Europe needs to update its data-protection framework, but new regulations are unlikely before the end of the decade, Europe's top data protection official said today.
Rather than wait, companies should take data protection into their own hands by showing they have control over their data and are accountable for it, said Peter Hustinx, European data protection supervisor.
"I don't think we need an overdose of regulation," said Hustinx, who spoke as part of a panel on online privacy at the RSA Conference in London.
Ari Schwartz, vice president and chief operating officer for the Centre for Democracy and Technology, also on the panel said security failures by business mean regulation is needed.
"We've seen many companies do things with personal information that are clearly unethical," Schwartz said. "In some cases, even just plain illegal under current laws in the US and the EU."
Governments are increasingly demanding that enterprises collect data for a range of uses, such as compliance and antiterrorism purposes. But there are still questions over how to classify data, such as IP (Internet Protocol) addresses, and whether they constitute personal information.
Enterprises also have difficulty trying to comply with different data protection regulations in the U.S., Europe and elsewhere. Complying with privacy and data protection laws are of far greater concern than, for example, a server going down, said Michael Spadea, privacy counsel for Barclays bank.
"We want to comply," Spadea said. "I don't care what the laws are. I want them to be clear, and I want them to be harmonised."
In response Hustinx said, "I think we will see progress in the next few years," Hustinx said.
However, new regulations must be clear and allow for a certain amount of self regulation by the industry, said Paul Goad, managing director of the controversial online advertising company NebuAd. The company's software monitors a person's Web surfing in order to deliver targeted ads.
Regulations often only come after companies have developed their technology, which then has to be retrospectively modified to comply, Goad said.
"The fact is we very rarely get a clear mandate," Goad said.