Brussels, 28 January 2013
The Data Protection reform - One Year On
One year ago, the European Commission presented a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy (IP/12/46). Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens. This will save businesses around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.
How will the data protection reform boost economic growth?
Sharing data has become crucial for economic growth. Privacy protection and the free flow of data are complementary, not contradictory, concepts.
To flourish, the digital economy needs trust. Many people are not confident about giving out their personal data online. This means they are less likely to use online services and other technologies. According to a GSMA study, 9 out of 10 smartphone users are concerned about mobile apps collecting their data without their consent, and say they want to know when the data on their smartphone is being shared with a third party.
Strong, reliable, consistently applied rules will make data processing safer and cheaper and will strengthen people’s confidence. Confidence in turn drives growth. This is a message that is well understood worldwide. In a letter to the European Parliament strongly supporting the data protection reform package, 25 major U.S. consumer organisations stressed that “stronger privacy standards in Europe will benefit consumers around the globe”.
What does the reform do for business?
The proposed EU data protection law will do three things to help business to contribute to growth:
First, it will cut costs and increase legal certainty by replacing the current patchwork of laws in Europe with a single uniform set of rules for all 27 European Union countries.
It will cut red tape by introducing a one-stop shop for businesses to deal with regulators. In the future, companies will only have to deal with the data protection authorities in the EU country in which they are based.
They will also no longer be obliged to notify every single data processing activity to national regulators.
All of this will save businesses about €2.3 billion a year.
Second, the reform will generate growth because it takes account of the cost of non-compliance. Violations of data protection rules can have an enormous cost. According to reports, an attack on Sony during which 100 million accounts were hacked cost between $1 billion and $2 billion. Making sure that customers are notified without undue delay when their data, including credit card details, is hacked will generate trust and give consumers confidence in doing business online.
Third, the Commission’s proposals extend the number of ways in which businesses can show that they meet high standards of protection when they transfer personal data beyond the EU's borders. It's a long list. Businesses operating globally will benefit from clear rules that set out how they can use binding corporate rules (BCRs) and standard contractual clauses to transfer personal data securely.
The proposal also abolishes many cumbersome prior-authorisation procedures. Under certain conditions, it will be possible to transfer data outside the Union on the basis of codes of conduct. Safe Harbour will not be affected.
The proposed new EU rules on adequacy take full account of privacy systems in other countries. It's not about having a system identical to that of the EU but about ensuring the same level of data protection in practice. Experience shows that this approach works.
What does the reform do for people?
The proposed EU data protection law will do three things to put individuals in control of their data and help increase the confidence they have in using online services.
First, by reinforcing the existing ‘right to be forgotten’ (the right to ask for the erasure of data when it is no longer needed) the EU law will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate reasons for retaining it. People will also have easier access to their own data and be able to transfer personal data from one service provider to another more easily.
Second, wherever consent is required for data to be processed, it will have to be given explicitly, rather than assumed as is sometimes the case now. Consent is at present – and will remain under the proposed law – only one of the several grounds allowing for the lawful processing of data. Processing can also be based on the performance of a contract, on a legal obligation, a public interest or on the legitimate interests of the controller, etc. But when consent is required for the processing of data, that consent must be explicit: staying silent is not the same thing as saying yes.
Explicit consent does not necessarily have to be given in writing: a person can agree to the processing of their data by clicking on icons or ticking a box on a website. This won't mean constant pop-ups because consent can be given for multiple operations.
Third, new rules will help to reduce the number of data breaches. When a breach does happen and people's data is lost, stolen or hacked, victims should be notified as swiftly as possible. Fast action to tackle data breaches hurts criminals, not legitimate business. Why shouldn't data breaches be notified within 24 hours if that is feasible? The Commission's proposal does not ask for anything more. Statistics show that countries which require quick notifications have fewer data breaches. Clearly, strong rules in this area encourage companies to manage personal data more securely.
What does the right to be forgotten really mean?
Those hoping that the right to be forgotten will allow them to clean their credit history are going to be disappointed.
The Commission’s proposal builds on the already existing right to demand that personal data should be deleted if they are no longer needed for any legitimate purpose. This covers all kinds of everyday situations. For example, children may not understand the risks involved in making their personal information available – only to regret it when they grow up. They should be able to delete that information if they want to.
Will history be re-written with the right to be forgotten?
The right to be forgotten is not about rewriting history. The Commission’s proposal specifically protects (in Articles 17 and 80) freedom of expression and the freedom of the media, as well as historical and scientific research.
Equally, personal data may be kept for as long as they are needed to carry out a contract or to meet a legal obligation. In short, the right to be forgotten is not absolute.
The rights of businesses are also protected. If the personal data in question has been made public (for example, posted on the internet), a company must make a genuine effort to ensure third parties know about the request to delete the data. Evidently a company will not be able to wipe out every trace left in search indexes and that is not what the EU draft law is asking for. But companies should take every reasonable step to ensure that third parties, to whom the information has been passed on, are informed that the individual would like it deleted. In most cases this will involve nothing more than writing an email.
Will the data protection reform give the Commission a blank cheque to regulate?
The executive powers given to the Commission by the data protection reform package are not a blank cheque. These executive powers will only allow non-essential elements of the legislation to be adjusted to new developments, under the scrutiny of the European Parliament and the Council of Ministers. Without this flexibility to adapt to technological change, the new law would inevitably be too prescriptive and less open to innovation. The new rules would be outdated quickly. As always, the Commission will fully consult stakeholders before using its powers.
European law foresees these kinds of executive powers for a reason – to ensure that the technical elements of our rules can be adapted quickly to changing realities, without having to go through the full and lengthy legislative procedure required to adopt new legislation.
Will the new rules weaken international cooperation to combat crime?
Data exchanges between law enforcement authorities will not be made more difficult. Only those agreements that involve sharing personal information and lack appropriate data protection safeguards will need to be re-examined.
What are the next steps?
The draft law must now be approved by the European co-legislators: the European Parliament and the Council of Ministers, in which national Ministers are represented. The European Parliament’s rapporteurs (the members of the European Parliament leading on the data protection reform) have prepared their draft reports (MEMO/13/4), which will now be discussed in the relevant parliamentary committees. A European Parliament vote is expected around the end of April.
The Irish Presidency of the EU, which for the next six months will chair and steer the Council meetings, has made data protection a priority and is working hard to achieve a political agreement on the data protection reform by the end of the Irish Presidency (June 2013). Good progress was made at the Informal Justice Council meeting on 18 January (see SPEECH/13/29).
The European Commission will continue to work very closely with the European Parliament and with the Council to support the Parliament and the Irish EU Presidency in their endeavour and to get the data protection law adopted before the end of this year.