EUROPEAN COMMISSION
Viviane Reding Vice-President of the European Commission, EU Justice Commissioner
A data protection compact for Europe
CEPS/Brussels 28 January 2014
SPEECH/14/62

Main messages of the speech:
On Safe Harbour: [W]e kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy the U.S. will have to service it. This summer, we will see how well those repairs were carried out. Safe Harbour has to be strengthened or it will be suspended.
On President Obama's speech on the review of U.S. intelligence: It is a window of opportunity for restricting the powers of intelligence services and completing the negotiations on the long overdue Umbrella Agreement. We need to turn opportunities into enforceable rights. I have spoken to the U.S. Secretary of Justice Eric Holder and to the U.S. Secretary of Commerce, Penny Pritzker, to underline that for us Europeans, it is essential these announcements are followed up by legislative action before the summer.
On the state of the EU data protection reform negotiations: There has been a lot of hypocrisy in the debate. For instance, those who called for a high level of data protection in Europe, while simultaneously arguing that the Regulation should be replaced by a Directive. (…) We have listened to these arguments for two years. Round and round in circles while, every day, the headlines have reminded us of why the reform is important. Discussions are mature. The text is ready. It is just a matter of political will.
Europe needs a data protection compact (see IP/14/70): We should all draw lessons from these examples and our recent experiences. Here are mine: eight principles that should govern the way data is processed by the public and the private sector. They form a Data Protection Compact for Europe. [The data protection compact] would enable us Europeans to exercise our right of digital self-determination. Not to depend on decisions made elsewhere, but to decide ourselves how we want to protect the personal data of our citizens; while keeping our internal market open and competitive.
SPEECH:

Ladies and Gentlemen,

Two years ago, on 25 January 2012, a great debate began in Europe. A debate about data protection in a world of total connectivity. About privacy in a world where data flows across borders as easily as the air we breathe. About the future of the digital economy.

9 months ago, the debate took an unexpected turn. The first stories about PRISM were published. Since then, headlines have been dominated by stories about government surveillance. In my dialogues with citizens across the Union, the sense of shock was palpable. We have learned that the times of mass surveillance are not relegated to the past.

Data collection by companies and surveillance by governments. These issues are connected, not separate. The surveillance revelations involve companies whose services we all use on a daily basis. Backdoors have been built, encryption has been weakened. Concerns about government surveillance drive consumers away from digital services. From a citizen's perspective, the underlying issue is the same in both cases. Data should not be kept simply because storage is cheap. Data should not be processed simply because algorithms are refined. Safeguards should apply and citizens should have rights.

Ladies and Gentlemen,

Trust in the data driven economy, already worryingly low, fell further when the first NSA slides were published. The priority should be to restore it. Today I will speak about how this can be done. First, I will outline what concrete steps need to be taken to restore trust in personal data processing by companies and Governments; Second, I will tell you where Europe stands in this debate; Third, I will take a broader view and argue that we need a data protection compact for Europe.
I. Rebuilding trust in data processing

The surveillance scandals have been a wake-up call, and Europe is responding.

A. Rebuilding trust in EU-U.S. data flows

The Commission took a firm stance from the first surveillance revelations, saying loud and clear that mass surveillance is unacceptable. We set out the steps that should be taken to rebuild trust in EU-U.S. data flows. Three steps are of particular importance. First, we must make Safe Harbour safer. The Commission has made 13 concrete recommendations. 13 ways to improve all aspects of the functioning of Safe Harbour. Let me put it simply: we kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy the U.S. will have to service it. This summer, we will see how well those repairs were carried out. Safe Harbour has to be strengthened or it will be suspended.
Secondly, we have to agree on strong data protection rules in the law enforcement context. We need a robust EU-U.S. data protection agreement in the law enforcement sector (the so-called Umbrella Agreement) which ensures EU citizens keep their rights when their data is processed in the U.S. This is not theory. What if your name is identical to that of a suspect in a transatlantic criminal investigation? Your data accidentally gets collected and included on a U.S. black list. You should be able to have it deleted by the authorities – if necessary by a judge – once the mistake is discovered. Europeans (and Americans) have those rights in the EU. They should have them when their data is exchanged with the U.S.

Thirdly, we must ensure that European concerns are addressed in the reform of U.S. surveillance programmes. President Obama's speech just 10 days ago is a step in the right direction. He recognised that the current data collection programmes go too far. New limits on bulk data collection will be imposed. He also responded to a long-standing request from the European Commission, namely to give European citizens who do not live in the U.S. rights and protection when their data is being processed across the Atlantic. In his Presidential Policy Directive, President Obama gave clear instructions for current safeguards that apply to U.S. citizens – such as the principle of data minimisation and retention – to in future be available to "all persons, regardless of their nationality or wherever they might reside". It is a window of opportunity for restricting the powers of intelligence services and completing the negotiations on the long overdue Umbrella Agreement. We need to turn opportunities into enforceable rights. I have spoken to the U.S. Secretary of Justice Eric Holder and to the U.S. Secretary of Commerce, Penny Pritzker, to underline that for us Europeans, it is essential these announcements are followed up by legislative action before the summer.
Trust in the transatlantic relationship is being rebuilt. European concerns are being taken into account in the U.S. reform. This is the right way forward. We need to keep up the pace and we need to keep talking to each other. This is what partners do: not spying on each other, but talking to each other.
B. Rebuilding trust in the digital economy

Restoring trust in the transatlantic relations is not the only area where action is needed. Because trust in the way private enterprises process data is low too. 92% of Europeans are concerned about mobile apps collecting their data without their consent. 89% of people say they want to know when the data on their smartphone is being shared with a third party. Why are the figures so poor? Because citizens know that companies use their personal data in ways that they cannot control or influence. Some say that this is a question of individuals' knowledge being overtaken by technological change. But what does a citizen do when he or she understands, disagrees even, but cannot act? Let's take a simple example. What happens when a citizen wants to play a game on a tablet. He or she has to pay for the app, but doesn't want personal data, for instance location data, to be collected. He or she might also be spied upon. Now I know why the 'Angry Birds' look so angry. Often with applications, the rule is 'take it or leave it'. That's when trust evaporates. That's when people feel forced to part with their privacy.
I believe that this is a question of individuals' rights being overridden by technological change. That's why it is important to put individuals back in control by updating their rights. Explicit consent, the right to be forgotten, the right to data portability and the right to be informed of personal data breaches are important elements. They will help close the growing rift between citizens and the companies with which they share their data, willingly or otherwise. And people should see that their rights are enforced in a meaningful way.

Take the change to Google's privacy policy decided in March 2012. Several national data protection authorities in the EU found that this does not comply with existing data protection rules. Google has been sanctioned in two countries, France and Spain, and is under investigation in four other countries, including Germany. In Spain, Google was fined the maximum amount of EUR 900,000, while in France, whose data protection authority is one of the most feared in Europe, the fine levied was EUR 150 000, also the highest possible sum. Taking Google's 2012 performance figures, the fine in France represents 0.0003% of its global turnover. For them, this looks more like pocket money than a fine. Is it surprising to anyone that two whole years after the case emerged, it is still unclear whether Google will amend its privacy policy or not? We need to get serious. And that is why our reform introduces stiff sanctions that can reach as much as 2% of global annual turnover of a company. In the Google case, that would have meant a fine of EUR 731 million (USD 1 billion). We need a law that no-one can ignore. Rules that not only bark but bite! Showing citizens that a strong EU data protection framework effectively protects and upholds their rights will help to rebuild trust. My message is simple. Let's believe in granting people meaningful rights. The European Union and its Member States are founded on the rights of citizens.
It is by recognising the rights of individuals that European societies are considered amongst the most decent in human history. Let’s act to make sure that our principles apply online as well as offline. Let’s give citizens control over their data. This is why the Data Protection Reform proposals are central to our efforts to restore trust in the digital economy. They are the answer to citizens’ fears that nothing can be done, a reassertion of citizens’ rights over their own data.
II. Current state of data protection in the EU
A. The state of play of the data protection reform

The European Parliament understood. On 21 October 2013, the LIBE Committee voted overwhelmingly in favour of the reform. The Parliament realised the issue was bigger than the distinction between left and right. Political groups from the EPP to the S&D via the Liberals and the Greens agreed on a single text. The European Parliament wants a strong Regulation, with strong sanctions to ensure that it is respected. A few days later, when our Heads of State and Government were asked the same question, some wanted to be ambitious. President Hollande, Prime Minister Letta, Prime Minister Tusk supported President Barroso. Unfortunately, others blinked. It seems that some chose to pay more attention to the spin of lobbyists than to the concerns of Europe's citizens. The result: since the European Council acts by consensus, the digital economy summit was inconclusive. European leaders could only agree to complete the data protection reform in a "timely" manner, and at the latest by the end of 2014.
This is a lowest and slowest common denominator approach! Such an approach is particularly inappropriate in the field of data protection. It is inappropriate as our citizens expect ambition and speedy progress when it comes to the protection of their personal data. And it is also procedurally inappropriate as, in the field of data protection, Europe does not decide by unanimity, but by qualified majority in the Council of Ministers, in co-decision with the European Parliament. It is thus high time to move away from the lowest and slowest common denominator towards high standards, a high level of protection of personal data, and a speedy completion of the work of the co-legislators.

It is true that some companies and a few governments continue to see data protection as an obstacle rather than as a solution; privacy rights as compliance costs, and not as an asset. Yet data protection goes right to the core of our daily lives. It's about making sure that the people operating your smartphone don't know more about your life than your family does. It's about your insurance policy not going up every time you type the name of an illness into a search engine. It's about your teenage profile not being looked at forever.

There has been a lot of hypocrisy in the debate. There were those who called for a high level of data protection in Europe, while simultaneously arguing that the Regulation should be replaced by a Directive. A Directive would mean the status quo. It would mean 28 Member States doing what they want. It would mean data protection on paper but not in practice. We have listened to these arguments for two years. Round and round in circles while, every day, the headlines have reminded us of why the reform is important. Waiting patiently – or maybe not so patiently – as Big Data has been generated against the will of the people. And yet in practice where do we stand? Discussions are mature. The text is ready. It is just a matter of political will.
B. Member State and EU law

If the EU wants to be credible in its efforts to rebuild trust, if it wants to act as an example for other continents, it also has to get its own house in order. Let me give you three examples.

First example: the TEMPORA programme in the UK

It has been reported that under the TEMPORA programme, GCHQ – the UK signal intelligence centre – intercepts and stores data from fibre-optic cables that transmit data across the Atlantic and to Western Europe. If so, the data of UK and other EU citizens is collected, on an enormous scale, every day. Traffic data, recordings of phone calls, the content of email messages, entries on Facebook. When the reports about TEMPORA emerged, the European Commission wrote to the UK Government expressing its concerns and asking questions about the nature and the scope of the programme. The response was short: hands off, this is national security. Where there is no link to EU law, national security is an area of Member State competence. The hands of the Commission are tied. But let me be clear. If I come across a single email, a single piece of evidence that the TEMPORA programme is not used purely for national security purposes, I will launch infringement proceedings. The mass collection of personal data is unacceptable.
I see with some satisfaction that the legality of TEMPORA and its compliance with the fundamental right to privacy is currently being analysed by the European Court of Human Rights, following legal challenges from numerous citizens, notably from the UK. I have full confidence in the Court in Strasbourg to listen to these citizens from the UK and their concerns. And to uphold their right to privacy against mass surveillance without limitations.
Second example: the independence of Germany's Federal Data Protection Authority

The existence of strong independent supervisory authorities is essential in securing the rights and protection of data subjects. Yet in some Member States, data protection authorities are not sufficiently independent. Take the case of Germany's Federal Data Protection Authority. The federal data protection Commissioner carries out his duties under the supervision of the Minister of the Interior. This is set out by German law. It means that the Minister can take disciplinary measures against the data protection commissioner. In the event of a dispute, the decision of the Minister will prevail. Is effective supervision really possible under these circumstances? The new German Government believes in data protection. I trust that it will correct this situation. Just as it has been corrected in the case of the German Länder and their data protection authorities.
Third example: the EU's Data Retention Directive

I have spoken about the Member States. The EU itself should also look carefully at some of its laws. Neither the Commission, the Council, nor the European Parliament can be proud of the Data Retention Directive. The Directive requires telecom companies to store all telephony metadata. This includes geo-location data. The Directive went from proposal to statute book in 6 months. The Advocate-General of the European Court of Justice has recently said out loud what many of us have been thinking. The data is kept for too long, it is too easily accessed and the risk of abuse is too great. It takes the spirit of the 9/11 aftermath too far. The Advocate-General does not say that data does not need to be retained. He says that greater safeguards need to apply. The Opinion contains a recipe for all those who want the Data Retention Directive to strike the right balance between rights and security. One cannot simply use "national security" as a trump card and disregard citizens' rights. That is what others used to do. The European Data Retention law needs a health check. The EU Charter of Fundamental Rights is the medicine.
III. A data protection compact for Europe

We should all draw lessons from these examples and our recent experiences. Here are mine: eight principles that should govern the way data is processed by the public and the private sector. They form a Data Protection Compact for Europe.

First of all, we need the data protection reform in the statute book. I wish to see full speed on data protection in 2014. Europe must act decisively to establish a robust data protection framework that can be the gold standard for the world. Otherwise others will move first and impose their standards on us.
Second, the reform should not distinguish between the private and the public sector. The 1995 directive deals with both. Introducing a distinction today, when citizens are more concerned about processing by the public sector, would not be acceptable. The same principles should apply to both. Citizens would simply not understand a split in times when the public sector collects, collates and sometimes even wants to sell private data. It is also a very difficult distinction to draw when a local authority can buy storage space on a private cloud.

Third, laws setting out data protection rules or affecting privacy require public debate because they relate to civil liberties online. Take the Polish experience with ACTA and data protection reform. ACTA was not explained. It led to the biggest protests since the fall of Communism and the shock-waves reverberated throughout the European Parliament. The lesson was learnt by the Polish Government. Data protection was the subject of a public information campaign. It led to a joint position paper by the private employers association and the leading civil liberties NGO.

My fourth principle relates to surveillance. Data collection should be targeted and be limited to what is proportionate to the objectives that have been set. If this element of proportionality is lost, citizens' acceptance will be lost as well. Blanket surveillance of electronic communications data is not acceptable. It amounts to arbitrary interference with the private lives of citizens. We can't treat all citizens like suspects. In the past you couldn't sit in someone's basement and read their letters. Today you shouldn't sit in an office and trawl through their emails.

Fifth, laws need to be clear and laws need to be kept up to date. I was struck by the reaction of the author of the U.S. Patriot Act, Jim Sensenbrenner to the NSA revelations: "This is not what the Patriot Act was meant to do!".
Technological change allowed the Patriot Act to be applied in ways that had not been imagined at the time it was written. I draw an important principle from this: It cannot be that States rely on outdated rules, drafted in a different technological age, to frame modern surveillance programmes. Such laws give citizens little or no idea about what is actually going on.

Sixth, national security should be invoked sparingly. It should be the exception, rather than the rule. The need to protect national security can justify special rules. But not everything that relates to foreign relations is a matter of national security. I believe that it is dangerous to invoke national security where it is not really at stake. It undermines the legitimacy of laws that are vital for our security.

Seventh, without a role for judicial authorities, there can be no real oversight. Executive oversight is good. Parliamentary oversight is necessary. Judicial oversight is key. Ultimately, whether processing is legitimate is a question of balance between different imperatives, the need to protect privacy and the importance of maintaining security. The judiciary is necessary to ensure that the pendulum does not swing too far.

And finally a message to our American friends. Data Protection rules should apply irrespective of the nationality of the person concerned. Applying different standards to nationals and non-nationals makes no sense in view of the open nature of the internet. Ultimately, distinguishing between the rights of individuals depending on their nationality and place of residence impedes the free flow of data. Europe should be very proud of the fact that it treats data protection as a fundamental right – a fundamental right on which every human-being can rely. Companies have understood this – a big tech giant has just announced it will give its users the option of storing their data in Europe, where it's safe.
I hope many other companies will take similar initiatives in the coming weeks and months.
Conclusion: data protection and an open internet

Ladies and Gentlemen,

The principles I have set out would restore trust in the way in which companies and governments process data. Citizens would benefit because offline rights would apply online. The digital economy would benefit because its growth would be sustainable. National security would benefit because the laws which help secure it would be more legitimate. The internet would also benefit. Citizens have been destabilised by what they have learned over the past months. If trust is not restored, they will want their data to remain within borders. It is in the interest of a free internet and of an open internet that we apply these principles and that we empower citizens. That we give our citizens the rights that they deserve.

Last but not least, Europe would benefit. The recent revelations have shown: at the moment, national governments in Europe are unable to guarantee citizens' personal data is well protected. The Data Protection Compact would change this. It would enable us Europeans to exercise our right of digital self-determination. Not to depend on decisions made elsewhere, but to decide ourselves how we want to protect the personal data of our citizens; while keeping our internal market open and competitive. This is, after all, what Europe is all about. Europe is there to ensure that the rights and interests of our citizens are well protected. And, on that basis, to agree on terms with our partners in the world. Alongside the European Parliament and the majority of governments in Europe, I will continue fighting for this. Because our citizens deserve nothing less.