The ICO commissioned RAND Europe to investigate whether or not
1995's EU Data Protection Directive was a good basis for
Europe-wide data protection law. The research concluded that the
law was flawed and needed to be updated.
It found that the law must be clearer about what it seeks to
achieve, that it should be better at forcing organisations to
protect personal data in their charge, that it should encourage a
more strategic approach to enforcement and that it does not deal
well enough with the export of personal data outside the EU.
Thomas said that the Directive, on which the UK's Data
Protection Act is based, is outmoded. "The Directive is showing its
age. Modern approaches to regulation mean that laws must
concentrate on the real risks that people face in the modern world,
must avoid unnecessary burdens, and must work well in practice," he
said. "Organisations must embed privacy by design and data
protection must become a top level corporate governance issue."
RAND said that the Directive would be improved by changing its
fundamental approach to ensuring data privacy. It said that the law
should focus on the protection of individuals and the security of
their data, rather than on the processes that lead to that
protection.
"The stronger, results oriented approach described in this
report aims to protect data subjects against personal harm
resulting from the unlawful processing of any data, rather than
making personal data the building block of data protection
regulations," said the report. "It would move away from a
regulatory framework that measures the adequacy of data processing
by measuring compliance with certain formalities, towards a
framework that instead requires certain fundamental principles to
be respected, and has the ability, legal authority and conviction
to impose harsh sanctions when these principles are violated."
The report emphasised that a law alone will not properly protect
personal data, and that the behaviour of national regulators is
crucial.
"The success or failure of privacy and data protection is not
governed by the text of legislation, but rather by the actions of
those called upon to enforce the law," it said. "It cannot be
stressed enough that supervisory authorities must be given an
appropriate level of responsibility for this arrangement to
work."
Thomas said that the way that regulators operate is changing as
people and organisations become more aware of the dangers of poor
data security.
"21st century themes for regulating the privacy and integrity of
personal information involve greater emphasis on trust, confidence,
and transparency," he said. "Safeguarding personal information has
become a major reputational issue for businesses and governments.
They must be held accountable if things go wrong."
William Malcolm, a data protection law specialist at Pinsent
Masons, the law firm behind OUT-LAW.COM, said that the analysis of
the nature of the Directive was accurate.
"Both the Directive and the UK legislation deriving from it have
always been mechanistic, rules-based and prescriptive; given the
changing world in which we live, legislation which takes a more
rights-based approach would be of benefit to organisations and
individuals alike," he said.
The report made nine recommendations, including that the terms
associated with data protection law, such as privacy by design, be
clarified, and that enforcement methods be more closely
harmonised.
Malcolm said that this is an appropriate time to be thinking
about revising the EU law. "In 2010 we're coming upon the 15 year
anniversary of the Directive. It would seem a fitting time to
reflect on both the strengths and weaknesses and to ensure that the
measures are delivering for individuals, businesses and
organisations," he said.