Vice-President of the European Commission, EU Justice Commissioner
Assuring data protection in the age of the internet
BBA (British Bankers' Association) Data Protection and Privacy Conference
London, 20 June 2011
Ladies and gentlemen,
I am delighted to be here at the British Bankers' Association's Data Protection and Privacy Conference to share with you my ideas on the upcoming data protection reform for Europe.
The protection of personal data is one of the basic values for people in Europe, for the Member States of the EU and for the EU institutions. The fundamental right to personal data protection is guaranteed for every person in Europe, citizens and non-citizens alike.
Current legal framework and envisaged reform
The current EU legal framework for protecting personal data is from 1995. In the meantime, rapid technological developments and globalisation have profoundly changed the world around us, and brought new challenges for data privacy. With social networking sites, cloud computing, location-based services and smart cards we leave digital traces with every move we make.
In this 'brave new data world' we need a robust set of rules. Our knowledge-based economies thrive on the free exchange of data. Our aim should be to preserve freedom of information and data flows, to create a level playing field for businesses when it comes to data protection obligations, and to protect the personal data of individuals.
In order to find out how to best address these challenges in practice, the Commission has consulted widely. We held a public consultation on the review of the current legal framework followed by targeted stakeholders' consultations throughout 2010. I am very grateful for the British Bankers' Association's valuable contribution to the public consultation, submitted by the European Banking Federation. We also received comprehensive and insightful responses from the UK Ministry of Justice, the Information Commissioner's Office and the Bar Council of England and Wales.
The consultations have confirmed that the underlying principles of the current EU data protection legislation are still very much valid and have stood the test of time. However, it became equally clear that the EU needs a more comprehensive and more coherent approach in its policy for the fundamental right to personal data protection.
One of the concerns raised by the European Banking Federation is the diversity of rules and requirements across different EU Member States and the resulting administrative costs, especially for banks operating in several EU Member States. The upcoming data protection reform is an opportunity to streamline those rules. The current diversity of rules across Member States comes at a huge cost to citizens and businesses alike. A level playing field is clearly in businesses' interest.
This reform will greatly simplify the regulatory environment and will substantially reduce the administrative burden. We need to drastically cut red tape, do away with all the notification obligations and requirements that are excessively bureaucratic, unnecessary and ineffective. Instead, we will focus on those requirements which really enhance legal certainty.
Companies handling personal data in several EU countries currently have to meet different requirements in different Member States. This creates legal uncertainty and extra costs. The new legislation will clarify which law applies, across the EU.
This is what I will do for businesses. In turn, I expect businesses to do their share to ensure safe and transparent digital products and services.
People must know how their data is being used. Service providers have to increase transparency on how a service operates, what data is collected and further processed, for what purposes, and where and how it is stored. In light of recent data theft scandals, let me add that I expect companies to do more to keep their customers' personal data secure. Whether it is the PlayStation, Google or Facebook – I can well understand if users lose trust in the internet and in companies offering online services. Without this confidence, business and the economy as a whole will suffer. We have to regain that trust.
A recent survey across the EU found that while 62% of people trust banks to protect their data, 35% do not. These figures mean there is no room for complacency for the banking sector.
We often hear from citizens who are concerned about the security of their personal data, especially in online transactions. This was also one of the main concerns individual users raised in the public consultation.
Only recently, we witnessed a massive security theft in online gaming services affecting millions of users around the world. This incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers' trust in the online economy.
Companies should beef up their precautions against identity theft and better protect consumers' personal data. They should immediately notify breaches of data security and confidentiality.
I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services.
I understand that some in the banking sector are concerned that a mandatory notification requirement would be an additional administrative burden. However, I do believe that an obligation to notify incidents of serious data security breach is entirely proportionate and would enhance consumers' confidence in data security and oversight mechanisms.
It would also create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data.
Ladies and gentlemen, we will finalise our proposals for revising the EU data protection legislation in the coming months. As I said earlier, we have consulted widely on this major reform of data protection in the EU, and we have taken into account many suggestions and concerns of experts and stakeholders. During my visit to London, I will have the opportunity to discuss our proposals with Justice Secretary Kenneth Clarke who gave a very thoughtful speech on EU data protection reform in Brussels last month.
I welcome the proactive attitude of the United Kingdom's government on privacy and personal data protection. This appears to reflect the public mood. Just to give you an example: I have received letters from parents concerned that their children are fingerprinted in school, without their consent. I have urged the UK authorities to solve this injustice and received assurances that children's biometric data should only be used once parental consent has been obtained.
In fact, outlawing the finger-printing of children at school was one of the commitments set out in the Coalition Agreement as part of this Government's agenda in upholding civil liberties. It features alongside the "ending of storage of internet and email records without good reason". These commitments go very much in the same direction as the protection that is at the heart of the reform of the data protection rules.
So, it is hardly surprising that I can agree with a great deal in Kenneth Clarke's Brussels speech. For example, in re-visiting the EU's data protection rules, there is no need to reinvent the underlying principles. Many of the principles of the current Directive have indeed stood the test of time. I also fully agree that we need to make the rules more relevant to modern methods of business. We need to reinforce the internal market logic of the existing directive, which too often fails to provide businesses with sufficient clarity. Instead it confronts them with a variety of often conflicting standards. I agree with Kenneth Clarke that this needs to be addressed.
He is also right to observe that outside the economic context of the internal market, there is more room, and also a need, for flexibility in the way national authorities meet their data protection objectives. That means a more nuanced approach when we revise the rules on law enforcement to make sure that they comply with the extra guarantees provided by the Lisbon Treaty.
It also goes without saying that reform of the current rules should work with the grain of national systems of enforcement and national constitutional traditions. But if I may be permitted to round off my speech, by returning to my point of departure: what worked in 1995 needs to be adapted to the internet society in which we increasingly live.
We have to be as creative in our thinking on regulatory design, as those who have created and designed the internet and the cloud. I do not see the cloud as a threat to our rights, but as a challenge.
Take the cloud: the story goes that the data in cross-border and cross-continent flows is impossible to regulate. This is not my vision of the future. I agree with those businesses arguing that regulation would be feasible if we make them more accountable! This is why I am considering the inclusion of the "accountability principle" in my reform so that data of citizens exported to third countries is always exported with their rights attached.
Or take the "right to be forgotten". "Impossible" some say, "get over it". Well, I don't agree. Already the current Directive gives individuals a possibility to have their data deleted, in particular when the processing is unlawful. Or take the e-Privacy Directive, where subscribers are entitled to have data that is contained in public directories withdrawn.
I do not approach this subject of the "right to be forgotten" lightly. I know that there is a balance to be struck with freedom of expression. It may also call for some flexibility in the way this balance is struck, but I cannot accept that individuals have no say over their data once it has been launched into cyberspace.
I know that your conference today will touch on many of these issues. I am sure that we can learn from your experiences to build a data protection regime fitted to our new age.