A European Data Protection Framework for the 21st century Paul NEMITZ Director DG JUSTICE – Fundamental Rights and Union Citizenship Why a new European framework for Data Protection? • The impact of technology and globalisation • A fragmented legal framework at EU level • Institutional changes: The Lisbon Treaty 2 What does COM aim to achieve? The objectives of the reform • Strengthening individuals’ rights, particularly online • Create a clear, consistent and uniformly • applied EU data protection framework • Facilitate international data flows while ensuring adequate protection 3 The Challenge of Technology • 92% of Europeans are concerned about mobile apps collecting their data without their consent. • 89% of people say they want to know when the data on their smartphone is being shared with a third party. They want the option to give or refuse permission. • 3 in 4 citizens do not feel in control of their data • Can our economy continue to grow without the trust of citizens? 4 How will these objectives be achieved? The Data Protection Regulation (I) • Replaces Data Protection Directive 95/46/EC • Sets out the general Data Protection framework in the EU • But maintains the same objectives: - Protecting the fundamental right to Data Protection AND - Ensuring the free flow of personal data between Member States 5 The Data Protection Regulation (II) PUTTING INDIVIDUALS IN CONTROL OF THEIR DATA • Better information about data processing • Consent to be given explicitly, whenever required • Easier rights of access and ‘data portability’ • ‘Right to be forgotten’ • Data breach notifications (DPAs and individuals) 6 The Data Protection Regulation (III) RULES FIT FOR THE DIGITAL SINGLE MARKET • One single law, directly applicable • Cutting red tape (e.g. abolishing general notifications) • ‘One-stop shop’ system for data protection in the EU: one single DPA to deal with a company 7 Economic Benefits • One single law – saves businesses EUR 2,3 billion per year through harmonisation and simplification of the regulatory environment • Cutting red tape – saves businesses EUR 130 million per year • ‘One-stop shop’ system reduces legal uncertainty about supervision and enforcement (difficult to quantify enhanced confidence and certainty) • Enhanced trust in individuals creates opportunity for business in the internal market (see next slide on opportunity cost of lack of trust) => SIMPLER AND MORE FLEXIBLE RULES BOOSTING CONFIDENCE, GROWTH, INNOVATION 8 Lack of confidence - ecommerce Reasons for not buying online (% of individuals that have not ordered online during last year), 2009 I have no need I prefer to shop in person, like to see product, loyalty to shops, force of habit Payment security concerns Privacy concerns Trust concerns lack of skills Relevant information about goods and services difficult to find on website Don't have a payment card allowing to pay over the Internet delivery of goods ordered over the Internet is a problem Speed of the Internet connection is too slow Others 0% 10% 20% 30% 40% 50% 60% 70% Data Protection Regulation – SME Concerns RULES TARGETED TO SMEs TO AVOID UNDUE BURDENS • General benefits: simplification of the regulatory environment – harmonisation and ”one-stop-shop” • No undue administrative burden on SMEs • “Think small first principle” organically a part of proposed Regulation (Recital 11) • Targeted provisions: • Large majority of SMEs exempted from Data Protection Officer obligation, unless engaged in risky processing • Narrowly targeted criteria for Data Protection Impact Assessments, unless engaged in risky processing • SMEs exempted from documentation obligations The Data Protection Regulation (IV) IMPROVEMENT IN DATA PROTECTION GOVERNANCE • Independent and stronger national DPAs • Swifter and more efficient cooperation between DPAs • A new ‘European Data Protection Board’ • EU level ‘consistency mechanism’ 11 The Data Protection Regulation (V) INTERNATIONAL TRANSFERS • Clearer rules on the application of EU law for controllers established outside • Clearer criteria on adequacy and central role of the Commission • More flexible instruments for global data flows (e.g. “Binding Corporate Rules”) 12 The Directive in the field of crim. justice and police cooperation (I) WHY A SEPARATE DIRECTIVE? • Replaces the Framework Decision ("minimum harmonisation" and limited powers of ECJ to enforce the rules) • Keeps the necessary flexibility to take account of the specific nature and needs of this area 13 The Directive in the field of crim. justice and police cooperation (II) • Extension to “domestic” (national) processing • Same general principles (lawfulness, necessity, proportionality etc.) • Harmonised limitations/derogations (e.g. access to data, right to information) 14 State of play at the end of 2012 • Council – slow but steady progress under DK and CY PRES. Article-by-article reading and horizontal themes (administrative burden, delegated/implementing acts, public sector flexibility). • EP – faster pace: LIBE Rapporteur Albrecht presented draft report 9 January 2013. Four other EP Committees involved : IMCO, JURI, ITRE, EMPL. 15 The way forward in 2013 • Council – reinvigorated pace of discussions under IE PRES. Continuation of first reading and horizontal discussion on administrative sanctions, right to be forgottten, 'household exemption') • EP - The EP rapporteurs have prepared their draft reports which will now be discussed in the relevant parliamentary committees. An EP plenary vote is expected around April. • Commission –continue to work closely and support EP and Council in their endeavour to achieve a political agreement on the data protection reform by the end of the Irish Presidency. Your contribution to the endeavour • COM needs "all hands on deck" to maintain a constructive debate. • Monitoring and reporting on national debates • Participation in online debates (especially through social media channels) • Advocacy and dissemination of arguments in favour of the reform • Myth-busting – crucial at a time of intense anti-EU populism in many Member States. 17 Thank you for your attention http://ec.europa.eu/justice/data-protection/index_en.htm