Following the release of the Data Sharing Review, the UK's Information Commissioner Richard Thomas has continued to criticise the European Data Protection Directive (95/46/EC). He has referred to it as out of date, bureaucratic and in dire need of reform.
But this isn't just rhetoric - he has gone on to appoint RAND Europe, an independent think tank, to carry out a comprehensive assessment of the strengths and the weaknesses of the Directive.
So is the government listening?
Maybe. The Ministry of Justice has released a consultation paper into extending the Information Commissioner's Office's (ICO) powers of inspection and a restructuring of the notification fee system.
Directing data protection
The European Data Protection Directive (95/46/EC) (the Directive) was adopted by the European Parliament and the European Council on 24 October 1995. It was intended to harmonise the processing of personal data throughout the EU. It imposed minimum data protection standards on member states and required member states to implement those standards via national legislation.
Almost 13 years on, it is the subject of much contention and debate.
The ICO argues that the increased use of the internet, technological advances and the growth of global e-commerce have all brought fresh legal challenges with which the Directive is ill-equipped to deal.
Cross-border transfers of information, for example, are now more common as a result of the internet's popularity. There is also an increased collection and storage of information as a result of social networking on websites such as Facebook.
The future of European Data Protection law
In light of the above, the ICO has commissioned RAND Europe to carry out a comprehensive assessment of the strengths and the weaknesses of the Directive. It hopes that this will generate new thinking about data protection and identify possible avenues for reform.
Among other things, RAND Europe will consider:
- whether the safeguards provided for by the Directive are sufficient in light of technological and societal developments;
- how personal privacy could be safeguarded most effectively; and
- how the Directive could be simplified and made more "user friendly".
The results of RAND's assessment will be published quickly, in April 2009. Various organisations will be given the opportunity to take part in related interviews or workshops.
In contrast, reform is expected to be slow. It is unlikely that changes will be seen within the next five years. This should not, however, taint the importance of this development.
As noted by the ICO, it is "important to make a start". The very existence of RAND's assessment has, and will, continue to encourage debate about the Directive. Interestingly, the European Commission will also be appointing an independent body to carry out a separate review of the Directive shortly. Anyone involved with data protection should, therefore, watch out for further developments. It is likely that a formal review of European Data Protection laws will be taking place in the not too distant future.
And in the meantime?
On the other hand, the consultation from the Ministry of Justice is aimed not at slow reform at a European level. Rather, it sets its sights on specific, achievable proposals arising from the Data Sharing Review.
In particular, key proposed reforms are around the ability for the ICO to inspect data controllers for compliance. They also include the introduction of a tiered notification fee structure to recognise different sized organisations, and to provide greater funding to the ICO, something which is greatly needed if enforcement is to be increased.
The consultation ends on 27 August 2008. A shorter than usual consultation period was approved due to the pressing need of the ICO for these new powers. We shall see if the powers are introduced as quickly!