Transcript The Data Protection Regulation (II)

A European Data Protection
Framework for the 21st century
Paul NEMITZ
Director
DG JUSTICE – Fundamental Rights and Union Citizenship
Why a new European framework for
Data Protection?
• The impact of technology and globalisation
• A fragmented legal framework at EU level
• Institutional changes: The Lisbon Treaty
2
What does COM aim to achieve?
The objectives of the reform
•  Strengthening individuals’ rights, particularly
online
•  Create a clear, consistent and uniformly
•
applied EU data protection framework
•  Facilitate international data flows while
ensuring adequate protection
3
The Challenge of Technology
•  92% of Europeans are concerned about mobile apps
collecting their data without their consent.
•  89% of people say they want to know when the data on
their smartphone is being shared with a third party.
They want the option to give or refuse permission.
•  3 in 4 citizens do not feel in control of their data
• Can our economy continue to grow without the trust
of citizens?
4
How will these objectives be achieved?
The Data Protection Regulation (I)
• Replaces Data Protection Directive 95/46/EC
• Sets out the general Data Protection framework in
the EU
• But maintains the same objectives:
- Protecting the fundamental right to Data Protection
AND
- Ensuring the free flow of personal data between
Member States
5
The Data Protection Regulation (II)
PUTTING INDIVIDUALS IN CONTROL OF THEIR DATA
• Better information about data processing
• Consent to be given explicitly, whenever required
• Easier rights of access and ‘data portability’
• ‘Right to be forgotten’
• Data breach notifications (DPAs and individuals)
6
The Data Protection Regulation (III)
RULES FIT FOR THE DIGITAL SINGLE MARKET
• One single law, directly applicable
• Cutting red tape (e.g. abolishing general
notifications)
• ‘One-stop shop’ system for data protection in the
EU: one single DPA to deal with a company
7
Economic Benefits
• One single law – saves businesses EUR 2,3 billion per
year through harmonisation and simplification of the
regulatory environment
• Cutting red tape – saves businesses EUR 130 million
per year
• ‘One-stop shop’ system reduces legal uncertainty
about supervision and enforcement (difficult to quantify
enhanced confidence and certainty)
• Enhanced trust in individuals creates opportunity
for business in the internal market (see next slide on
opportunity cost of lack of trust)
=> SIMPLER AND MORE FLEXIBLE RULES
BOOSTING CONFIDENCE, GROWTH, INNOVATION
8
Lack of confidence - ecommerce
Reasons for not buying online (% of individuals that have not ordered online during last year), 2009
I have no need
I prefer to shop in person, like to see
product, loyalty to shops, force of habit
Payment security concerns
Privacy concerns
Trust concerns
lack of skills
Relevant information about goods and
services difficult to find on website
Don't have a payment card allowing to pay
over the Internet
delivery of goods ordered over the Internet is
a problem
Speed of the Internet connection is too slow
Others
0%
10%
20%
30%
40%
50%
60%
70%
Data Protection Regulation – SME Concerns
RULES TARGETED TO SMEs TO AVOID UNDUE BURDENS
• General benefits: simplification of the regulatory
environment – harmonisation and ”one-stop-shop”
• No undue administrative burden on SMEs
• “Think small first principle” organically a part of
proposed Regulation (Recital 11)
• Targeted provisions:
• Large majority of SMEs exempted from Data Protection Officer
obligation, unless engaged in risky processing
• Narrowly targeted criteria for Data Protection Impact Assessments,
unless engaged in risky processing
• SMEs exempted from documentation obligations
The Data Protection Regulation (IV)
IMPROVEMENT IN DATA PROTECTION GOVERNANCE
• Independent and stronger national DPAs
• Swifter and more efficient cooperation between DPAs
• A new ‘European Data Protection Board’
• EU level ‘consistency mechanism’
11
The Data Protection Regulation (V)
INTERNATIONAL TRANSFERS
• Clearer rules on the application of EU law for
controllers established outside
• Clearer criteria on adequacy and central role of
the Commission
• More flexible instruments for global data flows
(e.g. “Binding Corporate Rules”)
12
The Directive in the field of
crim. justice and police cooperation (I)
WHY A SEPARATE DIRECTIVE?
• Replaces the Framework Decision ("minimum
harmonisation" and limited powers of ECJ to
enforce the rules)
• Keeps the necessary flexibility to take
account of the specific nature and needs of
this area
13
The Directive in the field of
crim. justice and police cooperation (II)
• Extension to “domestic” (national) processing
• Same general principles (lawfulness, necessity,
proportionality etc.)
• Harmonised limitations/derogations (e.g.
access to data, right to information)
14
State of play at the end of 2012
• Council – slow but steady progress under DK and CY
PRES. Article-by-article reading and horizontal themes
(administrative burden, delegated/implementing acts,
public sector flexibility).
• EP – faster pace: LIBE Rapporteur Albrecht
presented draft report 9 January 2013. Four other EP
Committees involved : IMCO, JURI, ITRE, EMPL.
15
The way forward in 2013
• Council – reinvigorated pace of discussions under IE
PRES. Continuation of first reading and horizontal
discussion on administrative sanctions, right to be
forgottten, 'household exemption')
• EP - The EP rapporteurs have prepared their draft
reports which will now be discussed in the relevant
parliamentary committees. An EP plenary vote is
expected around April.
• Commission –continue to work closely and support EP
and Council in their endeavour to achieve a political
agreement on the data protection reform by the end of
the Irish Presidency.
Your contribution to the endeavour
• COM needs "all hands on deck" to maintain a
constructive debate.
• Monitoring and reporting on national debates
• Participation in online debates (especially through
social media channels)
• Advocacy and dissemination of arguments in favour
of the reform
• Myth-busting – crucial at a time of intense anti-EU
populism in many Member States.
17
Thank you for your attention
http://ec.europa.eu/justice/data-protection/index_en.htm