The European Union adopted its “data protection directive” (directive 95/46) on October 24, 1995. This directive provides a harmonised level of protection between the EU member states, thus ensuring that personal data may freely flow within the Union since the same rights and guarantees in terms of data protection and individual liberties are recognised to all EU citizens, in whatever EU member state they reside.
These independent authorities meet in Brussels on a regular basis, to harmonise their practices and offer common guidance, within a body that issues working papers or opinions to the European Commission and publishes an annual activity report. That body, which does not represent governments but their “CNILs”, is referred to as the “Article 29 Working Party”, by reference to Art.29 of the European directive that instituted this group.
Other European countries that are not Union members have passed similar laws : e.g. Switzerland, Monaco, Bulgaria, Croatia and Romania.)
Outside Europe, various countries such as Australia, New Zealand, Argentina, Burkina Faso and South Korea also have legislation and an independent supervisory authority. Other states have chosen to pass legislation limited to the public sector, or to some activities in the private sector, without setting up an independent supervisory authority : judiciary courts are then responsible for sanctioning any breach of rights. Such is the case in the United States, Japan, Paraguay, Taiwan and Thailand.
The principle of adequate protection does not ban international data exchanges, but subjects them to Europe’s commercial or political partners’ acknowledgement of minimum guarantees resulting from third countries passing specific legislation in that area, or guarantees recognised by an agreement between the data exporter and the data importer, or by corporate rules implemented within company groups : right of access and rectification, data confidentiality, prohibition to use data for other purposes or a different purpose than the initial purpose of the transfer, designation of a representative for European data protection authorities, prohibition of transfers for advertising or commercial purposes without informing the individuals concerned, who have a right to object thereto.
In Southern countries, including in South America and Africa, state consolidation, security, credit development and the prevention of epidemics have led to sensitive files being created. The CNIL co-operates with countries which want to implement privacy and data protection laws.
At a time when a growing amount of information exchanges takes place on the Internet, directive 95/46 imposes the rule that the principle according to which personal data could not be transferred or assigned outside the European Union if the recipient company or country of destination does not offer an “adequate” level of protection.