The overhaul of EU rules on data protection: making the single market work for business

Viviane Reding — Vice-President of the European Commission, EU Justice Commissioner

3rd Annual European Data Protection and Privacy Conference / Brussels

Brussels, 5-12-2012 — /europawire.eu/ — Ladies and Gentlemen,

1995 was a long time ago. In terms of digital technologies, a different age. Since then, the internet has blossomed. Social networking has boomed. Cloud computing has taken off. These changes have fuelled an explosion in data processing. Digital data is everywhere now. It has generated new industries and new opportunities. The market for analysis of large sets of data is growing by 40% per year worldwide.

17 years on, we have to think about whether our data protection rules still work. Many citizens think that they don’t. 92% of Europeans are concerned about mobile apps collecting their data without their consent. 89% of people say they want to know when the data on their smartphone is being shared with a third party. They want the option to give or refuse permission. This raises an important question. A question which goes to the heart of this new economy. Can it continue to grow without the trust of citizens? The citizens on whose data it depends.

11 months ago, I answered this question. I presented a data protection reform proposal for Europe. My message was clear: reliable, consistently applied rules make data processing safer, cheaper and inspire users’ confidence. Confidence in turn drives growth.

Since then, we have witnessed a great debate about data protection. Not only in Europe, but also beyond. Our proposal was discussed in Brussels, Berlin and Washington, in Punta del Este and Cyprus. We received more than 50 detailed written contributions from stakeholders, from dentists to insurance firms, from biometrics specialists to cloud computing businesses.

Why is there so much interest in our data protection reform?

First, because the economic stake is huge. Last year, McKinsey predicted a potential economic surplus of 120 billion Euro in Europe by 2020. This year, the Boston Consulting Group sees a potential 1 trillion of added GDP in 2020. We need a fully functioning digital single market to make this work, to unlock that growth potential. That is my ambition and data protection reform is one cornerstone of this vital project.

Second, because data protection is a global challenge. In a world where borders are increasingly blurred, and where data moves at the speed of light, the Union’s rules matter beyond its borders. Our debate is a precursor of future debates in other parts of the world. Many countries have a new generation of data protection laws in the making, in Asia, in Latin America, in Africa. In the U.S., the voices of reform are growing louder. All across the world, people are realising that good data protection rules are good for growth. This is at the heart of our own proposals here in Europe.

I have listened to this intense, vibrant, fascinating debate for the past 11 months, and I remain convinced that we will succeed in adopting a data protection reform that is good for business and good for citizens. Two sides of the same coin.

Today, I want to talk to you about my data protection reform proposal from the perspective of businesses and why I believe the fundamentals of my data protection reform are good for business.

The fundamentals of the data protection reform

The decision to propose a Regulation was the right one beyond any doubt; it meets the expectations of business to have a true digital single market with one single law for data protection. Without a Regulation, we would have continued to have an inconsistent patchwork of 27 different laws, which would entail huge legal costs for firms who simply want to do business across the EU. I am doing away with those costs by making sure there is one single clear set of rules for all businesses in the Union.

It was also correct to build into this single law what we call the “one-stop-shop” principle. This is another way the Regulation is designed to be simple and practical for businesses. It allows firms to have just one supervisory authority that they need to deal with. I am sure you can appreciate the benefits that this system will bring and the savings that will be made.

Along with simplicity, I have also made sure that the Regulation includes legal certainty. Legal certainty will exist in the form of the ‘consistency mechanism’, which makes sure that the supervisory authorities can collectively agree positions that apply across the Union. This will put an end to situations where there is one rule in Germany and another rule in France because the supervisory authorities there interpreted the Directive and national legislation differently. With our reform there will be one clear rule for all of the EU, with no contradictions. This will make it much easier to conduct business across borders.

Finally, a word on administrative sanctions. I am sure we all agree that the systems introduced in the Regulation will not work if organisations can just ignore them – we can’t have rules that are all bark and no bite! If the rules are ignored, then consumers will lose confidence in companies and this is very bad for business. The rules exist for the efficient and safe administration of the personal data of citizens. Businesses need to realise that with handling personal data comes responsibility. And part of that responsibility is to follow the law. And if they can partake in profits, they are also liable for lack of compliance with the law. That is why the new Regulation will have a larger fines regime that will ensure compliance.

Now let me be clear, the ideal situation is one where no fines are levied; where all the rules are respected. But if we have weak sanctions, then it weakens the one-stop-shop, it weakens the consistency mechanism and it weakens the ability of businesses to operate in the digital single market. Promoting growth requires a robust administrative sanction system.

These four important aspects of the proposal – the one single law via a Regulation, the one-stop-shop, the consistency mechanism and the sanctions system – will mean that data protection compliance will be simpler than ever before. It is through bold action like this that we can allow firms to innovate, to create jobs and to contribute to economic growth. Clear rules within which business can do what it does best.

Some estimates show that EU GDP could grow by a further 4% by 2020 if the EU takes the necessary steps to create a modern digital single market. I want to help EU business contribute to this growth. And we must ask ourselves, in these tough economic times, who would position themselves against measures to promote growth?

Next steps in the negotiations

Further cuts in red tape

I am aware that the goal of stimulating economic growth would be frustrated were the package to impose an additional burden on European business. That is why I have proposed to scrap notifications, for example. Notifications to supervisory authorities are a formality which has little added value from a data protection point of view. A formality that represents a cost for business of 130 million euros a year. So yes, let’s get rid of it.

I have listened to MEPs, to Member States, to stakeholders and to businesses. They want us to cut red tape even more and to keep costs low. And we will do so. We will look at the proposal and consider ways in which red tape can be cut without affecting the level of protection of personal data.

For example, I have already said on several occasions that I am willing to consider following a more risk-based approach. The risk-based approach already exists in the text. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business (enterprises employing fewer than 250 persons) and to the nature of the data being processed. We have foreseen derogations in cases where a business cannot identify the person whose data is being processed.

This should be our focus when we talk about a risk-based approach. Such an approach doesn’t just mean “let data controllers choose what they will do”. This could undermine protection for data subjects and would destroy the level playing field we want to create. Instead, we want to build an approach into the legislation that adequately and correctly takes into account risk. The approach also has to be simple. Complex analyses of risk may lead to increased costs and less legal certainty. So we must think carefully about the criteria we choose to introduce. But I am prepared to go further.

This will help us to achieve a greater degree of simplification for businesses but will still ensure that the one single law is adequate to protect data subjects’ rights. We want to make sure that obligations are not imposed except where they are necessary to protect personal data.

Another change we are going to make is to reduce prescriptiveness in the Regulation. Our objective was always to set out rules that are clear, so that businesses know what they need to do and citizens know what rights they have. However, if the language we used is too prescriptive, then we will remove or change it. By doing this intelligently, we can make sure the legislation remains clear and effective, but we can also make sure businesses avoid unnecessary costs. Again, our goal here is to make things easier and less costly for businesses.

Public / Private sector split

Administrative burdens are not the only thing we have been hearing about from stakeholders. We have also heard their concerns about legal fragmentation occurring from a “public-private split”, where the public sector is removed from the scope of the Regulation and is allowed to operate under different rules.

Of course, businesses are right to be concerned that some are advocating such a radical step away from the harmonized system that we proposed. While there will always be some areas where the public sector has the right to act differently from the private sector, the overall principles must be the same.

It is important to recall that current EU rules – the Data Protection Directive – do not draw any distinction between rules applicable to the public or the private sector.

It would not have been wise to change the current situation because the distinction between public and private has never been clear cut. Technological change is making it increasingly blurred. Let me give you an example. What happens when a local authority uploads personal data onto a cloud provided by a private company? An interesting question for lawyers but not a clear rule for private enterprise.

Some of the most damaging data breaches can come from the public sector. In 2011, Government was the second highest sector for the number of data breaches. The sector most frequently affected was healthcare, which in many member states is part of the public sector too. I’m sure we can all agree then that it is not right to just remove the public sector from the Regulation; to do so would be irresponsible and make the legislation incomplete.

Further reconciling flexibility and legal certainty

We also had a debate on how to further reconcile flexibility and legal certainty, and on how to reconcile the horizontal approach with sectoral concerns and specificities, in the spirit of smart regulation.

The way we tried to tackle this was to include delegated and implementing acts. These are a new way of achieving flexibility and certainty at the same time, which is not always an easy task.

Delegated acts mean avoiding a text that is too prescriptive. They avoid us having to write long and detailed lists for every article. Instead, we would see if the system worked as drafted, and if extra detail was needed, then we could add it by using the delegated act. Of course delegated and implementing acts were never meant to be a way of re-writing the whole Regulation. That is simply not possible to do and was never our intention.

But let me be clear, although I believe that delegated and implementing acts are one of the ways to achieve legal certainty, I am prepared to look at other ways to ensure an effective application of the rules.

So we have re-examined every delegated and implementing act one-by-one, to see if there is a better method that could take its place. As a result of this exercise, there are a number of delegated and implementing acts that we would be happy to replace.

In lieu of these acts, we have considered several different solutions. These include more detail in the text, allowing the consistency mechanism to step in and make a decision, allowing codes of conduct and other business-lead initiatives or just deleting the act in its entirety.

We have to be careful. The alternatives should not make the text more prescriptive. The package should remain technologically neutral and future proof. But I am prepared to work on this basis. To look at each empowerment individually and make changes that best maintain flexibility and certainty in every case.

Conclusion

Ladies and gentlemen,

I hope my explanations today show you that it is worth continuing to engage in this fast moving debate.

I trust that together, we will make a giant leap forward for the Digital Single Market. We want to open new growth opportunities that Europe needs, and at the same time, we want to make data protection an effective right for everybody. We are closer than ever to delivering effective, practicable and future proof data protection rules that enable growth. I expect the Parliament and the Council to make swift progress on data protection by the end of the Irish Presidency. I will do everything I can to support the Irish Presidency and the European Parliament in this endeavour. And I hope I can count on your support, too. To deliver what business wants. To deliver what citizens want. And to bring European data protection rules into the digital age.