Reding defines new EU data privacy rules


In a speech yesterday (16 March) EU Justice Commissioner Viviane Reding spelled out new privacy rules for personal data held on the Internet, including a "right to be forgotten" that would allow users to permanently delete data held by companies.

Reding's proposals would overhaul the EU's 15-year-old Data Protection Directive. Her "four pillars" include urging more transparency from companies that process personal data, making privacy the default setting on websites and ensuring that all companies that operate in the European Union follow EU data protection rules.

"I am a firm believer in the necessity of enhancing individuals' control over their own data," she said.

The commissioner also argued that EU rules should apply independently of where the servers holding data are geographically located, saying "homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed".

Search engine Google and social network Facebook came under the Commission's scrutiny last year for possible breaches of privacy.

In an apparent reference to Facebook, Reding said during her speech that "a US-based social network company that has millions of active users in Europe needs to comply with EU rules".

Data held by public authorities

Reding has also been deeply involved in sheltering the private data of EU citizens held by US authorities for counter-terrorism purposes, notably bank and passenger data.

She was sharply critical following a trip to the US last December, stating that "we have noted an apparent lack of interest on the US side to talk seriously about data protection".

Earlier this month Europol published a report finding that US requests for European banking data were "too general and too abstract to allow proper evaluation of the necessity of the requested data transfers".

Reding also mentioned the privacy of data held by public authorities. She said that "the Commission can now consider extending the general data protection rules to the areas of police and judicial cooperation in criminal matters. Limitations to rights in this area would need to comply with the general rules, and be clearly defined and proportionate".

Tony Bunyan, director of UK-based civil liberties organisation Statewatch, was more sceptical. "We need to know what the limits are going to be. There are a lot of questions to be answered," he said.


Data retention refers to the storage of traffic and location data resulting from electronic communications. 

The main legislative instrument at EU level governing this field is the Data Retention Directive, which was adopted in November 2006 after long debates on its scope. These resulted in a text which gave room for different applications at national level and which did not guarantee a sufficient level of harmonisation.

Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002. 

  • Summer 2011: Commission to formally present new Data Protection Directive.
