Vice-President of the European Commission, EU Justice Commissioner
The future of data protection and transatlantic cooperation
Speech at the 2nd Annual European Data Protection and Privacy Conference
Brussels, 6 December 2011
Ladies and Gentlemen,
I am happy to be with you today at the second annual European Data Protection and Privacy Conference. I am glad to see so many esteemed colleagues and experts from the United States. With such an audience, I am sure that we will come away from this conference fired up with bright new ways to ensure data protection on both sides of the Atlantic.
I would to talk about the current data protection and privacy landscape in Europe and challenges for the future of trans-Atlantic cooperation. I will also give a preview of what I have in mind to ensure the fundamental right to data protection here in Europe.
Firstly, how do we in the European Commission see data protection and privacy today? You know perfectly well how much technology has progressed and how the world has become much smaller over the past 16 years, since our current Data Protection Directive was created.
In the digital age, the collection and storage of personal information are essential. Data is used by all businesses – from insurance firms and banks to social media sites and search engines. In a globalised world, the transfer of data to third countries has become an important factor in daily life.
We all know that data is a key economic asset. Vast amounts of personal information are transferred and exchanged every day, around the globe in fractions of seconds. We need to facilitate these exchanges if we are to encourage innovation and stimulate growth. But we also need to protect the rights of those whose personal data is transferred to third countries, outside the European Union.
So how are we doing this in Europe?
I want to create a level playing field for companies and create rules which are business-friendly. I want to simplify the rules and eliminate unnecessary costs and administrative burdens. Inconsistent rules hold back businesses. If we want to encourage companies to take advantage of new technologies and operate across borders, we need to make the rules simpler.
One good tool which facilitates secure transfers of data is binding corporate rules. These codes of practice are based on European data protection standards. Businesses adopt them to ensure adequate safeguards for transfers of data between companies, even those situated outside the European Union. Once approved by our data protection authorities, they become legally binding. In my reform I want to make it easier for companies to develop such rules and have them approved.
I also want to simplify the regulatory environment. I want to introduce one data protection law in Europe and have one single data protection authority for each business. The rule is simple: A business will be subject to the data protection authority in the Member State of its main establishment in the EU. To get it consistently done, we need reinforced cooperation between fully fledged data protection authorities in our Member States.
All these measures will allow companies to sell goods and services under the same rules to 500 million people. This massive market is a huge opportunity for companies surrounded by clear legal rules.
This is for business side. However, this must not be done at the expense of individuals' rights. Their data needs to be properly protected. We Europeans place a high value on privacy and data protection: The right to protection of personal information is enshrined in our Treaty and our Charter of Fundamental Rights.
This is why I will propose a new European law on data protection next month. It will replace the law from 1995, when the full potential of the internet had not yet been realised. In a world of ever-increasing connectivity, our fundamental right to data protection is in this moment seriously tested. Although the basic principles and objectives of the 1995 Directive remain valid, the rules need to be adapted to new technological challenges.
People are sharing more and more personal information online and it is now important to ensure their rights. For this reason, the reform of EU data protection rules will include easier access to one's own data, and better data portability so that it is simple for users to transfer their data between providers.
I also want to establish the famous right to be forgotten, which will build on existing rules to better cope with privacy risks online. I believe this right is very important in a world of increased connectivity and the unlimited search and storage. If users no longer want their data to be stored, and if there is no good reason to keep it online anymore, the data should be removed.
Solid rules are good for consumers but they are also good for internet companies. Because they create legal certainty - they enhance users' trust. To flourish, the digital economy needs trust. Consumers must have confidence when giving personal information online. Otherwise, they are hesitant to buy online and accept new digital services. Clear rules are needed for the transfer of data outside the EU. This is why my proposals pay utmost attention to international transfers.
Transfers are not only important in the commercial field. They are also important for police and judicial cooperation. Our current law in this area only sets standards for data when it is transferred between Member States, but not when treated inside Member States themselves. This means that the rights of citizen depend on which EU Member State is processing their data.
I want, in this reform, to introduce the same rules for both cross-border and domestic processing for law enforcement purposes. This will enhance mutual trust between police forces in different Member States and improve the free flow of data in the fight against crime.
As you can see, we in the EU are doing our job. And I could stop my speech here. But this is a globalised world and we are also counting on others to take data protection seriously. We also need others to build trust – both in the commercial and law enforcement fields.
I am reading in the press more and more about European internet companies offering a cloud computing service which stays in Europe. Just yesterday I read about a Swedish company whose selling point is that they shelter users from the US Patriot Act and other attempts by third countries to access personal data.
Well, I do encourage cloud computing centres in Europe - because we need more innovation, more research and more investment in the ICT industry. But this cannot be the only solution. We need free flow of data between our continents. And it doesn't make much sense for us to retreat from each other.
You might remember that last year I welcomed the Democrat-Republican joint initiative on data protection. In April, Senator John Kerry and Senator John McCain introduced a draft Commercial Privacy Bill of Rights. It made headlines. The Senators made clear that a federal law is necessary to ensure the protection of privacy in the United States. They argued that the U.S. government had a substantial interest in creating a level playing field for all collectors of personal data both in the U.S. and abroad. This sounded encouraging indeed!
However, I have been told that only voluntary codes of conduct based on multi-stakeholder consultations are envisaged. Well, I hope I got it wrong – because I am worried that US 'self-regulation' will not be sufficient to achieve full interoperability between the EU and US.
I spoke to you earlier about our approach in the law enforcement area. This is also an area where we can do better in our trans-Atlantic relations. You might know that we are currently negotiating a data protection agreement with the US. And we will still need to achieve substantial progress to conclude these negotiations in 2012. I hope we will manage to do it.
Europeans should be confident that their rights are respected whenever their personal information is transmitted in Europe or over the Atlantic for law enforcement purposes.
Ladies and Gentlemen, this is how I see the current landscape in data protection and privacy. Trust has been at the core of the relationship between the EU and US. We need to make sure that future developments in data protection enhance this trust – based on firm legal grounds on both sides of the Atlantic. I hope our reform of data protection rules in the EU can be an inspiration for such changes in the US and elsewhere.