One of the big topics as we head into 2012 is definitely protection of personal data. The Commission will propose a reform of the current 15-year-old framework in a few weeks. The main issues were already clearly flagged in the Commission communication just over a year ago. My colleague Viviane Reding has spoken about this already a lot in the past few months, setting out her thinking on a number of concrete elements that will be put forward, such as harmonising and better enforcing rules across the EU. From the Digital Agenda perspective, I’m working very closely with Viviane on this, for two reasons:
First, because data protection is an important part of wider cloud computing issues. After 12 months of intensive discussions and consultations, I am currently preparing the first in a series of concrete announcements related to the European Cloud Computing Strategy. I want Europe to be not only cloud-friendly but cloud-active: the right common rules could enhance cloud development, but the wrong choices on data protection would cut off lots of potential uses and business offerings before they’ve even started. At the World Economic Forum in Davos, I will announce a concrete project aimed at making it easier for buyers – particularly public sector buyers – to cooperate on requirement definitions and possibly pool their resources when procuring Cloud Computing services.
And second because there’s more to data protection than cloud computing (and vice versa) since data protection is relevant to almost all digital activity. In particular when we use the Internet, almost anywhere we go, we leave data traces behind. And we are all of us rightly concerned with the question of what companies, and governments, do with this personal data.
When it comes to individual privacy in the digital age, my view is clear: I want to see the principles of transparency, fairness and user control running through everything. Transparency so that citizens know exactly what the deal is. Fairness so that citizens are not forced into sharing their data. And user control so that citizens can decide – in a simple, informed and effective manner – what they allow others to know. And all of this should be combined with better regulation principles, imposing only the minimum legal and administrative burdens needed to achieve these goals.
To begin with, I should stress that any future set of rules will need to carry on achieving the sound objectives of the current legislation: including curtailing intrusive and misleading business models and practices. Data protection must continue to protect citizens and ensure that companies are absolutely clear to citizens about how their data is used.
But these rules must take account of the impact on businesses as well as on citizens. And we can’t afford to stifle innovative entrepreneurs and new ideas. If we are too rigid and controlling, we will serve no-one’s interests. Because, faced with too many restrictive rules and obligations, would-be data controllers may just take their bright ideas outside the EU – or give up all together. If that happens, Europeans’ data might be absolutely safe – but equally they would not get to access potentially beneficial new services. So we would have, so to speak, thrown out the baby with the bathwater.
So, how do we find this balance in practice? Here are some ideas.
a. Technological benefits for everybody
The new uses of technology don’t just pose risks for privacy and data protection principles: they also mean opportunities. For example, by requiring companies to make data available to the concerned individuals using interoperable standards, citizens can easily use it for their own purposes – or easily switch to a competitor.
Likewise we need to look at techniques like encryption or anonymisation, which can reduce the risk of breaching privacy in practice. Otherwise, we risk missing out on the huge opportunities of ‘big data’ – like to analyse anonymised health data on a large scale, analysis which could in the long run save countless lives. So we need rules flexible enough to accommodate such situations in which a company holds data that could identify individuals only if combined with other information that they don’t have.
As we specify how data needs to be protected, we must ensure that our rules actually fit with how technology works. Data protection cannot simply be about setting rights in stone and then finding out they don’t make sense in practice. Otherwise we will end up in a situation where (for example) data protection obligations force companies to collect more data than they otherwise would have done. Likewise, when it comes to a “right to be forgotten”, we need to frame it in a way that can be implemented in the internet as it functions in the real world.
Data protection rules also need to fit how the digital world is evolving – fast! For example, teenagers now regard social networking as being as normal as homework. So we need to work with the grain, and not against it.
b. Clear rules and no unnecessary burdens
Nobody benefits from rules that are unclear. Ambiguity could prevent people from trying out new ideas for fear of the consequences, even where those ideas would be perfectly legal. This legislative review gives us a chance to clarify some key concepts that have divided experts (and lobbyists!) for a decade and a half.
And we must keep a sense of proportion. There is no perfect, cast-iron way to protect data: more can always be done. But there is also always a trade-off in terms of burdens and practicability. We need to take a hard look at what adds value and what doesn’t. Where we tighten the law, we can also consider ways to lighten the administrative burden in relation to data protection authorities. Data protection rules only help if they are enforced – and indeed the current perception of under-enforcement represents a de facto discrimination against law-abiding companies – and effective sanctions are part of that. But they need to be proportionate to the circumstances of individual cases and linked to clear requirements to avoid chilling effects.
In a digital single market, businesses and users benefit from a unified European approach to data protection. Companies and citizens alike just want know who is protecting their rights – and ideally, to deal with just one authority. Likewise, different sectors should be subject to the same rules if there is no material difference in their situations. For example, we already have rules on notification of data breaches in place for the telecoms sector which could serve as a basis for the general rules. What’s more, to have a level playing field in a world driven by the Internet, we also need all companies who in reality serve the European market and process Europeans’ data to be part of the system of rules.
d. International data
Data should be protected when sent abroad, too. But again, we should keep a sense of proportion. The same three principles as apply in the EU – transparency, fairness, and user control – can and should apply equally well to international transfers of data, and should of course also be achieved through proportionate burdens and efficient procedures.
The Commission is working in all these directions. And I am confident that the Commission will propose “technology savvy” protection for all of us – rules which protect our rights, while taking full account of both the risks and opportunities of the digital age.