Speech: The EU's Data Protection reform: Decision-Time is Now

European Commission - SPEECH/13/197   07/03/2013

European Commission

Viviane Reding

Vice-President of the European Commission

The EU's Data Protection reform: Decision-Time is Now

2nd Annual Cloud Computing Conference/Brussels

7 March 2013

Main Messages of the Speech

1/ On timing:

We are at the heart of the negotiations on the legislative proposals [on data protection]. The Irish Presidency is pushing the file forwards. Under the leadership of Jan-Philipp Albrecht, the European Parliament has accelerated its work.

2/ Three reasons why the data protection reform is so important:

First, data protection is a fundamental right in the EU. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe's fundamental values or our common understanding of a free society.

Second, we have to fight for the data protection proposal because it will open up the EU’s digital market. It is good for business. It meets the expectations of business to have a true digital single market with one single law for data protection. [T]he implementation of the current Directive is fragmented and complicated.

I say complicated: the 1995 Directive is 12 pages long, but it is implemented in 27 countries. In Germany, for example, the current data protection law is 60 pages long. Take those 60 pages and multiply by 27 Member States, and you'll get an idea of what the term "regulatory complexity" means in practice. We will replace this mountain of paper with one law that is 91 articles long and valid in all of Europe.

One continent, one law. That’s what I call simplicity. That’s what I call opening a market.

Third, we need to ensure that the same rules apply to all businesses providing services to EU residents. Non-European companies, when offering services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data.

3/ About the current state of negotiations

Data protection law has not fallen from the sky. Let me give you an example of this – the overblown discussion on consent.

The current Directive states since 1995 that consent has to be ‘unambiguous’. The Commission thinks it should be ‘explicit’. 27 national Data Protection Authorities agree. This has become a major talking point. What will this mean in practice? That explicit consent will be needed in all circumstances? Hundreds of pop-ups on your screens? Smartphones thrown on the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists.

Citizens don’t understand the notion of implicit consent. Staying silent is not the same as saying yes.

At the moment, consent is one of several bases which make the processing of personal data lawful. For instance, a business can process personal data for commercial purposes so long as it does not have a significant effect on the rights of the person concerned. This is called the 'legitimate interests' ground. The Commission has not proposed to change this.

'Legitimate interests' is the ground that is currently used by the marketing industry for example. It will continue to be used by the marketing industry. From the perspective of this Regulation, consent is irrelevant in such cases. It will continue to be irrelevant.

4/ About data protection by design and data protection impact assessments:

Experts believe that the hacker attack on Sony, in which the data of 77 million people was compromised, cost the firm between 1 and 2 billion US dollars. That's the cost of non-compliance. And this cost is both high and avoidable. If your business model is in line with the current rules, you have nothing to fear.

5/ On the challenges ahead:

The current Directive has served Europe well. The first challenge of the current negotiations is to make sure that the level of data protection in Europe does not fall below the level established by the Directive.

Another challenge is to make sure that the new rules are technology-proof. The data protection package means that the same rules will apply irrespective of where the data is stored. And they facilitate the flow of data within the Cloud. We are building bridges, not firewalls.

The final challenge relates to the speed with which we will reach a deal. The answer is simple. It is for this Parliament and for the current Members to deliver the reform. They have accompanied the file from the start. It will take the full span of the mandate. But they must finish the job.

Since the beginning of the negotiations, the story has remained the same. Those who want to maintain a high level of protection in Europe have recognised the need to move fast. Those who want to lower the level of protection in Europe have tried to slow the file down. I will not let this happen.

SPEECH

Ladies and gentlemen,

The backdrop to the debate about data protection and the cloud is clear.

The world has changed profoundly since 1995 – the year the existing EU data protection framework was adopted. We now live in a world of immense communication possibilities. We can update our friends and family on every move and in real time. We have access to an infinite pool of knowledge through highly refined search engines and we can entrust our private data to a cloud service provider without ever having to worry about storage space.

This has enormous implications for our economies. In 2011, McKinsey predicted a potential economic surplus of 120 billion euro in Europe by 2020. Last year, the Boston Consulting Group saw a potential 1 trillion euro of added GDP in 2020. We need a fully functioning digital single market to make this work, to unlock that growth potential.

This also raises important questions regarding the rights of citizens. How can we ensure the protection of data in a world of total connectivity? How can we nurture consumer confidence in a world of exploding data volumes? How can we reconcile privacy and digital growth, the rights of individuals and the needs of business?

Just over a year ago, the European Commission presented a data protection reform proposal which answers these questions. Since then, we have witnessed a great debate. It has been intense, vibrant, fascinating.

We are at the heart of the negotiations on the legislative proposals. The Irish Presidency is pushing the file forwards. Under the leadership of Jan-Philipp Albrecht, the European Parliament has accelerated its work.

At a time when discussions are breathless and arguments are flying back and forth, it is important not to lose track of the fundamentals. This is the task I have set for myself today.

There are three key points that I would like to make.

  • First, looking back to the reason why the Commission tabled the proposals, I am more convinced than ever that this reform is crucial for the European Union and its citizens;

  • Second, looking at the current negotiations, we should never forget that the rules the Commission proposed have not fallen from the sky. They are anchored in EU law which has been in force since 1995;

  • Third, looking ahead, we have to take up the challenge and conclude negotiations within the mandate of the current Parliament.

I. Looking back - the reasons for which the reform proposal is important

There are three reasons why the data protection reform is so important.

A. Data protection is a fundamental right

First, data protection is a fundamental right in the EU.

The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe's fundamental values or our common understanding of a free society.

This is why the Union's Charter of fundamental rights recognises both the right to private life in Article 7 and the right to the protection of personal data in Article 8. But this is not all.

Article 16 of the Treaty on the Functioning of the European Union also gives the European Union the legislative competence to establish harmonised EU data protection laws that apply to the whole continent and that make the right to data protection a reality.

Data protection is thus one of the rare fields where we have full coherence between the fundamental right and the EU’s legislative competences. This makes data protection a particularly powerful fundamental right in the European Union, and the Commission’s proposals have been designed to put this right into practice everywhere in our internal market.

B. Data Protection is a Market Opener

Second, the data protection proposal will open up the EU’s digital market. It is good for business.

It meets the expectations of business to have a true digital single market with one single law for data protection.

From this perspective, the implementation of the current Directive is fragmented and complicated.

I say fragmented: A business operating in all 27 Member States has to comply with a different set of rules, and has to deal with a different Data Protection Authority in each country it is active in. 27 laws and 27 interlocutors. With one single data protection law for Europe we create a reliable legal framework for business to operate in.

I say complicated: the 1995 Directive is 12 pages long, but it is implemented in 27 countries. In Germany, for example, the current data protection law is 60 pages long. Take those 60 pages and multiply by 27 Member States, and you'll get an idea of what the term "regulatory complexity" means in practice. We will replace this mountain of paper with one law that is 91 articles long and valid in all of Europe.

One continent, one law. That’s what I call simplicity. That’s what I call opening a market.

C. A Single Rule for EU Citizens

Third, we need to ensure that the same rules apply to all businesses providing services to EU residents. This is at the heart of the proposed EU data protection Regulation.

Non-European companies, when offering services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data. The reasoning is simple: if companies outside Europe want to take advantage of the European market with its potential 500 million customers then they have to play by the European rules.

This is about fair competition. A principle that is cherished far and wide. That’s why, two weeks ago, major EU telecoms operators announced their support for the reform.

But don't forget that there is also a citizen’s perspective to this. It's above all for the 500 million Europeans that we need strong, clear and uniform data protection rules. Europeans need to know that when they are in Europe and their data is being processed, it is being processed according to European standards. According to rules that reflect the fact that data protection is a fundamental right.

II. The current negotiations: evolution not revolution

This brings me to the rules themselves.

As soon as a new piece of legislation is on the table, and often well before that, managers get their calculators out. "Internet services will become much more expensive!", they say. "The days of free social networks are numbered", say others. I’ve heard it all before.

A. No revolution - it’s not just about consent

I believe such predictions of doom are not justified. Data protection law has not fallen from the sky.

Let me give you an example of this – the overblown discussion on consent.

The current Directive states since 1995 that consent has to be ‘unambiguous’. The Commission thinks it should be ‘explicit’. 27 national Data Protection Authorities agree.

What will this mean in practice? That explicit consent will be needed in all circumstances? Hundreds of pop-ups on your screens? Smartphones thrown on the floor in frustration?

No. It means none of these things. This is only the scaremongering of certain lobbyists.

At the moment, consent is one of several bases which make the processing of personal data lawful. For instance, a business can process personal data for commercial purposes so long as it does not have a significant effect on the rights of the person concerned. This is called the 'legitimate interests' ground.

The Commission has not proposed to change this.

'Legitimate interests' is the ground that is currently used by the marketing industry for example. It will continue to be used by the marketing industry. From the perspective of our law, consent is irrelevant in such cases. It will continue to be irrelevant.

But what happens when the processing becomes more intrusive? What happens when a Data Protection Authority says that legitimate interests can no longer apply?

Then you need to obtain the consent of the person and it should be explicit. Citizens don’t understand the notion of implicit consent. Staying silent is not the same as saying yes.

This is not a revolution but an evolution. We do not change the fundamentals. The same goes for other core elements of the proposal – the definition of personal data, the provision on profiling. The Commission didn’t invent data protection in 2012. The principles of the 1995 Directive remain valid. They simply need to be refreshed.

If your business model is in line with the current rules, you have nothing to fear. Things are fine if you comply.

B. Data protection and innovation

It is in the same spirit that the Commission has introduced new concepts such as data protection by design and data protection impact assessments. It is about making sure that the principles of the 1995 Directive are taken into account by businesses from the start.

Experts believe that the hacker attack on Sony, in which the data of 77 million people was compromised, cost the firm between 1 and 2 billion US dollars. That's the cost of non-compliance. And this cost is both high and avoidable.

Compare this with the city of Hamburg in Germany, a place with a thriving gaming industry. Hamburg counts 155 gaming companies with more than 3500 employees. SMEs that are generating growth and wealth. This is a data-sensitive industry developing in an area where data protection standards are high, maybe the highest in the world. Remember, it was the Hamburg data protection supervisor who first questioned face-recognition on Facebook.

C. What does this prove?

First, it highlights why we have to be particularly sensitive to the concerns of SMEs. 99% of EU companies are SMEs. There are 23 million in Europe. They represent two thirds of private sector employment. Our strategy has to be “Think Small First”. The interests of SMEs are not necessarily the same as those of multi-nationals.

Second, it demonstrates that innovation and data protection are complementary not conflicting objectives. The success story in Hamburg continues. Despite, or maybe thanks to a Data Protection Authority that takes its job seriously.

In fact, new business models based on data protection are mushrooming. Think reputation management. Think safe cloud services. Think new hard- and software that makes online banking more secure. Putting people in control of their own data, including on the Internet, will bring concrete benefits to individuals. They want new ways of managing their identities.

Privacy is a business opportunity and our rules recognise this.

III. The challenges ahead

A. Maintaining the level of protection in the European Union

The current Directive has served Europe well. The first challenge of the current negotiations is to make sure that the level of data protection in Europe does not fall below the level established by the Directive.

I have already explained that data protection is a fundamental right. But the benefits of a high level of data protection within the European Union can be measured not just in terms of citizens' rights.

Personal data has become a highly valuable asset. The market for analysis of large sets of data is growing by 40% per year worldwide. The currency of this new digital economy is data and in many cases personal data.

But the free flow of any currency depends on a precious commodity: Trust. It is only when consumers can 'trust' that their data is well protected that they will continue to entrust businesses and authorities with it by buying online and accepting new product developments and services.

And trust is waning. 72 per cent of Europeans have told us in surveys that they are concerned about how companies use their personal data. It is one of the most frequent reasons why people don’t buy goods and services online.

This trend needs to be reversed. Reliable, consistently applied rules make data processing safer, cheaper and inspire users' confidence. Confidence in turn drives growth.

B. The challenge of new technology

The second challenge is to make sure that the new rules are technology-proof.

The Cloud is the most relevant example for today. Data flows don't stop at national borders, and they don't stop at the borders of our continent either. The cloud means that personal data can be stored anywhere. It could be stored on servers located in California or the Caribbean.

That's why the proposals establish an important principle. They make clear that our rules apply to any data controller that offers goods or services to an individual residing in the EU. It will make no difference whether the data controller is established within the European Union or not.

This is the platform on the basis of which the proposals facilitate international data transfers. The proposals extend and simplify procedures such as "binding corporate rules" – codes of conduct allowing for transfers within companies with branches inside and outside the EU. In most cases, we will eliminate the need to obtain the authorisation of supervisory authorities before transferring data outside the EU.

We have also introduced a system to ensure that Europe's rules are interpreted and applied in the same way everywhere in Europe. That's the consistency mechanism.

Individual decisions will still be taken by national Data Protection Authorities. But we need to streamline cooperation on issues with implications for all of Europe. Here, the core work will be done by the European Data Protection Board, which brings together all 27 national Data Protection Authorities. In pan-European cases, the Board will issue an opinion, which national data protection authorities must take into account. The Commission intervenes only as a last resort if the Board is not followed. The Commission acts as a backstop. First the Commission will issue an Opinion; if necessary it can adopt a general rule. For the citizen, this ensures that difficult decisions are taken. For business, this ensures that the internal market is brought about.

These rules are tailor-made for the Cloud which needs consistent rules allowing data to flow across borders as easily as the air we breathe. The data protection package means that the same rules will apply irrespective of where the data is stored. And they facilitate the flow of data within the Cloud. The rules I have proposed reflect the reality of the Cloud. We are building bridges, not firewalls.

C. The challenge of time

The final challenge relates to the speed with which we will reach a deal. The answer is simple. It is for this Parliament and for the current Members to deliver the reform. They have accompanied the file from the start. It will take the full span of the mandate. And will finish the job.

Some will say this is all going too fast. This is too complex. The ramifications are huge.

Yes, the file is important. And that is exactly why we need to drive these negotiations to a conclusion.

Those who want to maintain a high level of protection in Europe have recognised the need to move fast. Those who want to lower the level of protection in Europe have tried to slow the file down. The first category is in the lead.

The questions on the table are well known to all involved. This is the fourth year of the reform. It all began with a conference in May 2009. We went through a public consultation, a Communication. The European Parliament, under the guidance of Axel Voss, responded with a Resolution in July 2011. The proposals have been on the table for over a year. By 2014, the reform will be in its fifth year. We know what the issues are. There have been no surprises. The file is ripe and the time is now.

Ladies and Gentlemen,

We want to open new growth opportunities that Europe needs, and at the same time, we want to make data protection an effective right for everybody. We will deliver effective, practicable and future proof data protection rules that enable growth. I will do everything I can to support the Irish Presidency and the European Parliament in this endeavour. And I hope I can count on your support, too. To deliver what business wants. To deliver what citizens want. And to bring European data protection rules into the digital age.

