Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship
Building Trust in Europe's Online Single Market
Speech at the American Chamber of Commerce to the EU
Brussels, 22 June 2010
Ladies and Gentlemen,
It is my pleasure and honour to be with you today. This is a great occasion to discuss consumer and privacy rights in the EU with US companies doing businesses in Europe.
From my experience as Europe’s Telecoms Commissioner, I know first hand about the amazing growth of information technologies. These technologies – from mobile phones to social networking sites – have transformed our society.
Today, I am responsible for Justice, Fundamental Rights and Citizenship – a new portfolio created by European Commission President José Manuel Barroso. My background in telecoms and my new responsibilities to enforce fundamental rights – such as privacy and data protection – give me a useful vantage point as we confront today’s challenges.
I would like to discuss two of these challenges and propose solutions so we can move forward.
First, regulatory barriers are still holding back the potential of a real Singe Market for e-commerce. We need to boost consumers’ and businesses’ confidence in a truly pan-European online marketplace.
Second, we need to modernise our data protection rules, which date from 1995. We need to build up a trusted environment for the use of personal data.
The internet’s full potential will only be realised if it is seen as a trusted and open platform. This is where the European Union can make a difference.
Let me first discuss online commerce.
As a consumer, I can – in principle – compare prices across 27 markets. I want the "power of data" to be at the service of consumers throughout the EU. This is not working at the moment. Where are the European price comparison sites? We are far from realising the €100 billion potential revenues from an online Single Market.
Unfortunately, national barriers hamper the online Single Market’s potential. I can understand the fears and uncertainties of entrepreneurs and consumers:
entrepreneurs are uncertain about what rules apply in different countries. Online businesses have to respect the law of their customer's country, so they need to know the rules of any country where they want to do business.
consumers are uncertain of their rights when they shop online. Even though half of EU households have a high-speed internet connection, consumers' lack of confidence still holds them back from shopping online. Only 12% of EU web users feel safe making transactions on the internet.
Those who do are often frustrated when online sellers ask for a credit card or address in the sellers' country – 61% percent of cases. We cannot be satisfied that national online trade is growing at a much faster rate than cross-border online trade. If this continues, the opportunity for the online Single Market will have been squandered.
What's encouraging is that there is strong desire to take advantage of the Single Market. A third of consumers would consider buying online from another country because it is cheaper or better. Sadly, only 7% actually do so. If we give consumers more confidence, we could unlock the full economic potential of Europe's single online market.
Consumers will hold back from new technologies if they are worried about privacy, the safety of payments and whether they are protected from unfair commercial practices. The Commission’s task is to build trust.
I will ensure that Europe has clear rules for businesses and strong rights for consumers. It’s essential that the European Parliament and the EU's national governments make a breakthrough on a comprehensive proposal harmonising consumer rights. I am confident that we can make real progress. Consumers should be reassured that they are well protected when they shop online and businesses need clarity when venturing into new markets.
We are all aware of the problems with digital content. In Europe, consumers in some countries don’t even have access to some online music stores. We are studying the rules that are applied in different EU countries. One solution may be more specific consumer protection rules for digital content.
I think we also have to recognise that we may be approaching the limits to how far we can go with fully harmonising national consumer protection rules. These often overlap with cherished national contract law traditions.
Does this mean that we have to be content with a second-class Single Market for consumers? I don't think so. It means we have to be prepared to look to complementary tools for those areas where full harmonisation might not to be possible.
That is why in the summer I will launch a public consultation on various longer-term possibilities, including an optional European contract law regime that would be based on a high level of consumer protection.
This would open up the possibility for businesses – and in particular for smaller companies – to choose a single set of terms and conditions based on one law of contract when trading across borders. This is an ambitious project, but in a world revolutionised by the internet, can Europe afford the comfortable certainties of the fragmented status quo?
Let me now turn to privacy and data protection.
With my responsibility for fundamental rights, I know that it is the very "power of data" that requires us to be on our guard to ensure that web surfers’ privacy rights are fully protected. Everyone needs private space – to think freely, grow up, make mistakes, say silly things, experiment, be creative or pursue any other interest. The EU Charter of Fundamental Rights specifically protects our right to personal data and privacy (Article 8).
My paramount goal is to ensure that people have a high level of protection and control over their personal information. Both the makers and users of new technologies – the "merchants of data" – will benefit from a consistent set of rules for 27 countries.
All companies that operate in the EU must abide by our high standards of data protection and privacy.
As I mentioned at the beginning, the EU has had rules protecting the fundamental right to protect personal data since 1995. These rules are built on very strong data protection principles for all industries and technologies.
Until now, the Data Protection Directive has stood the test of time. But now we are facing a whole new way of creating and using data. Entrepreneurs start social networking sites in their college dorm rooms. Web surfers generate their own content and share it by clicking a mouse.
Today people use mobile internet devices that connect them to the internet. Tomorrow they will be connected to physical objects all around them. Businesses use cloud computing to let employees share their work and interact across the world using software in remote locations.
And online operators use behavioural advertising to create profiles of users' online activities to better target them with advertising. There are estimates that this market will grow to over €3 billion in 2012, eight times as much as in 2007. Advertising pays for a large part of the services that makes the internet world turn. But our data protection principles say that peoples' emails and online activity can only be used this way if individuals are fully aware of the use and they do not object. So we need rules that make the obligations for respecting privacy rights very clear.
This data revolution is putting individuals centre-stage when it comes to the “management” of their personal data. This requires a shift of focus for the policy makers.
Personal data can circulate easily through the private sector, governments or law enforcement authorities across different parts of the world where different rules exist.
Is all this data used in legitimate ways? Is it transferred in secure ways? There is no room for doubt when we are dealing with peoples' personal information. There must be clear rules and specific guidance for applying the data protection principles in practice.
That is why we are now going to modernise the EU's data protection rules so that they meet the needs of the 21st century and a truly globalised interconnected world. We will re-examine these principles of data protection that have worked well for Europeans since 1995, and see if new ones need to be added.
Let me outline three initial thoughts on how these rules may be updated.
First, we need to find ways to empower web surfers. Internet users need to feel that their fundamental rights, and their personal data, are safe in the digital world.
Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will. In the recent public consultation on the review of the data protection rules, we were told that there should be "a right to be forgotten." We need to look more closely at this idea. More control also means being able to move your data from one place to another, and to have it properly removed from the first location in the process. If I have my precious photos stored somewhere in the cloud, what happens if I want to change to another provider? There is also an important competition point here. As EU Telecoms Commissioner, I fought to make number portability a real option for consumers, in the interests of competition. I can see the same logic applying here with data.
Second, I see the need for having more clarity about what "users' consent" means in practice. This is one of the essential steps if we are to build a firm basis of trust. Users must have informed consent to use of their personal data. In practice, that means working to avoid ambiguous and confusing information or the absence of any real information. More trust also means more legal certainty for the "merchants of data."
Third, we also need to extend the fundamental principles of data protection into one comprehensive set of EU rules, which also applies to police and judicial cooperation in criminal matters.
In conclusion, European regulators need to ensure that internet users can trust online operators with their personal information. This trust must not be abused. We must prepare a level playing field between users and operators. Operators of all online tools and services must be very clear that they are obliged to respect the fundamental right of protection of personal data.
I am very much aware that this sector needs clarity, not red tape. Anyone who works with the internet knows that users' confidence is paramount. That is why industry self-regulation could work well in this area to complete the existing rules. I am considering this approach as a way to have codes of conduct, the incorporation of “privacy by design” principles and more use of Privacy Enhancing Technologies. I will study whether we can cut unnecessary red tape when existing rules are applied.
Ladies and Gentlemen,
The internet changes and enriches our lives. As regulators, we must nurture its strength and ensure that privacy and data protection rights are protected. We will succeed as long as we build trust in Europe's online Single Market.