per year), the external cost (euro per year) and any comment:
- Notification of authorities of processing operations
- Application for processing operations requiring specific permission (sensitive data)
- Authorisation and notification of transfer to third countries
- Handling access requests
- Handling rectification, erasure and blocking based on complaints from data subjects
- Providing information to data subjects
- Information to data subjects regarding data obtained from other sources
- Obtaining consent to processing
- Permission to transfer data to third countries
- Checking mailing preference services before using direct marketing
- Managing a register of processing operations
- Maintenance and adjustment of data protection technology
- Dissemination of information
- Training of staff
- Other running costs (please state type):

Please state any comments regarding the figures above on running costs:

If possible: Please state the average cost, including overhead, of internal man-hours (in euro):

10. Have any activities decreased compared with the situation before the national legislation implementing the Data Protection Directive was introduced? If yes, please estimate the costs for each activity.

11. Please indicate to what extent the company would carry out any of the activities in the absence of regulation (see the above table of activities).
12. In general, how do you find the investment costs of complying with the national legislation implementing the Data Protection Directive compared to the costs of complying with the previous (national) requirements?

Assessment of the relevance and effectiveness of achieving the objectives of increased protection of privacy:

13. Is the individual's right to privacy better safeguarded by the present legislation than by the previous legislation?

14. If better safeguarded: Which elements in the new legislation have caused the improvement?

15. If better safeguarded: Has this improvement been achieved at reasonable costs?

16. If no: Could the same improvement have been achieved by other, less costly measures? Which measures?

17. If not better safeguarded: Why hasn't the safeguarding of privacy been improved?

Assessment of the relevance and effectiveness of achieving the objectives of improved free movement of personal data:

18. Has the free movement of personal data been improved with the present legislation?

19. If improved free movement of personal data: Which elements in the new legislation have caused the improvement?

20. If improved free movement of personal data: Has this improvement been achieved at reasonable costs?

21. If no: Could the same improvement have been achieved by other, less costly measures? Which measures?

22. If no improvement in free movement of personal data: Why hasn't the free movement of personal data been improved?

Assessment of the national legislation implementing the Data Protection Directive:

The Data Protection law in [Member State] differs from the minimum requirements in relation to (list of differences based on the interview with the supervisory authority).

23. Do these deviations have any impact on the level of protection offered by the new national legislation? If yes, please describe:

24. Do these deviations have any impact on the administrative burdens caused by the national legislation? If yes, please describe: