London — 17 January 2011 — Former UK Information Commissioner Richard Thomas CBE called today for a modernised European framework for data protection to address the realities of the digital world of the 21st Century.

"The pace of technological change is increasing both benefits and threats," said Mr Thomas, now a strategy adviser at leading international law firm Hunton & Williams and member of the Centre for Information Policy Leadership (CIPL), the privacy think tank associated with the firm. "Powerful devices, instant communications, more effective search and analytical tools and ever-cheaper data storage capacity create seemingly endless opportunities to gather and interpret information about us, our activities and our preferences. But European data protection laws have a poor reputation for being bureaucratic, uncertain and burdensome. The new approach must find the 'Holy Grail' of maximising effectiveness while minimising the burden," he added.

Mr Thomas was speaking as CIPL, under his guidance, published two papers responding to the European Commission’s current consultation on "A comprehensive approach to personal data protection".

"When I was Commissioner, I described the EU Directive as no longer fit for purpose and called for a re-think," continued Thomas. "I am delighted that this is now under way, but there is still a long way to go to draft balanced laws which will work in practice when so much personal information can flow so easily around cyber-space with no regard to national boundaries."

The Centre’s two papers identify two priorities for the new EU law — introducing an Accountability Principle and a new framework of Binding Global Codes for international data transfers.

"Companies, government departments and other data controllers need to adopt privacy programmes to deliver genuine protection for the people they deal with. They should then be held directly accountable for the claims they make and the way they implement their programmes," argues Thomas. "This is more realistic and less burdensome than expecting prior approval for specific activities from regulators. This approach also recognises that the legal paperwork, the technology and the staff management must all be addressed. But 'one size does not fit all' and each organisation should be able to decide for itself how best to implement the basic data protection principles in practice. If they get it wrong, businesses know that they pay a heavy price in financial, reputational and legal terms."

The Accountability Principle also provides the foundations for a new framework of Binding Global Codes for international data transfers. "It is welcome that the European Commission has proposed streamlining international data transfers," Thomas commented, "but there is not much sign of fresh thinking so far. We are proposing that a company should be able to adopt a bespoke Binding Global Code to demonstrate, in practical terms, how it will protect personal information worldwide in accordance with the data protection principles. This Code would have legal effect and companies would be held accountable for meeting the requirements of their own Code. Crucially, and unlike existing arrangements, companies would not need to wait for a regulator, sometimes several regulators, to approve a Code in advance. Prior approval may have made sense in the days of mainframe computing, but it is meaningless when hundreds of thousands of companies are moving personal data electronically every day of the week."

More generally, other points made in the Centre’s papers include:

  • Reform must focus on implementation and practicalities. The Centre suggests criteria for a modernised, 21st Century, regulatory framework, based on clear objectives, real risks and well-balanced outcomes.
  • The Centre has severe doubts about EU standard-form Privacy Information Notices, which will be so comprehensive — or so simple — as to be meaningless either way.
  • Efforts to simplify rights of access, rectification, erasure and blocking are welcomed, but the Centre is sceptical about a simple “right to be forgotten”.
  • Harmonisation — European and global — must be based on common principles and objectives, avoiding both highest and lowest common denominators.
  • In line with the commitment to reducing the administrative burden, notification requirements should be replaced with a very simple registration system to provide regulators with funding and channels of communication for enforcement and education.
  • Privacy Impact Assessments and Privacy by Design are welcome, but their use should be encouraged as business processes, not made mandatory.

— ENDS —

NOTES TO EDITORS

About the papers

1. The two papers published today are:

  • Commentary in Response to the European Commission’s Communication on "A comprehensive approach to personal data protection"
  • A New Approach to International Transfers. Commentary in Response to the European Commission’s Communication on “A comprehensive approach to personal data protection”

Both papers are available on the Centre’s website at: www.informationpolicycentre.com

2. The European Commission published its consultation paper, Communication on “A comprehensive approach to personal data protection”, on 17 November 2010.

3. The Centre for Information Policy Leadership is a global think tank, associated with Hunton & Williams, which encourages responsible information governance in today’s digital society. Through collaboration with industry leaders, civil society, consumer organizations and government representatives, it explores innovative and pragmatic approaches to global policy issues, seeking to build privacy and data protection in practice while balancing economic and societal needs and interests. More details about the Centre can be found at: www.informationpolicycentre.com.

About Hunton & Williams

Hunton & Williams provides legal services to corporations, financial institutions, governments and individuals, as well as to a broad array of other entities. Since the firm's establishment more than a century ago, Hunton & Williams has grown to more than 900 attorneys serving clients in 100 countries from 18 offices around the world. Computerworld magazine named Hunton & Williams the top firm for privacy for the fourth consecutive time based on a survey of more than 4,000 corporate privacy professionals. Whilst key practices have a strong industry focus on energy, financial services and life sciences, the depth and breadth of the firm’s experience extends to more than 100 separate practice areas, including privacy and information management, bankruptcy and creditors’ rights, commercial litigation, corporate transactions and securities law, intellectual property, international and government relations, regulatory law and products liability.

The views expressed in this press release and the published papers are those of the Centre for Information Policy Leadership. They do not necessarily reflect the views of the Centre’s members or those of Hunton & Williams or its clients.