Other available languages: none
Brussels, 27 January 2014
Data Protection Day 2014: Full Speed on EU Data Protection Reform
Vice-President Viviane Reding, the EU's Justice Commissioner said ahead of data protection day (which is on 28 January): "Data protection in the European Union is a fundamental right. Europe already has the highest level of data protection in the world. With the EU data protection reform which was proposed exactly two years ago – in January 2012 – Europe has the chance to make these rules a global gold standard. These rules will benefit citizens who want to be able to trust online services, and the small and medium sized businesses looking at a single market of more than 500 million consumers as an untapped opportunity. The European Parliament has led the way by voting overwhelmingly in favour of these rules. I wish to see full speed on data protection in 2014."
Vice-President Reding will deliver a key speech on data protection day, tomorrow at 11 CET at the Centre for European Policy Studies (CEPS) calling for "A new Data Protection Compact for Europe".
1. Where are we two years after the Commission's proposals?
Two years ago, in January 2012, the European Commission proposed a reform of the EU's data protection rules to make them fit for the 21st century (see IP/12/46). The reform consists of a draft Regulation setting out a general EU framework for data protection and a draft Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities. The proposals are currently being discussed by the two European Union co-legislators, the European Parliament and the Council of the EU in which national Ministers sit.
To become law, the proposals must be approved by these co-legislators.
On 21 October 2013, the European Parliament's leading Committee on Civil Liberties, Justice and Home Affairs (LIBE) backed the Commission's proposals with an overwhelming majority and even reinforced them in certain areas (see MEMO/13/923 for full details). The reports of the members of the European Parliament (MEPs) Jan-Philipp Albrecht and Dimitrios Droutsas, on which members of the LIBE Committee voted, were welcomed as a strong endorsement of the Commission's package approach to the data protection reform, and an important signal of progress in the legislative procedure. The LIBE vote gives a mandate to its Rapporteurs, MEPs Albrecht and Droutsas, to enter into negotiations with the Council of the EU.
Council of the EU:
The data protection reform has been discussed repeatedly by national Ministers in the Justice Council. Most recently, Justice Ministers reached an agreement in principle on the "one-stop shop" mechanism (the proposal that every company operating in the single market should have a single regulatory interlocutor in the EU) at the Council in October 2013 (Council Press Release and SPEECH/13/788). The proposals were discussed again at the December Justice Council (see SPEECH/13/1029) and at the Informal JHA Council in Athens, on 23-24 January. An agreement on the reform is possible before the end of this year.
European heads of state and government committed to a “timely” adoption of the new data protection legislation at a summit on 24 and 25 October 2013, which focused on the digital economy, innovation and services (see Conclusions).
What are the next steps?
The data protection reform is a priority for the Greek Presidency. The Presidency convened a tripartite meeting in Athens (on 22 January) with the European Commission, the two European Parliament rapporteurs and the next Presidency of the EU (Italy) to work out a road map for agreeing on the data protection reform swiftly. The objective is to agree on a mandate for negotiation with the European Parliament before the end of the Greek Presidency.
The European Parliament is expected to adopt the proposals in first reading in the April 2014 Plenary session.
An agreement on the data protection reform is thus possible before the end of this year. As a comparison: the current 1995 data protection directive took five years to negotiate.
2. Which are the main benefits of the EU Data Protection Reform?
The European Commission proposals for a comprehensive reform of the EU's 1995 data protection Directive aim to strengthen privacy rights and boost Europe's digital economy. The Commission’s proposals update and modernise the principles enshrined in the 1995 Directive, bringing them into the digital age and building on the high level of data protection which has been in place in Europe since 1995.
Benefits for citizens
There is a clear need to close the growing rift between individuals and the companies that process their data: nine out of ten Europeans (92%) say they are concerned about mobile apps collecting their data without their consent. Seven Europeans out of ten are concerned about the potential use that companies may make of the information disclosed (see Annex).
The data protection reform will strengthen citizens' rights and thereby help restore trust. Better data protection rules mean you can be more confident about how your personal data is treated, particularly online. The new rules will put citizens back in control of their data, notably through:
Benefits for business
Data is the currency of today's digital economy. Collected, analysed and moved across the globe, personal data has acquired enormous economic significance. According to some estimates, the value of European citizens' personal data has the potential to grow to nearly €1 trillion annually by 2020. Strengthening Europe’s high standards of data protection is a business opportunity.
The European Commission's data protection reform will help the digital single market realise this potential, notably through four main innovations:
Benefits for SMEs
The data protection reform is geared towards stimulating economic growth by cutting costs and red tape for European business, especially for small and medium enterprises (SMEs). First, by having one rule instead of 28 the EU's data protection reform will help SMEs break into new markets. Second, the Commission has proposed to exempt SMEs from several provisions of the Data Protection Regulation – whereas today's 1995 Data Protection Directive applies to all European companies, regardless of their size. Under the new rules, SMEs will benefit from four reductions in red tape:
The rules will also be flexible. The EU rules will adequately and correctly take into account risk. We want to make sure that obligations are not imposed except where they are necessary to protect personal data: the baker on the corner will not be subject to the same rules as a (multinational) data processing specialist. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business and to the nature of the data being processed. For example, SMEs will not be fined for a first and non-intentional breach of the rules.
3. What are the "one-stop shop" and the "consistency mechanism" proposed in the EU data protection reform? How will they help?
Within a single market for data, identical rules on paper will not be enough. We have to ensure that the rules are interpreted and applied in the same way everywhere. That is why our reform introduces a consistency mechanism to streamline cooperation between the data protection authorities on issues with implications for all of Europe.
At present, a company processing data in the EU has to deal with 28 national laws and with even more national and local regulators. The Data Protection Regulation will establish a single, Europe-wide law for data protection, replacing the current inconsistent patchwork of 28 national laws. It will also create a regulatory “one-stop-shop” for business: companies will only have to deal with one supervisory authority, not 28.
The flaws of the present system were illustrated in the Google Street View case. The actions of a single company affected individuals in several Member States in the same way. Yet they prompted uncoordinated and divergent responses from national data protection authorities.
The one-stop shop will ensure legal certainty for businesses operating throughout the EU and bring benefits for individuals and data protection authorities.
Businesses will profit from faster decisions, from one single interlocutor (eliminating multiple contact points), and from less red tape. They will benefit from consistency of decisions where the same processing activity takes place in several Member States.
At the same time, individuals will see their protection enhanced via their local supervisory authorities, because individuals will always be able to go to their local data protection authority. The aim is to improve the current system in which individuals living in one Member State have to travel to another Member States to lodge a complaint with a data protection authority just because the company is based outside their home country. At the moment, when a business is established in one Member State, only the Data Protection Authority of that Member State is competent, even if the business is processing data across Europe. The proposals aim to correct this anomaly.
The new rules bring the resolution of a complaint closer to home for citizens, simplifying procedures and removing complexity, and thereby making problems easier and faster to resolve. This would decisively help citizens in cases similar to that of the Austrian student, who had to file his complaint against Facebook in English before the authority in Ireland, where Facebook is established.
The proposals also enshrine the right of a citizen to take a company processing his data to court in his home Member State. Every citizen therefore has rights of administrative and judicial redress at home.
4. How will the EU data protection help the EU Digital Single Market?
The world has changed profoundly since 1995, the year the existing EU data protection framework was adopted. Technological revolutions have led to an explosion in the quantity and quality of personal data available in the Digital Single Market. Companies have learnt to harness its potential in sectors as diverse as insurance, health and advertising. Collected, analysed and moved by these companies, personal data has acquired enormous economic value. According to the Boston Consulting Group, the value of EU citizens’ data was €315 billion in 2011 and has the potential to grow to nearly €1 trillion in 2020.
The data protection reform will help the Digital Single Market realise this potential. The benefits of simplification via the EU data protection reform are estimated at €2.3 billion per year.
The biggest challenge to growth in personal data-dependent industries is a lack of trust. Only if people are willing to give out their personal data will companies reap the full rewards of our digital single market. At the moment, people's trust in the way private companies handle their data is declining.
Data protection has an important part to play in addressing this lack of trust. People need to see that their rights are enforced in a meaningful way. The reform will update citizen’s rights such as the right to be forgotten, the right to data portability and the right to be informed of personal data breaches (see above). The reform will also ensure that the Union’s rules are properly applied. It provides for an effective enforcement mechanism and empowers national regulators to impose fines of up to 2% of a company’s annual worldwide turnover.
5. What is the right to be forgotten? Will it affect the freedom of the press and historical archives?
The Commission's 2012 proposals include a reinforced Right to be Forgotten. The reform proposals build on the existing right to demand that personal data should be deleted if it is no longer needed for any legitimate purpose. This covers all kinds of everyday situations. For example, children may not understand the risks involved in making their personal information available – only to regret it when they grow up. They should be able to delete that information if they want to.
The right to be forgotten is not about rewriting history. The Commission’s proposal protects freedom of expression and the freedom of the media, as well as historical and scientific research. It provides exemptions for these sectors asking Member States to adopt national laws to guarantee the respect of these fundamental rights. This allows archives to continue operating on the basis of the same principles as today. Equally, personal data may be kept for as long as it is needed to carry out a contract or to meet a legal obligation (for example when citizens have a loan contract with their bank). In short, the right to be forgotten is not absolute and does not affect historical research or the freedom of the press.
The rights of businesses are also protected. If the personal data in question has been made public (for example, posted on the Internet), a company must make a genuine effort to ensure third parties know about the citizen's request to delete the data. Evidently a company will not be obliged to wipe out every trace left in search indexes and that is not what the Commission is asking for. Companies should simply take reasonable steps to ensure that third parties, to whom the information has been passed on, are informed that the individual would like it deleted. In most cases this will involve nothing more than writing an email.
6. How will the EU data protection reform affect scientific research?
Scientific research in the EU stands to benefit from the proposed data protection reform. Personal data relating to health are sensitive data and should generally not be processed, unless this is necessary for reasons of public interest, or where the identified person has given his approval. The data protection rules we have in Europe at the moment do not harmonise conditions for health data processing. This has resulted in fragmentation, costs and disincentives for scientists and businesses involved.
The Commission’s reform package aims at eliminating fragmentation and providing consistency and coherence for the whole of the Union. This should in particular benefit the research sector. The General Data Protection Regulation has specific provisions on processing for health purposes and on historical, statistical and scientific research purposes. These provisions will be fully harmonised – providing one set of rules on research data across the Union.
The right to be forgotten does not apply to these sectors.
The uniformity of the rules will reduce costs and complexity, and act as a strong driver for the development of cross-border healthcare services, public-private health initiatives and eHealth applications that crucially depend on the processing of personal data.
7. What is the EU response to allegations of surveillance of European citizens by US intelligence agencies?
Trust across the transatlantic relationship has been damaged by the revelations. The European Commission responded to the U.S. surveillance programmes by making clear that the mass surveillance of citizens is unacceptable. Data collection should be targeted and be limited to what is proportionate to the objectives that have been set. National security does not mean that anything goes.
The surveillance revelations also have an economic impact. A survey carried out by the Cloud Security Alliance after the recent surveillance revelations found that 56% of respondents were hesitant to work with any U.S.-based cloud service provider. That is the impact of consumer mistrust. In monetary terms, the Information Technology and Innovation Foundation estimates that the surveillance revelations will cost the U.S. cloud computing industry $22 to $35 billion in lost revenues over the next three years. In short: lost trust means lost revenue.
The European Union's response
In November 2013, the European Commission set out the actions that need to be taken in order to restore trust in data flows between the EU and the U.S. (IP/13/1166). The Commission's response took the form of (1) a strategy paper (a Communication) on transatlantic data flows setting out the challenges and risks following the revelations of U.S. intelligence collection programmes, as well as the steps that need to be taken to address these concerns; (2) an analysis of the functioning of 'Safe Harbour', which regulates data transfers for commercial purposes between the EU and U.S.; and (3) a report on the findings of the EU-U.S. Working Group (see MEMO/13/1059) on Data Protection which was set up in July 2013.
The Commission's strategy paper called for action in six areas:
The Commission also made clear that standards of data protection will not be part of the on-going negotiations for a Transatlantic Trade and Investment Partnership.
The EU-U.S. Working Group
The ad hoc EU-U.S. Working Group on data protection was established in July 2013 to examine issues arising from revelations of a number of U.S. surveillance programmes involving the large-scale collection and processing of personal data. The purpose was to establish the facts around U.S. surveillance programmes and their impact on personal data of EU citizens.
The main findings of the Working Group were the following:
Making Safe Harbour safer
The European Commission made 13 recommendations to improve the functioning of the Safe Harbour scheme. The Commission specifically called on U.S. authorities to identify remedies by summer 2014. The Commission will then review the functioning of the Safe Harbour scheme based on the implementation of these 13 recommendations and decide on its future.
The 13 Recommendations are (see also MEMO/13/1059):
Access by US authorities
EU-U.S. negotiations on a data protection 'umbrella agreement'
The EU and the U.S. are currently negotiating a framework agreement on data protection in the field of police and judicial cooperation (“umbrella agreement”) (IP/10/1661). The EU's objective in these negotiations is to ensure a high level of data protection, in line with the EU data protection rules, for citizens whose data is transferred across the Atlantic, thereby further strengthening EU-U.S. cooperation in the fight against crime and terrorism.
The conclusion of such an agreement, providing for a high level of protection of personal data, would represent a major contribution to strengthening trust across the Atlantic.
At the last EU-U.S.-Justice and Home Affairs Ministerial Meeting (of 18 November) we made good progress:
The EU and U.S. committed to "complete the negotiations on the agreement ahead of summer 2014" (MEMO/13/1010).
1. Eurobarometer: Seven Europeans out of ten are concerned about the potential use that companies may make of the information disclosed.
Source: Flash Eurobarometer 359: Attitudes on Data Protection and Electronic Identity in the European Union, June 2011
For more information
Reding speech at CEPS
Press pack: data protection reform:
European Commission – data protection: http://ec.europa.eu/justice/data-protection
Homepage of Vice-President Viviane Reding, EU Justice Commissioner:
Justice Directorate General Newsroom:
Follow the Vice-President on Twitter:@VivianeRedingEU
Follow EU Justice on Twitter: @EU_Justice