The Data Protection Directive, the European Union’s statement of principles upon which the UK’s data protection laws are based, is out of date, according to a new report commissioned by the Information Commissioner’s Office.
The report, coordinated by policy think tank RAND Europe, acknowledged that the Directive has successfully fostered consensus among European countries on how personal data must be treated.
But the Directive, which was written in 1995, fails to address the practical concerns of the day, the report said, and the way it defines the various parties involved in data transfer is outmoded.
“As we move toward a globally networked society, the Directive as it stands will not suffice in the long term,” the report reads. “While the widely applauded principles of the Directive will remain as a useful front-end, they will need to be supported by a harms-based back-end in order to cope with the growing challenge of globalisation and international data flows.”
It added that the Directive’s recommendations fail to address the risks facing private individuals, and are often found to be overly “prescriptive and burdensome”.
Information Commissioner Richard Thomas called for a reassessment of the Directive. “We are hoping that [this report] will stimulate debate and encourage people to think about what 21st century data protection law should look like,” he said in a statement.
He added that the weakness of the Data Protection Directive meant that organisations must pay greater attention to privacy and data protection. “Organisations must embed privacy by design and data protection must become a top-level corporate governance issue,” he said.
Thomas’s comments imply that the responsibility for improving data protection regulation lies with Europe. However, another report published earlier this year found that many UK government databases contravene European human rights regulation.
One of the Database State report’s criticisms was that the Information Commissioner’s role was limited to upholding the Data Protection Act. This, the report said, is by itself insufficient to protect the rights of individuals.