Following today’s agreement in the Council on Data Protection, in an exclusive op-ed, MEP Viviane Reding reminds us that the EU countries’ position seems to substantially water down the Commission’s proposal.
Viviane Reding is a centre-right Member of the European Parliament for Luxembourg. She is a member of the Parliament’s Committee on International Trade and rapporteur on the Trade in Services Agreement (TiSA). Until the end of last year, she was Vice-President of the European Commission, in charge of justice.
While the Council has finally approved its long-awaited position on the Regulation, it may seem that member states are releasing the brakes of the reform. In reality, their so-called General Approach shows that they are willing to pull them back so as to empty several parts of the proposed legislation from its substance.
These were the objectives of the proposed EU data protection Regulation I put on the table more than three years ago as Commissioner for Justice. Now Member of the European Parliament, I will not turn my back neither on pro-consumer policies nor on business-friendly measures.
More rights to consumers, not fewer
In some cases, the Council seems to be trying to remove the link between the individual and its data. For instance, it would be possible for a company to process data as long as it has a legitimate and overriding interest in this processing, even though the reasons are unrelated and incompatible with original purpose. This could put businesses in control of data, not individuals, thereby diluting the concepts of “purpose limitation”. In the same chapter, the concept of “data minimisation” is also at risk. A full right to digital self-determination means consumers must be able to decide for themselves, not depend on decisions made elsewhere.
Most worryingly, the Council seeks to broaden the possibilities to take measures based on profiling. Such automated processing could be used to perform a contract, without sufficient safeguards for the individual. The related provisions could bring the new data protection standards below the level of the 1995 rules. This is a no-go area as it bypasses the clear red line I set in 2012. The existing Directive dates back from the Digital Stone Age. The new rules must not take us back there. The Council must show it can deliver reforms that facilitate the daily lives of consumers, not reforms that loosen their rights.
The data belongs to people, not to companies. The decision on what people want to do with their data must be theirs too. If new rules don’t empower the citizens to re-take control over their data, trust in digital services won’t be rebuilt. What we need is not backwards-looking legislation, but a future-proof reform. These fundamental rights are enshrined in the Treaties. They are not an empty shell!
More economic benefits to businesses, not fewer
From the very beginning, the data protection regulation was conceived to cut costs and red tape for European businesses, especially for SMEs.
Putting into practice the principle of “one continent, one law” by proposing a regulation instead of a directive is the only way to follow. This requires establishing a single, pan-European law for data protection and replacing the current inconsistent patchwork of national laws. To put it in a nutshell: companies should deal with one law, not 28. The estimated benefits amount to €2.3 billion per year.
But the Council, in its general approach, considerably undermines this principle. Too often, the ministers chose the easy way out of their impasses by allowing member states flexibility. In 35 articles, these flexibility clauses weaken the consistency of the regulation. At the end, one wonders if it is still a regulation. Given the risk of a new legal patchwork, SMEs may think they are jumping out of a frying-pan into the fire.
Another central feature is the “One-stop-shop”. My proposal had a simple goal: companies should only have to deal with one single supervisory authority, not 28. It should be simpler and cheaper for companies to do business in a truly European digital single market. The Council’s position on this feature also distorted the coherence and comprehensibility of the mechanism.
The Commission’s original approach must be preserved. The upcoming trialogue negotiations must ensure reduction of costs and administrative burden for the economy. Coherent and common data protection rules are the basis of a functioning digital single market. SMEs and start-ups need these rules in order to unleash the full potential of the European market.
The data protection reform is a stepping stone towards the completion of the digital single market. The reform is a commitment to the protection of fundamental rights. The reform is a stimulus for the European economy. The Council made a first step by adopting its general approach. Now that the trialogue negotiations with the European Parliament and the European Commission are to start, I call upon my colleagues to firmly stick to the fundamental elements of my proposal, not to indecisively kneel before national governments. All actors must end silo mentality when dealing with digital issues. Europe needs more vision. Europe needs an ambitious data protection reform.