European institutions will be covered by the EU's new data protection regime, says Viviane Reding. The same rules must apply to everyone, the EU justice commissioner says in an interview, where she also discusses the brewing storm over alleged US snooping on European offices.
Viviane Reding is the European Commission vice president responsible for justice, fundamental rights and citizenship. She spoke to EurActiv’s Jeremy Fleming in Brussels.
The new data protection regulation includes a provision exempting the EU institutions. Instead a special annex to the new rules will require the Commission to update an existing law affecting the institutions (45/2001). Why do the institutions require this special treatment?
Today, EU institutions are subject to an often stricter treatment than companies or other public authorities in the member states. These rules are set out in a very detailed regulation [45/2001]. They say for example that every EU institution and body has to have a data protection officer; we also have to carry out prior checking with this data protection officer and with the European Data Protection Supervisor [EDPS], as well as prior consultation with him on all administrative measures and legislative proposals relating to data protection.
I see how certain people would like to accuse the EU institutions of not applying rules that we propose to member states. But this is a red herring. It is a non-argument employed by those who want to slow down progress on the data protection reform negotiations.
What counts is that in the end, the same rules will apply to everyone: EU, governments and the private sector. This is what the Commission has been saying since 2010.
Is it really so hard to have the institutions subject to the substantive regulation. If doing so would cause problems with existing applications of rule 45/2001, why not just scrap 45/2001?
Abolishing Regulation 45/2001 would also mean abolishing the European Data Protection Supervisor, which is established by that law. The question is not whether EU institutions or bodies should or should not be bound by the new data protection legal framework. Clearly, they should be. Rather the question is what the best way is to do it while having the new data protection rules in place as swiftly as possible.
Under the presidency proposal, the Commission would state its intention to change rule 45/2001 bringing it into line with the regulation, but this would happen after the general regulation had been adopted, but around the same time as implementation. Why can 45/2001 not be changed in time for the adoption of the regulation?
The Commission has said all along that the 2001 regulation will have to be updated once the data protection reform has been adopted to make sure these laws are in line.
There is two years' time between the adoption of the general data protection Regulation and its entry into application. This gives sufficient time to have the amendments to Regulation 45/2001 adopted by the Council and by the European Parliament so that the rules applicable in the member states and the rules applicable to EU institutions and bodies enter into application simultaneously. On this basis, one common regime will apply to both Member States and EU institutions and bodies.
On Prism, have you had any response on your recent request for further information?
I am still awaiting a written response to the questions I sent to Attorney General [Eric] Holder on 10 June.
I hope that Eric Holder can confirm again to you what was explained during our meeting on 14 June. Because our assessment will depend on this confirmation on the basis of concrete facts.
The challenge we are facing will not fade away as time goes by. Both in the EU and the US, we need to prove that governments and businesses that process personal data can be trusted.
Has the July meeting been arranged to exchange views with the US authorities?
The US authorities and the European Commission agreed to quickly set up a Transatlantic group of data protection and security experts to discuss these issues and their implications for the protection of personal data of EU citizens.
Following our meeting in Dublin, I have written a second letter to Attorney General Holder asking for this meeting to be set up as soon as possible, during the month of July. The Commission and the Council are finalising the preparations for the EU's participation in this transatlantic group so a first meeting can be held in July.
William Hague, the UK foreign secretary, said in the House of Commons on 10 June that: “Any data obtained by us from the United States involving UK nationals is subject to proper UK statutory controls and safeguards, including the relevant sections of the Intelligence Services Act, the Human Rights Act and the Regulation of Investigatory Powers Act.” He did not mention EU citizens. Does this concern you?
I wrote to on 25 June 2013, to Secretary of State for Foreign Affairs William Hague to express my concern about the recent media reports and ask for clarifications regarding the Tempora programme and its proportionality.
This is yet another case which shows why we need a clear legal framework at the European level that strikes the right balance between the protection of personal data and the processing of data for security purposes.
Notably the Commission would like to know more about the scope of the programme – whether it is restricted to national security, or whether its scope is broader covering also other areas; whether data collection and processing is limited to individual cases or whether it is accessed and processed in bulk; whether the data remains in the UK or whether it is transferred and what judicial avenues are available to for citizens to seek redress.
In view of the urgency of this situation, I asked Mr Hague to get back to me by the end of last week but have yet to receive a reply.
Do you think Edward Snowden has performed a useful whistleblowing service, or is he a thief of US state secrets?
Mr Snowden's role in all this is not the real issue at stake. What the debate around Prism really shows is that a clear legal framework for the protection of personal data is not a luxury or constraint but a necessity.
Data protection is a fundamental right in the European Union and European citizens expect this right to be protected.
This much is clear: Direct access of US law enforcement authorities to the data of EU citizens on servers of US companies should only be possible in clearly defined, exceptional and judicially reviewable situations.
Prism has been a wake-up call for Europe.
Should EU countries allow Mr Snowden free passage through European airspace?
This would really be a question for the member states to decide.
What do you make of the reports that the US has been spying on the EU delegations and will you seek any further assurances on this in addition to Prism?
I have made it clear: Partners do not spy on each other. We cannot negotiate over a big transatlantic market if there is the slightest doubt that our partners are carrying out spying activities on the offices of our negotiators. The American authorities should eliminate any such doubt swiftly.
The Commission has asked the US for clarifications on the allegations and is now expecting a clear and transparent reply. This is in addition to what was already asked on Prism.