Viviane Reding
Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship
Towards a true Single Market of data protection
Meeting of the Article 29 Working Party "Review of the Data protection legal framework"
Brussels, 14 July 2010
European Commission - SPEECH/10/386 14/07/2010
Ladies and Gentlemen,
I am very pleased to be here today to discuss privacy and personal data protection matters with the real experts, those who have the essential role of ensuring that European rules are complied with at national level.
Protection of personal data is a fundamental right. As Vice-President of the Commission and Commissioner for Justice, Fundamental Rights and Citizenship I want to make sure that this right is promoted in all our actions.
The current EU rules on the fundamental right to the protection of personal data have stood the test of time. However, we need to address new developments and challenges: the impact of new technologies, the fact that we are now living in a "globalised" world.
Nowadays the exchange of information across the globe has become much easier and faster. The new ways of creating, using and transferring data bring benefits to individuals, businesses and public authorities. However, the data revolution we are witnessing must go hand in hand with the necessary privacy safeguards to gain the trust of our citizens and contribute to boosting our economies.
In addition to trust, the security of personal information needs to be ensured. In particular this applies to the law enforcement area. The increasing demands from public authorities to have access to individuals' personal data and to use online surveillance techniques must not be made at the expense of the confidentiality and integrity in information-technology systems and should respect the rights of individuals even in the information age. We therefore need a comprehensive and coherent approach so that the fundamental rights to personal data protection and others are fully respected within the EU and beyond.
Let me outline my main ideas on the way forward:
Firstly, I believe we need to strengthen individuals' rights by ensuring that they enjoy a high level of protection and maintain control over their data. This is particularly important in the on-line environment, where often privacy policies are unclear, non-transparent and not always in full compliance with existing rules.
Individuals need to be well and clearly informed, in a transparent way, by data controllers – be it services providers, search engines or others – about how and by whom their data are collected and processed. They need to know what their rights are if they want to access, rectify or delete their data. And they should be able to actually exercise these rights without excessive constraints.
Secondly, the internal market requires not only that personal data can flow freely from one Member State to another, but also that the fundamental rights of individuals are safeguarded. Provided that all data protection guarantees are in place and properly applied, personal data should freely circulate within the EU and, where necessary and appropriate, be transferred to third countries.
This requires us to provide a level playing field for all economic operators in different Member States. This is currently not the case: indeed, one of the main concerns expressed by businesses in the recent consultations is the lack of harmonisation and the divergences of national measures and practices implementing our 1995 Directive.
It is therefore clear that we need to provide further harmonisation and approximation of data protection rules at EU level.
We also need to reduce the administrative burden on businesses and public authorities. Certain administrative formalities (for example, notifications) could be reduced, simplified and harmonised. Businesses and public authorities, however, will need to better assume their responsibilities by putting in place certain mechanisms such as the appointment of Data Protection Officers, the carrying out of Privacy Impact Assessments and applying a 'Privacy by Design' approach.
Thirdly, establishing a comprehensive and coherent system at EU level implies that we need to revise the current rules on data protection in the area of police cooperation and judicial cooperation in criminal matters.
The Framework Decision adopted in 2008 is a first step in establishing data protection rules in these areas, but in the post-Lisbon scenario we need to be more ambitious. Moreover, many different instruments have been adopted in the ex-third pillar areas, which provide quite different rules on the protection of personal data. As a result, the protection of personal data in these areas is neither consistent nor uniform.
The European Parliament asked the Commission to act quickly in this respect, and now that the Lisbon Treaty provides us with a solid, comprehensive, legal basis [Article 16 TFEU], we shall not hesitate in providing a consistent and uniform high level of personal data protection in all areas of Union activities.
I am well aware of the specificities linked to the exchange of personal data in these areas, and I intend to take them into account. However, I firmly believe that – in line with the European Convention on Human Rights and well established case-law – derogations to general data protection principles should be limited. They may not go beyond what is necessary and proportionate in order to pursue objectives of general interest, such as the fight against terrorism and organised crime, or the need to protect the rights and freedoms of others.
Fourthly, we also need to ensure that personal data are adequately protected when transferred and processed outside the EU. To that end, I intend to improve, strengthen and streamline the current procedures for international data transfers, including in the areas of police cooperation and judicial cooperation in criminal matters.
At the same time, the EU will continue to promote the development of high data protection standards at international level, by cooperating with relevant international organisations and actors (e.g., the OECD, the Council of Europe, and the United Nations).
And in some cases the conclusion of international agreements – like the one we are about to negotiate with the US on data protection in judicial and police cooperation in criminal matters – can also be an effective tool to enhance cooperation and allow for an exchange of information with the relevant authorities. This agreement will establish a legal framework for data protection, but it will not constitute in itself the legal basis for specific transfers of personal data. A transfer of personal data will continue to require a specific agreement providing the legal basis for it. In any case, my intention is to be ambitious and negotiate a good agreement with the US, ensuring a high level of data protection and providing all necessary guarantees and mechanisms for effective enforcement and compliance.
I am encouraged after exploratory contacts I had with my US counterparts last week in Washington. I expect the Belgian Presidency to give the Commission a mandate in the coming months so that talks can start swiftly.
Last but not least, let me conclude by stressing the importance of implementation and enforcement of the existing rules. This is an essential element to guarantee that individuals' rights are actually respected.
The Commission will certainly continue to play its role as guardian of the Treaties and monitor the implementation of EU rules by Member States – this is a priority for me.
I would like, however, to point out the important role you should play as Data Protection Authorities. You are independent guardians of our fundamental rights and freedoms. You are a founding element of the EU data protection system, as you are the authority upon which individuals rely to ensure the protection of their personal data and the lawfulness of processing operations.
I believe your role should be strengthened and you should be provided with the necessary powers and resources to be able to properly exercise your tasks both at national level and when co-operating with each other.
You also have a very important role as Article 29 Working Party, first of all in advising the Commission on all data protection matters. In that context, I appreciate and very much welcome your continuous input in the current discussion on the review of the legal framework. In particular, I agree with you that we should include the fundamental principles of data protection into one comprehensive legal framework.
Your role is also essential in fostering cooperation between Data Protection Authorities at national and at EU level. This is to ensure a coordinated and uniform approach when applying the common rules. I believe this matter requires serious reflection.
The EU data protection space must be one without cracks and one where the EU laws and regulations are clear and effectively implemented and enforced.
Thank you for your attention.