Speech - The EU data protection Regulation: Promoting technological innovation and safeguarding citizens' rights

European Commission

[Check Against Delivery]

Viviane Reding

European Commission Vice-President, EU Justice Commissioner

The EU data protection Regulation: Promoting technological innovation and safeguarding citizens' rights

Intervention at the Justice Council

Brussels, 4 March 2014

First of all, I would like to thank the Greek Presidency for having included the data protection package among its priorities. This reflects the calls of the Moraes report adopted on 12 February by the LIBE Committee of the European Parliament for the conclusion of the reform in 2014. The plenary of the European Parliament will vote on the data protection package on 12 March.

For this reason, the Commission welcomes the approach of the Presidency to deal with the two proposals, the Regulation and the Directive, as a single package and to negotiate them in parallel. At yesterday's COMIX meeting, the Commission explained why the Directive is important for European citizens and law enforcement authorities.

Dear colleagues, technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. Today's discussion is an important one because we will address issues that go to the heart of the digital single market, issues that make the data protection reform relevant for the 21st century.

International aspects

We discussed the international aspects of the Regulation (territorial scope and international transfers) during our informal meeting on 23 January in Athens.

On territorial scope I recall the broad support that was voiced for making sure that non-European companies, when offering services to European consumers, apply the same rules and adhere to the same levels of protection of personal data as European companies. This is about creating a level playing-field between European and non-European businesses. About fair competition in a globalised world.

The Presidency also proposes we discuss international transfers of data. In today's world, where data flows as freely as the air we breathe, this is another crucial component of the proposal. At our informal discussion in Athens, we also achieved a common understanding on the key principles of this Chapter. In other words, we agreed on the basic legal toolbox that enables data to be transferred outside the EU.

The three tools that exist are transfers based on adequacy, on so-called appropriate safeguards (such as binding corporate rules) or on well framed derogations which are the exception not the rule. Taken together, the three channels offer a comprehensive and flexible set of solutions to businesses. The Commission can support the Presidency's text.

I also support the text proposed by the Presidency on key provisions of chapters I-IV. Getting each of these provisions right is essential for our effort to modernise our data protection rules and address issues at the heart of the digital economy.

Pseudonymisation

First, the introduction in the draft Regulation of the concept of pseudonymisation as an element of the risk-based approach. This is a topic that we first discussed precisely one year ago under Alan's chairmanship.

At that time I recognised that the use of pseudonymous data was a welcome technique. By excluding the name of the person in question, it limits the amount of personal data processed. That's why it enables large-scale processing to find common trends while providing for the protection of the individuals whose data is being processed. This is very important in the framework of pharmaceutical research for instance.

At the same time, the incentives we introduce for the use of pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions.

The text is now a good one. The evolution towards pseudonymisation (rather than pseudonymous data) is positive as it encourages a process without creating a separate regime for a specific category of personal data.

The Regulation creates several incentives for businesses to make use of this technique. Companies who do so would satisfy the requirements for data protection by design and by default and for security of processing. They would also benefit from an exception from a data breach notification requirements.

This is a balanced solution.

The Right to Data Portability

The right to the portability of personal data in the private sector is an essential element of the proposal. Citizens should be able to transfer their data from one service provider, such as a social network, to another - just as they are able to keep their mobile number when changing telecoms operators. Choice drives competition. Data portability empowers citizens to decide what happens to their data and grants them tangible rights vis-à-vis businesses. It gives them real control over their personal data. This approach integrates the development of the online environment without encroaching on the technological neutrality of the Regulation.

Controllers and processors

With regard to the obligations of controllers and processors, the emphasis on service providers is justified, because the vast majority of businesses that process large volumes of data are processors. Take the cloud for instance.

The reference to optional "standardised" contracts between controllers and processors is a helpful tool. It will facilitate compliance with data protection rules and help cut red tape. Such contracts will help SMEs which may find themselves in a weak bargaining position compared to big Cloud processors.

Automated decision making / profiling

Finally, with respect to automated decision making and the question on the opportunity of establishing a specific regime on profiling - the Commission proposal follows the logic of the 1995 Directive while reinforcing the protection of individuals. The Commission has already proposed to expand the scope of the protection. Individuals will not only be protected against formal "decisions" but also against "measures" producing legal effects or significantly affecting them. For instance, the targeted marketing of specific medical products against cancer based on the search made by an individual on the internet would fall under this concept of "measure".

The current Directive does not prevent the creation of profiles of individuals as such, but it ensures that citizens will not be the subject of automated decision based on the profiles which could have negative consequences for them. This regime should be continued in the Regulation.

The Regulation strikes an appropriate balance between the rights of citizens and the need to encourage the emergence of innovative business models. Regulating the manner in which such profiles are created and used adds red tape for businesses and interferes with their research and innovation abilities.

In any case, as profiling involves the processing of personal data, all the general safeguards provided for in the Regulation (both substantive - such as rules on sensitive data - and procedural - such as data protection impact assessments) apply.

Dear colleagues, the theme of today's discussion is clear. It is about encouraging technological development and internet innovation. It is about steering these new technologies in a way that will protect citizens' rights to data protection.

The topics we are discussing today show the importance of advancing decisively on the data reform package in order to create a modern framework that tackles the challenges of the digital economy.

I look forward to our debate.