On 28 January 2016, the 47 countries of the Council of Europe as well as European institutions, agencies and bodies celebrated the tenth annual European Data Protection Day. This date marked the anniversary of the Council of Europe’s Convention 108 on the protection of personal information, the first legally binding international law in the field of data protection. 

Like every year, a compilation of activities organized on this occasion by data protection supervisory authorities and  public or private sector stakeholders contributed to raise awareness about the protection of personal data in Europe and beyond. Data protection issues, including their cross-border dimension, have always been present in citizens’ lives: at work, in their relations with public authorities, in the health field, when they buy goods or services, when they travel or surf the internet.Nevertheless, it is a well-known fact that European citizens are generally unfamiliar with data protection issues and unaware of their rights in this respect.

The aim of the Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. They should also be made aware of the risks inherent and associated with the illegal mishandling and unfair processing of their personal data. The objective of the Data Protection Day is therefore to inform and educate the public at large as to their day-to-day rights, but it may also provide data protection professionals with the opportunity of meeting data subjects.

The European Data Protection Supervisor (EDPS) marked the date with a series of events, including a conference co-hosted by the European Parliament and the EDPS for EU officials on the EU data protection reform. This year was, indeed, also the occasion to celebrate the 20^th anniversary of the existing European rules on data protection: the directive 95/46/CE adopted in 1995, when the Internet was still in its infancy.

In the opinion of the speakers at the conference “General Data Protection Regulation: a new chapter for EU data protection how the new Regulation will empower you to take control of your personal information”, this occasion will close an old phase and open a new one. The directive is indeed destined to be replaced by a new legislative package finally approved by the European Parliament’s civil liberties committee on 15^th  December 2015, informally approved by the Council and therefore close to the official approval by both the legislative institutions

The package includes two proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).

What will change under the Regulation?

The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on: reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards. It is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also get rid of the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The Directive for the police and criminal justice sector protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.

The new rules will address these concerns through:

• A « right to be forgotten »: When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
• Easier access to one’s data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
• The right to know when one’s data has been hacked: Companies and organizations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures.
• Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
• Stronger enforcement of the rules: data protection authorities will be able to fine companies who do not comply with EU rules up to 4% of their global annual turnover.

The data protection reform will also geared towards stimulating economic growth by cutting costs and red tape for European business, also for small and medium enterprises.

Commenting on the agreement the Green MEP and European Parliament draftsperson/rapporteur on the data protection regulation Jan Philipp Albrecht stated: «  The new rules will give users back the right to decide on their own private data. Businesses that have accessed users’ data for a specific purpose would not be allowed to transfer the data without the user being asked. Users will have to give their consent by a clear and affirmative action for their data to be used. […] The new rules will give businesses legal certainty by creating one common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market.”

As remarked, in a Joint Statement by Vice-President Ansip and Commissioner Jourová on the occasion of the 2016 Data Protection day: « Today, 28 January, marks the 10^th European Data Protection day. Exactly one year ago, the European Commission committed to reaching an agreement on EU data protection reform. Less than a year later, in December 2015, we delivered on this promise, reaching a historic agreement with the European Parliament and Council, on rules that guarantee individuals’ fundamental right to data protection and create opportunities for businesses and innovation.”

“The new rules will give citizens stronger rights, allowing them to have better control of their data and ensuring that their privacy remains protected in the digital age.  The digital future of Europe can only be built on trust. Citizens’ confidence in the online world is crucial for businesses to tap into big data’s vast economic potential. With one streamlined set of rules across the European Union, we will cut red tape and ensure legal certainty, so that both citizens and companies can benefit from the Digital Single Market.”

The Commissioners, then, pointed out that they are seeking the same security and degree of protection in the agreements with international partners, such as the US, in the framework of the ongoing renegotiations of the Safe Harbour mechanism. On 27 January, the two parties, the EU and the US, began the final round of negotiations in an attempt to complete the talks before the end of the month.

Elena Dal Monte

For further information

     -. European Commission – Fact Sheet http://europa.eu/rapid/press-release_MEMO-15-3802_en.htm Council of Europe   

     -. https://www.coe.int/t/dghl/standardsetting/dataprotection/Data_protection_day_en.asp Jan Philipp Albrecht, Member of the Greens / EFA group

     -. http://www.greens-efa.eu/36-details/albrecht-jan-philipp-11.html Celebrating 10 years of Eu Data Protection Day

     -. http://web.ep.streamovations.be/index.php/event/stream/160128-1000-special-edpsevent European Commission – Statement

     -. http://europa.eu/rapid/press-release_STATEMENT-16-181_en.htm European Commission – Press release

     -. http://europa.eu/rapid/press-release_IP-15-6321_en.htm European Commission – Fact Sheet

     -. http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm

     -. https://secure.edps.europa.eu/EDPSWEB/edps/cache/offonce/EDPS/Events Image Source