Data protection is at the heart of the digital economy. Whether it is students posting photographs of themselves online, consumers typing in credit card details to book a flight, or individuals interacting with e-government applications, we constantly rely on our data being protected. As such, information technology has huge economic and social potential. However, this potential will only be fully realised if citizens trust that their personal information is protected: hyper-connectivity must go hand-in-hand with the protection of privacy online.
In order to protect our online privacy in Europe we currently rely on the Data Protection rules, part of an EU Directive, of 1995. At that time less than one percent of Europeans used the Internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds. The 1995 rules were good rules, and far from ripping them up, we are now taking the principles they are based upon and updating them to make them future-proof.
Our 1995 legislation provides that the processing of personal data is only legitimate when a specific legal ground is given for it. It determines several legal grounds, including consent of the individual, legal or contractual obligations, vital interests of the individual, public interest, and legitimate interests of the data controller. Personal data must be processed fairly and lawfully, must not exceed what is needed and must not be kept longer than necessary for the purpose for which it was collected. Individuals have the right to demand that data relating to them is erased when its processing does not comply with the directive.