Viviane Reding: The EU’s Data Protection reform: Decision-Time is Now


2nd Annual Cloud Computing Conference/Brussels

7 March 2013

Main Messages of the Speech

1/ On timing:

We are at the heart of the negotiations on the legislative proposals [on data protection]. The Irish Presidency is pushing the file forwards. Under the leadership of Jan-Philipp Albrecht, the European Parliament has accelerated its work.

2/ Three reasons why the data protection reform is so important:

First, data protection is a fundamental right in the EU. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society.

Second, we have to fight for the data protection proposal because it will open up the EU’s the digital market. It is good for business. It meets the expectations of business to have a true digital single market with one single law for data protection. [T]he implementation of the current Directive is fragmented and complicated.

I say complicated: the 1995 Directive is 12 pages long, but it is implemented in 27 countries. In Germany, for example, the current data protection law is 60 pages long. Take those 60 pages and multiply by 27 Member States, and you’ll get an idea of what the term “regulatory complexity” means in practice. We will replace this mountain of paper with one law that is 91 articles long and valid in all of Europe.

One continent, one law. That’s what I call simplicity. That’s what I call opening a market.

Third, we need to ensure that the same rules apply to all businesses providing services to EU residents. Non-European companies, when offering services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data.

3/ About the current state of negotiations

Data protection law has not fallen from the sky. Let me give you an example of this – the overblown discussion on consent.

The current Directive states since 1995 that consent has to be ‘unambiguous’. The Commission thinks it should be ‘explicit’. 27 national Data Protection Authorities agree. This has become a major talking point. What will this mean in practice? That explicit consent will be needed in all circumstances? Hundreds of pop-ups on your screens? Smartphones thrown on the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists.

Citizens don’t understand the notion of implicit consent. Staying silent is not the same as saying yes.

At the moment, consent is one of several bases which make the processing of personal data lawful. For instance, a business can process personal data for commercial purposes so long as it does not have a significant effect on the rights of the person concerned. This is called the ‘legitimate interests’ ground. The Commission has not proposed to change this.

‘Legitimate interests’ is the ground that is currently used by the marketing industry for example. It will continue to be used by the marketing industry. From the perspective of this Regulation, consent is irrelevant in such cases. It will continue to be irrelevant.

4/ About data protection by design and data protection impact assessments:

Experts believe that the hacker attack on Sony, in which the data of 77 million people was compromised, cost the firm between 1 and 2 billion US dollars. That’s the cost of non-compliance. And this cost is both high and avoidable. If your business model is in line with the current rules, you have nothing to fear.

5/ On the challenges ahead:

The current Directive has served Europe well. The first challenge of the current negotiations is to make sure that the level of data protection in Europe does not fall below the level established by the Directive.

Another challenge is to make sure that the new rules are technology-proof. The data protection package means that the same rules will apply irrespective of where the data is stored. And they facilitate the flow of data within the Cloud. We are building bridges, not firewalls.

The final challenge relates to the speed with which we will reach a deal. The answer is simple. It is for this Parliament and for the current Members to deliver the reform. They have accompanied the file from the start. It will take the full span of the mandate. But they must finish the job.

Since the beginning of the negotiations, the story has remained the same. Those who want to maintain a high level of protection in Europe have recognised the need to move fast. Those who want to lower the level of protection in Europe have tried to slow the file down. I will not let this happen. Here to read more.

Share this article!

About Author

Leave A Reply