Europe's data-protection regulatory framework needs updating, but it will be two to three years before companies even see proposals, Europe's top data protection official said Monday.

In the meantime, companies can take data protection into their own hands by showing they have control over their data and are accountable for it, said Peter Hustinx, European data protection supervisor.

"I don't think we need an overdose of regulation," said Hustinx, who spoke as part of a panel on online privacy at the RSA Conference in London.

But there have been several instances of company failures to handle data correctly, such as when AOL released a large tract of what it thought was anonymous search data, said Ari Schwartz, vice president and chief operating officer for the Center for Democracy and Technology.

Those failures mean regulation is needed, such as the adoption of stronger consumer privacy laws in the U.S., Schwartz said.

"We've seen many companies do things with personal information that are clearly unethical," Schwartz said. " In some cases, even just plain illegal under current laws in the U.S. and the E.U."

The irony of data protection is that governments are increasingly demanding that enterprises collect data for a range of uses, such as compliance and antiterrorism purposes. But there are still questions over how to classify data, such as IP (Internet Protocol) addresses, and whether they constitute personal information.

Enterprises also have difficulty trying to comply with different data protection regulations in the U.S., Europe and elsewhere. Complying with privacy and data protection laws are of far greater concern than, for example, a server going down, said Michael Spadea, privacy counsel for Barclays bank.

"We want to comply," Spadea said. "I don't care what the laws are. I want them to be clear, and I want them to be harmonized."

Hustinx said that regulators are looking toward harmonizing data protection rules. "I think we will see progress in the next few years," Hustinx said.

However, new regulations must be clear and allow for a certain amount of self regulation by the industry, said Paul Goad, managing director of the controversial online advertising company NebuAd. The company's software monitors a person's Web surfing in order to deliver targeted ads.

Regulations often only come after companies have developed their technology, which then has to be retrospectively modified to comply, Goad said.

"The fact is we very rarely get a clear mandate," Goad said.