ICO blasts sluggish speed of EU data law reforms

Progress towards updating European data protection laws is moving at a "snail's pace", according to the Information Commissioner's Office (ICO).

The EU's current data protection measures are decades out-of-date, while lawmakers risk falling further behind with each new technological innovation around data, the watchdog warned yesterday.

In a speech at Liverpool John Moores University, Information Commissioner Christopher Graham pointed out that bodies like the ICO are forced to protect people's data armed with ancient legislation like the 1995 Data Protection Directive.

"Today that 20-year-old Directive is scarcely fit for purpose as the technology and the uses of data have raced further ahead of anything the law makers envisaged," he said.

"The institutions of the European Union are moving, but at a snail's pace, to reform the data protection regime with a new regulation which would apply uniformly across the single market."

That EU Data Regulation will replace the 1995 directive, aiming to give citizens more control over who uses their personal data, a right to be forgotten, and will also require companies to get people's explicit consent to use their data.

The regulation was due to be adopted into law this year, but EU countries keep hitting sticking points.

One objection raised was by the British Government last month, which called the explicit consent requirement "unjustified".

Graham said that while the regulation is debated, citizens' data is becoming increasingly at risk the more people use the internet.

"Whatever we do online, we are leaving a trail of personal data which can be analysed, linked, mashed, and crunched. And our privacy is more and more compromised," he said.

The commissioner said it was vital that citizens can trust those who wish to use their information.

He pointed to the example of the NHS's controversial care.data scheme, under which patient data will be shared between GP surgeries and hospitals, as a beneficial move undermined by a lack of trust.

The project was postponed after the public was inadequately consulted, and the director of patient information at the NHS, Tim Kelsey, said yesterday that the initiative was starting anew this year.

Graham said the project "depends crucially on citizen confidence which, following last year's botched communications exercise, is in short supply."

However, he said a balance could be achieved with "proportionate, risk-based enforcement".

"The laws have to be practical and realistic and not tie data protection authorities like mine up in knots attempting to enforce over-spec'd procedural obligations when the emphasis should be on promotion of good practice for data controllers and consumers," he added.

"Sensible laws and sensible citizens can protect privacy and still enable good things to happen online."