Online Privacy in the European Union
Data protection is at the heart of the digital economy. Whether it is students posting photographs of themselves online, consumers typing in credit card details to book a flight, or individuals interacting with e-government applications, we constantly rely on our data being protected. As such, information technology has huge economic and social potential. However, this potential will only be fully realised if citizens trust that their personal information is protected: hyper-connectivity must go hand-in-hand with the protection of privacy online.
In order to protect our online privacy in Europe we currently rely on the Data Protection rules, part of an EU Directive, of 1995. At that time less than one percent of Europeans used the Internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds. The 1995 rules were good rules, and far from ripping them up, we are now taking the principles they are based upon and updating them to make them future-proof.
Our 1995 legislation provides that the processing of personal data is only legitimate when a specific legal ground is given for it. It determines several legal grounds, including consent of the individual, legal or contractual obligations, vital interests of the individual, public interest, and legitimate interests of the data controller. Personal data must be processed fairly and lawfully, must not exceed what is needed and must not be kept longer than necessary for the purpose for which it was collected. Individuals have the right to demand that data relating to them is erased when its processing does not comply with the directive.
Principles such as transparency of data processing vis-à-vis individuals, the proportionality of processed data and security of processing have served individuals well in Europe since the adoption of this directive, but with the onslaught of new technologies, they have come under increasing challenge.
Transparency is often lacking in the way that personal data is handled, as the individual knows and understands little about what happens to his or her information behind the scenes – as for instance in the case of online behavioural advertising. The same considerations apply for the proportionality of processing, which establishes that data collected should always be proportional to the purpose of the processing; with the ubiquity of the internet and the ever-enhanced means of data manipulation and aggregation, the amount of data held on an individual in massive digital databases increases exponentially, increasing also the connected risks.
In January, the European Commission, the EU's executive branch, adopted my proposals on how to reform Data Protection. The new rules, which now require approval of the European Parliament and the Council of Ministers of the 27 EU Member States, will help build trust in online services because people will be better informed about their rights and in more control of their information. A strong, clear and uniform legal framework at EU level will also help to unleash the potential of the Digital Single Market in Europe and foster economic growth, innovation and job creation. The most important changes I have proposed are:
• A single set of rules on data protection, valid across the EU.
• A ‘right to be forgotten’ to help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
• Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
• Easier access to one’s own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
• Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24 hours.
• Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.
• EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behaviour of individuals.
• Increased responsibility and accountability for those processing personal data and elimination of unnecessary administrative burdens such as notification requirements.
• National data protection authorities will be strengthened so they can better enforce the EU rules at home.
People rightly care about how their personal information is protected. We need to strengthen our rules to provide people with more confidence and also to make it easier for businesses to operate on Europe's digital single market.