Viviane Reding, the Vice-President of the European Commission, is spearheading reform of Europe’s data protection laws. Reding, a scheduled speaker at the DLD conference in Munich January 22-24, negotiated a major overhaul of the Continent’s telecommunications sector as the member of the Commission responsible for Information Society and Media from 2004-2010. The reforms included a provision to force telcos to report data breaches and the prevention of supplier lock-in by allowing consumers to quickly move a telephone number from one network to another. She recently spoke to Informilo’s Jennifer L. Schenker about her plans to implement similar reforms to Europe’s data protection rules to bring them in line with the Internet age.
Q: How will your proposed reforms help put individuals in control of their own data?
A: Today many people, especially young people, are not aware of privacy policies when they create profiles on social networks. At the same time, adults are unaware that their search data can be used by online advertisers. The rules are clear – they require informed consent — but these rules are not being applied uniformly. That is why we need to reform the personal data legislation that dates back from 1995 – the pre-Internet age – to adapt it to the new Internet age. What is needed is clear, plain language informing the citizen what is happening with their data, how and when it is used, what the citizens’ rights are and what they have to do to exercise these rights.
Q. Do these rights include the right to be forgotten?
A: The right to be forgotten will be a central pillar of my reform proposals. People should be able to have their data deleted when data is no longer necessary for legitimate purposes. This should be a right and not only a possibility. The burden of proof should not be on the consumer but on data controllers. The companies that collect the data have to prove why they have to keep the data, rather than individuals having to prove that collecting their data is not necessary. When there has been a data breach – that means that people’s data have been unlawfully accessed – companies should have to notify consumers without delay. I have done that already in the telecom sector and am planning to extend it to the Internet now.
Q: What about supplier lock-in? Who owns the data?
A: We have already achieved number portability in the telecom sector. Portability of consumers’ data from social networking sites — be it photos or friends’ contacts — will be included in the new data protection rules.
Q: How long will it be before the legislation is put in place in member states?
A: I will make up my mind on the final form of the proposed legislation in the coming weeks and present it to the Council of Ministers and to the European Parliament. Then it will depend on their speed. Member states will also have to individually adapt national rules so it can take some years before the new rules are put into effect.
Q: How can you ensure that the new legislation is applied uniformly across the EU?
A: We know that one of the big problems today is the patchwork of legislation and interpretation of law in the European Union. Compliance costs companies some 2.9 billion euros per year in unnecessary fees. We want to get rid of this and have one data protection rule for all of Europe. The law will be the same for all 27 member states.
Q. Who will enforce the new rules in the EU and what sort of sanctions do you have in mind for companies that violate them?
A. National data protection authorities will enforce the rules. That is why a central pillar of the reform is the strengthening of national data protection authorities and ensuring they work very closely together. They must have the rights tools to act, including the possibility to sanction data breaches. Sanctions could be financial or administrative. This will give the legislation the necessary teeth so the rules can be enforced.
Q. Is there a chance this new legislation will be in conflict with rules in other regions, such as North America?
A. Europe is really a front runner in the way it protects the personal data of the individual. Of course, we need to work very closely together with other regions. Dialogue with the U.S. is essential to data protection issues. U.S. Senators John Kerry and John McCain recently proposed a commercial privacy bill of rights, arguing that the U.S. government must act to level the playing field for all collectors of personal data. This shows that things are moving in the U.S. and this is encouraging indeed.
Q: The World Economic Forum is working on the issue of data protection from a global perspective. Is the European Commission playing a role in those discussions?
A: Absolutely. For the last several years I have been going to Davos to meet the IT and media governors on this topic. Data protection is moving higher and higher on the agenda. I am again expecting a busy couple of days in Davos.