Ladies and gentlemen,
Today's conference marks the entry into application of the new regulation on personal data protection – the General Data Protection Regulation (GDPR). This is of course not the end of the road, but a beginning of a new chapter.
Data protection is of vital importance and I think it is safe to say that the conversation about privacy has moved beyond the conference rooms of lawyers and other data experts. It's often a subject of a coffee table conversation, and not only in Europe.
I think our event today is a testimony to that as we gather representatives of civil societies, companies big and small, academics and regulators.
I think there is no doubt that data protection is crucial for our citizens as personal data protection is a fundamental right in the EU. But it is also crucial for our business as data protection is a gateway issue for trust in the digital economy.
The recent Facebook/Cambridge Analytica is a reminder that privacy is much more than just a luxury. It is a necessity.
These revelations focus the attention on some core challenges that we face today when we think about the protection of personal data: how do we ensure that individuals are informed about what happens to their data? What are business operators allowed to do with data that was handed to them for a specific purpose? How can we ensure that individuals remain in control of their data and what are their rights in this respect? What mechanisms guarantee effective oversight and enforcement?
And if things go wrong, as they clearly did in this case, what sanctions and redress possibilities exist, both to address past non-compliance and to deter further violations in the future?
The GDPR modifies and updates data protection rules at EU level to make Europe fit for the digital age. Today individuals leave digital traces in everything they do.
And they risk to lose control over their self-image, over their freedom to choose as consumers and, as a society, over their democratic process.
Data protection is directly linked to trust. When individuals are afraid that others will not respect their privacy or fail to guarantee the security of their data, they lose confidence and become reluctant to share those data. Trust is thus a key resource of the digital economy.
The new rules aim to offer benefits both for citizens and for business. More than 9 in 10 Europeans told us they want the same data protection rights across the EU – and as of today this will be the reality.
Citizens will have easier access to their own data; a right to transfer it from one service provider to another – for example a bank or mobile provider; a clarified right to be forgotten online; and the right to know quickly should their data be hacked.
For companies and authorities, one single set of rules will make it simpler and cheaper to do business across the EU; a one-stop shop will allow them to deal with only one supervisory authority; there will be a level-playing field for EU and non-EU companies in Europe; and rules will be fit for innovation.
We now need to ensure that those rules are properly applied on the ground from today onwards. We all have our roles to play: the Commission, the Member States, the Data Protection Authorities (DPAs) individually and in the form of the European Data Protection Board (EDPB), the companies and the civil society.
The DPAs are entrusted with the monitoring and enforcement of the application of the GDPR – both for the private and the public sector. They have a key role to play to make the GDPR effective. The Regulation gives them better means of cooperation. It clearly divides the competences between the DPAs in cross-border cases, and it harmonises the enforcement powers, in particular the power to impose fines.
I am delighted to welcome Ms Jelinek at our event. This morning, she was elected as Chair of the European Data Protection Board (EDPB). I warmly congratulate her for her appointment. She will head the work of the newly constituted EDPB and will have a major role in leading the DPAs through the changes and adjustments necessary for them to embrace the new work culture and functioning.
As guardian of the treaties, the Commission will monitor the proper application of the GDPR. We have a battery of actions to carry out from now on,we will continue our work with the Member States and closely monitor the application of the Regulation in Member States.
We will take appropriate actions as necessary, including the recourse to infringement actions. I have sent a letter this morning to the ministers, so there is a full clarity about this.
- We have allocated grants to support DPAs by co-financing their awareness-raising activities. These activities will start in the second half of this year and will continue in 2019.
- We will continue our work with stakeholders to explain the GDPR.
- In one year's time from now, in May 2019, we will take stock of the Regulation implementation. I want to talk to practitioners to understand better the real impact of the GDPR on businesses.
Even today, some people are still afraid of the GPDR.
In fact, when I was in Berlin a few weeks ago I publically gave out my email to one of the newspapers to ask for feedback. I have received almost 500 emails from SME's, Web Page Owners, Photographers, Bloggers, Online shops, schools, doctors – and many others.
All of them have questions and all of them are in the need of advice.
Of course I would like to reassure them. The GDPR is based on common sense and the DPAs are not sanction machines.
Privacy issues are becoming a part of global conversation.
Our event is actually the second of three conferences that the European Commission is having in the world today. The other EU conferences are being held in New Delhi and Santiago de Chile.
This just highlights the global dimension of the upward convergence towards higher data privacy standards taking place in the world today.
An increasing number of countries around the world are adopting new privacy laws that tend to be based on common elements, such as:
- a comprehensive legislation that applies across industries and sectors (rather than sectorial rules);
- a core set of enforceable rights;
- and the setting up of an independent supervisory authority.
While improving the level of protection of personal data transferred abroad, this developing convergence in privacy standards at international level offers new opportunities to facilitate data flows and thus trade. Companies increasingly operate across border and prefer to apply a single set of rules in all their business operations worldwide. Being part of this global trend can help the domestic economy, it can contribute to an environment conducive to direct investment, and it can improve trust between commercial partners.
The GDPR as a regulation starts applying today. But the GDPR is also a conversation that will continue for months and years to come.
I am very honoured of the presence of Luxembourg Justice Minister, Mr Braz, who played a key role in finalising the negotiations on the GDPR.
I am also very grateful to all the distinguished speakers from business, civil society, and from countries outside the EU, who have joined us to mark this memorable day.
I very much look forward to fruitful discussions.