Learning Center
Plans & pricing Sign in
Sign Out

Invitation to Tender – Review of EU Data Protection Law


Invitation to Tender – Review of EU Data Protection Law

More Info
									14 April 2008

Invitation to Tender – Review of EU Data Protection Law
The Information Commissioner is the United Kingdom’s independent data
protection regulator, with a range of responsibilities set out in the Data
Protection Act 1998. A central focus of the Commissioner’s approach has
been to improve the effectiveness of data protection in practice, which
includes promoting and supporting legislative change.

To this end, the Commissioner wishes to stimulate debate about the strengths
and weaknesses of the EU Data Protection Directive (95/46/EC). He fully
recognises that only the European Commission can initiate the process for
changing the Directive and that the Commission has carried out reviews of
implementation in line with existing requirements. Any process of change will
inevitably take a long time to bear fruit.

Nevertheless, the Commissioner believes that the time has now come to start
a new debate. This recognises the pace of technological change, the
pressures on privacy and the integrity of personal information from so many
directions and ever-increasing public awareness and concerns about the need
for effective safeguards. But it also reflects a growing feeling that the Directive
is becoming increasingly out-dated, is not sufficiently clear in its objectives, is
more bureaucratic and burdensome than it needs to be and is out of step with
good regulatory practice.

Furthermore the Lisbon Treaty provides a real opportunity for the
development of a consolidated and modernised EU data protection
instrument. Currently Directive 95/46/EC only applies to processing of
personal data in the EU’s first pillar. There is a draft Data Protection
Framework Decision awaiting adoption that will cover information exchange in
the third pillar. However, if adopted, the Lisbon Treaty will pave the way for
one instrument applicable across both pillars.

The Commissioner therefore wishes to appoint a consultant, or preferably a
multi-disciplinary team of consultants, to undertake a study to be launched at
the Spring Conference of European Data Protection Commissioners. The
Commissioner will be hosting this in Edinburgh in April 2009. The
Commissioner does not anticipate that the study will be comprehensive in the
sense of analysing every last detail of the Directive and its application in
practice. He is looking for fresh thinking – possibly radical thinking - and
wishes to give the consultant(s) a reasonably free hand over both scope and
methodology. Equally he is fully aware that this study will be the first - not the
last – word in possible legislative reform. The terms of reference will therefore
be cast in open terms as follows:
To undertake a study leading to a report:

   •    identifying the main strengths and weaknesses of the EU Data
        Protection Directive (95/46/EC) and its application in practice; and
   •    identifying promising avenues (both general and specific) for
        improving EU law in ways which will provide effective protection
        for individuals and society whilst minimising burdens for

The central output will be a report to be delivered to the Commissioner
as a final draft by 31 January 2009 with a view to publication in final
form by the Commissioner in April 2009.


The working assumptions will be that the basic principles set out in the
Directive (if not their precise language) are sound and that the fundamental
challenge will be to find ways of improving their achievement in practice.

Without wishing either to be prescriptive or to limit scope, the Commissioner
anticipates that the following questions may need to be addressed within the

        •   Is there sufficient clarity of objective, especially in terms of desired
            outcomes from EU level law?
        •   Should the law more explicitly address identified detriments to
            individuals and society?
        •   Are the safeguards provided sufficient in the light of technological
            and societal developments?
        •   How can we best ensure that the potential for technology to
            safeguard personal privacy is realised, for example through ‘privacy
            by design’ approaches?
        •   How the law might better promote maximum accountability on the
            part of those handling personal information.
        •   How might better use be made of dispute resolution and self-
            regulatory mechanisms, including self-enforcement through
            reputational pressures, incentives for compliance and deterrents for
        •   How might simplification and user-friendliness be improved?
        •   Could individuals’ rights be strengthened and updated?
        •   How can recognised good regulatory practice be built in?
        •   How - including possible recasting of the Directive’s rules on
            international transfers - might pressures for a more global approach
            to privacy regulation and data protection be accommodated?
        •   What changes will be needed to achieve an EU law that is simple
            yet equally applicable to first and third pillar activities?
        •   What new or different approaches could address problems or
            controversy, such as:
              o   the definition of personal data
              o   the distinction between data controllers and data processors
              o   applicable law
              o   criteria for making data processing legitimate
              o   the need for and treatment of special categories of data
              o   notification requirements
              o   complaint-handling obligations
              o   funding for Commissioners?

Guidance to Bidders

The following Guidance to Bidders will be taken into account in selecting the
successful bidder:

   •   Although an individual consultant is not ruled out, a multi-disciplinary
       team is preferred because a wide range of disciplines, competencies
       and experiences is envisaged.

          o A good grasp of the current data protection regime is desirable,
            but there is also a need for the objectivity and detachment which
            comes from fresh eyes.
          o Relevant disciplines may include policy analysis/development,
            legal, regulatory and social policy and political science. But an
            academic study is not wanted - the focus must be on practical
            issues and political deliverables.

   •   The study will involve considerable desk research – with a great deal of
       existing empirical data and relevant literature to draw upon.
   •   It is not envisaged at this stage that there will be any fresh empirical
       research, a formal consultation exercise or an extensive programme of
   •   However, there should be scope for telephone and personal
       discussions with key players across the EU and beyond – including the
       European Commission, data protection commissioners and their staff,
       public officials, data controllers and civil society.
   •   The Information Commissioner is looking for imaginative approaches to
       this project and for bidders that will add value rather than simply review
       and represent existing material. He does though want to be able to
       demonstrate that a wide range of views have been taken into account
       in arriving at the final report.
   •   Whilst we would welcome an outline of the key features that a revised
       Directive might contain, we do not expect bidders to come up with any
       form of draft law.
   •   Although this Review has been launched, and will be funded, by the
       UK Information Commissioner, the study should not have an unduly UK
   •   The Commissioner anticipates that ICO staff will assist the successful
       bidder throughout the project – including discussion of emerging
       themes and drafts - but there are limited resources for this.
   •   The successful bidder will be expected to present the final report at the
       Spring Conference of European Data Protection Commissioners in
       Edinburgh in April 2009.


   •   A final report identifying the main strengths and weaknesses of
       the EU Data Protection Directive and its application in practice,
       and identifying ways of improving the law.

   •   Presentation of the report to the Spring Conference of European
       Data Protection Commissioners.

   •   Presentations to the ICO at key points during the life of the


The budget for this project must not exceed £100,000 (inc VAT). The contract
will be awarded to the bidder (whether an individual or a team) which offers
the best value for money and satisfies the Commissioner as to its ability to
deliver on time a study which fulfils the Terms of Reference, taking into
account (but elaborating) what is said in this Invitation to Tender. In making
this decision, the Commissioner will particularly consider competencies and
experiences, proposed approach and working methods.

Competitive Process

Sealed bids should be submitted to the ICO by Thursday 22 May. These will
be considered by an internal panel which may wish to interview some or all
bidders. Interviews will take place shortly afterwards. The successful bidder
will be expected to enter a contract with the Commissioner. The contract will
provide that copyright in the study will be held by the Commissioner who will
reserve the right not to publish the study or to publish it in modified form.

Bids should be submitted to Angela Russell
Further information about this project can be obtained from Iain Bourne

To top