On January 28, 2014, Data Protection Day, Vice-President of the European Commission and Commissioner for Justice Fundamental Rights and Citizenship Viviane Reding gave a speech in Brussels proposing a new data protection compact for Europe. She focused on three key themes: (1) the need to rebuild trust in data processing, (2) the current state of data protection in the EU, and (3) a new data protection compact for Europe.
The Need to Rebuild Trust
Following the recent National Security Agency (“NSA”) surveillance revelations, Commissioner Reding stated that the most important goal for 2014 is to restore the trust of citizens in how their data are safeguarded. To achieve this goal, she recommended that:
- Safe Harbor be strengthened by enforcing the 13 recommendations proposed by the European Commission in October 2013; and
- The EU and U.S. agree and finalize the “umbrella” agreement on the transfer and processing of personal information in the context of police and judicial cooperation in criminal matters, which is currently being negotiated, and would afford EU citizens the same rights as U.S. citizens when their data are exchanged with the United States.
Commissioner Reding also referred to the new rights of data subjects that would be introduced by the proposed EU General Data Protection Regulation (the “Proposed Regulation”), which include the right to be forgotten, the right to data portability, and the right to be informed of personal data breaches. Commissioner Reding called for more meaningful enforcement, citing as example recent fines levied against Google Inc. in the amounts of €900,000 (in Spain) and €150,000 (in France), which she described as “more like pocket money than a fine” to Google.
The State of Data Protection Reforms in the EU
Commissioner Reding emphasized the European Parliament’s “overwhelming” support for the Proposed Regulation in its compromise text adopted in October 2013. However, she criticized many European leaders and major companies for failing to uphold data protection as a fundamental goal, stating that “some companies and a few governments continue to see data protection as an obstacle rather than as a solution; privacy rights as compliance costs, and not as an asset.” She noted that, two years after the legislative proposals were first released, “Discussions are mature. The text is ready. It is just a matter of political will.”
A Data Protection Compact for Europe
Commissioner Reding concluded her speech by proposing eight principles that should govern the way personal data are processed in the public and the private sector:
- Europe should finalize the Proposed Regulation in 2014, as “[o]therwise others will move first and impose their standards on [Europe].”
- The Proposed Regulation should not distinguish between the private and the public sector, and should apply the same principles and standards to both.
- Laws affecting individuals’ privacy must be publicly consulted.
- In relation to surveillance activities, data collection must be targeted, limited and in proportion to the surveillance objectives.
- Laws need to be clear and kept up-to-date, otherwise they risk being applied “in ways that had not been imagined at the time [they were] written,” due to technological advancements.
- National security exemptions should be invoked sparingly, since “not everything that relates to foreign relations is a matter of national security.”
- Judicial authorities have an important role to play in deciding where the balance lies between protecting individuals’ privacy and maintaining nations’ security.
- Data protection rules should apply irrespective of the nationality and place of residence of the data subject.
Commissioner Reding emphasized that bolstering trust in the way companies and governments process personal data would benefit the digital economy, national security, the Internet and Europe as a whole.