Britain’s Information Commissioner, Richard Thomas, leaves his post shortly after almost seven years. Computing reports on one of his final high-profile actions: the publication of a report he commissioned a year ago which reviews how the European data directive has worked in practice. The Press Release from the Information Commissioner’s Office (ICO) refers to “growing fears that the current European Directive is out-dated and too bureaucratic”.
European legislation on data protection and privacy led the world, and in many ways still does. Its implementation into national legislation varies from wholehearted to grudging. But it has established, in public awareness and in particular among the information professions, the need to respect information about individuals and to handle data appropriately. Nonetheless, both business and technology have moved on, and Richard Thomas believes that regulation needs to catch up.
For example: the directive’s restrictions on cross-border flows of information didn’t push the US to implement full data protection legislation; but it did result in the creation of “safe harbor” provisions. But a work-around is common: notifying data subjects that the data they are providing may be transferred to non-EU countries. If they don’t agree, they can’t get access to whatever service they are trying to sign up for.
The report’s overall conclusion is that the Directive, as it stands, “will not suffice in the long term”. The principles remain good; but implementation needs to be what the authors call “harms-based” – that is, based on an understanding of the damage that can be done – in order to respond to the challenges of globalisation. The authors don’t call for the Directive to be scrapped, but they believe some of the concepts need to be re-thought and better consensus achieved in some areas.
So the report proposes, among other things, that global enterprises should shoulder global responsibility for the data they hold rather than having to work through “outdated” geo-politically based restrictions. The ICO’s Press Release speaks of “stronger focus on the accountability of all organisations for safeguarding the information they handle”, “improved arrangements … for the export of personal data outside the European area”, and “a more strategic approach to enforcement”. There are about four pages of recommendations in the full report, well worth reviewing if it’s in your area.
Thomas believes that “Data protection is too important to be left to data protection specialists talking to each other”. The report isn’t a blueprint for a new directive but is intended to stimulate debate. Let’s see where it goes.
• Data protection needs new approach, Computing, 21 May 2009
• Making European data protection law fit for the 21st century, ICO Press Release, 12 May 2009 (PDF document, with links to both the full report and an ICO summary)
• European data directive 1995 (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)
• For Richard Thomas’s bio see the ICO management Board page