EU Data Protection Framework as explained by Ms. Reding

Posted by fgilbert on January 24th, 2012

I have previously commented on the proposed Data Protection Regulation to be unveiled at a press conference on January 25, 2012. The document will be part of Version 2.0 of the EU Data Protection Framework that will be implemented throughout the European Economic Area within the next two years.

In her speech “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules”, given on January 22, 2012, Ms. Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, provided an excellent description of the background and reasons for the choices made when framing the new EU Data Protection framework and drafting the upcoming Data Protection Regulation.

Rather than summarizing her thoughts, I provide below an extract of the text of Ms. Reding’s presentation. All bolding and emphasis are in the original text of her prepared remarks.

I will propose this week a comprehensive reform of the data protection rules. There will be two legislative texts to accomplish these goals:

First, a Regulation to enhance opportunities for companies that want to do business in the EU’s internal market, while ensuring a high level of data protection for individuals.

Second, a Directive to ensure a smoother exchange of information between Member States’ police and judicial authorities in the fight against serious crime while at the same time protecting people’s fundamental right to data protection.

The new rules will help businesses in three ways.

Firstly, they create legal certainty. Secondly, they simplify the regulatory environment. And thirdly, they provide clear rules for international data transfers.

Let’s look at the first point (legal certainty) in more detail. Instead of a patchwork of 27 different rules in 27 countries, there will be one law that will apply to all Member States in the European Union and to all companies which are offering their goods and services to consumers in the EU – even if their servers are based outside of the European Union.

The directly applicable Regulation will create a strong, clear and uniform legislative framework that will help unleash the potential of the Digital Single Market. It will do away with fragmentation, which will save businesses around 2.3 billion euros per year. The new Regulation will remove barriers to market entry – a factor of particular importance to small and medium-sized enterprises.

The savings will be achieved by a series of measures. First, by simplifying the regulatory environment and by drastically cutting red tape. No more general notification requirements. Instead, companies across Europe will be themselves responsible and accountable for the protection of personal data in their business field. They will have to appoint a data protection officer – a requirement that businesses here in Germany are already very familiar with. The scrapping of the general notification rule alone brings about savings worth 130 million euro a year.

Second, there will be a regulatory ‘one-stop-shop’ for businesses for all data protection matters. A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the Member State in which the company has its main establishment.

It will not matter anymore which data protection authority deals with a case. All data protection authorities in whichever EU country will have the same adequate tools and powers to enforce EU law. Data protection authorities should be able to deal with complaints, carry out investigations, take binding decisions and impose effective and dissuasive sanctions, whether the French, the Irish, the Romanian or the Bavarian data protection authority is in charge of a case. This will give the legislation the necessary ‘teeth’ so the rules can be enforced.

Data protection authorities must be independent from political and economic interests and have sufficient resources to do their job. They will need to work closely together – especially in cross-border cases – to make sure that the rules are enforced consistently across Europe.

The third element to ease burdens on companies is to ensure clear rules for international data transfers. In a world where the free flow of data is fundamental to business models and physical boundaries are meaningless, we need to rethink the way we transfer data. It seems odd that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America, even when there are safeguards in place. In the Internet age, data protection laws need to take account of this global dimension. If they only focus on the activities of a company within a given country, they will not reflect reality.

Personal data can be collected in Berlin and processed in Bangalore. I therefore want to improve the current system of binding corporate rules to make these exchanges less burdensome and more secure. I will propose a consistent and streamlined approval process with a single point of contact for companies. And once the binding corporate rules are approved by one data protection authority, they will be recognised by all the data protection authorities in the European Union. There should be no need for additional national authorisation in case of further transfers.

As a result, companies will be able to sell goods and services under the same data protection rules to 500 million people – this can be a very interesting business opportunity!

This is what Europe can do to help the Digital Single Market take off. This is what Europe can do to work towards global standards.

But you, businesses handling personal data, have a critical role to play as well. If we want to give a real meaning to the fundamental right to the protection of personal data, if we want individuals to be in control of their information, then business responsibility has to come in. It makes good business sense to respect customers’ privacy and build up trust so people feel secure sharing their personal information on your platform, on your service.

Here, transparency is the name of the game.

First, people need to be informed about the processing of their data in simple and clear language. Internet users must be told which data is collected, for what purposes and how long it will be stored. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated. People need to be able to make an informed decision about what to disclose, when and to whom.

Second, whenever users give their agreement to the processing of their data, it has to be meaningful. In short, people’s consent needs to be specific and given explicitly.

Thirdly, the reform will give individuals better control over their own data. I will include easier access to one’s own data in the new rules. People must be able to easily take their data to another provider or have it deleted if they no longer want it to be used.

The new rules will provide for data portability. Another important way to give people control over their data: the right to be forgotten. I want to explicitly clarify that people shall have the right – and not only the ‘possibility’ – to withdraw their consent to the processing of the personal data they have given out themselves.

The Internet has an almost unlimited search and memory capacity. So even tiny scraps of personal information can have a huge impact, even years after they were shared or made public. The right to be forgotten will build on already existing rules to better cope with privacy risks online. It is the individual who should be in the best position to protect the privacy of their data by choosing whether or not to provide it. It is therefore important to empower EU citizens, particularly teenagers, to be in control of their own identity online. By the way, 81% of German citizens are worried they are no longer in control of their personal data!

If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.

The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a data base. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.

The new EU rules will include explicit provisions that ensure the respect of freedom of expression and information. After all, I have been the EU’s Media Commissioner for many years, and I will never compromise in the fight for the fundamental rights of freedom of expression and freedom of the media. This also holds true in the field of data protection, which is another important fundamental right, but not an absolute one.

Finally, individuals must be swiftly informed when their personal data is lost, stolen or hacked. Whether user data gets stolen from an online gaming service, or credit card details are hacked on a firm’s website: these security breaches affect millions of users around the world. There were recently many serious data breach incidents which highlight why companies need to reinforce the security of the information they hold. Frequent data security breaches risk undermining consumers’ trust in the digital economy. I will therefore introduce a general obligation for data controllers to notify data breaches. Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. As a general rule, without undue delay means for me ‘within 24 hours’.

My detailed analysis of Draft 56 of the Regulation was also published in early December 2011 on my law firm’s website. For my other comments on how the new Regulation will affect cloud service providers and users, see my monthly column on TechTarget.

Posted in Europe