Dear Fellow Speakers,
Ladies and Gentlemen,
I am delighted to attend the International Privacy Conference for the first time and I would like to thank Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, for inviting me and hosting this year's event.
The focus of your event on "Privacy Bridges" between Europe and the United States is especially timely after the European Court of Justice ruling in the Schrems case.
This important ruling reaffirms once more that personal data protection is a fundamental right and that it applies also when personal data is transferred to third countries.
The Commission respects the Court's ruling and will abide by it. And so must all stakeholders!
Before turning to the transatlantic discussion, let me say a few words about what we our doing on "our side of the bridge", here in Europe, to address citizen's concerns about data protection in the digital era.
Too many Internet users today do not trust the Internet.
Two thirds of them in the EU do not feel in complete control of their personal data.
Another 42% worry that their online payments are not safe.
We must always bear in mind that a strong economy and a thriving society rest primarily on one powerful human feeling: TRUST.
This is why we launched in 2012 the data protection reform.
The negotiations are now in the final stages, and I confident that a final result will be reached by the end of this year.
So what will these new rules change for European citizens and companies?
First of all, they will strengthen and better protect people's fundamental rights and freedoms.
They will also restore trust in the internet and the Digital Single Market.
Second, the new rules will simplify companies' legal environment.
They will create a level playing field for all companies offering goods or services online and by doing so, will boost the European digital economy.
Finally, in line with the Court ruling in the Schrems case, European data protection authorities will have more power to uphold the fundamental right to data protection.
They will also play a central role in bringing the reform forward.
For example, they will help implement the one-stop shop to solve cross-border data protection cases, and turn it into a model of governance for other areas of EU law.
The Commission will work closely with data protection authorities in the two-year transition period after its adoption, to ensure a harmonised interpretation and application of the new rules.
And once the rules are applicable, I also rely on civil society to uphold and help enforce the right to data protection.
When the new laws are in place, any organisation involved in personal data protection will be entitled to take legal action on behalf of people.
[International aspects of data protection]
The famous English poet John Dunne once said: "No man is an island".
And let me be clear, Europe is not – and never will be – a "digital island".
Personal data has grown to become a currency, fuelling our modern market economies.
This raises questions about the protection of consumers' personal data inside and outside of the EU.
The Commission is committed to ensuring that EU’s fundamental rights to privacy and the protection of personal data are fully guaranteed by a robust legal framework for data protection, including for international transfers of personal data.
Over the past decade, we have seen a growing interest in Privacy and Data protection in many countries outside the European Union.
Many countries decided to establish or modernise their legal frameworks for the protection of personal data and often turned to Europe for inspiration.
They either used the 1995 Data protection directive or the Council of Europe Convention 108 as a major reference and a blue print for their own national legislation.
The Commission will continue to engage at international level to promote and develop international privacy and personal data protection standards.
I am convinced that our new data protection rules will grow into a strong point of reference and brand. I am also convinced that modern and robust and uniform data protection rules in the EU will be a competitive advantage for our businesses in the digital age.
We will also continue to encourage our international partners to sign the Council of Europe’s Convention for the Protection of Individuals, with regard to Automatic Processing of Personal Data.
But beyond the legal framework, it is important to have strong and independent enforcement authorities applying these new laws.
This is why I call on data protection supervisory authorities across the globe to step up their cooperation for effective protection of all citizens' rights.
Let me now turn to Safe Harbour.
Safe Harbour was one of the central avenues for data transfers from Europe to the U.S. Why did we create it in the first place? It was created to protect European citizens in the context of the important volumes of commercial data transferred across the Atlantic reflecting our intense economic interdependence. This has not changed. On the contrary. Against the background of the digital revolution we are experiencing even more intensive data flows and therefore an even stronger need today to protect consumers and citizens when their data is transferred across the Atlantic on a daily basis.
The European Court of Justice has now declared invalid the old arrangement. This leaves in the short term no choice but to recur to the other means of data transfers foreseen under the 1995 Directive, and the Commission will refer to this in an Communication explaining the judgment.
However, it is clear to me that we need a new general framework with the US – whatever we will call it.
A new general arrangement is the best way to protect our consumers in an age of ever increasing commercial data transfers across the Atlantic. It is important not only for transatlantic commercial relations but first and foremost for our own citizens and their data protection rights. Only a comprehensive framework with commitments and enforcement by the US authorities can ensure in practice the level of data protection Europeans deserve and are entitled to under EU data protection law.
And the Court has not ruled it out either. The judgment allows for such an arrangement but set criteria for it. This is why we have immediately resumed discussions with our American counterparts both at political and technical level. For the coming weeks, we have an intensive schedule and I will go to Washington in mid-November to take stock. These discussions are not easy, but I am confident that with political willingness on both sides we should soon see progress.
In particular since we do not start from scratch. Already prior to the judgment, the Commission identified a number of issues that needed to be addressed in a revised Safe Harbour, in its 13 Recommendations of 2013 and started discussions with the US that we can build on.
But since any new arrangement has to live up to the standard of the Schrems ruling we need more clarifications from our U.S. counterparts on a number of points, in particular to show that there is a substantially equivalent level of protection. I was pleased to see that the Judicial Redress Bill passed the House, and we hope to see progress soon in Senate too. This redress in cases of data exchanges for law enforcement purposes is a good signal. But we will also need more clarity regarding the limitations and safeguards when it comes to access of data for law enforcement and national security purposes. So, lots of intense work ahead!
Let me however insist that beyond inter-governmental exchanges and legal frameworks, it is crucial that the EU and the US also develop a mutual understanding of their respective privacy cultures and that they work together on practical and technological solutions, for instance in the area of "privacy by design".
[Privacy Bridges Project]
This is why I welcome many of the the ideas in the "Privacy Bridges Project" that seeks to look in a very practical way at bringing the best aspects of European and American privacy protection systems closer and making experts work together on concrete solutions and tools.
While data protection is a fundamental right in the EU, and only our democratic legislative bodies can define rules in this area, I intend to use the ideas of the Privacy Bridges Project and its 10 bridges as inspiration when looking for practical ways of supporting the implementation of our own data protection rules.
Ladies and Gentlemen,
Let me conclude with this:
The protection of personal data is more than a “European” fundamental right it is a right for “everyone” around the globe.
Together, let us fight to make data protection a reality for everyone both in law and in practice.