Rede Ciobanu-Dordea
Ansprache des Direktors Grundrechte und Unionsbürgerschaft
der Generaldirektion Justiz, Freiheit und Sicherheit der EU-Kommission
„Die europäische Dimension des Datenschutzes"
Berliner Datenschutzrunde 2010
Deutsche Parlamentarische Gesellschaft, Berlin
11. März 2010, 10:45 - 11:10 Uhr
Ladies and gentlemen,
Dear German colleagues from the data protection field who have kindly invited me to speak here today,
We are gathered to discuss the future of data protection and the various aspects it entails. I am glad to see such a broad variety of speakers and attendees here today, as it is indeed a topic which affects us all, across the private and the public sector, and foremost as European citizens.
Data protection in the EU is primarily regulated by the Directive 95/46/EC on the protection of personal data and since 2008, in the field of police and judicial cooperation, by the Council Framework Decision 2008/977/JHA. The Directive 95/46/EC is built upon very strong data protection principles of proportionality, fairness, accuracy, transparency and the rights of the Europeans to transparency, information and control of their personal data, coupled with supervision by independent data protection authorities.
I would like to underline two very important aspects in this regard:
Unlike other countries (notably the US), EU legal rules on data protection do not discriminate between EU citizens and foreigners - the fundamental right to personal data protection is guaranteed to "every person" in Europe, citizens and non-citizens alike.
The Directive's harmonisation of national data protection laws is not limited to minimal harmonisation but amounts to harmonisation which is generally complete, leaving very little room for Member States to go below or beyond the level of protection. This approach was specifically emphasized by the European Court of Justice, already back in 2003.
The EU legal framework for data protection has also served as a respected standard for third countries when regulating data protection. Its effect and impact, within and outside the EU, have been of the utmost importance.
Yet 15 years later, although these principles remain equally sound, the world around it has changed. Globalization has seen an increasing role of third countries relating to data protection and has also come with an increasing interest of public authorities outside the European Union into privately held personal data within the EU. On the other hand, the internet of today is not the Netscape-running internet we knew back in 1995. The rise in new technologies, mobile internet devices and web-user generated content is putting individuals more on the forefront when it comes to the 'management' of their personal data, requiring a shift of focus of the policy makers.
Adding thereto are the changes brought about by the entry into force of the Lisbon Treaty. There is now a legally binding fundamental right to data protection - enshrined in Article 8 of the EU Charter of Fundamental Rights - and a single legal basis with Article 16 of the new Treaty on the functioning of the EU for adopting rules regulating personal data processing across the Union's and Member States' activities. Furthermore, the role of the European Parliament has been strengthened, by giving co-decision power now also in those fields which used to be in the "third pillar" which will have an important effect on the ways future data protection legal acts will come into existence.
The question has thus legitimately arisen whether today's framework is still fully equipped to deal with all these new challenges, a question coming in first place from within the Commission itself. Willing to hear from the various stakeholders, the European Commission has held a public consultation on the future of privacy, which features as part of the broader initiative to review the current EU data protection framework in its whole. This public consultation was intended to consult a broad sampling of stakeholders, centralized around three very open questions, leaving them as much leeway in identifying new challenges, signalling out areas which would need improvement, and make suggestions on how a future legal framework could better tackle certain problems.
Ladies and gentlemen,
The response was frankly overwhelming, stressing once more the perceived importance of data protection in today's world. More than 170 contributions have been received, from citizens, businesses and representative organisations, and public authorities, covering a broad variety of countries and industries.
Although still in assessment phase, preliminary results have shown a general consensus that the current legal framework - in particular the Directive 95/46/EC -, is rooted in very strong data principles and is still regarded as sound and remains aptly equipped to regulate data protection across the European Union. The technological neutrality of the Directive has also been widely celebrated and it is agreed not to step away from this paradigm.
It is mostly the application of these principles to the everyday reality that causes problems and where action is needed.
The main challenges identified in the received contributions are the divergences between Member States' legislations implementing the Directive - which potentially disrupt the internal market -, the wish for administrative simplification in dealing with Data Protection Authorities - for instance in the notification requirements -, the need to update definitions and concepts in light of new technologies, and a wish to better regulate international data transfers with third countries.
Our citizens also seem increasingly worried in what they perceive as a growing demand by public authorities in gathering and requesting personal data, inside and outside the EU, either directly or obtained via private actors and whether they will still be able to exercise their data protection rights when their data leaves the European Union. Public authorities on their side stress the importance of empowering the data subjects more in the future, through awareness campaigns and increased transparency, and feel they can play a bigger role in that area if they could autonomously set their own agenda and dispose of better enforcement tools.
A very noteworthy contribution has been the joint opinion of the Working Party established by Article 29 of the Directive together with the Working Party on Police and Judicial Cooperation. In their joint opinion, the national data protection authorities have meticulously identified key issues which have to be addressed in order to modernize and streamline the data protection framework, suggesting ways to better tackle these issues in the future. Their expertise and experience in the field makes this joint opinion a great contribution to the work of the Commission.
To summarize, these contributions have shown that data protection is at the heart of the European people, be it as citizens or as part of businesses, governments or other organisations. They have equally highlighted the vast impact these EU data protection rules have had over the years, within Europe but also outside: we have received contributions coming from virtually all sectors in society: financial, health, anti-doping, research, intellectual property, media etc, and from various organisations based in several third countries, once again underline how other countries have looked at the EU data protection rules for guidance. Lastly, it has also shown an increasing awareness of all actors in this 'game' that there is a mutual benefit to be gained in allowing data collection and transfer to operate within clearly defined rules and within a spirit of transparency. Individuals' trust in new technologies will be boosted when they know the integrity of their data is structurally protected - privacy by design - and when they feel they can clearly locate the accountable person who is processing their data. Businesses on their side will economically benefit from this renewed trust of technology users.
What are the next steps then?
Dear colleagues,
Vice-President Reding has already made clear that effective protection of personal data is indeed a priority of the new Commission. Ms Reding has repeatedly stressed that she intends to use all of the powers given by the Lisbon Treaty to effectively improve the European rules on the protection of personal data so that it may fully reflect its status of fundamental right in daily life.
As a consequence, at the Commission we are currently engaged in a thorough evaluation of the entire data protection legal framework, to a great extent focused on the Directive and the Framework Decision but also including the wide scope of instruments that contain data protection elements, such as contained in the legal instruments on Europol, Eurojust or the Schengen Information System to name but a few. The results of the public consultation will helpfully feed into that as they have already identified many issues we need to look at.
The same is true for the third implementation report we are currently preparing in parallel, which will equally identify possible difficulties and challenges in the application of the Directive in the Member States.
After the evaluation will have further identified key issues and challenges to be addressed, together with having singled out effective policy actions that can deal with these issues, we will then continue with an Impact Assessment of the retained policy options that in our view will reach the goals of unifying, modernizing, streamlining and updating the current legal framework. The final step will then be coming up with concrete legislative proposals.
For example, it might be necessary to increase harmonization of data protection legislation in Member States, clarify the application of some key rules and principles of data protection (such as consent and transparency), augment the framework by introducing additional principles (such as ‘privacy by design'), strengthen the effectiveness of the system by modernising arrangements (e.g. by limiting bureaucratic burdens), and extend the fundamental principles of data protection into one comprehensive EU legal framework, which also applies to police and judicial cooperation in criminal matters.
I have no doubt that the European Union will continue to fulfil its role as a key player in setting the standards for personal data protection, as it has done for the past 15 years. At the same time, we are realizing that we are but one actor on the world stage and that we benefit from joining efforts with other organisations or third countries - such as the Council of Europe, or the United States, Canada or Australia for example - in enforcing data protection standards and principles and ensuring that data subjects will never be deprived of exercising their rights independently of where the data is flowing to or of whom the data is held by.
I thank you all for your attention and I am looking forward to any questions you might have!
