On Data Protection Day (28 January) 2014, the former European Union (EU) Commissioner for Justice, Viviane Reding, pointed out that if the EU wants to become a global leader on protecting data privacy, “it also has to get its own house in order.” While the Commissioner was clearly referring to the 'house of EU nations', recent RAND Europe research suggests that her words are equally applicable to the 'Brussels house.' Indeed, the EU institutions and agencies urgently need to revisit the frameworks that govern data privacy in their own houses if they want to keep pace with some of the latest trends in corporate information and communication technology (ICT) delivery and use, such as cloud computing or the consumerisation of ICT ('bring your own device').
We undertook a systematic review of the broad and diverse canon of legal and policy frameworks addressing data privacy considerations in the context of ICT use and delivery across the EU institutions and agencies. Our findings suggest that little provision has been made for major trends in corporate ICT delivery and their implications for how the EU institutions work. For example, although the e-Commission Communication indicates the involvement of the European Commission in the EU's Cloud Computing Strategy, the existing policy and legal frameworks governing data privacy within the Commission fail to address the potential challenges inherent in releasing protected data to the cloud. Furthermore, EU institutions and agencies are not in step with the approach that large-scale private-sector organisations take when building new ICT systems. Notably, provisions relating to 'Privacy by Design' appear to be absent from existing EU legal and policy frameworks.
A similarly bleak picture of the appropriateness of EU data privacy frameworks in light of ICT innovation emerges when looking at specific EU institutions and agencies. These are variously responsible for the storage of personally identifiable data for intelligence, border management or criminal justice cooperation, or the processing of sensitive classified information for EU-led crisis management operations. These EU policy domains are unique in nature, and each institution needs to take account of a different set of security and privacy considerations, in many cases while operating with out-of-date hardware and software. The barriers to fully exploiting innovations such as cloud computing or 'bring your own device' are obvious.
Any large and complex administrative organisation finds introducing policy changes difficult—and Brussels is no exception. Indeed, in recent years, path dependency in EU law and policymaking seems to have acted as a primary inhibitor to equipping EU institutions and agencies with data privacy frameworks that are on a par with the latest developments in corporate ICT. The specific and yet diverse ICT delivery and use requirements of the different EU institutions and agencies as well as a tendency to stick to legacy ICT assets have further discouraged any efforts to modify existing EU data privacy frameworks in the face of ICT innovation.
Indeed, the diversity of data privacy frameworks as well as legacy ICT systems currently in place across and within the EU institutions and agencies will pose a considerable challenge should new Commissioner for Justice Martine Reicherts decide to modify some of the policy and legislation we have reviewed. However, it is a challenge that should be tackled if the EU wants to reconcile data privacy considerations with ICT innovation and thus put its own house in order.
Jan Gaspers is an associate analyst at RAND Europe. He is currently engaged in a range of cyber security and data privacy research projects for public- and private-sector clients across Europe, and is a frequent commentator on EU foreign and security policy and NATO affairs.