Speech: Intervention in the Justice Council, 8 March 2013

European Commission - SPEECH/13/209   08/03/2013

European Commission

Viviane Reding

Vice-President of the European Commission, Justice Commissioner

Intervention in the Justice Council, 8 March 2013

Justice Council/Brussels

8 March 2013

Main Messages

On timing:

A lot of ground has been covered in only 8 weeks. The first reading of the Regulation was completed in January – all its 91 articles. Solution-orientated discussions have begun on key elements of the Regulation. This is significant and extremely encouraging.

Discussions are also advancing at a fast pace in the Parliament. The various committees involved are sticking to all their deadlines. The Rapporteurs are preparing for a vote on the reports in the lead committee in April.

All the elements are falling into place to make decisive political progress on this critical dossier under the Irish Presidency.

Today's meeting is all about making sure our rules work in practice. About designing rules that offer a high level of protection without overburdening business or constraining the public sector unnecessarily.

On the Risk Based Approach

There are three principles that guide me on this point.

First, the purpose of the Regulation is to maintain the high level of protection of the 1995 Directive while taking into account changes in technology and business over the past 18 years.

A narrow definition of data, which would mean that some data protected in the past would no longer be covered in the future, is out of the question. This would reduce the level of data protection in Europe. This is something that the European Commission and I will not accept. It would take unanimity in the Council to change this.

The second principle is that we must design rules that are good for SMEs.

The third principle is that we should not create unnecessary administrative formalities.

1/ On the definition of data/use of pseudonymous data

We should encourage companies to use pseudonyms rather than the actual names of persons. This makes sense. It is in the interest of citizens. For pseudonyms to be used, you need to create incentives. Lighter obligations on privacy by design or on notification of breaches are candidates.

But I would sound a note of caution: Pseudonymous data is personal data. It relates to an identified or identifiable natural person and has to be protected under the Charter and EU law.

I am happy to work on the notion of pseudonymous data but I will be vigilant. We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions.

2/ On SMEs and cutting red tape

Protecting the interests of SMEs is a top priority for the Union. The interests of SMEs are not necessarily the same as those of multi-nationals. That is why throughout the Regulation, the Commission has proposed exemptions for SMEs where they are justified.

This is relevant for the question of data protection officers (DPOs). My proposal is balanced. DPOs should be mandatory except for SMEs whose core business is not data processing. I think this proposal ticks all the boxes. It takes risk into account. It is flexible. It helps SMEs.

The Presidency suggests developing specific criteria for distinguishing different levels of risk. The key word here should be simplicity. We are not here to create a toy for the lawyers of multi-nationals. We should provide legal certainty to SMEs who should know clearly what their data protection obligations are. We need standard criteria and parameters, which allow simple compliance and supervision.

Complexity creates costs. If you Ministers force the butcher on the corner to prove he is not a data protection risk, you Ministers will deserve the "Nobel Prize for Red Tape". I am very sure that you are not interested in such a decoration!

On the flexibility for the public sector

The Presidency paper confirms the key point I made in December: there is already considerable flexibility with the Regulation. In December I committed to finding solutions within the Regulation point by point. I stand by this commitment.

Our German colleague Hans-Peter Friedrich and I have made significant progress in finding appropriate text that should be added in relation to Article 6(3). The purpose is to clarify the scope of the rules that can be adopted at national level.

I have also worked with our Swedish colleague Beatrice Ask on public access to documents. I understand that this is an issue of constitutional and cultural importance. I am prepared to work on a tailor-made provision to deal with this. On both these points we have made considerable progress.

I want a deal that is good for citizens and that is good for business. We need to maintain the high level of data protection in Europe created by the 1995 Directive. At the same time, we need to find solutions that are workable for business and for public administrations.

Introduction

First and foremost, I would like to thank the Presidency for all the hard work it has done on the Data Protection Reform.

A lot of ground has been covered in only 8 weeks. The first reading of the Regulation was completed in January – all its 91 articles. Solution-orientated discussions have begun on key elements of the Regulation. This is significant and extremely encouraging.

The Presidency has also dealt with another 17 articles of the Directive. The Commission strongly supports the Presidency's decision to move forward on both instruments - the Regulation and the Directive – as a package. This approach is also supported by the European Parliament.

Discussions are also advancing at a fast pace in the Parliament. The various committees involved are sticking to all their deadlines. The Rapporteurs are preparing for a vote on the reports in the lead committee in April.

All the elements are falling into place to make decisive political progress on this critical dossier under the Irish Presidency. Political discussions such as the one we will have today are the way to keep up the momentum, guiding the work of our experts.

There are two issues to be discussed today: the risk-based approach and flexibility for the public sector. Both topics were addressed in general terms at our meeting in December. Today, we roll up our sleeves and get into the detail. Our meeting is all about making sure our rules work in practice. About designing rules that offer a high level of protection without overburdening business or constraining the public sector unnecessarily. I have always argued that these objectives are complementary. The Presidency’s paper is further evidence that this is the case.

It is in this spirit that I will answer the Presidency's questions.

The Risk Based Approach

I will begin with the risk-based approach. The Commission’s proposal already calibrated the obligations of businesses to the nature of the data and to the purposes of the processing. The Presidency proposes to go further in this direction. There are three principles that guide me on this point.

First, the purpose of the Regulation is to maintain the high level of protection of the 1995 Directive while taking into account changes in technology and business over the past 18 years.

Let me apply this principle to pseudonymous data. It’s not often that a word so difficult to pronounce is on everyone’s lips.

The current law, the 1995 Directive, includes a very broad definition of personal data. The Court of Justice has recognised this: it has made clear, for example, that IP addresses are personal data (the SABAM case).

The definition of personal data the Commission has proposed maintains this breadth. A narrow definition, which would mean that some data protected in the past would no longer be covered in the future, is out of the question. This would reduce the level of data protection in Europe. This is something that the European Commission and I will not accept.

Dear colleagues, you know what this means. It would take unanimity in the Council to change this. And I am sure that we all will want to avoid such a conflictual situation between the institutions.

Having said this, we have to take into account new technologies which allow data to be made anonymous or to be processed based on an identifier, a pseudonym, rather than the person’s name.

Anonymous data is easy to deal with. It is outside the scope of the instrument. There is no risk. The Commission’s proposal makes this clear.

Pseudonymous data is more difficult. I understand the principle. We should encourage companies to use pseudonyms rather than the actual names of persons. This makes sense. It is in the interest of citizens. For pseudonyms to be used, you need to create incentives. Lighter obligations on privacy by design or on notification of breaches are candidates.

The inclusion of a notion of pseudonymous data has also been suggested by the European Parliament's Rapporteur, Jan-Philipp Albrecht. This demonstrates that there is convergence between the Council and the Parliament on key elements of this file.

But I would sound a note of caution: Pseudonymous data is personal data. It relates to an identified or identifiable natural person and has to be protected under the Charter and EU law. Risks to privacy remain and are real. A single piece of data such as an email address can create a link between a very accurate profile and a person. It is particularly important to keep this in mind since pseudonymous data is often used in the health sector.

So I am happy to work on the notion of pseudonymous data but I will be vigilant. We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions.

The second principle is that we must design rules that are good for SMEs.

99% of EU companies are SMEs. There are 23 million in Europe. They represent two thirds of private sector employment. Protecting the interests of SMEs is a top priority for the Union. Our strategy has to be “Think Small First”. The interests of SMEs are not necessarily the same as those of multi-nationals.

That is why throughout the Regulation, the Commission has proposed exemptions for SMEs where they are justified. They were welcomed by UEAPME, the organisation which represents SMEs, in the strongest terms: they “show how seriously the European Commission is taking its intention to strengthen the economic position of SMEs, which are in fact the backbone of the European economy”. The Industry committee of the Parliament and its Rapporteur Sean Kelly have proposed to reinforce the exemptions.

This is relevant for the question of data protection officers (DPOs). DPOs are a vital tool in protecting personal data and helping modern firms comply with data protection rules. Alan asks us whether their appointment should be compulsory or optional for companies. Views will differ.

My proposal is balanced. DPOs should be mandatory except for SMEs whose core business is not data processing. In addition, the DPO can be full or part-time, employee or external advisor. There is no obligation to create a new position. The Confederation of European Data Protection Organisations has explicitly welcomed this flexibility.

I think this proposal ticks all the boxes. It takes risk into account. It is flexible. It helps SMEs.

The Presidency suggests developing specific criteria for distinguishing different levels of risk. The key word here should be simplicity. We are not here to create a toy for the lawyers of multi-nationals. We should provide legal certainty to SMEs who should know clearly what their data protection obligations are. We need standard criteria and parameters, which allow simple compliance and supervision. Complexity creates costs. If you Ministers force the butcher on the corner to prove he is not a data protection risk, you Ministers will deserve the "Nobel Prize for Red Tape". I am very sure that you are not interested in such a decoration!

The third principle is that we should not create unnecessary administrative formalities.

That’s why I have proposed to scrap meaningless notifications. It is only in cases where there is a high degree of risk that the prior consultation of the supervisory authority is necessary. For me consultation should be the exception, not the rule. I agree with the Presidency that in the special cases where prior consultation is required we should agree on rules to make sure that it does not block processing activities endlessly. Supervisory authorities should be fully informed and consulted early on. In return they should be obliged to react quickly.

Approved codes of conduct and approved certification mechanisms can play an important role in shaping best practices and in reducing risks for individuals. They can reduce administrative formalities. There are two conditions however: first, codes of conduct and certifications have to be in line with the standards of the Regulation. Second, supervisory authorities should remain competent for monitoring their application.

Flexibility for the public sector

The second theme of today's discussion is flexibility for the public sector. The Presidency paper confirms the key point I made to you all in December: there is already considerable flexibility with the Regulation. At that meeting, I asked you to tell me which specific provisions are a problem. I committed to finding solutions within the Regulation point by point. I stand by this commitment.

Since December, I have had extremely constructive discussions with colleagues.

Our German colleague Hans-Peter Friedrich and I have made significant progress in finding appropriate text that should be added in relation to Article 6(3). The purpose is to clarify the scope of the rules that can be adopted at national level.

I have also worked with our Swedish colleague Beatrice Ask on public access to documents. I understand that this is an issue of constitutional and cultural importance. I am prepared to work on a tailor-made provision to deal with this.

On both these points we have made considerable progress. I am grateful for this. I am confident that we will find good solutions within the Regulation for the public sector.

Conclusion

Dear colleagues,

To conclude I wish to reiterate that I will provide my full support to the Irish Presidency with a view to making decisive progress on this file.

It is an extremely important topic, one that deserves to be debated across Europe. We should work together with Rapporteur Albrecht to make sure that the value of our reform is properly understood. The Polish Government has launched such a discussion and I welcome its initiative.

There are difficult discussions ahead of us. I know of the concerns of some colleagues on the one stop shop, of others on the consistency mechanism. I will continue to work with you to find good solutions on each of these points.

I want a deal that is good for citizens and that is good for business. We need to maintain the high level of data protection in Europe created by the 1995 Directive. At the same time, we need to find solutions that are workable for business and for public administrations. That is what today's discussion is about. I look forward to hearing your views.

