EU Privacy Directive – Growing Obsolete?

The British Information Commissioner sponsored a study by RAND Europe of the EU Privacy Directive [PDF]. The study found the Directive in need of an overhaul, possibly a rebuilding from the ground up.

Here are the main challenges identified in the study, along with strengths and weaknesses of the current regime. Are any of them applicable to the Canadian system, either to PIPEDA and the provincial statutes that provide the framework, or to the privacy commissions that operate under them? Are the concerns applicable to public sector privacy statutes and commissioners as well?

From the study:

Within the contexts of rapid technological change and globalisation, a set of distinct challenges were identified:

• Defining privacy – when is privacy affected by personal data processing and when is it not, and how strong should the link between data protection regulations and privacy protection be?

• Risk assessment – can we predict how risky it is to provide our personal data to an entity or organisation?

• The rights of the individual in relation to the benefit of society – under what circumstances can personal privacy become secondary to the needs of society, considering the fundamental importance of privacy protection for the development of a democratic society as a whole?

• Transparency – personal data is everywhere, particularly online, and through technological developments such as ambient intelligence and cloud computing could become increasingly difficult to track and control. How can we be sure how and where it is being used?

• Exercising choice – many services are only provided after sufficient personal data is released, but if important services are denied when we are unwilling to supply that data, do we still have a real choice?

• Assigning accountability –who is ultimately held responsible and where do we go to seek redress?

Here are the strengths of the Directive:

• The Directive serves as a reference model for good practice.
• The Directive harmonises data protection principles and to a certain extent enables an internal market for personal data.
• The principles-based framework permits flexibility.
• The Directive is technology neutral.
• The Directive has improved awareness of data protection concerns.

And here are its weaknesses:

• The link between the concept of personal data and real privacy risks is unclear.
• The measures aimed at providing transparency of data processing through better information and notification are inconsistent and ineffective.
• The rules on data export and transfer to third countries are outmoded.
• The tools providing for transfer of data to third countries are cumbersome.
• The role of Data Protection Authorities (DPAs) in accountability and enforcement is inconsistent.
• The definition of entities involved in processing and managing personal data is simplistic and static.
• There are other minor weaknesses which add to difficulties in its practical implementation

The study goes on to recommend ways to patch the current system and ways to rebuild from the ground up. These are summarized at pages x and xi – xiv respectively. (The main body of the study is 60 pages long, plus appendices. The PDF document is 100 pages long.)

Does this sound reasonable to you?

Comments are closed.