Joint Statement by Vice-President Andrus Ansip and Commissioner Věra Jourová on European Data Protection Day, 28 January 2015
"Today marks the 9th European Data Protection Day. It is a day to celebrate and raise awareness of the importance of protecting personal data, a fundamental right for everyone in the EU.
On this day, citizens and businesses are waiting for the modernisation of data protection rules to catch up with the digital age. New technologies are emerging fast and have enormous potential for our society and economy. This potential can only be fully realised if people can trust the way their personal data is used. Ensuring trust will allow the European Digital Single Market to live up to its full potential. EU data protection reform, which will cut red tape for business and ensure a single set of rules, is part of the solution.
EU Data Protection reform also includes new rules for police and criminal justice authorities when they exchange data across the EU. This is very timely, not least in light of the recent terrorist attacks in Paris. There is a need to continue and to intensify our law enforcement cooperation. Robust data protection rules will foster more effective cooperation based on mutual trust.
We must conclude the ongoing negotiations on the data protection reform before the end of this year. By the 10th European Data Protection Day, we are confident that we will be able to say that the EU remains the global gold standard in the protection of personal data".
1. Where are we three years after the Commission's proposals?
Three years ago, in January 2012, the European Commission proposed a reform of the EU's data protection rules to make them fit for the 21st century (see IP/12/46). The reform consists of a draft Regulation setting out a general EU framework for data protection and a draft Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities. The proposals are currently being discussed by the two European Union co-legislators, the European Parliament and the Council of the EU in which national Ministers sit.
To become law, the proposals must be approved by these co-legislators.
On 12 March 2014, the European Parliament voted in plenary to back the European Commission's proposal for a data protection reform with an overwhelming majority (MEMO/14/186) (621 votes in favour, 10 against and 22 abstentions for the Regulation; and 371 votes in favour, 276 against and 30 abstentions for the Directive). MEPs voted on the reports of MEPs Jan-Philipp Albrecht and Dimitrios Droutsas that strongly endorsed the Commission's data protection reform. The support at plenary followed previous strong backing at committee level (see MEMO/13/923 and MEMO/14/60). The firm backing by the European Parliament marked an important sign of progress in the legislative procedure.
Council of the EU:
Justice Ministers from the Member States have been negotiating on various aspects of the data protection regulation to reach a common agreement on its provisions among Member States. Three partial agreements have been reached so far on key aspects of the General Data Protection Regulation.
At the June 2014 Justice Council, Ministers agreed on two very important pillars of the data protection reform: on rules governing transfers to non-EU countries or international organisations; and on the territorial scope, meaning that non-European companies have to apply the same rules when offering services to EU consumers. (MEMO/14/381, SPEECH/14/431 and conclusions)
In October, Justice Ministers reached a partial agreement on rules governing the processing of personal data by companies, governments and other organisations, with the objective of cutting red-tape and building flexibility into our future data protection rules. (See MEMO/14/569 and conclusions)
At the December 2014 Justice Council, Ministers reached a partial general approach on rules providing additional flexibility to the public sector when handling personal data. The Council also held a debate on the "one stop shop" mechanism. Once adopted into law, this would mean that companies have to deal with only one supervisory authority, rather than 28, making it simpler and cheaper for companies to do business in the EU. Further technical work is now taking place and an agreement on this point is expected in the coming months. (See conclusions)
Ministers in the Justice Council must now work to finalise the agreement on the Regulation and make progress on the 'police' Directive within 2015.
European heads of state and government reiterated the importance of the timely adoption of a strong EU General Data Protection framework at both the June and October European Council meetings in 2014. The European Council highlights that agreement on the data protection framework is essential for the completion of the Digital Single Market by 2015.
What are the next steps?
One of the Juncker Commission's top priorities is to rapidly conclude the negotiations on the EU data protection rules. The Latvian Presidency is committed to building consensus to achieve a general approach by the end of its mandate in June 2015. The European Commission is pushing for a complete agreement between Council and European Parliament on the data protection reform before the end of this year.
2. Which are the main benefits of the EU Data Protection Reform?
The European Commission proposals for a comprehensive reform of the EU's 1995 data protection Directive aim to strengthen privacy rights and boost Europe's digital economy. The Commission’s proposals update and modernise the principles enshrined in the 1995 Directive, bringing them into the digital age and building on the high level of data protection which has been in place in Europe since 1995.
Benefits for citizens
There is a clear need to close the growing rift between individuals and the companies that process their data: nine out of ten Europeans (92%) say they are concerned about mobile apps collecting their data without their consent. Seven Europeans out of ten are concerned about the potential use that companies may make of the information disclosed (see Annex).
The data protection reform will strengthen citizens' rights and thereby help restore trust. Better data protection rules mean you can be more confident about how your personal data is treated, particularly online. The new rules will put citizens back in control of their data, notably through:
- A right to be forgotten: When you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press (see separate section on this).
- Easier access to your own data: A right to data portability will make it easier for you to transfer your personal data between service providers.
- Allowing you to decide how your data is used: When your consent is required to process your data, you must be asked to give it explicitly. It cannot be assumed. Saying nothing is not the same thing as saying yes. Businesses and organisations will also need to inform you without undue delay about data breaches that could adversely affect you.
- The right to know when your data has been hacked: for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours) so that users can take appropriate measures.
- Data protection first, not an afterthought: ‘Privacy by design’ and ‘privacy by default’ will also become essential principles in EU data protection rules – this means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm – for example on social networks or mobile apps.
Benefits for business
Data is the currency of today's digital economy. Collected, analysed and moved across the globe, personal data has acquired enormous economic significance. According to some estimates, the value of European citizens' personal data has the potential to grow to nearly €1 trillion annually by 2020. Strengthening Europe’s high standards of data protection is a business opportunity.
The European Commission's data protection reform will help the digital single market realise this potential, notably through four main innovations:
- One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
- One-stop-shop: The Regulation will establish a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU; and easier, swifter and more efficient for citizens to get their personal data protected.
- The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than companies established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. We are creating a level playing field.
- European regulators will be equipped with strong enforcement powers: data protection authorities will be able to fine companies that do not comply with EU rules up to 2% of their global annual turnover. The European Parliament has even proposed to raise the possible sanctions to 5%. Privacy-friendly European companies will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive.
Benefits for SMEs
The data protection reform is geared towards stimulating economic growth by cutting costs and red tape for European business, especially for small and medium enterprises (SMEs). First, by having one rule instead of 28 the EU's data protection reform will help SMEs break into new markets. Second, the Commission has proposed to exempt SMEs from several provisions of the Data Protection Regulation – whereas today's 1995 Data Protection Directive applies to all European companies, regardless of their size. Under the new rules, SMEs will benefit from four reductions in red tape:
- Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
- No more notifications: Notifications to supervisory authorities are a formality and red tape that represents a cost for business of 130 million euro every year. The reform will scrap these entirely.
- Every penny counts: Where requests to access data are excessive or repetitive, SMEs will be able to charge a fee for providing access.
- Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a specific risk.
The rules will also be flexible. The EU rules will adequately and correctly take into account risk. We want to make sure that obligations are not imposed except where they are necessary to protect personal data: the baker on the corner will not be subject to the same rules as a (multinational) data processing specialist. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business and to the nature of the data being processed. For example, SMEs will not be fined for a first and non-intentional breach of the rules.
3. What are the "one-stop shop" and the "consistency mechanism" proposed in the EU data protection reform? How will they help?
Within a single market for data, identical rules on paper will not be enough. We have to ensure that the rules are interpreted and applied in the same way everywhere. That is why our reform introduces a consistency mechanism to streamline cooperation between the data protection authorities on issues with implications for all of Europe.
At present, a company processing data in the EU has to deal with 28 national laws and with even more national and local regulators. The Data Protection Regulation will establish a single, Europe-wide law for data protection, replacing the current inconsistent patchwork of 28 national laws. It will also create a regulatory “one-stop-shop” for business: companies will only have to deal with one supervisory authority, not 28.
The flaws of the present system were illustrated in the Google Street View case. The actions of a single company affected individuals in several Member States in the same way. Yet they prompted uncoordinated and divergent responses from national data protection authorities.
The one-stop shop will ensure legal certainty for businesses operating throughout the EU and bring benefits for individuals and data protection authorities.
Businesses will profit from faster decisions, from one single interlocutor (eliminating multiple contact points), and from less red tape. They will benefit from consistency of decisions where the same processing activity takes place in several Member States.
At the same time, individuals will see their protection enhanced via their local supervisory authorities, because individuals will always be able to go to their local data protection authority. The aim is to improve the current system in which individuals living in one Member State have to travel to another Member State to lodge a complaint with a data protection authority just because the company is based outside their home country. At the moment, when a business is established in one Member State, only the Data Protection Authority of that Member State is competent, even if the business is processing data across Europe. The proposals aim to correct this anomaly.
The new rules bring the resolution of a complaint closer to home for citizens, simplifying procedures and removing complexity, and thereby making problems easier and faster to resolve. This would decisively help citizens in cases similar to that of the Austrian student, who had to file his complaint against Facebook in English before the authority in Ireland, where Facebook is established.
The proposals also enshrine the right of a citizen to take a company processing his data to court in his home Member State. Every citizen therefore has rights of administrative and judicial redress at home.
4. Why are EU data protection rules essential for the Digital Single Market?
Creating a Digital Single Market is a priority for the European Commission. Digital technologies know no borders, so it does not make sense for each EU country to have its own rules for data protection, telecommunications services, copyright or spectrum management.
It is a golden opportunity. By fostering a Digital Single Market, we can create up to €250 billion in additional growth, hundreds of thousands of new jobs, and a vibrant knowledge-based society.
But if citizens do not trust e-services, they will never use them. Confidence is paramount, but it is still far from a reality. More than 90% of Europeans are concerned about mobile apps collecting their data without their consent.
The data protection reform will address this lack of trust. It will update citizens’ rights such as the right to be forgotten, the right to data portability and the right to be informed of personal data breaches. The reform will also ensure that the Union’s rules are properly applied. It provides for an effective enforcement mechanism and empowers national regulators to impose fines of up to 2% of a company’s annual worldwide turnover.
Further actions aiming at building trust and confidence in the online world will be part of the Digital Single Market Strategy to be presented in May.
5. What is the right to be forgotten? Will it affect the freedom of the press and historical archives?
The Commission's 2012 proposals include a reinforced "right to be forgotten". The reform proposals build on the existing right to demand that personal data should be deleted if it is no longer needed for any legitimate purpose. This covers all kinds of everyday situations. For example, children may not understand the risks involved in making their personal information available – only to regret it when they grow up. They should be able to delete that information if they want to.
The right to be forgotten is not about rewriting history. The Commission’s proposal protects freedom of expression and the freedom of the media, as well as historical and scientific research. It provides exemptions for these sectors, asking Member States to adopt national laws to guarantee the respect of these fundamental rights. This allows archives to continue operating on the basis of the same principles as today. Equally, personal data may be kept for as long as it is needed to carry out a contract or to meet a legal obligation (for example when citizens have a loan contract with their bank). In short, the right to be forgotten is not absolute and does not affect historical research or the freedom of the press.
The rights of businesses are also protected. If the personal data in question has been made public (for example, posted on the Internet), a company must make a genuine effort to ensure third parties know about the citizen's request to delete the data. Evidently a company will not be obliged to wipe out every trace left in search indexes and that is not what the Commission is asking for. Companies should simply take reasonable steps to ensure that third parties, to whom the information has been passed on, are informed that the individual would like it deleted. In most cases this will involve nothing more than writing an email.
On 13 May 2014, the Court of Justice of the European Union acknowledged that under existing European data protection legislation, EU citizens have the right to request internet search engines to remove search results directly related to them. This right for citizens to request the deletion of their personal data – under certain conditions – has existed in European data protection laws since 1995.
In its ruling of 13 May 2014 the EU Court said:
a) On the territoriality of EU rules: Even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State which promotes the selling of advertising space offered by the search engine;
b) On the applicability of EU data protection rules to a search engine: Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European law when handling personal data by saying it is a search engine. EU data protection law applies and so does the right to be forgotten.
c) On the “Right to be Forgotten”: Individuals have the right - under certain conditions - to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing. The Court found that in this particular case the interference with a person's right to data protection could not be justified merely by the economic interest of the search engine. At the same time, the Court explicitly claimed that the right to be forgotten is not absolute but will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media. A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual's private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant.
More information is available on the ECJ ruling: http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
6. What is the purpose of the Directive?
The 'police' Directive will apply general data protection principles and rules to the data used by police and judicial authorities to cooperate in criminal matters. The Directive will apply to all data processing by the law enforcement authorities, including those which are processed domestically. By contrast, the current Framework Decision only applies to those data which have been exchanged between Member States. This will simplify data processing rules for authorities involved, who will no longer have to apply different sets of rules according to the origin of the data. The Directive, once adopted, will be EU law subject to ordinary legislative procedure, involving also the European Parliament in the law making process. In such a sensitive area affecting citizens' fundamental rights, this is an important guarantee. So is the possible intervention of the European Court of Justice (so far excluded) and monitoring by the European Commission.
The proposed Directive is a timely and necessary instrument, which together with the proposed Regulation, ensures that the EU will have a future-proof, well-balanced and comprehensive framework guaranteeing high standards for the protection of personal data.
7. How will the EU data protection reform affect scientific research?
Scientific research in the EU stands to benefit from the proposed data protection reform. Personal data relating to health are sensitive data and should generally not be processed, unless this is necessary for reasons of public interest, or where the identified person has given his approval. The data protection rules we have in Europe at the moment do not harmonise conditions for health data processing. This has resulted in fragmentation, costs and disincentives for scientists and businesses involved.
The Commission’s reform package aims at eliminating fragmentation and providing consistency and coherence for the whole of the Union. This should in particular benefit the research sector. The General Data Protection Regulation has specific provisions on processing for health purposes and on historical, statistical and scientific research purposes. These provisions will be fully harmonised – providing one set of rules on research data across the Union.
The right to be forgotten does not apply to these sectors.
The uniformity of the rules will reduce costs and complexity, and act as a strong driver for the development of cross-border healthcare services, public-private health initiatives and eHealth applications that crucially depend on the processing of personal data.