Viviane Reding: The EU’s Data Protection rules and Cyber Security Strategy: two sides of the same coin


The Internet is the infrastructure of the modern age. It accounted for more than 20% of GDP growth in the world’s major economies over the last five years. If it were a national economy, the Internet economy would already rank in the world’s top five.

The benefits of the Internet go far beyond its direct economic impact. It is one of the most powerful agents for change, growth and jobs everywhere, and its impact is particularly forceful in the developing world. It can reduce poverty by connecting local communities to existing cultural and institutional structures. It can revolutionise education through the provision of free access to courses and classroom lectures. We all have seen how the Internet has promoted social and democratic reform across the world. The Arab Spring is one of the large scale examples, but certainly not the only one.

But the Internet is not only there for those who fight for progress and freedom. It can be exploited for sectarian and extremist purposes. Hackers can use the Internet for financial gain or for political goals. And as we could see during the war in Georgia, cyber-attacks can be used as an additional tool in conventional warfare.

That’s why, as policy-makers, we should always be aware of the challenges that go along with the opportunities. These considerations are not relevant only for international politics. The need to make sure that technological progress is in line with our values applies also inside the European Union. As Europe’s first Justice Commissioner I see that the question of how our values apply to the online world is being asked with increasing regularity.

Two recent cases stand out. The reform of the EU’s data protection rules proposed by the Commission in January 2012 and the Cyber-Security Strategy it unveiled in February 2013. Some might think that they are unrelated. Some may even murmur that they serve different purposes and seek to achieve different goals. They would be mistaken. The two initiatives are mutually reinforcing. I will make my point in two steps:

  • First, I will set out the shared objectives of these two initiatives: they reflect the values on which the Union has been built and they contribute to the creation of the digital single market serving 500 million citizens in the largest economy in the world;

  • Second, I will explain how the protection of personal data complements measures to promote cyber-security and shapes the fight against cyber-crime.

1/Data Protection, Cyber-Security and the EU’s values and goals

Data protection is a fundamental right in the EU. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every mouse click is not compatible with Europe’s fundamental values or our common understanding of a free society.

This is why the Union’s Charter of fundamental rights, our “Bill of Rights”, recognises both the right to private life in Article 7 and the right to the protection of personal data in Article 8. But this is not all.

Article 16 of the Treaty on the Functioning of the European Union also gives the European Union the legislative competence to establish harmonised EU data protection laws that apply to the whole continent and that make the right to data protection a reality.

Data protection is thus one of the rare fields where we have full coherence between the fundamental right and the EU’s legislative competences. It is our responsibility as political leaders to adapt and refresh the current rules.

Recent years have demonstrated that while the digital world brings enormous benefits, it is also vulnerable. Cyberspace is the subject of incidents, malicious activities and misuse. The Cyber-Security Strategy for “An Open, Safe and Secure Cyberspace” represents the EU’s comprehensive vision on how best to prevent and respond to these disruptions and attacks. It is the Union roadmap to the safety and security of the Internet.

But the European Cyber-Security strategy is about more than security. Measures to ensure safety and security online are not a goal in themselves. The overarching aim is to make sure that the internet remains open and free. The goal is to ensure that the same norms, principles and values that the EU upholds offline, also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace. Our freedom and prosperity increasingly depend on a robust and innovative Internet. The Cyber-Security Strategy is about our fundamental values.

The data protection reform and the Cyber-Security Strategy also share a second goal. Both seek to build the EU’s digital single market.

The EU already has a data protection law: a Directive which dates back to 1995. In the intervening 18 years, the Member States have reacted to new technologies differently. The result is an inconsistent patchwork of 27 different national laws. It entails huge legal costs for firms who simply want to do business across the EU. The European Commission is eliminating those costs by replacing the current Directive by one single clear set of rules for all businesses in the Union – resulting in savings for companies of around 2.3 billion EUR per year.

Let me explain this more graphically. The 1995 Directive is 12 pages long. In Germany, it has been transposed in the shape of a data protection law that is 60 pages long. Take those 60 pages and multiply by 27 Member States, and you’ll get an idea of what the term “regulatory complexity” means in practice. We will replace this mountain of paper with one law that is valid in all of Europe.

It meets the expectations of business to have a true digital single market with one single law for data protection. One continent, one law. That’s what I call simplicity. That’s what I call opening a market.

The proposed Network Information Security Directive which accompanies the Cyber-Security Strategy has a similar goal: it is also concerned with building a resilient digital single market.

The Commission, together with the EU’s Network Security Agency, ENISA, identified clear gaps in the Member States’ preparedness for cyber-attacks. We found that only a handful of Member States cooperated on these issues. We consider that companies also need to take cyber-security more seriously.

Indeed, the number of cyber-attacks and incidents is high and rising. Let me give you 3 examples from the past 3 years. In 2010, a cyber-attack on the London Stock Exchange forced trading to stop for a day. In 2011, an outage affected millions of BlackBerry users. In 2012, total internet cut-offs resulted from the mistaken cut of a sub-sea cable between the UK and the Netherlands. Each of these incidents disrupted the provision of services within the internal market.

The proposed Directive responds to these incidents. It requires Member States to improve the level of national preparedness, for instance through the creation of Emergency Response Teams. National authorities will be required to cooperate, notably by informing each other of threats in good time. The Commission also wants to extend the number of sectors – not just Telecoms but also banking, energy, health, transport – which have to adopt Network Information Security management measures and to report significant incidents to national authorities. The purpose is clear: to raise the level of Cyber-Security in the EU in order to strengthen the digital single market.

Ladies and Gentlemen,

The EU wants to develop the digital single market. It wants to remain true to the values on which it is founded. The EU’s reform of its data protection rules and its strategy on cyber-security serve both these purposes. But they have more in common than objectives and aspirations. They are mutually reinforcing.
