Strong and independent data protection authorities: the bedrock of the EU's data protection reform

SPEECH/12/316

Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner

Strong and independent data protection authorities: the bedrock of the EU's data protection reform

Spring Conference of European Data Protection Authorities, Luxembourg, 3 May 2012

Ladies and gentlemen,

I am grateful for the opportunity to continue our discussion on the reform proposal on data protection. Since I last met many of you, in December at the last Working Party 29 meeting, the Commission adopted its proposals for a reform of the EU's data protection rules. And you, within the formation of the Article 29 Working Party, published a very detailed and useful opinion on this reform. I would like to thank you for this comprehensive analysis, which welcomes many aspects of our reform and makes useful clarifications and suggestions.

I do not have to tell you that the data world has changed profoundly in recent years; it's your daily bread and butter. Today we live in a world of total connectivity, where data is processed on the go using mobile devices such as smart phones. We also live in a much more globalised world: companies have offices and branches all over the globe and exchange data between these offices. In short, we are not only witnessing a data revolution, we are right in the middle of it.

You know best the challenge this new data world poses for an effective protection of personal data, because you are faced every day with the complaints of consumers or the difficulties that companies experience when they try to offer their new services in your country. You are the eyes and ears on the ground who know best what works and what doesn't. Therefore it is important that the new EU data protection rules will equip you with the right tools so you can make data protection a reality for Europe's 500 million consumers and for our businesses.

That is exactly what the Commission tried to do with the reform proposals that we put on the table, as promised, on 25 January. We decided to simplify the application of the data protection rules with one single EU law: the rules will apply to all controllers established in the EU. They will also apply to all those not established in the EU but offering services and products to individuals based in the EU. I have chosen a Regulation because this is the only way to achieve real harmonisation and consistency of the rules on data protection. As experience since 1995 has taught us, we would not have achieved this level of harmonisation with a Directive. Instead, as we all know, today we have a patchwork of rules which did not offer sufficient protection to individuals, and which did not provide a uniform and reliable regulatory environment for businesses.

However, having one rule alone is not sufficient. We also need someone to make sure that this rule is enforced everywhere throughout the EU, and everywhere in a similar way. You, the national Data Protection Authorities, play a central role in this endeavour. A core element of the reform is therefore to strengthen the national Data Protection Authorities, helping you to better help citizens and businesses. Let me give you some examples, starting with the advantages the reform will bring for individuals.

Improvements for individuals

The proposals place clear responsibility and accountability on those who are processing personal data, throughout the information life cycle. In the Regulation, we have included incentives for controllers to invest, from the start, in getting data protection right. For example, we have foreseen data protection impact assessments, data protection by design and data protection by default, which will encourage data controllers to think about data protection from the very beginning when designing new applications or services.

We have also clarified and strengthened citizens' rights. We clarify the notion of consent, introduce a general transparency principle and enhance redress mechanisms. And we introduce an obligation to notify clients or users in the event of a data breach, which will apply to all sectors. Introducing a data breach notification requirement was a longstanding request from the Working Party 29.

Another demand of the Working Party was to harmonise the powers and competences of supervisory authorities. While today not all of you can start investigations or impose fines in case of data protection breaches, in the future you will have all the necessary powers to do so if the Commission's proposals are approved by the European Parliament and Council. The new Regulation will give you the tools that you need to better ensure, and, where necessary, enforce compliance with the EU data protection rules. The power to impose fines gives Data Protection Authorities the teeth they need.

Delegated acts

While we have been striving towards a greater degree of harmonisation and more uniformity, we have still resisted the temptation to write every single regulatory detail into the new rules. Why? First of all, because overly prescriptive legislation is never good legislation. Secondly, because we wanted to leave some room for new technological developments, and room for a possible adaptation of the rules to these technological developments without the need to always re-open the entire Regulation in a two- to three-year full-fledged legislative process. That is why the Commission's proposal foresees in a number of areas the possibility to adopt delegated acts.

And I know well that these delegated acts are the source of some questions and even controversy. I believe that this is based on many misunderstandings. Delegated acts are very new instruments which were only introduced by the 2009 Treaty of Lisbon. They are based on the new Article 290 of the Treaty on the Functioning of the European Union, an article introduced into the Treaty at the request of the European Parliament. I need to underline this because I hear, after the first wave of lobbying, that some people do not know that delegated acts are an invention of the European Parliament. They are the long overdue response of the Treaties to a very complex and non-transparent procedure called "Comitology". Comitology was rightly criticised for decades by the Parliament as it allowed unelected bureaucrats from the Member States' ministries to draft so-called technical implementation rules behind closed doors in expert committees. The Parliament understandably did not like this law-making by Committee, as it was neither European (it was national bureaucrats who decided) nor democratic, as the Parliament played almost no role in Comitology.

This is very different with delegated acts as now foreseen in Article 290 of the Treaty. Delegated acts make it possible to "supplement or amend certain non-essential elements" of a legislative act. The possibility for delegated acts, the so-called delegation, must be explicitly agreed by Parliament and Council in the text of the legislative act in question, as well as the object, the content, the scope and the duration of the delegation. It may even be foreseen that Parliament and Council can decide to revoke the delegation, or that a delegated act only enters into force if neither the Parliament nor the Council has expressed an objection.

In other words: delegated acts are not, as some very misinformed (or misinforming?) lobbyists say, an undemocratic procedure that would allow for a power grab by the Commission. On the contrary: delegated acts were deliberately created to allow for a process to adjust non-essential elements of EU legislation to new developments, and to do this under the full control of the Parliament and the Council. Delegated acts thus end the secretive way of technical legislation being drafted by bureaucratic committees behind closed doors. They bring the process out in the open, as it should be in our European democracy.

It is understandable to me that certain lobbyists from powerful multinationals are not very keen on delegated acts, because for decades they managed very well with "Comitology". Logically so, as it is much easier to influence a handful of national experts in national ministries in a meeting behind closed doors than to change the view of 754 directly elected European Parliamentarians.

Ladies and gentlemen,

Please question those who tell you that delegated acts are undemocratic. These people have either not read and understood the Lisbon Treaty, or they have reason to make you believe something that is incompatible with the new Treaty. I believe we are all too European and too democratic to fall into the trap of this argument!

That being said, I would like to reassure you that the Commission will of course always consult broadly before making proposals for delegated acts. We will need your expertise in the legislative process as well as in the process of delegated acts. Some have criticised the delegated acts provisions recently by saying that the Commission could thereby pre-empt data protection authorities' powers and scope for interpreting EU law. I don't agree with this. In fact, the Commission proposal rather encourages national data protection authorities to provide guidance. Take the example of facial recognition, on which you recently adopted an opinion. Such opinions of the Working Party on how to interpret data protection rules vis-à-vis a new service or a new technology will be needed more than ever after the reform enters into force. Your opinion will be even more pertinent in the light of the new consistency mechanism, in which a strengthened Working Party will play a key role, as you know. And your opinion will have more weight after the reform, because once given, your opinion can find its way into the actual legislative texts by means of a delegated act if Commission, Parliament and Council agree to make your opinion a binding rule. I personally believe that making Article 29 Working Party opinions binding could in many instances be an excellent way of further developing EU data protection law without always starting again a full-fledged legislative reform.

The new consistency mechanism

Let me devote a few words to the new consistency mechanism, which I know is a cause of concern to some of you. The new consistency mechanism is there to help streamline the work between data protection authorities. It will also considerably strengthen the weight of your opinions. The consistency mechanism will ensure a harmonised approach to any issue of European relevance, be it individual cases or general data protection issues. By helping each other, data protection authorities will reinforce their power of intervention. Peer reviewed decisions, taking into account the expertise of 1500 data protection professionals across Europe, working closely together, will carry more weight; companies will not so easily be able to ignore this in the future.

The consistency mechanism will also strengthen the data protection authorities' independence from and position towards national governments. Peer pressure on Member States will be much stronger than now, and problems of understaffing or lack of resources will be more visible.

The Commission's role in the consistency mechanism is clear: a possible intervention is a measure of last resort. The Commission is there as a backstop. Its power to suspend a decision of a data protection authority is limited to cases where conformity with EU law is doubtful, or where there is a risk of an inconsistent application of our data protection rules. Similar mechanisms exist in other policy areas, for example the telecoms sector, and these have worked well. In the best of worlds, we would therefore quite happily leave it to the new European Data Protection Board (the strengthened Working Party 29) to issue opinions on data protection matters affecting individuals in different Member States, and to ensure that such matters are dealt with in a consistent manner throughout the entire European Union, in the interest of citizens and businesses.

But what if one authority were to disregard the consensus of the European Data Protection Board on a general point of importance? The Commission has no intention of becoming a "super-data protection authority". This is not our job, and it cannot be our job. The deliberation and determination of individual cases is for the data protection authorities, not for the Commission. But we all know that individual cases may well raise important general questions about the way the rules operate or have been intended to operate. They may also highlight consistency problems that, with the best will in the world, the European Data Protection Board cannot resolve.

Let me say a word on the importance that the Commission attaches to the independence of data protection authorities. You all know that we, the Commission, have fought very hard with several Member States over the independence of national data protection authorities. Just last week, in the case of Hungary, we decided to bring the case of the personal independence of the national data protection supervisor in front of the Court of Justice of the European Union. I recall very well our conversations on this matter last year, and I have well understood your concerns. I hope you see that the Commission will never be shy when it comes to standing up for the independence of data protection authorities, and that you can count on the Commission in this respect. We do this out of a strong conviction, because the words in the Treaty and in the EU Data Protection Directive about the independence of data protection authorities have been drafted on the basis of the provisions which foresee the independence of the Commission. An independence for which I have fought during my whole political career.

How the one-stop-shop will save resources for DPAs

To further simplify things and reduce the danger of duplicating work, the Commission has also proposed to set up a one-stop-shop for data protection for businesses in Europe: the national data protection authority where the business has its main establishment will act as the single contact point. For this one-stop-shop to work, the 1500 employees of data protection authorities in Europe will now cooperate more closely. And you need the appropriate resources. The one-stop-shop and the end of the general data processing notification requirement should save some resources for individual data protection authorities. For example, you will be able to share information more efficiently, and the work of what is today the Working Party 29 will in the future be coordinated by a fully staffed secretariat. This set-up should ensure that you can investigate and decide more quickly when it comes to coordination at EU level.

We have also seen that in the last Facebook case and in the Google privacy policy case, one single authority coordinating the investigation, backed by the expertise of all the others, can be a very effective approach. It saves resources while increasing impact. Media and individuals welcomed such coordinated investigations. It obviously saves resources and avoids duplicating effort, while bringing results across Member States. I know well that many of you actively contributed to both investigations. And I want to thank you for this, because this is the only way we can effectively change things: not by remaining silent, but by actively taking up citizens' concerns, with the company in question and via the media. This was, in my view, a very promising anticipation of the world of European data protection as it could look as a rule once the reform is law across all Member States.

Funding of DPAs

I know that some of you have concerns when it comes to funding and staffing issues. I have carefully read the Working Party's letter of 4th April, in which the Working Party underlines the importance of financing data protection authorities. I agree that money is indeed very important, particularly in view of budgetary constraints in many Member States. I fully share the opinion that we need to have well staffed and properly resourced data protection authorities in all Member States, because financial independence is for me a key aspect of full independence. In last year's annual report of the Working Party, the Commission therefore introduced clear indicators that should allow us to assess the current level of funding and draw comparisons. The Fundamental Rights Agency has also carried out a very useful study. I believe that we need to develop and further strengthen this approach to ensure that, at national level, funding matters are dealt with by benchmarking the situation with the best and most efficient data protection authorities in the EU. In terms of the resources of data protection authorities, I expect the Commission's reform proposals to trigger "a race to the top", and not "a race to the bottom". I am ready to prepare a further, more detailed study looking into the different national funding and staffing models. For this, however, I would ask for your help. I would need you to identify an objective method for calculating the needs of an efficient national data protection authority, on the basis of your practical experience. For this purpose, you will receive a survey letter from the Commission before the summer that will ask you for the relevant detailed and updated information.

I am also willing to support you on this on the basis of similar experiences the Commission has made in other sectors of regulation, such as energy, telecoms, or competition. And finally, I am also prepared to intensify the work with the Fundamental Rights Agency. My aim is that we develop, by summer 2013, objective guidelines for an ideal, effective, financially independent national data protection authority that can make a strong contribution to cooperation and coordination with other data protection authorities. We should in my view do this regardless of the reform itself, because we do not need strong data protection authorities in the distant future. We need them now.

The reform indeed entails many changes to the tasks of data protection authorities. However, this does not automatically mean that the amount of work will increase. On the contrary, the one-stop-shop and the end of the general notification requirement should reduce the workload of data protection authorities. The Regulation requires each Member State to ensure that the data protection authority is provided with the resources, premises and infrastructure necessary for the effective performance of its duties. This is in line with the general jurisprudence of the European Court of Justice saying that Member States must provide the resources necessary to ensure compliance with EU law. However, this does not necessarily mean an increase of the financial burden of the Member State in which the main establishment of the data controller or processor is located. On the contrary: for a national government, to properly resource the national data protection authority can even be a good investment, as it can bring additional revenue for the Member State due to the fact that the main establishment is located in its territory. Such extra revenue and wider benefits can come from tax income, newly created jobs, and the collection of administrative fines on infringements. Let's also not forget that according to the reform proposals, the administrative fines a national data protection authority can impose can be up to 2% of the annual worldwide turnover of an enterprise. This can lead to quite substantial revenues, even though we should of course not base staffing and financial planning on the expectation that businesses will breach the law. Our objective should be that the law is fully respected, and this sometimes also requires investing in public authorities. We thus stand on the same side in this battle.

Transfers to third countries, adequacy decisions

In this globalised world, data knows no borders. Therefore, we have to make sure that companies can easily transfer data to third countries while not compromising the level of data protection for individuals when their data leaves the EU. In this context, I welcome the support of the Working Party 29 on international transfers. The Commission proposal offers many opportunities for interoperability. I would also like to highlight some first positive developments on the US side. We share the views of our colleagues on the other side of the Atlantic that regulatory action is needed on issues such as mobile data protection, privacy rules for children, profiling or consent. I see even some very clear inspirations in the US debate which are drawn from the Commission's reform proposals of 25 January. We will continue to work together towards interoperability while maintaining a high level of protection, as we believe we need it on the basis of our European experience.

We can work towards an interoperable approach building on:
- Binding corporate rules
- Sectoral adequacies, and the continuation of the Safe Harbour Agreement
- Existing mechanisms such as contractual clauses that are broadly used on both sides of the Atlantic.

What is important to us Europeans is that individuals have a real possibility to obtain administrative and judicial redress. Administrative redress is to be guaranteed by an independent body. This right and the concrete possibility of redress will help protect their fundamental right to safe personal data. With enforceable legal provisions, we make sure that people's fundamental rights are respected. This is our goal in the ongoing negotiations with our American partners. But this is also our goal with regard to other third countries. Let me add that the European Commission is making concrete progress regarding New Zealand and Uruguay, which is why you will soon see positive developments in response to your very helpful opinion on this matter. The Article 31 Committee will be convened shortly so that the adequacy decisions for these two countries can be adopted.

Let me now talk about the other element of our Data Protection Package: the Directive on the protection of individuals with regard to the processing of personal data by police and judicial authorities for the purposes of preventing, investigating or detecting criminal offences. I know that not all of you are 100% happy with the level of ambition of the Directive. However, let me tell you why, under the current political circumstances, the Directive is nevertheless a very important improvement as compared to the present Framework Decision of

The choice of a separate instrument, a Directive, was made to take account of the fact that, in this sensitive area, some flexibility needs to be left to Member States. It was also a choice of "Realpolitik". Last week I was in a meeting of the Ministers of the Interior here in Luxembourg and I can tell you very openly: most of them would prefer to have no Directive at all, and some even call into question the Framework Decision which, as you know, the vast majority of Member States have not implemented fully. I have therefore been realistic, but, as you know, I am not a Minister of the Interior, but a Commissioner of Justice. This is why you will have seen that, on substance, the Directive contains the same principles enshrined in the Regulation. The Directive pursues as well the two-fold aim of ensuring a high protection for individuals while also ensuring a smooth exchange of information and cooperation between Member States' competent authorities to prevent crime.

A big step forward compared to the Framework Decision is that the proposed Directive covers not only cross-border cooperation but also "domestic" processing by competent authorities within the Member States, a matter which, however, is very controversial among Member States and where, at the moment, I see more than half of Member States being opposed to this proposal, while I have detected some modest support in the European Parliament. This will be an issue on which I will need your strong and vocal support if you want the proposal to succeed. The new Directive also introduces an obligation to distinguish between data according to its reliability. The same goes for different categories of individuals: data on suspects or convicted persons should logically be subject to different rules than data on victims or witnesses of a crime.

Next Steps

So what's next? First we must succeed in the negotiations, and keep the current momentum where we see strong interest and support for the protection of personal data, and subsequently the reinforcement of the powers of the enforcers, the data protection authorities. On this we should continue to work in close cooperation. I am aware that the Working Party 29 has requested that we also address the case of the other data protection instruments, notably the rules that apply to the processing of personal data by the EU institutions. This is clearly part of the Commission's plans and will come in due time, but we should take one step at a time and primarily focus all our efforts on getting legislators to adopt the proposals that are on the table swiftly, so they can become a much needed reality for our citizens and businesses. My plan is to have the data protection reform politically agreed by summer. I would be grateful if you could support this. Because if Europe is not fast on this subject, data protection rules and standards will not be written here in Europe, but on other continents and by other players.

Ladies and gentlemen,

With your help, I hope that we will soon have a strong, coherent and future-proof framework for data protection, applied consistently across all Member States and across all European Union policies. We will make our data protection legislation fit for the digital age, for people, for businesses, for our economy and our society. This is a joint endeavour. But this is also a joint effort. I hope I can count on you, the data protection professionals, to turn our proposals into a reality.