Vice-President of the European Commission, EU Justice Commissioner
The reform of the EU Data Protection Directive: the impact on businesses
European Business Summit
Brussels, 18 May 2011
The growth of the internet economy brings tremendous economic benefits. This needs to be taken very much into account when the EU will start working on a new, modern and comprehensive framework for data protection across our continent later this year.
Quite naturally, businesses see the upcoming data protection reform as an opportunity to reaffirm the internal market dimension of personal data. Indeed, the lack of harmonisation at EU level comes at a huge cost and is detrimental to everyone, companies and citizens alike. A level playing field is needed.
I want to make sure that new data protection rules meet the challenges of globalisation and emerging technologies, stimulate our economy and foster economic growth. My solution is to simplify EU rules and to increase the harmonisation within the EU. I want to reduce the current fragmentation of the EU legal framework and further harmonise data protection rules across the EU, while maintaining a high level of data protection.
I also intend to reduce the administrative burden for businesses. We need to make a drastic move in cutting red tape, which today exists mostly at national level in the field of data protection. We have to cut all those notification obligations and requirements which are excessively bureaucratic, unnecessary and ineffective. We need to focus on those requirements which enhance legal certainty.
Firms handling personal data in several Member States are currently subject to different decisions in different Member States. This creates legal uncertainty and costs. Therefore, the new legislation will clarify which law applies to a company active in several Member States.
Companies expect us to facilitate international data transfers. Free flow of data is imperative for doing business in today's global economy. Just look at the importance of cloud computing for today's businesses. Data can be collected in Germany, stored in India and processed in the United States. We are working on improving the current mechanisms and looking at the model of "Binding Corporate Rules" – codes of conduct based on strict EU data protection standards. These rules could be voluntary but legally binding and fully enforceable. For the European Commission, it remains essential that EU data are adequately protected when transferred and processed outside the EU. A sound data protection framework fosters trust, which is an essential component of a well-functioning society.
This is what I will do for businesses. In turn, I expect businesses to do their share to ensure safe and transparent digital products and services. The key principle of EU data protection rules is that users have to give consent before their data is used. This information cannot be passed on without the user’s approval and companies cannot use it for purposes other than what was agreed. People must know how their data is being used. Service providers have to increase transparency on how a service operates, what data is collected and further processed, for what purposes, where and how it is stored and ensure appropriate security measures. Transparency is the key word, as are privacy-enhancing technologies that need to be built into the architecture of new digital environments, to ensure 'privacy by design'.
I want to provide a uniform European approach towards cloud computing, which has great potential in terms of efficiency, innovation acceleration and cost savings for economic operators. I want to make sure that our data protection rules cover the use of cloud computing services provided from outside the EU for EU citizens.
Currently, data transfers outside the EU are allowed only to countries that ensure an adequate level of protection or if there is a standard contract between two companies on data safeguards.
You may wonder how we are going to implement this rule, particularly in cloud computing that entails the continuous transfer of personal data to a big number of destinations.
A part of the answer is that we need to develop our own, European cloud computing centres. Some providers are developing offerings of EU-based clouds. In other words, they assure their customers that data will only be processed in the EU or in countries recognised as "adequate". Other providers are suggesting developing more flexible contract models for third country transfers. This clearly shows that the current rules need to be improved.
In the reform I want to introduce four important changes:
1. Companies outside the EU - if they directly target their activities to EU citizens - will need to abide by the new EU data protection rules.
2. I will introduce a principle of "data protection by design" and reinforce existing rules on security of processing as well as liability of those who control and process data.
3. I will revise the current rules on adequacy and simplify data transfers: streamline and strengthen procedures for international data transfers.
4. I am also thinking about the creation of an EU mechanism for third country providers to voluntarily adhere to EU data protection rules. Such a mechanism would possibly be linked to certification, with guarantees for auditing and enforcement. Over time, this could become an "EU Safe Harbour" system.
The fact that non-EU cloud service providers active in the EU will be covered by EU data protection rules will enhance the confidence of individuals, who would be encouraged to take up cloud services. The new rules will enhance legal certainty and reduce the compliance costs of businesses processing data. They will boost the competitiveness of EU economic operators internationally, as they will find it easier to transfer personal data outside of the EU.
The EU-U.S. cooperation on data protection is crucial to protect consumers and enhance legal security for businesses online. I welcome a draft Bill of Rights just introduced in the US Congress as a bi-partisan initiative of Democrats and Republicans.
The EU and the US have similar concerns with regard to the risks posed to privacy by new technologies. The Commission also shares the main objective of the Bill: strengthening individuals' trust in new technologies through compatible standards. This is a good opportunity to strengthen our transatlantic cooperation.
"Trust in the treatment of personally identifiable information collected on and off the Internet is essential for businesses to succeed". This is a quote from the draft US Bill. It can't be said better. I can say that because the Commission had already inserted exactly this sentence in our Digital Agenda in spring 2010. We are not claiming copyright on this, but are simply satisfied that our most important trading partner is more and more following the EU approach to data protection.
Let's take a concrete example: mobile technologies. Movements of citizens should not be tracked without their explicit consent. Storing location data may lead to betraying the location of users. Service providers on the Internet and on smartphones, as well as providers of car navigation systems, should be fully aware of their responsibilities. In the EU, geo-location information is protected. The draft U.S. Bill proposes the same: it specifically recognises geographic location as "personally identifiable information".
Another example is data security breaches. We have just witnessed a massive security theft in online gaming services affecting millions of users around the world. Security of information needs to be reinforced. Companies should take the utmost precautions to avoid identity theft of their consumers and should be held responsible for immediately notifying breaches of data security and confidentiality.
I will introduce a mandatory data breach notification requirement – the same as I did for telecoms and Internet access when I was Telecoms Commissioner, but this time for all sectors: banking data, data collected by social networks or by providers of online video games. In this context I welcome the fact that the U.S. draft Bill identifies "Right to Security" as the most important right.
You can see that our approaches in the EU and U.S. are similar. In the age of globalisation of data flows we need a common approach of countries sharing the same values. Otherwise we may end up with standards imposed by others. The EU-US "Safe Harbour" mechanism is a good starting point. We should build on it. The core elements should be security, interoperability and personal data protection. Such a scheme could set the world standard and be a reference for businesses around the world.