Myth-busting: what Commission proposals on data protection do and don't mean
On 25 January 2012, the Commission presented its data protection reform proposal. It sparked an intense, vibrant, fascinating debate. Here's what the reform does and does not do. It's important not to get side-tracked.
The Reform DOES
… Boost growth and encourage the flow of data
Sharing data has become crucial for economic growth. Privacy protection and the free flow of data are complementary, not contradictory, concepts.
To flourish, the digital economy needs trust. Many people do not have confidence about giving out their personal data online. This means they are less likely to use online services and other technologies. According to a GSMA study, nine out of ten smartphone users are concerned about mobile apps collecting their data without their consent, and say they want to know when the data on their smartphone is being shared with a third party.
Strong, reliable, consistently applied rules will make data processing safer and cheaper, and will inspire people’s confidence. Confidence in turn drives growth. This is a message that is well understood worldwide. In a letter to the European Parliament strongly supporting the data protection reform package, 25 major US consumer organizations stressed that “stronger privacy standards in Europe will benefit consumers around the globe”.
… Put individuals in control of their data
Effective data protection means putting individuals in control of their personal information: by strengthening existing rights and by increasing access to those rights. The idea is simple. It's your data. You should have a say in how it's used.
Some present such rights as a threat, but this is due to a number of misconceptions about the Commission's proposal.
Consent is at present – and will remain under the proposed Regulation – only one of the several grounds allowing for the lawful processing of data. Processing can also be based on the performance of a contract, on a legal obligation, a public interest or on the legitimate interests of the controller, etc. The Commission does not want to move the goalposts.
But when your consent is required for the processing of your data, that consent must be explicit: staying silent is not the same thing as saying yes. At the same time, explicit consent does not necessarily have to be given in writing: a person can agree to the processing of their data by clicking on icons or ticking a box on a website. This won't mean constant pop-ups because consent can be given for multiple operations.
… Allow business to get on with doing what it does best
The Commission’s proposals extend the number of ways in which businesses can show that they meet high standards of protection when they transfer personal data beyond the EU's borders.
It's a long list. Businesses operating globally will benefit from clear rules that set out how they can use binding corporate rules (BCRs) and standard contractual clauses to transfer personal data securely. The proposal also abolishes many cumbersome prior-authorization procedures. Under certain conditions, it will be possible to transfer data outside the Union on the basis of codes of conduct. Safe Harbour will not be affected.
The proposed new EU rules on adequacy take full account of privacy systems in other countries. It's not about having a system identical to that of the EU but about ensuring the same level of data protection in practice. Experience shows that this approach works.
… Reduce the number of data breaches
Fast action to tackle data breaches hurts criminals, not legitimate business.
Why shouldn't data breaches be notified within 24 hours if that is feasible? The Commission's proposal does not ask for anything more.
Stolen records are most valuable to criminals immediately after they have been stolen – as soon as people have been notified they can protect themselves. Informing people quickly that their personal data has fallen into the wrong hands is crucial. This is backed up by statistics: countries which require quick notifications have fewer data breaches. Clearly, strong rules in this area encourage companies to manage personal data more securely.
The Reform DOES NOT…
… Mean history will be re-written
Those hoping that the right to be forgotten will allow them to clean their credit history are going to be disappointed.
The Commission’s proposal builds on the existing right to demand that personal data should be deleted if they are no longer needed for any legitimate purpose. This covers all kinds of everyday situations. For example, children may not understand the risks involved in making their personal information available – only to regret it when they grow up. They should be able to delete that information if they want to.
The right to be forgotten is not about rewriting history! The Commission’s proposal protects freedom of expression and the freedom of the media, as well as historical and scientific research. Equally, personal data may be kept for as long as they are needed to carry out a contract or to meet a legal obligation. In short, the right to be forgotten is not absolute.
And the rights of businesses are also protected. If the personal data in question has been made public (for example, posted on the Internet), a company must make a genuine effort to ensure third parties know about the request to delete the data. Evidently a company will not be able to wipe out every trace left in search indexes and that is not what we are asking for. But companies should take every reasonable step to ensure that third parties, to whom the information has been passed on, are informed that the individual would like it deleted. In most cases this will involve nothing more than writing an email.
… Give the Commission a blank cheque to regulate
The executive powers given to the Commission by the data protection reform package are not a blank cheque. These executive powers will only allow non-essential elements of the legislation to be adjusted to new developments, under the scrutiny of the European Parliament and the Council of Ministers. Without this flexibility to adapt to technological change, the new law would inevitably be too prescriptive and less open to innovation. As always, the Commission will fully consult stakeholders before using its powers.
European law foresees these kinds of executive powers for a reason – to ensure that the technical elements of our rules can be adapted quickly to changing realities, without having to go through the full and lengthy legislative procedure required to adopt new legislation.
… Weaken international cooperation to combat crime
Data exchanges between law enforcement authorities will not be made more difficult. The view that the adoption of the proposed law enforcement Directive would call into question hundreds of existing and well-functioning bilateral agreements in this sector is unfounded and exaggerated. Only those agreements that involve the sharing of personal information and lack appropriate data protection safeguards will need to be re-examined. As regards cooperation with the US, the comprehensive law enforcement data protection agreement, which is currently being negotiated, should add guarantees on data protection to the existing agreements underpinning transatlantic cooperation in justice and police affairs.
It is time to create a new gold standard of data protection based on clear and strong laws:
- to deliver what business wants;
- to deliver what citizens want;
- and to bring European data protection rules into the digital age.