Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses. In return, Reding expects businesses to ensure “safe and transparent digital products and services.”
Reding highlighted data security as a key concern for consumers, particularly in the context of online transactions. She referred to a recent EU survey which indicated that “while 62% of people trust banks to protect their data, 35% do not.” In Reding’s view, companies must improve their efforts to protect consumers’ data. She stated her intention to introduce a mandatory requirement that organizations provide notification of all serious data security breaches. In her view, the notification of serious breaches would be a proportionate step and would enhance consumers’ confidence in organizations’ security and oversight controls. Further, mandatory notification would create an incentive for businesses to proactively conduct risk assessments and implement the measures necessary to safeguard data.
Under the revised EU Directive 2002/58/EC (the “e-Privacy Directive”), which came into force on May 25, 2011, telecommunications firms and internet service providers are already subject to mandatory data breach notification requirements. Reding’s proposals would extend that obligation across all business sectors, which, in her view, would help businesses to regain the trust of users of the Internet and online services. She said that companies must “do more to keep their customers’ personal data secure,” particularly in light of recent data theft scandals.
Reding indicated her agreement with the themes of a recent speech given by the United Kingdom’s Lord Chancellor and Secretary of State for Justice, Kenneth Clarke, in which he endorsed the fundamental principles of the existing Data Protection Directive but rejected a prescriptive “one-size-fits-all” approach to applying data protection principles. Reding added that existing data protection rules need to be “more relevant to modern methods of business.”
Read the text of the speech Viviane Reding gave at the British Bankers’ Association’s Data Protection and Privacy Conference on June 20, 2011.