The European Data Directive needs to be less prescriptive and should focus on the real risks people face, according to a review of the law.
The Information Commissioner's Office (ICO) commissioned the review by Rand Europe in July last year because of concerns that the directive was out of date.
The review report acknowledges that the directive has helped harmonise data protection rules across Europe. But the directive is often seen as burdensome and too prescriptive and does not sufficiently address the risks to personal information.
Information commissioner Richard Thomas said modern approaches to regulation mean that laws must concentrate on the real risks people face in the modern world.
"This study is not meant to be an immediate blueprint for a new directive, but we are hoping it recommendations will stimulate debate and encourage people to think about what 21st century data protection law should look like," he said.
The Rand report does not call for ditching the directive, but highlights its good aspects, said Bridget Treacy, partner at law firm Hunton &Williams.
The report suggests ways of improving implementation, such as better methods of exporting data outside of Europe.
"This is an approach that will have appeal across Europe as many of the European data protection authorities would be very resistant to any suggestion that there needs to be wholesale change," said Treacy.
The principles on which the directive is based are sound, but companies that operate on a pan-European basis find that the way it is applied is often contrary to the overall objective of enabling the free flow of information, she said.
Other recommendations of the report include clarity on the outcome the law requires, greater accountability of organisations for data they handle, and a more strategic approach to enforcement.