European Commission Viviane Reding

Vice-President of the European Commission, EU Justice Commissioner

CEPS/Brussels

[W]e kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy the U.S. will have to service it. This summer, we will see how well those repairs were carried out. Safe Harbour has to be strengthened or it will be suspended.

It is a window of opportunity for restricting the powers of intelligence services and completing the negotiations on the long overdue Umbrella Agreement. We need to turn opportunities into enforceable rights.

I have spoken to the U.S. Secretary of Justice Eric Holder and to the U.S. Secretary of Commerce, Penny Pritzker, to underline that for us Europeans, it is essential these announcements are followed up by legislative action before the summer.

On the state of the EU data protection reform negotiations:

There has been a lot of hypocrisy in the debate. For instance, those who called for a high level of data protection in Europe, while simultaneously arguing that the Regulation should be replaced by a Directive. (…) We have listened to these arguments for two years. Round and round in circles while, every day, the headlines have reminded us of why the reform is important.

Discussions are mature. The text is ready. It is just a matter of political will.

Europe needs a data protection compact (see IP/14/70):

We should all draw lessons from these examples and our recent experiences. Here are mine: eight principles that should govern the way data is processed by the public and the private sector. They form a Data Protection Compact for Europe.

[The data protection compact] would enable us Europeans to exercise our right of digital self-determination. Not to depend on decisions made elsewhere, but to decide ourselves how we want to protect the personal data of our citizens; while keeping our internal market open and competitive.

SPEECH:
Ladies and Gentlemen,

Two years ago, on 25 January 2012, a great debate began in Europe. A debate about data protection in a world of total connectivity. About privacy in a world where data flows across borders as easily as the air we breathe. About the future of the digital economy.

9 months ago, the debate took an unexpected turn. The first stories about PRISM were published. Since then, headlines have been dominated by stories about government surveillance. In my dialogues with citizens across the Union, the sense of shock was palpable. We have learned that the times of mass surveillance are not relegated to the past.

Data collection by companies and surveillance by governments. These issues are connected, not separate. The surveillance revelations involve companies whose services we all use on a daily basis. Backdoors have been built, encryption has been weakened. Concerns about government surveillance drive consumers away from digital services. From a citizen's perspective, the underlying issue is the same in both cases. Data should not be kept simply because storage is cheap. Data should not be processed simply because algorithms are refined. Safeguards should apply and citizens should have rights.

Ladies and Gentlemen,

Trust in the data driven economy, already worryingly low, fell further when the first NSA slides were published. The priority should be to restore it. Today I will speak about how this can be done.

• 
  First, I will outline what concrete steps need to be taken to restore trust in personal data processing by companies and Governments;
  
• 
  Second, I will tell you where Europe stands in this debate;
  
• 
  Third, I will take a broader view and argue that we need a data protection compact for Europe.
  

The surveillance scandals have been a wake-up call, and Europe is responding.

The Commission took a firm stance from the first surveillance revelations, saying loud and clear that mass surveillance is unacceptable. We set out the steps that should be taken to rebuild trust in EU-U.S. data flows. Three steps are of particular importance.

I have spoken to the U.S. Secretary of Justice Eric Holder and to the U.S. Secretary of Commerce, Penny Pritzker, to underline that for us Europeans, it is essential these announcements are followed up by legislative action before the summer.

Trust in the transatlantic relationship is being rebuilt. European concerns are being taken into account in the U.S. reform. This is the right way forward. We need to keep up the pace and we need to keep talking to each other. This is what partners do: not spying on each other, but talking to each other.

B. Rebuilding trust in the digital economy

Restoring trust in the transatlantic relations is not the only area where action is needed. Because trust in the way private enterprises process data is low too. 92% of Europeans are concerned about mobile apps collecting their data without their consent. 89% of people say they want to know when the data on their smartphone is being shared with a third party.

Why are the figures so poor?

Because citizens know that companies use their personal data in ways that they cannot control or influence.

Some say that this is a question of individuals’ knowledge being overtaken by technological change. But what does a citizen do when he or she understands, disagrees even, but cannot act? Let’s take a simple example. What happens when a citizen wants to play a game on a tablet. He or she has to pay for the app, but doesn’t want personal data, for instance location data, to be collected. He or she might also be spied upon. Now I know why the 'Angry Birds' look so angry. Often with applications, the rule is ‘take it or leave it’. That’s when trust evaporates. That's when people feel forced to part with their privacy.

I believe that this is a question of individuals’ rights being overridden by technological change. That’s why it is important to put individuals back in control by updating their rights. Explicit consent, the right to be forgotten, the right to data portability and the right to be informed of personal data breaches are important elements. They will help close the growing rift between citizens and the companies with which they share their data, willingly or otherwise.

And people should see that their rights are enforced in a meaningful way. Take the change to Google's privacy policy decided in March 2012. Several national data protection authorities in the EU found that this does not comply with existing data protection rules. Google has been sanctioned in two countries, France and Spain, and is under investigation in four other countries, including Germany. In Spain, Google was fined the maximum amount of EUR 900,000, while in France, whose data protection authority is one of the most feared in Europe, the fine levied was EUR 150 000, also the highest possible sum. Taking Google's 2012 performance figures, the fine in France represents 0.0003% of its global turnover. For them, this looks more like pocket money than a fine.

Is it surprising to anyone that two whole years after the case emerged, it is still unclear whether Google will amend its privacy policy or not?

We need a law that no-one can ignore. Rules that not only bark but bite! Showing citizens that a strong EU data protection framework effectively protects and upholds their rights will help to rebuild trust.

My message is simple. Let’s believe in granting people meaningful rights. The European Union and its Member States are founded on the rights of citizens. It is by recognising the rights of individuals that European societies are considered amongst the most decent in human history. Let’s act to make sure that our principles apply online as well as offline. Let’s give citizens control over their data.

This is why the Data Protection Reform proposals are central to our efforts to restore trust in the digital economy. They are the answer to citizens’ fears that nothing can be done, a reassertion of citizens’ rights over their own data.

The European Parliament understood. On 21 October 2013, the LIBE Committee voted overwhelmingly in favour of the reform. The Parliament realised the issue was bigger than the distinction between left and right. Political groups from the EPP to the S&D via the Liberals and the Greens agreed on a single text. The European Parliament wants a strong Regulation, with strong sanctions to ensure that it is respected.

A few days later, when our Heads of State and Government were asked the same question, some wanted to be ambitious. President Hollande, Prime Minister Letta, Prime Minister Tusk supported President Barroso. Unfortunately, others blinked. It seems that some chose to pay more attention to the spin of lobbyists than to the concerns of Europe’s citizens. The result: since, the European Council acts by consensus, the digital economy summit was inconclusive. European leaders could only agree to complete the data protection reform in a "timely" manner, and at the latest by the end of 2014.

This is a lowest and slowest common denominator approach! Such an approach is particularly inappropriate in the field of data protection. It is inappropriate as our citizens expect ambition and speedy progress when it comes to the protection of their personal data. And it is also procedurally inappropriate as, in the field of data protection, Europe does not decide by unanimity, but by qualified majority in the Council of Ministers, in co-decision with the European Parliament. It is thus high time to move away from the lowest and slowest common denominator towards high standards, a high level of protection of personal data, and a speedy completion of the work of the co-legislators.

It is true that some companies and a few governments continue to see data protection as an obstacle rather than as a solution; privacy rights as compliance costs, and not as an asset. Yet data protection goes right to the core of our daily lives. It's about making sure that the people operating your smartphone don’t know more about your life than your family does. It's about your insurance policy not going up every time you type the name of an illness into a search engine. It's about your teenage profile not being looked at forever.

There has been a lot of hypocrisy in the debate. There were those who called for a high level of data protection in Europe, while simultaneously arguing that the Regulation should be replaced by a Directive. A Directive would mean the status quo. It would mean 28 Member States doing what they want. It would mean data protection on paper but not in practice.

We have listened to these arguments for two years. Round and round in circles while, every day, the headlines have reminded us of why the reform is important. Waiting patiently – or maybe not so patiently – as Big Data has been generated against the will of the people.

And yet in practice where do we stand? Discussions are mature. The text is ready. It is just a matter of political will.

If the EU wants to be credible in its efforts to rebuild trust, if it wants to act as an example for other continents, it also has to get its own house in order. Let me give you three examples.

It has been reported that under the TEMPORA programme, GCHQ – the UK signal intelligence centre – intercepts and stores data from fibre-optic cables that transmit data across the Atlantic and to Western Europe. If so, the data of UK and other EU citizens is collected, on an enormous scale, every day. Traffic data, recordings of phone calls, the content of email messages, entries on Facebook.

When the reports about TEMPORA emerged, the European Commission wrote to the UK Government expressing its concerns and asking questions about the nature and the scope of the programme. The response was short: hands off, this is national security.

Where there is no link to EU law, national security is an area of Member State competence. The hands of the Commission are tied. But let me be clear. If I come across a single email, a single piece of evidence that the TEMPORA programme is not used purely for national security purposes, I will launch infringement proceedings. The mass collection of personal data is unacceptable.

I see with some satisfaction that the legality of TEMPORA and its compliance with the fundamental right to privacy is currently being analysed by the European Court of Human Rights, following legal challenges from numerous citizens, notably from the UK. I have full confidence in the Court in Strasbourg to listen to these citizens from the UK and their concerns. And to uphold their right to privacy against mass surveillance without limitations.

Second example: the independence of Germany's Federal Data Protection Authority

The existence of strong independent supervisory authorities is essential in securing the rights and protection of data subjects. Yet in some Member States, data protection authorities are not sufficiently independent.

Take the case of Germany’s Federal Data Protection Authority. The federal data protection Commissioner carries out his duties under the supervision of the Minister of the Interior. This is set out by German law. It means that the Minister can take disciplinary measures against the data protection commissioner. In the event of a dispute, the decision of the Minister will prevail. Is effective supervision really possible under these circumstances?

The new German Government believes in data protection. I trust that it will correct this situation. Just as it has been corrected in the case of the German Länder and their data protection authorities.

I have spoken about the Member States. The EU itself should also look carefully at some of its laws. Neither the Commission, the Council, nor the European Parliament can be proud of the Data Retention Directive.

The Directive requires telecom companies to store all telephony metadata. This includes geo-location data. The Directive went from proposal to statute book in 6 months. The Advocate-General of the European Court of Justice has recently said out-loud what many of us have been thinking. The data is kept for too long, it is too easily accessed and the risk of abuse is too great. It takes the spirit of the 9/11 aftermath too far. The Advocate-General does not say that data does not need to be retained. He says that greater safeguards need to apply. The Opinion contains a recipe for all those who want the Data Retention Directive to strike the right balance between rights and security.

One cannot simply use "national security" as a trump card and disregard citizens' rights. That is what others used to do. The European Data Retention law needs a health check. The EU Charter of Fundamental Rights is the medicine.

We should all draw lessons from these examples and our recent experiences. Here are mine: eight principles that should govern the way data is processed by the public and the private sector. They form a Data Protection Compact for Europe.

My fourth principle relates to surveillance. Data collection should be targeted and be limited to what is proportionate to the objectives that have been set. If this element of proportionality is lost, citizens' acceptance will be lost as well. Blanket surveillance of electronic communications data is not acceptable. It amounts to arbitrary interference with the private lives of citizens. We can't treat all citizens like suspects. In the past you couldn't sit in someone's basement and read their letters. Today you shouldn't sit in an office and trawl through their emails.

And finally a message to our American friends. Data Protection rules should apply irrespective of the nationality of the person concerned. Applying different standards to nationals and non-nationals makes no sense in view of the open nature of the internet. Ultimately, distinguishing between the rights of individuals depending on their nationality and place of residence impedes the free flow of data. Europe should be very proud of the fact that it treats data protection as a fundamental right – a fundamental right on which every human-being can rely. Companies have understood this – a big tech giant has just announced it will give its users the option of storing their data in Europe, where it's safe. I hope many other companies will take similar initiatives in the coming weeks and months.

Ladies and Gentlemen,

The principles I have set out would restore trust in the way in which companies and governments process data. Citizens would benefit because offline rights would apply online. The digital economy would benefit because its growth would be sustainable. National security would benefit because the laws which help secure it would be more legitimate.

The internet would also benefit. Citizens have been destabilised by what they have learned over the past months. If trust is not restored, they will want their data to remain within borders. It is in the interest of a free internet and of an open internet that we apply these principles and that we empower citizens. That we give our citizens the rights that they deserve.

SPEECH/14/62