Need for a harmonised approach & the Data Protection Directive
Leaving implementation of Convention 108 and the OECD Guidelines to member states produced a diverse, fragmented set of regimes, threatening both fundamental rights and the internal market. The result was (the Data Protection Directive), which used Convention 108 as its benchmark, covered both automated and manual data and both public and private sectors. Because a directive leaves choice of form and method to states, differences in implementation persisted.
Convention 108 and the Guidelines aimed for harmonisation through principles with implementation left to states. In practice this produced a diverse set of regimes, risking fundamental rights and impeding free trade under the Treaty of Rome. The European Parliament had called for a harmonising directive as early as 1976.
The result was , the Data Protection Directive. It used Convention 108 as a benchmark, then went wider - covering both automated and nonautomated (manual) data and both the public and private sectors - to give a high level of equivalent protection, consistent with Articles 8 and 10 of the ECHR.
A directive is binding as to the result but leaves the choice of form and methods to national authorities. So even correct implementation, within the allowed margin, produced inconsistencies - e.g. wildly differing DPA notification requirements created bureaucracy and cost. The Commission's first report (2003) confirmed this problem.
Charter of Fundamental Rights: proclaimed 7 December 2000 in Nice, it consolidated EU fundamental rights. Charter Articles 7 and 11 mirror ECHR Articles 8 and 10, and Charter Article 8 deals specifically with data protection: processing must be fair, for specified purposes, on a legitimate basis (consent or other basis in law), with rights of access and rectification and control by an independent authority. The Charter gained binding legal effect in December 2009 via the Lisbon Treaty; limitations must comply with Charter Article 52.