Check out my blog post @ CDT on review of the EU Data Protection Directive. Excerpt:
In a way, the process undertaken by the European Commission to review the current framework applicable to privacy and data protection is akin to speeding on a highway at 100 mph while looking at the rear-view mirror. The consultation launched by the EC and comments filed by some of the main players (see, e.g., here and here) are strongly anchored in the text of the EU Data Protection Directive, enacted in 1995, negotiated several years before then, and based on documents dating back to the late 1970s. That was the era of mainframe computers and punched cards; long before PCs, the Internet, and mobile, not to mention cloud services, ubiquitous computing, smart grid, genetics and biometrics.
Building on acquired knowledge and proceeding with care in small increments is firmly rooted in legal culture. Ours is a discipline based on precedent and cautious tweaking of existing texts. Torts, contracts, and even public law today are strikingly similar to those in Roman times or ancient Jewish law. Yet given the scope and pace of technological innovation over the past 40 years and its massive impact on the collection, storage and use of personal information, it seems that an innovative mindset is needed to overcome some of the shortcomings of the current framework.
[Next week, I moderate a panel on review of the EU DPD at the IAPP Summit in Washington, DC, with Peter Hustinx, European Data Protection Supervisor; Thomas Zerdick, European Commission; Jacob Kohnstamm, Chairman of the Article 29 Data Protection Working Party and President, Dutch Data Protection Authority; and Artemi Rallo Lombarte, Director, Spanish Data Protection Authority and Vice-Chairman of the Article 29 Data Protection Working Party. Hope you can attend.]