Implementing the European Union Data Protection Directive 1995 in UK law: The Data Protection Act 1998

The issue of personal data protection has grown in importance with the ever more ubiquitous role of the computer in modern society. While the unfettered collection and use of manually stored personal data by government and commercial organizations also held risks for the privacy of the individual, the use of computerized records allows the creation, combination, and analysis of personal data in ways that would previously have been uneconomical or simply unfeasible. Thus, the informational privacy of the individual is at risk more than ever before, and the potential consequences of abuse of that privacy have become ever more critical. The national data protection laws of the 1970s and 1980s have proven inadequate to deal with the challenges posed by technological developments in the 1990s, and, with the increasing globalization of commerce, there is increasing need for an international consensus on future approaches. The European Union (EU) has taken a proactive regulatory approach with strict rules on the collection, use, and transfer of personal data enshrined in the Data protection Directive. Member States of the EU had to implement the Directive by October 1998, and the UK has implemented it with a root and branch overhaul of its existing data protection legislation, in the form of the Data Protection Act 1998. The Data Protection Directive has a strong extra-territorial element, however, and has not been met with unanimous support outside the EU. A particular opponent has been the United States, which, while willing to impose legal constraints on the use of personal data by government, is currently disinclined to impose similar restrictions on U.S. commercial interests. The personal data privacy approaches of the EU, UK, and United States all demonstrate different priorities and influences, which suggest that true consensus may still be some way off.