One of the big topics as we head into 2012 is definitely protection of personal data. The Commission will propose a reform of the current 15-year-old framework in a few weeks. The main issues were already clearly flagged in the Commission communication just over a year ago. My colleague Viviane Reding has spoken about this already a lot in the past few months, setting out her thinking on a number of concrete elements that will be put forward, such as harmonising and better enforcing rules across the EU. From the Digital Agenda perspective, I’m working very closely with Viviane on this, for two reasons:
First, because data protection is an important part of wider cloud computing issues. After 12 months of intensive discussions and consultations, I am currently preparing the first in a series of concrete announcements related to the European Cloud Computing Strategy. I want Europe to be not only cloud-friendly but cloud-active: the right common rules could enhance cloud development, but the wrong choices on data protection would cut off lots of potential uses and business offerings before they’ve even started. At the World Economic Forum in Davos, I will announce a concrete project aimed at making it easier for buyers – particularly public sector buyers – to cooperate on requirement definitions and possibly pool their resources when procuring Cloud Computing services.
And second, because there’s more to data protection than cloud computing (and vice versa), since data protection is relevant to almost all digital activity. In particular, when we use the Internet, almost anywhere we go, we leave data traces behind. And we are all of us rightly concerned with the question of what companies, and governments, do with this personal data.
When it comes to individual privacy in the digital age, my view is clear: I want to see the principles of transparency, fairness and user control running through everything. Transparency so that citizens know exactly what the deal is. Fairness so that citizens are not forced into sharing their data. And user control so that citizens can decide – in a simple, informed and effective manner – what they allow others to know. And all of this should be combined with better regulation principles, imposing only the minimum legal and administrative burdens needed to achieve these goals.
I have already set out my thinking in relation to the ePrivacy Directive. But it also applies to data protection more generally.
To begin with, I should stress that any future set of rules will need to carry on achieving the sound objectives of the current legislation: including curtailing intrusive and misleading business models and practices. Data protection must continue to protect citizens and ensure that companies are absolutely clear to citizens about how their data is used.
But these rules must take account of the impact on businesses as well as on citizens. And we can’t afford to stifle innovative entrepreneurs and new ideas. If we are too rigid and controlling, we will serve no-one’s interests. Because, faced with too many restrictive rules and obligations, would-be data controllers may just take their bright ideas outside the EU – or give up altogether. If that happens, Europeans’ data might be absolutely safe – but equally they would not get to access potentially beneficial new services. So we would have, so to speak, thrown out the baby with the bathwater.
So, how do we find this balance in practice? Here are some ideas.
a. Technological benefits for everybody
The new uses of technology don’t just pose risks for privacy and data protection principles: they also mean opportunities. For example, by requiring companies to make data available to the concerned individuals using interoperable standards, citizens can easily use it for their own purposes – or easily switch to a competitor.
Likewise, we need to look at techniques like encryption or anonymisation, which can reduce the risk of breaching privacy in practice. Otherwise, we risk missing out on the huge opportunities of ‘big data’ – such as analysing anonymised health data on a large scale, analysis which could in the long run save countless lives. So we need rules flexible enough to accommodate such situations, in which a company holds data that could identify individuals only if combined with other information that it doesn’t have.
As we specify how data needs to be protected, we must ensure that our rules actually fit with how technology works. Data protection cannot simply be about setting rights in stone and then finding out they don’t make sense in practice. Otherwise we will end up in a situation where (for example) data protection obligations force companies to collect more data than they otherwise would have done. Likewise, when it comes to a “right to be forgotten”, we need to frame it in a way that can be implemented in the internet as it functions in the real world.
Data protection rules also need to fit how the digital world is evolving – fast! For example, teenagers now regard social networking as being as normal as homework. So we need to work with the grain, and not against it.
b. Clear rules and no unnecessary burdens
Nobody benefits from rules that are unclear. Ambiguity could prevent people from trying out new ideas for fear of the consequences, even where those ideas would be perfectly legal. This legislative review gives us a chance to clarify some key concepts that have divided experts (and lobbyists!) for a decade and a half.
And we must keep a sense of proportion. There is no perfect, cast-iron way to protect data: more can always be done. But there is also always a trade-off in terms of burdens and practicability. We need to take a hard look at what adds value and what doesn’t. Where we tighten the law, we can also consider ways to lighten the administrative burden in relation to data protection authorities. Data protection rules only help if they are enforced – and indeed the current perception of under-enforcement represents a de facto discrimination against law-abiding companies – and effective sanctions are part of that. But they need to be proportionate to the circumstances of individual cases and linked to clear requirements to avoid chilling effects.
c. Harmonisation
In a digital single market, businesses and users benefit from a unified European approach to data protection. Companies and citizens alike just want to know who is protecting their rights – and ideally, to deal with just one authority. Likewise, different sectors should be subject to the same rules if there is no material difference in their situations. For example, we already have rules on notification of data breaches in place for the telecoms sector which could serve as a basis for the general rules. What’s more, to have a level playing field in a world driven by the Internet, we also need all companies who in reality serve the European market and process Europeans’ data to be part of the system of rules.
d. International data
Data should be protected when sent abroad, too. But again, we should keep a sense of proportion. The same three principles as apply in the EU – transparency, fairness, and user control – can and should apply equally well to international transfers of data, and should of course also be achieved through proportionate burdens and efficient procedures.
The Commission is working in all these directions. And I am confident that the Commission will propose “technology savvy” protection for all of us – rules which protect our rights, while taking full account of both the risks and opportunities of the digital age.
International data will be the trickiest part of the EU, especially as members are not currently as integrated. It will be interesting seeing what you come up with to tackle this issue.
Here’s additional information for German-speaking readers about the severe dangers of this project.
It could be a passable way to introduce an EuSSR dictatorship depriving citizens of their rights. That data protection reform may pave the way for a further decline of civil rights and a considerably deteriorated jurisdiction.
You’d think the EU harmonizes with China…
Tightening data protection rules is of severe importance. The litmus test is whether the United States Trade Representatives would like it. When they are furious and getting nuts, put their shoes on the table, lobby like a mad rhino, then we do exactly the right thing to protect the rights of our citizens abroad. Especially in the context of cloud services we cannot permit US based services to spy on our markets. When in Rome do like the Romans do. When in Europe respect our rules and values!
The internet for the first time forces countries to adopt a singular economic system across its distribution and that puts enormous pressure on the agreements needed between countries.
While on the surface the U.S. proclaims to be in support of free markets (and I am, living and working there), the implementation of a free market requires regulations so every participant enjoys the same definition of freedom, and protects other participants using that same definition. Free markets are not a free-for-all, meaning you are allowed to just do what you want. That is the way financial systems in violation of free-market principles have been able to run amok with our economic systems.
The implementation of a true free-market system is now, really for the first time, being implemented globally with the internet as its distribution. I applaud Neelie’s work to balance the defunct free-for-all with meaningful regulation that secures everyone’s definition of freedom. But I would suggest to tread carefully, for I see those who do not understand the basic fundamentals of a free market implement regulations that throw the economic baby out with the bath water all too frequently.
The EU dictatorship on its march is stopped by neither ox nor donkey …
Dear Neelie,
Please have a look at http://www.qiy.com if you are really interested in personal data protection. This solution can give Europeans back their identity!
Finally a first step into the right direction, however keep in mind that the citizens also need to realize what they do with their confidential information. It’s like getting a burglar alarm, but leaving the door wide open!
Rules need to be defined, but we also would like to see more awareness and training.
Nevertheless, this is the correct way to go, because regulation needs to keep up with the ever changing technology. More to find @ our independent web portal.
If you’re talking about SOPA, then I can’t agree with you.
I’m not going to support this law. More than that: I’m against it. I’m ready to walk out on the streets of my town and join the strike or whatever it is called.
Dear Mrs Kroes, I fully support your opposition to the US SOPA and PIPA acts. The main reasoning behind my support is as follows. If the US government wants to control access of internet content in their sovereignty, that is their right (debatable, but for the sake of argument please accept it). But infrastructure that resides on US soil to control the internet access worldwide to me is unacceptable. If they want to prosecute foreign citizens, the existing legislation is adequate. If the existing legal frame is not “fast enough” for companies and media corporations of US interest, let me ask the following question if I may. Suppose there is a case of piracy related to content of EU interests (European movie, song etc.) in the States: will the US government act with the same zeal and passion?
Respectfully
Billy Kantartzis
IT consultant
Yes, data should be protected when sent abroad.
This concept seems to be pretty outstanding, as the problem of data protection has been one of the sharpest ones for decades. This solution sounds really rational and smart; let’s see how they will develop it.
They are insourcing again with a SaaS cloud emphasis after booting IBM then CSC. VF figured out that it’s better and cheaper than any outsourcing solution.