The Review of the EU Directive prepared for my Office by RAND Europe has been presented to participants at this conference as a draft. The presentation by Neil Robinson and Hans Graux has highlighted their main findings and short and long-term recommendations. Peter Hustinx has added some very perceptive and important observations. We plan to publish the final version of the RAND Report in May – shortly before the conference which has been convened by Commissioner Jacques Barrot. We have always been clear that the RAND study is intended to provide food for thought and to stimulate debate. It is a not a blueprint for reform, still less does it contain the draft of a new Directive. We are equally clear that any reform will take many years, but the debate must start somewhere. That debate has started here in Edinburgh today. As the draft Edinburgh Declaration which will be discussed tomorrow makes clear, the fundamental role for Commissioners in this debate is that of Leadership
The press release goes into detail over the strengths of the DPD including:
The Directive is comprehensive, broadly-drafted and sets out a basic framework
of protection, drawing on OECD and Council of Europe approaches.
• It sets standards which are widely seen as “High” and has a strong Human
Rights resonance, with sharp focus on fundamental rights’ and freedoms.
• It has given people important and usable access and other rights.
• The basic Data Protection Principles have stood the test of time well
and are flexible in their drafting and application.
• The Directive seeks to be largely neutral in terms of technology.
• The Directive can claim significant success in harmonising DP rules and promoting an internal market across the European Union.
The press release also identifies the following:
There must be more emphasis on the benefits of maximum and genuine transparency, for example:
• Privacy by Design and the use of published Privacy Impact Assessments.
• There is much more scope to encourage and require organisations to adopt Privacy Policies, make them easily available and – of course - hold them to account for fulfilment.
• There is more scope for trust marks, accountability agents and 3rd party certification.
• More controversially, perhaps, we can envisage greater use of self-certification.
• And we must improve the use and content of Privacy Notices, getting the right information to the right people in the right language at right time.
More details can be found in their press release (pdf).