Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship
Privacy matters – Why the EU needs new personal data protection rules
The European Data Protection and Privacy Conference
Brussels, 30 November 2010
Ladies and Gentlemen,
I am delighted to be with you today at the European Data Protection and Privacy Conference. Most of you know that the European Commission recently set out its strategy on how to protect personal data. Your conference gives me an excellent opportunity to explain – for the first time in public – and share with you my ideas on the upcoming data protection reform for the EU.
People sometimes ask me: why do we need any changes? Don't we already have good legislation: the Data Protection Directive of 1995? My simplest answer is: Yes, we do! Even though we have the best data protection laws in the world, the rapid pace of technology change has prompted new questions and challenges. Privacy nowadays has become a moving target: new risks need better legal remedies.
These risks are related to how we live today. Personal data can easily be stored and then even more easily multiplied on the Web. But it is not easy to wipe it out. As somebody once said: “God forgives and forgets but the Web never does!” This is why the "right to be forgotten" is so important for me. With more and more private data floating around the Web – especially on social networking sites – people should have the right to have their data completely removed.
The protection of personal data is one of the basic values for Europe. With the entry into force of the Lisbon Treaty last year we now have a mandate to devise a comprehensive strategy to protect this fundamental right within the EU.
I want to make sure that our citizens' rights are well protected, both offline and online, both in their private and business relations, both in the context of civil and criminal law, and – last but not least – both within the EU and in our relations with third countries.
I made this very clear in the recent Commission Communication on “a comprehensive approach on personal data protection in the EU”.
My key objectives are: strengthening the rights of individuals to protect their personal data; enhancing the Single Market dimension; and reinforcing data controllers' responsibility. Let me explain these goals one by one:
First, I believe individuals need to be able to maintain control over their data. This is particularly important in the on-line world, where data protection practices are often unclear, non-transparent and not always in full compliance with existing rules. Individuals need to be well and clearly informed, in a transparent way, about how and by whom their data are collected. They need to know what their rights are if they want to access, change or delete their data.
I want to introduce the "right to be forgotten". Social network sites are a great way to stay in touch with friends and share information. But if people no longer want to use a service, they should have no problem wiping out their profiles. The right to be forgotten is particularly relevant to personal data that is no longer needed for the purposes for which it was collected. This right should also apply when a storage period, which the user agreed to, has expired.
Second, the reform will enhance the Single Market dimension. Companies often complain about how Member States apply rules differently. This creates legal uncertainty and adds costs and administrative burdens.
To ensure a true level playing field across the EU, we will further harmonise data protection rules. We aim to reduce and simplify administrative formalities, such as notifications to data protection authorities.
Third, the reform tackles how our data is treated. Companies that are in control of our personal data will need to better assume their responsibilities by putting in place effective data protection mechanisms. These mechanisms could include establishing Data Protection Officers, carrying out Privacy Impact Assessments based on EU data protection rules, and applying a “Privacy by Design” approach. Businesses must use their power of innovation to improve the protection of privacy and personal data from the very beginning of the development cycle.
Fourth, I also believe that the role of national data protection authorities should be considerably strengthened. We should provide them with the necessary powers and resources to properly exercise their tasks. We should also reinforce their cooperation and better coordinate their activities, especially when confronted by cross-border or international issues.
In order to put these four proposals in place we need further harmonisation and approximation of data protection rules.
Existing legislation gives the Member States some room for manoeuvre to maintain or introduce particular rules for specific situations. This, together with the fact that the 1995 Directive has sometimes been incorrectly implemented by Member States, has led to divergences between the national laws.
Even when there is only one European issue, there is not always one European response. Take the example of Google StreetView and the collection of snippets of personal information from unsecured WiFi networks. This did not only prompt different responses by national data protection authorities but it also led the company to provide different remedies for individuals in different Member States.
This situation runs counter to both of the two main objectives of the existing Data Protection Directive: ensuring the protection of a fundamental right and ensuring the free flow of personal data within the Single Market.
New general data protection legislation with precise and detailed rules will produce benefits for all stakeholders.
First and foremost, individuals will be able to understand what their rights and obligations are when it comes to personal data processing in Europe.
For data controllers, businesses and public authorities alike, a more detailed and precise set of data protection rules would provide for legal certainty, reduce costs, be easier to apply, and therefore will create incentives for better data protection compliance.
In addition, data protection authorities with identical powers and enough resources would be better equipped for better co-ordination of their activities, especially when confronted by issues which, by their nature, have a cross-border dimension.
And, let us not forget: A high and uniform level of data protection legislation within the EU will be the best way of endorsing and promoting EU data protection standards globally. Our citizens expect action and concrete results from Europe. I am determined to work in this direction. Thank you!