The right to be forgotten and the EU data protection reform: Why we must see through a distorted debate and adopt strong new rules soon

European Commission - SPEECH/14/568   18/08/2014

European Commission

[Check Against Delivery]

Martine Reicherts

EU Justice Commissioner

IFLA World Library and Information Congress

Lyon, France 18 August 2014

Main messages

Just as work on the data protection reform has picked up speed and urgency, detractors are attempting to throw a new spanner in the works. They are trying to use the recent ruling by the European Court of Justice on the right to be forgotten to undermine our reform. They have got it wrong. And I will not let them abuse this crucial ruling to stop us from opening the digital single market for our companies and putting in place stronger protection for our citizens.

This ruling does not give the all-clear for people or organisations to have content removed from the web simply because they find it inconvenient. Far from it. It calls for a balance between the legitimate interests of internet users and citizens' fundamental rights. A balance that will have to be found in each case.

Search engines such as Google and other affected companies complain loudly. But they should remember this: handling citizens' personal data brings huge economic benefits to them. It also brings responsibility. These are two sides of the same coin, you cannot have one without the other.

Like the Court's ruling, the reform seeks a fair balance of rights: it empowers citizens to manage their personal data while explicitly protecting the freedom of expression and of the media. Those who try to use distorted notions of the right to be forgotten to discredit the reform proposals are playing false. We must not fall for this. Indeed, we must keep working hard to ensure the new rules are adopted as soon as possible. Europe needs them urgently to revive economic growth and job creation. And it needs them to make sure that the rights of its citizens are upheld and protected.

Negotiations on the data protection reform have been ongoing for more than two and a half years. They have made good progress. But there is more work to be done. Heads of State and Government have committed themselves to a swift conclusion of negotiations several times. At the European Council at the end of June, they affirmed the importance of adopting "a strong EU General Data Protection framework by 2015".

I urge Member States: stick to this goal. Be ambitious and help to give Europe the data protection rules it needs. The world will not wait for us.

Speech

Dear Ladies and Gentlemen,

I am very pleased to be here with you. At the time you invited me to this conference, you most definitely did not imagine that I would address you as Commissioner for Justice, Fundamental Rights and Citizenship. Neither did I!

How handy that this new role has given me responsibility for a big European project that is of great importance to you. I can therefore today give you some insights on how far we have come – and what we still have ahead of us. I am of course talking about the reform of the EU rules on the protection of personal data.

The European Commission has been working for a strong, modern framework for a while now – it started long before Edward Snowden and a flood of spying revelations made data protection fashionable. My predecessor Viviane Reding fought hard to advance this reform, and I am determined to continue this effort.

Thankfully, the European Parliament recognised the significance of this reform very early. It found a broad compromise, backing the Commission's proposals. Member States have been slower. But they have – belatedly – started to move forward, agreeing on a number of important principles.

But just as work on this reform has picked up speed and urgency, detractors are attempting to throw a new spanner in the works. They are trying to use the recent ruling by the European Court of Justice on the right to be forgotten to undermine our reform. They have got it wrong. And I will not let them abuse this crucial ruling to stop us from opening the digital single market for our companies and putting in place stronger protection for our citizens.

That is what I want to talk to you about today: the ruling and its implications (1), the opportunities our data protection reform will create for business (2) and the benefits we will all reap from safeguarding the fundamental right of European citizens to protection of their personal data and rebuilding their trust (3).

Google and the right to be forgotten: separating facts from fiction

First, the ruling. This has been causing a big stir, with many critics raising the prospect of censorship on the internet. Claims that the ruling and its implications are leading to – even encouraging – violations of the freedom of expression and the freedom of the media are worrying many of you. As someone who has been involved in publishing for so long, I understand that very well.

But we must not get confused by all the noise. A sober analysis of the ruling shows that it does in fact not elevate the right to be forgotten to a "super right" trumping other fundamental rights, such as the freedom of expression.

What did the Court actually say on the right to be forgotten? It said that individuals have the right to ask companies operating search engines to remove links with personal information about them – under certain conditions. This applies when information is inaccurate, for example, or inadequate, irrelevant, outdated or excessive for the purposes of data processing. The Court explicitly ruled that the right to be forgotten is not absolute, but that it will always need to be balanced against other fundamental rights, such as the freedom of expression and the freedom of the media – which, by the way, are not absolute rights either.

This means that each case will have to be assessed on its own merits. Factors to be taken into account include the type of information in question, its sensitivity for the individual's private life and the interest of the public in having access to that information. The role which the person requesting the deletion plays in public life might also be relevant. And after all, this is about requests to remove irrelevant or outdated links, rather than the content they lead to.

In a nutshell: This ruling does not give the all-clear for people or organisations to have content removed from the web simply because they find it inconvenient. Far from it. It calls for a balance between the legitimate interests of internet users and citizens' fundamental rights. A balance that will have to be found in each case. This may not always be straightforward. Sometimes it may indeed be difficult. But not more or less difficult than tracking the owner of copyright protected content.

Search engines such as Google and other affected companies complain loudly. But they should remember this: handling citizens' personal data brings huge economic benefits to them. It also brings responsibility. These are two sides of the same coin, you cannot have one without the other.

It is also useful in this context to remember that neither the Commission nor the Court have just invented the right to be forgotten. It already exists, it is enshrined in the EU Data Protection Directive from 1995. The aim of the reform proposed by the Commission is to update this principle and clarify it for the digital age - for example by making it clear that EU rules have to be applied by all companies offering products and services to European consumers, whether they are located in the EU or outside of it.

Like the Court's ruling, the reform seeks a fair balance of rights: it empowers citizens to manage their personal data while explicitly protecting the freedom of expression and of the media. No one could have a newspaper article removed from an online archive because they do not like its content.

Those who try to use distorted notions of the right to be forgotten to discredit the reform proposals are playing false. We must not fall for this. Indeed, we must keep working hard to ensure the new rules are adopted as soon as possible. Europe needs them urgently to revive economic growth and job creation. And it needs them to make sure that the rights of its citizens are upheld and protected. Let me tell you why.

Modern data protection rules: giving a boost to businesses

You all know the enormous economic value of data. In 2011, the data of EU citizens was worth EUR 315 billion. This has the potential to grow to nearly EUR 1 trillion by 2020. Yet to fully unlock the value of data, we will have to ensure we have a true digital single market. Our reform does just that. It is a market opener.

Why? Because it replaces a fragmented and complicated regulatory framework with one clear set of rules. Today businesses are faced with 28 different, often conflicting national laws. Our regulation will establish a single, pan-European law for data protection. One law, not 28.

What is more, with our reform, companies will in the future only have to deal with one single supervisory authority, not 28. This will make it simpler and cheaper for companies to do business in the EU – especially for smaller companies and start-ups, who will find it easier to break into new markets. And, as I have already indicated, the reform will create a level playing field for Europe's digital industry: companies located in third countries such as the US, when offering services to Europeans, will have to play by our rules and adhere to the same levels of protection of personal data as their European competitors.

Within a single market for data, identical rules on paper will not be enough. We have to ensure that the rules are interpreted and applied in the same way everywhere. That is why our reform introduces a consistency mechanism. Individual decisions will still be taken by national data protection authorities. But we need to streamline cooperation on issues with implications for the entire EU. Internet services or smartphone apps do not stop at national borders. It is therefore often frustrating for citizens and businesses when they are faced with different regulatory decisions and different levels of protection concerning the very same service or application. The consistency mechanism is one of the solutions we have put in place to address this problem.

The new framework will also benefit citizens, who will always be able to take their complaint to their local authority. That will make it easier for consumers to stand up to big internet firms. Just think of the Austrian student Max Schrems who has just launched a class-action lawsuit with 25,000 participants against Facebook over the way it handles users' data. He has been locked in a fight with Facebook for years – and he has been forced to keep travelling to Ireland as that is where the company's European headquarters is located. In the future, people like him will be able to turn to their local authority.

Our data protection reform is a major building block of the digital single market. A single set of rules in a crucial sector, consistently applied.

The importance of safeguarding fundamental rights: rebuilding citizens' trust

Yet opening the market and creating opportunities for business is not enough. Internet users will have to regain their confidence. Only if people are willing to give out their personal data will companies reap the full rewards of our digital single market.

And here is the problem: at the moment, people's trust in the way private companies handle their data is low. 92% of Europeans are concerned about mobile apps collecting their data without their consent. And 89% of people say they want to know when the data on their smartphone is being shared with a third party.

Spying revelations, as well as high-profile security and data breaches are important reasons for this lack of trust. Our data protection reform has a part to play in rebuilding confidence. The new rules will put citizens back in control of their data, in a number of ways. Apart from the right to be forgotten, there will be a right to data portability which will make it easier for consumers to transfer their data between service providers. And when citizens' consent is required to process their data, they must be asked to give it explicitly.

Moreover, ‘privacy by design’ and ‘privacy by default’ will become essential principles in EU data protection rules. This means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy friendly default settings should be the norm, for example on social networks.

Another significant aspect of the reform is the new approach to sanctions. People need to see that their rights are enforced in a meaningful way. If a company has broken the rules, this should have serious consequences. Yet so far, the fines European data protection authorities can impose are very low. For giants like Google, they are just pocket money.

We need to get serious. And that is why our reform introduces stiff sanctions that can reach as much as 2% of the global annual turnover of a company. Showing citizens that a strong EU data protection framework effectively protects and upholds their rights will help to build trust.

And finally, we are putting in place safeguards against the unfettered international transfer of data. The rules must ensure that the data of EU citizens are transferred to non-European law enforcement authorities only on the basis of a clear legal framework subject to judicial review.

Our reform will thus not only open the market to businesses, it will also help them to conquer this market by helping to rebuild citizens' confidence. And more and more, companies are beginning to understand that trust is key – for instance, an increasing number of companies are providing services which allow users the option of storing their data in Europe. Data protection is the new business model. It is a selling point where Europe can make the difference.

Concluding remarks

Once again, business is thus moving faster than the political machine. It is high time for Member States to catch up. Negotiations on the data protection reform have been ongoing for more than two and a half years. They have made good progress. But there is more work to be done. Heads of State and Government have committed themselves to a swift conclusion of negotiations several times. At the European Council at the end of June, they affirmed the importance of adopting "a strong EU General Data Protection framework by 2015".

I urge Member States: stick to this goal. Be ambitious and help to give Europe the data protection rules it needs. The world will not wait for us. We cannot afford to delay such significant opportunities for growth and run the risk of having others' – weaker – standards imposed on us by others. We need a strong, modern data protection framework, and we need it soon. Our businesses and citizens deserve it.

