The European Data Directive needs to be less prescriptive and
should focus on the real risks people face, according to a review
of the law.
The Information Commissioner's Office (ICO)
commissioned the review by Rand Europe in July last year
because of concerns that the directive was out of date.
The
review report acknowledges that the directive has helped
harmonise data protection rules across Europe. But the directive is
often seen as burdensome and too prescriptive and does not
sufficiently address the risks to personal information.
Information commissioner Richard Thomas said modern approaches
to regulation mean that laws must concentrate on the real risks
people face in the modern world.
"This study is not meant to be an immediate blueprint for a new
directive, but we are hoping it recommendations will stimulate
debate and encourage people to think about what 21st century data
protection law should look like," he said.
The Rand report does not call for ditching the directive, but
highlights its good aspects, said Bridget Treacy, partner at law
firm Hunton &Williams.
The report suggests ways of improving implementation, such as
better methods of exporting data outside of Europe.
"This is an approach that will have appeal across Europe as many
of the European data protection authorities would be very resistant
to any suggestion that there needs to be wholesale change," said
Treacy.
The principles on which the directive is based are sound, but
companies that operate on a pan-European basis find that the way it
is applied is often contrary to the overall objective of enabling
the free flow of information, she said.
Other recommendations of the report include clarity on the
outcome the law requires, greater accountability of organisations
for data they handle, and a more strategic approach to
enforcement.