Vice-President of the European Commission, EU Justice Commissioner
Who pays for Data Protection?
EPP Group Public Hearing
Brussels, 31 March 2011
Ladies and gentlemen,
Thank you for inviting me to this debate on the very important question: "Who pays for Data Protection?" I am pleased to see that the European Parliament is taking a proactive approach to the data protection reform, which is my top legislative priority. Two weeks ago, here in the Parliament, I spoke about the right of protecting personal data. Today you have asked me to speak on the financial burden of this fundamental right.
To start with, let me remind you that our European law, the 1995 Data Protection Directive, has a strong built-in internal market logic. It states that "the establishing and functioning of an internal market require not only that personal data should be able to flow freely from one Member State to another, but also that the fundamental rights of individuals should be safeguarded."
The Directive's principles have stood the test of time. However, Europe has become more united, the internal market more coherent and data flows more global. Now, we need to catch up and make the rules future-proof for the decades to come.
Citizens expect action in this field. According to a recent Eurobarometer, 70% of EU citizens are concerned that their personal data may be misused. They are worried that companies may be passing on their data to other companies without their permission.
This issue has also come up across the Atlantic. You must have heard about the famous "do not track" initiative in the U.S. It has won wide support not only of U.S. citizens but also of U.S. businesses. And I am very glad that recently the Obama administration took a decisive step by announcing its intention to work with Congress on "a privacy bill of rights".
That means very clearly that the U.S. is approaching the EU regulatory model. It is important because under the reformed system in Europe all companies will be treated the same – no matter where they are based. As long as a company is targeting an EU citizen, it must abide by EU rules. There will no longer be any possibility for data controllers outside the EU to have a "free ride" when operating in the EU.
Ladies and gentlemen, all fundamental rights have a cost. The right to the protection of data is not an exception. Costs are carried by businesses, administrations and citizens – actually by society as a whole. But I believe that companies have specific responsibility because data is often their main economic asset. Data is a very valuable commodity and unfortunately many citizens do not know it or forget it.
However, new law should not unduly punish the industry. While ensuring the rights of citizens, the reform needs to help encourage economic progress. It is thus my intention to help businesses to cope with high data protection standards. And here are my five priorities to do so:
First, companies often complain about working in a fragmented regulatory environment. The fragmentation of rules creates legal uncertainty and is a source of additional operating and compliance costs. My solution is to reduce this fragmentation and increase the harmonisation of data protection rules within the EU. This affects all companies, particularly those conducting business and processing personal data in several Member States.
Second, I am committed to promoting innovation and new services. But the current inconsistent application of EU law impacts the take-up of on-line and audio-visual media services. Citizens are limited in their use of new technologies because of a lack of trust in the digital environment and fears about possible misuse of their data. This creates costs for economic operators, and for the EU economy at large. For me one thing is very clear: trust is necessary for innovation. And innovation will speed up the marketing of new services. So in the beginning you need trust if you want to open market possibilities for a product and reach consumers by gaining their acceptance.
Third, I want to create a one-stop shop for all cross-border businesses by simplifying the rules of applicable law. Currently firms handling personal data in several Member States are subject to different decisions in different Member States. Again, this creates legal uncertainty and costs. Under my proposal, the simultaneous application of different laws to the same company active in several Member States will need to be avoided.
My fourth proposal is to facilitate international data transfers and to streamline and improve the procedures for exporting data.
Today, an EU company can send data to any company outside Europe under contractual agreements. The complexity of these contracts varies significantly across the EU. Larger companies have partly answered to this problem by adopting EU standards of data protection across all their units in all locations worldwide. A possibility of expanding the scope of such intra-business rules to "groups of companies" could be assessed, once we have a new EU data protection law in place.
In the meantime, I want to introduce intra-company standards rules officially in the new legislation. The procedures of putting them in place will be simplified and shortened, in particular by introducing the "mutual recognition" principle: once approved by a data protection authority in one Member State, the standard would be automatically recognised in other Member States.
My fifth pro-business measure is to cut red tape. I want to eliminate those administrative obligations and requirements imposed on businesses that are unnecessary and ineffective. For example, I will drastically simplify the current system of notifications to data protection authorities. The general obligation to notify data processing activities will be abolished. On the contrary, concerning the more delicate personal data, there will still be rules in place.
Ladies and gentlemen,
Data protection is both a fundamental right and a guarantee for a well functioning internal market. It is an invaluable asset that needs to be protected and further developed.
Many economic activities are linked to the processing of personal data. They can flourish if they have good data protection legislation which enhances consumers' trust. Strong growth of the internet economy, widespread use of new mobile devices, and the expansion of e-commerce and other web-based services will certainly bring us tremendous economic benefits.
However, trust can be enhanced only if all economic actors comply with the rules. Again, there should be no "free riders". We have seen that the current rules that require that users must give consent before their data is used are not fully applied.
Why should some companies that already apply high privacy standards and the "privacy by design" principle suffer competitive disadvantage? Some companies have spent time and money to develop solid data protection measures. Why can't the transparency and fairness in handling personal data be complied with by all businesses? There should be a level playing field for all companies in the EU. And no one should get away with avoiding the rules.
I strongly believe that the cost of no action in the field of data protection is much higher than the cost of improving the rules. A renewed data protection framework is a key element for increasing people's trust in new products and services, particularly in information and communication technologies, thus helping to stimulate the European economy. And it is in this sense that I look forward to hearing your thoughts about how data protection can help businesses compete better in our internal market while at the same time ensuring privacy of citizens. A robust and predictable regulatory environment benefits everyone – businesses and citizens.
Thank you for your attention!