The UK Information Commissioner’s Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.
The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners’ Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.
The RAND study concludes that the “widely applauded” principles contained in the Directive remain the touchstone for good data protection regulation. However, the implementation and enforcement of these principles require fresh thinking. Excessive bureaucracy and prescriptive criteria for data protection compliance, at the expense of a flexible, harms-based, approach, is one example of how out of date local implementation of the Directive has become.
The study includes a number of recommendations for improvement, working within the framework of the existing Directive, but leading ultimately to an outcomes based regulatory model for the future.
It may be less radical than many had hoped, but there is much within RAND which will stimulate debate. It represents merely the starting point for future discussion.