Does a single market need just one data-protection regime? With current controversies about privacy rules running very hot, Viviane Reding, Vice-President of the European Commission explains in an interview with EUROPP editors Chris Gilson and Julian Kirchherr why its recent proposal to change the existing rules (now two decades old) can benefit citizens and enterprises alike.
Is there really a need for stronger data protection laws for European citizens, given that many already give away their private data for free, for example on social media sites?
Uploading photos or updating friends on what you are up to on a social network is an everyday activity for most people these days. Data travels around the globe instantly and is stored beyond borders in the cloud. But people are not always sure what happens to their data, where it goes or how it is processed. In a recent opinion poll, 72 per cent of people across the EU said they were concerned about how companies deal with their data.
Personal data is the currency of today’s modern digital market. Like any currency, it needs stability and trust. Only if consumers can ‘trust’ that their data is well protected, will they continue to entrust businesses and authorities with it, buy online and accept new services. That is why we are proposing new rules so they can control their own data. Reliable, consistently applied rules make data processing safer, cheaper and inspire users’ confidence – all of which serves to boost innovation and competitiveness.
Protection of personal data is a fundamental right in the EU, and people want to know their data is secure. Our aim is to put people in control of their own data – so they can access it, move it or delete it if they want to. This includes the right to be forgotten. We want to explicitly clarify that people shall have the right – and not only the ‘possibility’ – to withdraw the consent they have given out themselves to the processing of their personal data.
People should also be swiftly informed if their personal data is lost, stolen or hacked. Companies and organisations will have to inform the data protection authorities and the people concerned without undue delay. As a general rule, for me that means ‘within 24 hours’.
Why would strong data protection rules foster growth and competitiveness in Europe?
At present, businesses have to deal with 27 separate sets of data protection rules if they want to trade across the EU and 27 national data protection authorities – even more if you count the separate regulators in Germany’s 16 Länder! So we know that one of the big problems today is the patchwork of data protection legislation (and interpretation of that law) across the European Union. Compliance costs and administrative burdens for companies are large.
By having a single set of rules on data protection that are valid across the EU, businesses will reduce costs from lower legal fees They will need to deal with only one data protection rule and only one national data protection authority for all of Europe. This will also save money by avoiding unnecessary notification requirements and multiple, unnecessary fees. We have calculated that all this will save firms around €2.3 billion a year.
A strong, clear and uniform legal framework at EU level will cut red tape and costs for business. It will be a regulatory one-stop shop for businesses: they will only have to deal with the data protection authority in the EU country where they are based. This will help to unleash the potential of the EU’s digital Single Market and foster economic growth, innovation and job creation.
You want it to be mandatory for organisations with more than 250 employees to appoint data protection officers. Businesses are worried that this might be too much red tape. How will such a proposal save money?
Most large organisations already have a data protection officer in place, so this will not be a heavy burden. Nor does it mean that they have to recruit a full-time person to do the job – very often it will simply mean giving an existing employee the task of knowing the rules and taking responsibility for them. Small organisations, such as local hospitals, could, for example, share a data protection authority at regional level.
If all goes well, when will your proposal be approved and implemented? Do you expect that major changes to the proposals will take place?
The European Commission’s proposals now pass to the European Parliament and to the 27 national governments represented in the Council of the EU. These two institutions will discuss the proposals in detail, vote on any amendments and finally agree on a legal text.
So far the responses to the proposals have been very positive. The four main political party groups in the European Parliament have all welcomed the Commission’s proposals. So have most of the national data protection authorities. Now they need to look at the details, of course. But my goal is to have an agreement in summer 2013 so that the new rules can become law swiftly.
Viviane Reding spoke at the LSE event yesterday morning on ‘The importance of strong data protection rules for growth and competitiveness’.
About the author
Viviane Reding has been the Vice-president of the European Commission, responsible for Justice, Fundamentals Rights and Citizenship since February 2010. In 1999 she joined the European Commission as Commissioner responsible for Education, Culture, Youth, Media and Sports until 2004, and then as Commissioner responsible for Information Society and Media from 2004 to 2010. Prior to her political career, Viviane Reding started off as a journalist at the newspaper Luxembourg Wort in Luxembourg, where she served as President of the Luxembourg Union of Journalists from 1986 until 1998.