Other available languages: none
Vice-President of the European Commission, EU Justice Commissioner
The EU Data protection reform: helping businesses thrive in the digital economy
DLD 2014/Munich, Germany
19 January 2014
Main Messages of the speech:
[T]wo years after I first set out the European Commission's [data protection] plans the new rules have still not been adopted. The political parties in the European Parliament have gone forth and found a broad compromise, backing the European Commission's proposals. Member States, however, have been stalling.
The goal is to make sure that businesses and national administrations do not collect and use more personal data than they need.
Data protection will be the selling point: a competitive advantage.
The European concerns have reached the United States. President Obama's speech concerning his "executive Presidential order" on secret services and privacy shows that the awareness in the U.S. that there is a serious problem to tackle seems to go from diplomatic acknowledgement to concrete implementation.
Data protection in Europe and the U.S. should be bolstered. Our citizens and businesses deserve nothing less.
Ladies and Gentlemen,
In the past years, you have given the Aenne Burda Award to a series of inspiring and successful women, and I am very honoured and proud to be considered among them. Aenne Burda was a true visionary, showing what is possible when armed with courage and ambition. She was an example to us all. Like her, and like many women here today, I am striving to act upon my convictions, to work hard for the causes I believe in: a strong, united Europe and effective rights for its citizens - whether it is about roaming charges, more women on company boards or the protection of personal data. This award will be an additional motivation for me to keep going, and a reminder of the power of perseverance, of the importance of fighting for your dreams and never giving up. Thank you for helping me to on striving for excellence in politics, society and in life.
One project that I will keep fighting for is the EU data protection reform. Working, as you do, in an extremely fast-moving industry, it is probably hard for you to believe that two years after I first set out the European Commission's plans to you here in Munich, the new rules have still not been adopted.
That is the problem of the two speeds: the fast lane in technology and economic decisions making, the slow lane in political implementation. Politics is complicated. Top-down decisions are rarely on the agenda. The normal path is one of shaping compromises negotiated in endless discussion rounds. The Americans among you might be astonished to hear that the European Parliament is much quicker in its capacity to move than the Council of European Ministers.
The political parties in the European Parliament have gone forth and found a broad compromise, backing the European Commission's proposals. Member States, however, have been stalling. Even after the shocking revelations of mass spying and surveillance which continue to dominate the headlines, they have so far mainly reacted with words. EU Heads of State and Government have committed to a "timely" adoption of the new framework. But in real terms there has been little action.
It is up to Member States to deliver because Europe needs this reform. A reform that will at the same time strengthen citizens' rights and help us complete our digital single market – in which businesses like the ones some of you represent can thrive.
1/Why the reform is good for business
You all know the enormous economic value of data. In 2011, the data of EU citizens was worth EUR 315 billion. This has the potential to grow to nearly EUR 1 trillion by 2020.
Yet to fully unlock the value of data, we will have to ensure we have a true digital single market. The reform we put on the table two years ago does just that. It is a market opener.
Why? Because it replaces a fragmented and complicated regulatory framework with one clear set of rules. Today businesses are faced with 28 different national laws. Our regulation will establish a single, pan-European law for data protection. One law, not 28.
That also means that companies will in the future only have to deal with one single supervisory authority, not 28. This will make it simpler and cheaper for companies to do business in the whole of the EU – this will be especially important for smaller companies and start-ups, who will find it easier to break into new markets. The system will also benefit citizens, who, unlike today, will always be able to take their complaint to their local authority.
Within a single market for data, identical rules on paper will not be enough. We have to ensure that the rules are interpreted and applied in the same way everywhere. That is why our reform introduces a consistency mechanism to streamline cooperation between the data protection authorities on issues with implications for all of Europe. Internet services or smartphone apps do not stop at national borders. It is therefore often frustrating for citizens and businesses when they are faced with different regulatory decisions and different levels of protection concerning the very same service or application.
The consistency mechanism is one of the solutions we have put in place to address this problem. Another is that, in future, the powers of data protection authorities will be the same across Europe. With our reform, standards will be equally high everywhere and companies will have legal certainty about what to expect.
Our data protection reform is a building block of the digital single market. A single set of rules in a crucial sector, consistently applied.
2/The need to rebuild citizens' trust
Yet opening the market and creating opportunities for business is only one side of the coin. The other is citizens' trust. Only if people are willing to give out their personal data will companies reap the full rewards of our digital single market.
And here is the problem: at the moment, people's trust in the way private companies handle their data is low. 92% of Europeans are concerned about mobile apps collecting their data without their consent. And 89% of people say they want to know when the data on their smartphone is being shared with a third party.
Why are the figures so poor? In part because the number of high-profile security and data breaches is on the rise.
Data protection has an important part to play in addressing this lack of trust. Let me illustrate this with two important aspects of our reform: data minimisation and strict sanctions.
First, by minimising the data you store, you minimise the damage that can be caused by a successful attack. Just ask Sony. Experts believe that a hacker attack on PlayStation accounts in 2011, in which the data of 77 million people was compromised, cost the firm between USD 1 and 2 billion. That is the cost of non-compliance. And this cost is both high and avoidable.
With problems such as these in mind, we have introduced new concepts in our reform proposals such as data protection by design and data protection impact assessments. Modern principles that address today's problems. The goal is to make sure that businesses and national administrations do not collect and use more personal data than they need. This will help to restore trust.
Second, people need to see that their rights are enforced in a meaningful way. If a company has broken the rules and failed to mend its ways, this should have serious consequences.
Europeans need to get serious. And that is why our reform introduces stiff sanctions that can reach as much as 2% of the global annual turnover of a company. In the Google case, that would have meant a fine of EUR 731 million (USD 1 billion). A sum much harder to brush off.
Our reform will thus not only open the market to companies, it will also help them to conquer this market by helping to build citizens' confidence. And what is more, strong data protection rules will also give companies with serious privacy policies a competitive edge. Trust is bankable. A survey carried out by the Cloud Security Alliance after the recent surveillance revelations found that 56% of respondents were hesitant to work with any U.S.-based cloud service providers. And the Information Technology and Innovation Foundation estimates that the surveillance revelations will cost the U.S. cloud computing industry USD 22 to 35 billion in lost revenues over the next three years. This should be a wake-up call and an opportunity for cloud providers who are able to deliver a higher standard of safety and security for data. Data protection will be the selling point: a competitive advantage.
Ladies and Gentlemen,
The European concerns have reached the United States. In autumn last year I and delegations from the European Parliament met with the U.S. Congress, with both Members of the House and of the Senators in Washington to make them aware of the problems with privacy. The reception was positive. The understanding, also in the constituencies of the Members of Congress, was evident. And President Obama's speech last Friday concerning his "Executive Presidential Order" on secret services and privacy shows that the awareness in the U.S. that there is a serious problem to tackle seems to go from diplomatic acknowledgement to concrete implementation. We will now analyse carefully – in collaboration with the Secretary of State of Commerce and with the Attorney General – the steps that need to follow. Data protection in Europe and the U.S. should be bolstered. Our citizens and businesses deserve nothing less.