Protection of personal data: now part of our DNA
(...) So, let me be as clear as possible. The protection of personal data has developed over decades, both at national and European level, and is now part of our DNA. The Council of Europe played a pioneering role in formulating the basic concepts and principles of data protection in a Convention in 1981, which since then has been ratified by more than 40 European countries, including all EU member states.
Moreover, we also know that the objectives of the Digital Agenda and the EU2020 strategy of a "smart, sustainable and inclusive" Europe are not achievable without strong safeguards for privacy and data protection. In this perspective, even a priority such as economic recovery has become linked to data protection reform. No wonder that the Commission is defending its proposals also with a reference to more jobs linked to the digital economy.
But make no mistakes: there is no space to go back in this exercise. Some late comers in the debate seem to argue their case in terms that suggest that the current legal framework does not exist or does not apply to them. In my view, the main focus should instead be on making the present legal safeguards more effective in practice, so as to ensure that they will help us to face the current and future challenges of a digital world.
(...)
Although the Commission proposal for a Regulation still raises quite a few questions at this stage, there is also a growing consensus about its main lines.
First, the scope of EU law will be extended: it will also apply whenever goods or services are offered at the European market, or when residents of the EU are being monitored. This means a 'level playing' field where Internet service providers and other key actors will be covered, regardless of whether they operate from the EU or from a third country.
Secondly, the position of data subjects will be reinforced so as to ensure an adequate control over the collection and use of their personal data. This will come from more transparency of data processing, stricter rules on consent, and more effective rights of access, correction and erasure of data, including rights to be forgotten and to data portability.
Thirdly, the controller's responsibility will be emphasized by duties to ensure and demonstrate compliance with data protection requirements, to conduct timely data protection impact assessments, and to ensure that all relevant privacy aspects are included in new developments from the start ("Privacy by Design").
Fourthly, the position of independent authorities will be reinforced, with stronger and uniform powers for more effective supervision and enforcement, including the possibility of heavy fines and other effective sanctions.
Finally, the Data Protection Regulation will ensure more harmonisation and consistency across the EU. Supervisory authorities will also be cooperating more closely on issues with a European or international dimension.
I think that a result along these lines by the end of this year or by early 2014 would provide a very good basis for ensuring a more responsible use of the internet.Finally, let me say that I fully agree with the need to achieve a good balance between different fundamental rights, and more generally, between different legitimate interests, but I see no reason to believe that the proposed Data Protection Regulation would not be entirely in line with that approach.
