Gaps in Europe's protection of individuals' data are emerging, in part because of different national approaches.
For almost 15 years, Europe has led the world in protecting personal data. At the EU level, it has done this through the data-protection directive adopted in 1995. At the national level, member states have done so by establishing independent data-protection authorities and by putting in place numerous legal and regulatory measures.
But surveys such as one carried out by Eurobarometer last year illustrate that Europeans now feel insufficiently protected. The world has moved on, bringing new threats to privacy, such as genome sequencing and online social networks. Over time, the public's awareness of such threats has grown.
In addition, member states currently approach data protection very differently. Some are very strict; others are more laissez faire. There is also a lack of harmonisation in certain areas (for example, how to achieve meaningful consent to the use of personal data), leading to collective uncertainty among regulators and organisations. Enforcement too differs, with approaches being influenced by specific national, cultural and legal contexts.
Such differences make it difficult for national and EU authorities to protect data when it is moved outside the EU. The long and heated debate surrounding the sharing of names of airline passengers with the US authorities is just one example. A lack of harmonisation also complicates the operations of European businesses that want to exploit the benefits of globalisation, benefits such as the virtualisation of data storage and global outsourcing.
An unharmonised response to globalisation and uncertainties posed by technological change suggests Europe needs to reform its approach to data protection and privacy. Certainly, any future regulatory system will need to promote individuals' rights and ensure users of personal data handle them appropriately and accountably. Enforcement should be more focused, more like a scalpel than the axe it currently is, and it should take a stronger line on repeat offenders and types of deliberate misuse such as identity theft.
But does the EU need to issue a new data-protection directive? In the short term, probably not. If member states align their national laws more closely, if they implement existing regulations better and if they make more effort to understand socio-economic and technological trends, a new EU-level arrangement would be unnecessary at this point.
In the future, though, the EU will inevitably have to adjust its system of rules to cope with the evolving uses of personal data, globalisation and international data flows. That systemic change would need to be broad-based – EU institutions, industry, civil society and academia would all have to be involved – because this is ultimately far more than a regulatory matter. At stake is nothing less than a fundamental human right and one of the cornerstones of modern democratic society: privacy.
Lorenzo Valeri and Neil Robinson are senior researchers at RAND Europe, a pan-European public policy research organisation with offices in Brussels and Cambridge.
This commentary originally appeared on European Voice on May 19, 2009. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.