In what will be one of his final acts in the role, the current Information Commissioner Richard Thomas last week called for the EU data protection directive to be updated for the 21st century.
Thomas believes massive technological advances, global trade and the need for personal information to cross international borders all mean the law has to evolve.
Last year, Thomas commissioned the think-tank Rand to review European data protection law. It concluded that the current law has a number of shortcomings that need to be addressed urgently.
The launch of the review – and comments Thomas made at the time – caused some consternation in EU data protection circles and prompted the European Commission to order its own study. That review called for the current directive to be modified if need be rather than scrapped.
The Rand review was more forceful in its recommendations, though it stopped short of calling for the directive to be scrapped.
Publishing the review, Thomas said: “The directive is showing its age. Modern approaches to regulation mean that laws must concentrate on the real risks that people face in the modern world; must avoid unnecessary burdens; and must work well in practice.”
Thomas is keen to point out that the study is not a blueprint for a new directive, but that it should act as a basis for stimulating debate. A number of the review’s criticisms of the directive look at how it is unnecessarily preventing the free flow of information. The report found that the directive regulates data processing even when it has no noticeable impact on people’s privacy.
And a requirement to let data subjects know what is happening to their information is overly prescriptive and requires data controllers to actively get in touch with data subjects rather than being able to post the information on a web site.
The report also says that a requirement in the directive to prevent the flow of information to countries where data protection is not as effective is outdated and overly restrictive in an era of increasing globalisation.
“For multinational organisations operating across boundaries but applying the same high standards of data protection across all geographical divisions, this mechanism made no sense and was seen as contrary to harmonisation and global trade,” it says.
Some efforts have been made to improve this situation. Accenture recently gained approval to use mechanisms known as binding corporate rules (BCRs), which allow it to assume direct responsibility for information across 20 different countries. But BCRs can only be used on uniform data.
Overall, the current data protection directive makes certain assumptions about information flow that are no longer relevant in a global marketplace, said Bridget Treacy, partner at international law firm Hunton & Williams.
“The directive assumes that information travels from A to B to C. But with cloud computing, it is much harder to know where information is and who is controlling it, and the review makes an attempt to address this problem,” she said.
The report points out that technology will always be ahead of lawmakers and that requiring firms to take more responsibility as data controllers rather than proposing an outdated geographic approach could be helpful.
David Roberts, executive director of blue-chip IT user group the Corporate IT Forum, agreed and said many of its members have already been doing this.
Organisations generally have been investing heavily in technical, policy and process implementation to ensure security and confidentiality of customer information, he said.
“Data protection will become more effective when the next generation of processes and tools are developed,” he added.
Strengths and weaknesses of the data protection directive
Strengths
- The directive serves as a reference model for good practice.
- It harmonises data protection principles and to a certain extent enables an internal market for personal data.
- A principles-based framework permits flexibility.
- The directive is technology neutral.
- Generally, it has improved awareness of data protection concerns.
Weaknesses
- The link between the concept of personal data and real privacy risks is inherently unclear.
- The measures aimed at providing transparency of data processing through better data and notification are inconsistent and ineffective.
- Rules on data export and transfer to third countries are outmoded.
- Tools providing for transfer of data to third countries are cumbersome.
- The role of data protection authorities in accountability and enforcement is inconsistent.
- Definitions of the entities involved in processing and managing personal data are simplistic and static.