21 May 2009
In what will be one of his final acts in the role, the current Information Commissioner Richard Thomas last week called for the EU data protection directive to be updated for the 21st century.
Thomas believes massive technological advances, global trade and the need for personal information to cross international borders all mean the law has to evolve.
Last year, Thomas commissioned the think-tank Rand to review European data protection law. Its findings concluded the current law has a number of shortcomings that need to be addressed urgently.
The launch of the review – and comments Thomas made at the time – caused some consternation in EU data protection circles and prompted the European Commission to order its own study. That review called for the current directive to be modified if need be rather than scrapped.
The Rand review was more forceful in its recommendations, though it stopped short of calling for the directive to be scrapped.
Publishing the review, Thomas said: “The directive is showing its age. Modern approaches to regulation mean that laws must concentrate on the real risks that people face in the modern world; must avoid unnecessary burdens; and must work well in practice.”
Thomas is keen to point out that the study is not a blueprint for a new directive, but that it should act as a basis for stimulating debate. A number of the review’s criticisms of the directive look at how it is unnecessarily preventing the free flow of information. The report found that the directive regulates data processing even when it has no noticeable impact on people’s privacy.
And a requirement to let data subjects know what is happening to their information is overly prescriptive and requires data controllers to actively get in touch with data subjects rather than being able to post the information on a web site.
The report also says that a requirement in the directive to prevent the flow of information to countries where data protection is not as effective is outdated and overly restrictive in an era of increasing globalisation.
“For multinational organisations operating across boundaries but applying the same high standards of data protection across all geographical divisions, this mechanism made no sense and was seen as contrary to harmonisation and global trade,” it says.
Some efforts have been made to improve this situation. Accenture recently gained approval to use mechanisms known as binding corporate rules (BCRs), which allow it to assume direct responsibility for information across 20 different countries. But BCRs can only be used on uniform data.
Overall, the current data protection directive makes certain assumptions about information flow that are no longer relevant in a global marketplace, said Bridget Treacy, partner at international law firm Hunton & Williams.
“The directive assumes that information travels from A to B to C. But with cloud computing, it is much harder to know where information is and who is controlling it, and the review makes an attempt to address this problem,” she said.
The report points out that technology will always be ahead of lawmakers and that requiring firms to take more responsibility as data controllers rather than proposing an outdated geographic approach could be helpful.
David Roberts, executive director of blue-chip IT user group the Corporate IT Forum, agreed and said many of its members have already been doing this.
Organisations generally have been investing heavily in technical, policy and process implementation to ensure security and confidentiality of customer information, he said.
“Data protection will become more effective when the next generation of processes and tools are developed,” he added.
[Box: Strengths and weaknesses of the data protection directive]
Data protection and privacy remains a major cause of concern in British households across the land, with well-known UK brands continuing to hit the headlines for all the wrong reasons. However, if these organisations are to win back the trust of the British public, then they must become far more accountable when it comes to data governance, and put much tighter controls in place.
Data security is currently being undermined on a daily basis by the constant system change that typifies today's highly complex, tightly integrated IT infrastructures. Failure to police daily IT change fundamentally compromises any investment in security technology and opens the door to unacceptable business risk. As the pace of IT grows faster and complexity increases with technologies such as virtualisation, this imperative grows in importance.
Unauthorised system change is an excellent indicator of potential security threats. Yet most organisations still have no visibility of such events on a system by system basis - and certainly not across the entire infrastructure.
By automatically reconciling actual with expected changes, an organisation can be immediately alerted to the unauthorised changes that can compromise data security. It is only by creating a full audit of all change - planned and unplanned, authorised and unauthorised - that an organisation can fully protect its corporate data, maintain full visibility of its IT infrastructure and, critically, win back consumer confidence.
Yours sincerely,
Andrew Heather
General Manager, EMEA
Tripwire
www.tripwire.com
Posted by: Andrew Heather 22 May 2009
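One way to implement the reconciliation the letter describes, as an added example that is not Tripwire's code or the page's own: take a hash baseline of a directory tree, diff the current state against it, and mark each detected change authorised only when a matching record exists in a change register. File names, contents and the ticket id CHG-0001 are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_states(baseline, current):
    """List (path, kind) for every file added, removed or modified since baseline."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "removed"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes

def reconcile(changes, expected):
    """Audit every detected change: 'authorised' if the change register holds a
    matching record {path: (kind, ticket)}, otherwise 'unauthorised'."""
    audit = []
    for path, kind in changes:
        record = expected.get(path)
        ok = record is not None and record[0] == kind
        audit.append({"path": path, "change": kind,
                      "status": "authorised" if ok else "unauthorised",
                      "ticket": record[1] if ok else None})
    return audit

def demo():
    """Constructed scenario: three files, one planned edit (placeholder ticket
    CHG-0001) and two unplanned changes. Returns the audit list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir(); (root / "bin").mkdir()
        (root / "etc/app.conf").write_text("debug=false\n")
        (root / "etc/ssh.conf").write_text("PasswordAuthentication no\n")
        (root / "bin/service").write_text("#!/bin/sh\nexec /opt/app\n")
        baseline = snapshot(root)
        # Planned change, logged in the register before it was applied
        (root / "etc/app.conf").write_text("debug=false\nlog_level=info\n")
        # Unplanned: a hardening setting weakened, and a file that should not exist
        (root / "etc/ssh.conf").write_text("PasswordAuthentication yes\n")
        (root / "bin/helper").write_text("#!/bin/sh\n")
        expected = {"etc/app.conf": ("modified", "CHG-0001")}
        return reconcile(diff_states(baseline, snapshot(root)), expected)
```

Calling demo() yields one audit entry per change; in a real deployment the register would be fed from the change-management system and the unauthorised entries routed to alerting.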
Can we have some regulators whose primary duty is to protect the citizen please? ICO seems focused on assisting business, and Ofcom seems focused on improving our perceptions of targeted advertising - please can we have someone who really really puts citizens first (and talks to them and listens to them FIRST?). With the next Information Commissioner coming from an advertising background it doesn't look like we will get that for another five years at least. A citizen-focused ICO would have stopped Phorm in its tracks, after the first illegal trials were exposed by a vigorous lobby, prompt engagement with the general public, and appropriate advice from IT experts. But they did nothing. Again. Businesses and government are losing our data right, left and centre, and when they are not losing it they are selling it to the highest bidder, regulating themselves and ignoring the "good practice" hints that the ICO timidly suggests to them. Self-regulation didn't work for the banks, it didn't work in Parliament, and we know it won't work for the advertising industry. Regulators with teeth please, who care more about private citizens than businesses.
Posted by: phormaverse 21 May 2009
Yet again the ICO in the shape of Richard Thomas steps up to the plate for business interests while totally neglecting the poor consumer whose data he is supposed to protect. Is there no government department or regulatory body in the UK who gives a fig for the rights and privacy of UK citizens? No, apparently not. We are just commodities to be used at the whim of the advertising, media and telecom industries. We need more data protection Mr. Thomas, not less. You're not there to make it easy for big business; you're there, supposedly, to enforce the regulations. Ironic laughter follows.
Posted by: Pingus 21 May 2009
Call me old-fashioned, but I thought the job of the ICO was to protect privacy and look out for breaches of an already lax set of data protection rules?
Not relax them even more so the average person has less privacy, just to allow advertisers and business to make more money selling personal information without penalty.
Posted by: bluecar1 21 May 2009