Data protection is at the heart of the digital economy. Whether it is students posting photographs of themselves online, consumers typing in credit card details to book a flight, or individuals interacting with e-government applications, we constantly rely on our data being protected. As such, information technology has huge economic and social potential. However, this potential will only be fully realised if citizens trust that their personal information is protected: hyper-connectivity must go hand-in-hand with the protection of privacy online.
In order to protect our online privacy in Europe we currently rely on the data protection rules of an EU Directive adopted in 1995. At that time less than one percent of Europeans used the Internet. Today, vast amounts of personal data are transferred and exchanged across continents and around the globe in fractions of a second. The 1995 rules were good rules, and far from ripping them up, we are now taking the principles they are based upon and updating them to make them future-proof.
Our 1995 legislation provides that the processing of personal data is only legitimate when a specific legal ground is given for it. It determines several legal grounds, including consent of the individual, legal or contractual obligations, vital interests of the individual, public interest, and legitimate interests of the data controller. Personal data must be processed fairly and lawfully, must not exceed what is needed and must not be kept longer than necessary for the purpose for which it was collected. Individuals have the right to demand that data relating to them is erased when its processing does not comply with the directive.
Principles such as transparency of data processing vis-à-vis individuals, the proportionality of processed data and security of processing have served individuals well in Europe since the adoption of this directive, but with the onslaught of new technologies, they have come under increasing challenge.
Transparency is often lacking in the way that personal data is handled, as the individual knows and understands little about what happens to his or her information behind the scenes – as for instance in the case of online behavioural advertising. The same considerations apply to the proportionality of processing, which establishes that the data collected should always be proportional to the purpose of the processing; with the ubiquity of the internet and the ever-enhanced means of data manipulation and aggregation, the amount of data held on an individual in massive digital databases increases exponentially, and the associated risks increase with it.
In January, the European Commission, the EU’s executive branch, adopted my proposals on how to reform Data Protection. The new rules, which now require approval of the European Parliament and the Council of Ministers of the 27 EU Member States, will help build trust in online services because people will be better informed about their rights and in more control of their information. A strong, clear and uniform legal framework at EU level will also help to unleash the potential of the Digital Single Market in Europe and foster economic growth, innovation and job creation. The most important changes I have proposed are:
• A single set of rules on data protection, valid across the EU.
• A ‘right to be forgotten’ to help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
• Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
• Easier access to one’s own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
• Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24 hours.
• Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.
• EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behaviour of individuals.
• Increased responsibility and accountability for those processing personal data and elimination of unnecessary administrative burdens such as notification requirements.
• National data protection authorities will be strengthened so they can better enforce the EU rules at home.
People rightly care about how their personal information is protected. We need to strengthen our rules to provide people with more confidence and also to make it easier for businesses to operate on Europe’s digital single market.
A fundamental principle of the reform is that one single law and one single authority will apply to a business based in the EU. Companies based outside the EU, but which offer goods or services to EU individuals or monitor their behaviour will also have to apply EU data protection rules. This will provide a level playing field for all businesses handling personal data in the EU. Companies will be able to offer their customers assurances, backed up by a regulatory framework, that valuable personal data will be treated with the necessary care and diligence.
We currently have a real patchwork of data protection laws in the EU and its 27 Member States. Companies in Europe have to deal with 27 often conflicting data protection laws with national data protection authorities that apply the law in different ways. Legal uncertainty and legal fragmentation are a burden for those companies – both small and large – that want to do business in Europe’s Single Market. This fragmentation of data protection laws in Europe is not only an extra cost for business, but also holds back economic growth and innovation.
We are slashing red tape with these reforms, and unifying 27 national structures into a single European data protection regime. This will give legal clarity to all businesses that target Europeans, greatly lowering the costs of doing business in Europe, and will give a competitive advantage to any company – wherever it is based in the world – that complies with it.
Trust in online commerce will encourage consumers to migrate to more trustworthy companies. It will also give Europeans more control over their own data. This is as it should be – personal data is just that, personal. With this reform people will be able to use precisely whichever services they prefer, which will foster competition in the industry and drive further growth.
I should stress, though, that a simpler, harmonised and less bureaucratic market is not a rules-free market. We have given businesses a golden opportunity. But they will have to ensure they protect individuals’ data. That is the deal. Those handling the personal data of individuals in Europe without being sufficiently transparent on what they actually do with the data, or those that handle data without legitimate grounds for doing so or without adequate security safeguards will be held accountable under the new EU data protection rules.
Online privacy is not just an issue within the EU, of course. The Internet allows people and businesses to interact both globally and instantly. Personal data is transferred across an increasing number of virtual and geographical borders and stored on servers in multiple countries, both within and outside the EU, by an increasing number of actors in areas such as cloud computing. In the digital age, the transfer of data to third countries has become an important part of daily life, but not all countries provide the same level of protection for personal data.
The increasingly globalised nature of data flows calls for a strengthening of individuals’ rights to data protection internationally. This requires strong principles for protecting individuals’ data, aimed at facilitating the flow of personal information across borders while still ensuring a high and consistent level of protection, without loopholes or unnecessary complexity.
The proposed new EU laws will allow a company to establish Binding Corporate Rules (BCR), a kind of binding corporate code for all data transfers worldwide within a corporate group that will grant full legal certainty and preservation of individuals’ rights.
BCRs can be used to adequately protect personal data when it is transferred or processed outside the EU. Businesses can adopt these rules voluntarily and they can be used for transfers of data between companies that are part of the same corporate group.
The BCRs will be largely interoperable with the systems prevailing in other parts of the world, including the United States. Foreign companies can use them, and I invite them to do so. When the EU cooperates with third countries, the Commission’s proposals will make sure that individuals’ data is protected throughout the world, and not only within the EU. This will help to improve international trust in the protection of consumers’ data, wherever the data is located. This will, in turn, promote growth opportunities for EU businesses. EU data protection standards have to apply independently of the location where the data of EU individuals is processed.
These innovations will be combined with a renewed push on the part of the EU to engage in a political and technical dialogue with its international partners in an effort to promote high data protection standards worldwide. The ongoing dialogue with our American partners will certainly be furthered and deepened, particularly in the aftermath of the Obama Administration’s White Paper on a Privacy Bill of Rights – an encouraging first step in the right direction in protecting the data of US consumers.
One much discussed part of the European Commission proposal is the “right to be forgotten”. This right is to help people better cope with data protection risks online. People, when they no longer want their personal data to be processed and when there are no legitimate grounds for companies to keep retaining the data, should be able to delete their information.
Imagine a juvenile posted an embarrassing photo online. And imagine the same person – a few years later – has a job interview and so wants to remove it. Under the new rules, this right will exist as a reality, not just a principle. It is meant to protect in particular the most vulnerable – children.
Some voices claim that the right to be forgotten will let people rewrite the past or that it will threaten the rights of freedom of expression and information. It will not. This right is about taking back personal information about ourselves when there are no legitimate grounds to keep it; keeping information about people can be legitimate, for example, when it is justified on the grounds of freedom of expression and public interest. The right to be forgotten and freedom of expression go hand in hand; they are not enemies, and this reform of the EU’s data protection rules protects both basic freedoms.
I am confident that the reform of EU data protection rules – which can be expected to enter into force by 2014 – will encourage growth and development by ensuring the effective promotion of the fundamental right to privacy online. The EU aims to be a model for other countries when it comes to online privacy protection. Privacy and the modern world go hand in hand, and it is through the first of these that we can ensure the security of the second. Growth, confidence, innovation – all safeguarded by robust online privacy laws.
VIVIANE REDING is the European Union’s Commissioner for Justice, Fundamental Rights and Citizenship.