Navigation path

Left navigation

Additional tools

Other available languages: none

European Commission

Viviane Reding

Vice-President of the European Commission

EU Data Protection rules: Better for business, better for citizens

European Voice event/Brussels

26 March 2013

Main Messages of the Speech

1/ On timing:

We are moving forward at full speed. It is in the coming months that policy-makers will make a decision on the data protection law that will apply in the future for our European continent with its 500 million citizens.

The Irish Presidency is pushing the file forward. Under the leadership of Jan-Philipp Albrecht and Dimitrios Droutsas, the European Parliament is working at full speed. Arguments are flying back and forth.

2/ Three reasons why the data protection reform is so important:

First, data protection is a fundamental right in the EU. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe's fundamental values or our common understanding of a free society.

Second, the data protection proposal will open up the EU’s digital market. It meets the expectations of business to have a true digital single market with one single law for data protection. The implementation of the current Data protection Directive is fragmented and complicated. The 1995 Directive has 34 Articles, but it is implemented in 27 countries. In Germany, for example, the current Federal data protection act has 63 sections. Take those 63 sections from the Federal level only and multiply by 27 Member States, and you'll get an idea of what the term "regulatory complexity" means in practice. We will replace this mountain of paper rules with one law that is 91 articles long and valid in all of Europe.

One continent, one law. That’s what I call simplicity. That’s what I call opening a market.

Third, we need to ensure that the same rules apply to all businesses providing services to EU residents. Non-European companies, when offering services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data.

3/ About the current state of negotiations and the notion of "explicit consent"

Data protection law has not fallen from the sky. The Commission has proposed an evolution not a revolution of the current rules. Let me give you an example of this – the overblown discussion on consent.

The current Directive states since 1995 that consent has to be ‘unambiguous’. The Commission thinks it should be ‘explicit’. 27 national Data Protection Authorities agree. Because staying silent is not the same as saying yes.

What will this mean in practice? That explicit consent will be needed in all circumstances? Computers overheating because of hundreds of pop-ups on the screen? Smartphones thrown on the floor in frustration? It means none of these things. This is only the scaremongering of certain lobbyists.

At the moment, consent is one of several bases which make the processing of personal data lawful. For example, the 'legitimate interest' of the data controller is the ground that is currently used by the direct marketing industry. It will continue to be used by the same industry. From the perspective of the current rules, consent is not necessary in such cases. And it won't be necessary in the future.

My message is clear: If your business model is in line with the current rules, you have nothing to fear.

4/ On the challenges ahead and the use of "pseudonymous data":

The current Directive has served Europe well. The [first] challenge is to maintain the high level of protection of the 1995 Directive while taking into account changes in technology and business over the past 18 years.

Take the example of new technologies which allow data to be made anonymous or to be processed based on an identifier, a pseudonym, rather than the person’s name.

The inclusion of a notion of pseudonymous data has been suggested by the European Parliament's Rapporteur and is being worked on in the Council. This demonstrates that there is convergence between the Council and the Parliament on key elements of this file.

We should encourage companies to use pseudonyms rather than the actual names of persons. This makes sense. It is in the interest of citizens. For pseudonyms to be used, you need to create incentives. But I would sound a note of caution: Pseudonymous data is personal data. It relates to an identified or identifiable natural person and has to be protected under the Charter and EU law.

I am happy to work on the notion of pseudonymous data but I will be vigilant. We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions.

The second challenge relates to the speed with which we will reach a deal. The answer is simple. It is for this Parliament and for the current Members to deliver the reform.

Those who want to maintain a high level of protection in Europe have recognised the need to move fast. Those who want to lower the level of protection in Europe have tried to slow the file down. The first category is in the lead.

Honourable Member of the European Parliament Mr Kelly, dear Mr Dunne, dear Joe,

Ladies and gentlemen,

I am happy to be here today at this data protection event organised by the European Voice. It is exactly one year ago – on the 26 March 2012 – when the European Voice hosted a first event to discuss the European data protection reform that the Commission proposed in January 2012. Since then a great deal has happened. We are moving forward at full speed. It is in the coming months that policy-makers will make a decision on the data protection law that will apply in the future for our European continent with its 500 million citizens.

We are moving on with the data protection reform to respond to an environment that is also moving on, that is evolving rapidly. Today, we live in a world of total connectivity. A world where people exchange their personal data for digital services. A world where data flows across borders as easily as the air we breathe. A world where we have access to an infinite pool of knowledge at the tap of a screen.

This has enormous implications for our economies. In 2011, McKinsey predicted a potential economic surplus of 120 billion euro in Europe by 2020. Last year, the Boston Consulting Group saw a potential 1 trillion euro of added GDP by 2020. We need a fully functioning digital single market to make this work, to unlock that growth potential.

This raises fundamental questions. How we can reconcile data protection and digital growth, the fundamental rights of individuals and the needs of business? How can we nurture people's confidence in a world where data volumes are exploding just as data breaches are multiplying?

The European Union will answer these questions. We are at the heart of the negotiations on the legislative proposals on data protection. The Irish Presidency is pushing the file forward. Under the leadership of Jan-Philipp Albrecht and Dimitrios Droutsas, the European Parliament is working at full speed.

Arguments are flying back and forth. The reform is debated from Japan to Uruguay and everywhere in between. In the midst of such a debate – a lively debate to say the least – it is important not to lose track of the fundamentals.

That is my purpose today – just one year after the first European Voice data protection debate. I will refresh the fundamentals.

  • First, looking back at why the Commission tabled the data protection reform proposal just over a year ago;

  • Second, looking at the current negotiations and remind you that the rules the Commission has proposed have not fallen from the sky; and

  • Third, looking ahead to the challenge of completing the negotiations within the current mandate of the European Parliament.

Three reasons why the data protection reform is so important

Let me give you three reasons why the data protection reform is so important.

First, data protection is a fundamental right in the EU. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or, every mouse click is not compatible with Europe's fundamental values or our common understanding of a free society.

This is why the Union's Charter of fundamental rights recognises both the right to private life in Article 7 and the right to the protection of personal data in Article 8. But this is not all.

Article 16 of the Treaty on the Functioning of the European Union also gives the European Union the legislative competence to establish harmonised EU data protection laws that apply to the whole continent and that make the right to data protection a reality.

Data protection is thus one of the rare fields where we have full coherence between the fundamental right and the EU’s legislative competences. A broad competence entails a great responsibility. It was the Commission's responsibility to make a proposal designed to put this right into practice everywhere in our internal market. It is the Union's responsibility to make sure it is adopted.

Second, the data protection proposal will open up the EU’s digital market. It is good for business. It meets the expectations of business to have a true digital single market with one single law for data protection. The implementation of the current Data protection Directive is complicated.

Let's try to visualise this. The 1995 Directive has 34 Articles, but it is implemented in 27 countries. In Germany, for example, the current Federal data protection act has 63 sections. Take those 63 sections from the Federal level only and multiply by 27 Member States, and you'll get an idea of what the term "regulatory complexity" means in practice. We will replace this mountain of rules with one law that is 91 articles long and valid in all of Europe.

One continent, one law. That’s what I call simplicity. That’s what I call opening a market.

Third, we need to ensure that the same rules apply to all businesses providing services to EU residents. Non-European companies, when offering goods and services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data.

The reasoning is simple: if companies outside Europe want to take advantage of the European market with its potential 500 million customers then they have to play by the European rules. This is about fair competition. A principle that is cherished far and wide.

The data protection reform: evolution not revolution

As soon as a new piece of legislation is on the table, and often well before that, managers get their calculators out. "Internet services will become much more expensive!", they say. "The days of free social networks are numbered", say others. I’ve heard it all before.

These predictions of doom are not justified. They give the impression that data protection law has fallen from the sky. The opposite is the case. The Commission has proposed an evolution not a revolution of the current rules.

Let me give you an example of this – the overblown discussion on consent.

The current Directive states since 1995 that consent has to be ‘unambiguous’. The Commission thinks it should be ‘explicit’. 27 national Data Protection Authorities agree.

What will this mean in practice? That explicit consent will be needed in all circumstances? Computers overheating because of hundreds of pop-ups on the screen? Smartphones thrown on the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists.

At the moment, consent is one of several bases which make the processing of personal data lawful. For example, the 'legitimate interest' of the data controller is the ground that is currently used by the direct marketing industry. It will continue to be used by the same industry. From the perspective of the current rules, consent is not necessary in such cases. And it won't be necessary in the future.

But what happens when the processing becomes more intrusive? What happens when a Data Protection Authority says that legitimate interests can no longer apply?

Then you need to obtain the consent of the person and it should be explicit. Citizens don’t understand the notion of implicit consent. Staying silent is not the same as saying yes.

This is not a transformation. This is a re-affirmation of the principles of the 1995 Directive. It is in the same spirit that the Commission has introduced new concepts such as data protection by design and data protection impact assessments. It is about making sure that the principles of the 1995 Directive are taken into account by businesses from the start.

So my message is clear: If your business model is in line with the current rules, you have nothing to fear. Things are fine if you comply.

The challenge ahead: maintaining the level of protection of the 1995 Directive

The current Directive has served Europe well. The challenge is to maintain the high level of protection of the 1995 Directive while taking into account changes in technology and business over the past 18 years.

Take the example of new technologies which allow data to be made anonymous or to be processed based on an identifier, a pseudonym, rather than the person’s name.

Anonymous data is easy to deal with. It is outside the scope of the instrument. There is no risk. The Commission’s proposal makes this clear.

Pseudonymous data is more difficult. I understand the principle. We should encourage companies to use pseudonyms rather than the actual names of persons. This makes sense. It is in the interest of citizens. For pseudonyms to be used, you need to create incentives.

The inclusion of a notion of pseudonymous data has been suggested by the European Parliament's Rapporteur and is being worked on in the Council. This demonstrates that there is convergence between the Council and the Parliament on key elements of this file.

But I would sound a note of caution: Pseudonymous data is personal data. It relates to an identified or identifiable natural person and has to be protected under the Charter and EU law. Risks to privacy remain and are real. A single piece of data such as an email address can create a link between a very accurate profile and a person. It is particularly important to keep this in mind since pseudonymous data is often used in the health sector.

So I am happy to work on the notion of pseudonymous data but I will be vigilant. We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions.

The second challenge relates to the speed with which we will reach a deal. The answer is simple. It is for this Parliament and for the current Members to deliver the reform. They have accompanied the file from the start. It will take the full span of the mandate. But I am confident: they will finish the job.

Some will say this is all going too fast. This is too complex. The ramifications are huge.

Yes, the file is important. And that is exactly why we need to drive these negotiations to a conclusion.

Those who want to maintain a high level of protection in Europe have recognised the need to move fast. Those who want to lower the level of protection in Europe have tried to slow the file down. The first category is in the lead.

The questions on the table are well known to all involved. This is the fourth year of the reform. It all began with a conference in May 2009. We went through a public consultation, a Communication. The European Parliament, under the guidance of Axel Voss, responded with a Resolution in July 2011. The proposals have been on the table for over a year. By 2014, the reform will be in its fifth year. We know what the issues are. There have been no surprises. The file is ripe and the time is now.

Ladies and gentlemen,

I want a deal that is good for citizens and that is good for business. We need to maintain the high level of data protection in Europe created by the 1995 Directive. At the same time, we need to find solutions that are workable for business. That is what the discussion is about. And I'm sure you will have a fascinating debate tonight!


Side Bar

My account

Manage your searches and email notifications


Help us improve our website