Member of the European Commission responsible for Information Society and Media
Privacy: the challenges ahead for the European Union
Keynote Speech at the Data Protection Day
28 January 2010, European Parliament, Brussels
Ladies and Gentlemen,
I am pleased to be with you today to celebrate the Data Protection Day. The growing number of events organised each year all over Europe to raise awareness and inform citizens of their privacy rights clearly demonstrates the usefulness of this Day. I am particularly glad to see here, in the European Parliament, so many young participants at the "Think Privacy" event. It is evidence of the growing understanding by the young generation of the importance of keeping control over their data.
Whether we want it or not, almost every day we share personal data about ourselves. These data are collected, processed and then stored out of our sight. By booking a flight ticket, transferring money, applying for a job or just using the Internet we are exposing our private lives to others. Sometimes it is necessary. For example we declare our income to allow the State to collect taxes. Sometimes we give our personal data because we simply chose to do so. For example we give our address to a seller to receive new offers and discounts. But sometimes we do not want to show our data. Still, data are being collected without our consent and often without our knowledge. This is where European law comes in.
It is my firm belief that we cannot expect citizens to trust Europe if we are not serious in defending the right to privacy . We need to ensure that personal data are protected against any unauthorised use and that citizens have the right to decide on the way their data are processed. Privacy and the protection of personal data have always been high on my list of priorities as the Commissioner for the Information Society.
Let me give you some examples:
The first is our work with social networking sites. Facebook, MySpace or Twitter have become extremely popular, particularly among young people. However children are not always able to assess all risks associated with exposing personal data. This led me to agree with key providers of social networking services on the "Safer Social Networking Principles for the EU". The providers agreed to ensure that profiles of users under the age of 18 should be private by default and not searchable. On 9 February, on the occasion of Safer Internet Day 2010, we will report on how these principles are being implemented in practice.
The second example is RFID , small chips that exchange information over radio waves. These chips may include sensitive personal data. I share the strong concerns received from citizens about the possible threat of wider use of RFID to their privacy. Therefore, the Commission took the initiative last year to adopt a Recommendation defining how data protection should be guaranteed for RFID applications. As a result the RFID industry committed itself to deliver a Privacy Impact Assessment on the use of these chips.
My third example is behavioural advertising . Monitoring internet users' web browsing to better target them with advertisements gives rise to privacy concerns. Users are not always aware that they are being tracked whenever browsing the Internet. We have launched an infringement procedure in the so-called Phorm case, alerted by worried citizens of the UK. For me it is clear that without the prior informed consent of citizens their data cannot be used .
Better protection of privacy was also one of the priorities of the Telecoms Reform, my fourth example. The amendments the Commission proposed to the ePrivacy Directive provide more transparency and give stronger control to citizens. The European Parliament and the Council supported and adopted these changes. Providers will now have to notify breaches of personal data without delay to both the competent authorities and the individuals concerned. Moreover in the coming months I intend to address in the context of the reform of the EU's General Data Protection Directive the issue of broader application of notification requirements so that they apply also beyond electronic communication networks.
Ladies and Gentlemen,
As the EU's Information Society Commissioner, I have had many opportunities to see the impressive power of innovation of information society and the creation of exciting and promising new products and services. Unfortunately, privacy and the protection of personal data were not always a key ingredient at the early development stage of these products and services.
Here we need a change of approach: Businesses must use their power of innovation to improve the protection of privacy and personal data from the very beginning of the development cycle. Privacy by Design is a principle that is in the interest of both citizens and businesses. Privacy by Design will lead to better protection for individuals, as well as to trust and confidence in new services and products that will in turn have a positive impact on the economy. I have seen some encouraging examples, but much more needs to be done.
Now let me turn to the wider picture. Articles 7 and 8 of the Charter of Fundamental Rights of the European Union enshrine the fundamental rights to privacy and to the protection of personal data of every individual in a legally binding nature. We have also a solid set of principles established by our General Data Protection Directive of 1995. However, we can not rest on our laurels! The world has changed and keeps changing since 1995. The EU has to lead the world when it comes to protecting personal data. As such the EU will have to provide a robust legal instrument to respond to the challenges posed by the rapid development of new technologies and by evolving security threats. The demand for personal data continues to grow massively, and so should our determination to reinforce the rights of individuals over the use of their personal data.
The European Commission is currently analysing the over 160 responses to the public consultation on the reform of the General Data Protection Directive. I can tell you that most responses call for stronger and more consistent data protection legislation across the Union. We will carefully assess all responses and prepare a future proposal in line with the Lisbon Treaty and the Charter of Fundamental Rights. There are important challenges ahead:
We need to clarify the application of some key rules and principles (such as consent and transparency) in practice;
We need to ensure that personal data are protected regardless of the location of the data controller.
We need to promote Privacy Enhancing Technologies (PETs), by introducing new evolving principles (such as ‘privacy by design’).
We need to strengthen enforcement and
We need to incorporate the fundamental principles of data protection to cover all areas of EU competence, including police and judicial cooperation in criminal matters and the EU's external relations.
In our external relations we should firmly promote fundamental rights including the right to privacy and protection of personal data. The right to data protection should also be respected when performing simple operations like transferring money, booking a flight ticket or passing a security check at the airport .
Why should citizens have to reveal their personal information in order to prove that they have nothing to hide?
This leads me to body scanners.
I am convinced that body scanners have a considerable privacy-invasive potential. Their usefulness is still to be proven. Their impact on health has not yet been fully assessed. Therefore I cannot imagine this privacy-intrusive technique being imposed on us without full consideration of its impact.
The same applies to large volumes of our financial data transferred to the U.S. I remain to be convinced that all these SWIFT transfers are necessary, proportionate and effective to fight terrorism. I will be looking into this very closely in the coming weeks.
I want to make sure that our EU legislation and international agreements are based on evidence rather than on emotional responses to the latest scare.
Thank you for your attention!