Ladies and gentlemen,
It's a great honour to speak at what is probably the best global event on privacy. Our colleagues from the European Data Protection Supervisor and Mr Buttarelli have done a very impressive job organising it and attracting so many distinguished guest.
And while this conference gathers a lot of privacy experts and supporters, every year our discussions are reaching a wider audience, including those for whom the data laws are created – i.e. data subjects known also outside the privacy expert groups as - the people.
I heard you had four very productive days. I am curious about the results of your discussions as we are together here speaking about the future of the world. The issues of privacy are becoming very important ethical and global issues. Today talks will be about ethics – very good idea.
This is a very special year for data protection globally, but for the EU in particular. The EU’s robust new rules at last became a reality in May when the GDPR began to apply.
Now, everyone’s focus is on applying the rules correctly, on experience with compliance, and on the first cases of enforcement.
We have come a long way.
Just a few years ago outside of the data protection community many were arguing that the idea of privacy in the digital era was outdated. They said it was a European obsession; that people do not care about their personal data; and that legislation is not the right way to deal with such an issue.
Well, the success of this conference, the number of participants and the diversity of speakers and maybe little unexpected, but promising, announcements from some US participants proves them wrong.
Furthermore, massive data breaches and the mishandling of personal data in the Facebook/Cambridge Analytica case sent shockwaves through our democratic systems and remind us what is at stake: from preserving our most intimate sphere to protecting the functioning of our democracies and ensuring the sustainability of our increasingly data-driven economy.
That is where the main theme of this conference – ‘digital ethics’ – comes in. Ethics bring together between these different dimensions of privacy by making sure that any activity involving the processing of data remains fair for the individual.
And I am very pleased that we don't only discuss legal aspects, even though I am a lawyer, but we focus this year on something more tangible for the people – the ethics.
The success of our efforts to bring privacy to the core of the debate will only succeed if people will use their rights or demand new ones.
The GDPR is the EU’s response to new challenges. I am sure we are making the right choice to modernise and harmonise Europe’s privacy rules.
But Europe is not alone. There are signs of developing convergence at international level.
A growing number of countries around the world are adopting rules that have elements in common with the GDPR. Their rules are comprehensive, applying across industries and sectors; they comprise of a core set of enforceable rights; and they provide for enforcement by an independent supervisory authority.
Also, more countries are becoming members of the Council of Europe's “Convention 108”.
But we should not be surprised that privacy and data security are becoming truly global issues.
In Brussels, Seoul, New Delhi, Brasilia, Tokyo, Pretoria and now in Capitol Hill (hopefully) and Silicon Valley, we all face similar challenges and want to seize similar opportunities of the digital economy.
Apple and Facebook has strongly recognised this yesterday in this very conference. Of course I welcome this announcements and I hope this will materialise in their constructive approach in the US debate.
People around the world want their privacy protected; consumers want their data to be safe.
And businesses recognise that strong privacy protections give them a competitive advantage as confidence in their services increases.
The developing convergence in privacy standards at international level offers new opportunities to facilitate data flows and, therefore, international trade. It also improves the level of protection of personal data when transferred abroad.
The recent agreement reached with Japan on a mutual adequacy finding for instance, will create the world’s largest area of free and safe data flows.
And the Japanese adequacy finding sets an example for future partnerships with other countries.
Fostering such convergence also means that we can also learn from each other. The exchange of experience and best practices with other systems can help with the implementation of the GDPR for example.
A dialogue and exchange of experience is dynamic and mutually beneficial. It is crucial for understanding emerging legal or technological solutions and for addressing new challenges that are becoming more global in nature and scope.
That is why we need forums like this one, which gathers privacy regulators, practitioners, technologists and academics from all over the world.
[Privacy belongs to everyone]
Ladies and gentlemen,
So, five months since the application of the GDPR, what have we learnt?
For companies, compliance with the GDPR gave them the chance to put their ‘data house’ in order. They had to take a closer look at what they were collecting; what they use it for; how to keep and share it; and to reflect on the need to collect and process all this data.
In doing these checks companies have often reduced their exposure to unnecessary risks. They have also a better idea of the data they hold and they can build a trusting relationship with their customers and commercial partners.
Citizens have also benefitted from the GDPR. Data Protection Authorities have told us that the number of complaints has risen since the rules entered into application.
And NGOs working in data protection have started to bring collective actions before data protection authorities and courts.
Lastly, the key to success of the GDPR are in my view, the data protection authorites.
I believe it is now clear to everyone - including the alarmists - that the data protection authorities did not become sanctioning machines overnight on 25 May when the GDPR came into force!
Let me stress that fines are only one of the tools DPAs can use to enforce the GDPR. And they can use it only after a thorough investigation of the facts and always bearing in mind the specific circumstances of each case.
These first few months have shown us that compliance is a dynamic process. And it involves close dialogue between regulators and stakeholders.
In that respect, the European DPAs have certainly ‘rolled up their sleeves’. In the last two years, they have adopted eighteen sets of detailed guidelines on all aspects of the GDPR, following broad public consultations to which many non-European companies even participated.
I understand this work may continue as new questions emerge and I want to praise the DPAs for their active and open engagement with stakeholders.
It is essential for the data protection authorities to forge a common EU approach. Therefore, the European Commission will pursue its active support to the work of the European Data Protection Board whose guidelines are key for assisting stakeholders to implement the GDPR. It is a big task for all of us to ensure consistency of the rules across the 28 countries of the EU.
To conclude, I want to be clear that the GDPR is not just a set of obligations.
It is an opportunity for business and individuals to build trust. And to revolutionise culture surrounding data practices, not only by legal compliance but also by changing and embracing privacy ethics.
In this context, in June I will organise an event to take stock where are we 1 year since the application of the GDPR.
And ethical aspects here will be the key in order not to abuse the new powers or in order not to undermine the new obligations.
Ladies and Gentlemen,
the GDPR takes a modern approach to regulation by empowering users and rewarding new ideas, methods and technologies, while addressing people’s genuine privacy and data security concerns.
I wish you a successful conference and fruitful exchanges, which I look forward to hearing about.