Viviane Reding: A data protection compact for Europe
1. We need the data protection reform in the EU statute book. I wish to see full speed on data protection in 2014. The European Parliament is overwhelmingly in favour of it. Now Member States need to take a position on this. It is high time to take the final steps.
2. The reform should not distinguish between the private and the public sectors. Citizens would simply not understand applying different principles in times when the public sector collects and collates data on the same scale as the private sector. It is also a very difficult distinction to draw when a local authority can buy storage space on a private cloud.
3. Laws setting out data protection rules or affecting privacy require public debate because they relate to civil liberties online. Take the Polish experience. ACTA was not publicly debated and both citizens and Polish Members of the European Parliament refused to accept the Agreement. Poland has learned from this experience: Today, the data protection reform is the subject of a wide public information campaign. It has led to constructive exchanges and a joint position paper by the private employers association and the leading civil liberties NGO.
4. Data collection should be limited to what is proportionate. If this element of proportionality is lost, citizens' acceptance will be lost as well. Blanket surveillance of electronic communications data is not acceptable. It amounts to arbitrary interference with the private lives of citizens. Citizens should not all be treated like suspects.
5. Laws need to be clear and kept up to date. I was struck by the reaction of the author of the U.S. Patriot Act, Jim Sensenbrenner, to the NSA revelations: "This is not what the Patriot Act was meant to do!" Technological change allowed the Patriot Act to be applied in ways that had not been imagined at the time it was written. States cannot rely on outdated rules, drafted in a different technological age, to frame modern surveillance programmes.
6. National security should be invoked sparingly. It should be the exception, rather than the rule. The need to protect national security can justify special rules. But not everything that relates to foreign relations is a matter of national security.
7. Without a role for judicial authorities, there can be no real oversight. Executive oversight is good. Parliamentary oversight is necessary. Judicial oversight is key. Ultimately, whether processing is legitimate is a question of balance between different imperatives, the need to protect privacy and the importance of maintaining security. The judiciary is necessary to ensure that the pendulum does not swing too far.
8. Data Protection rules should apply irrespective of the nationality of the person concerned. Applying different standards to nationals and non-nationals depending on their nationality and place of residence impedes the free flow of data. Europe should be very proud of the fact that it treats data protection as a fundamental right – a fundamental right on which every human being can rely.
The Data Protection Compact would enable us Europeans to exercise our right of digital self-determination. Not to depend on decisions made elsewhere, but to decide ourselves how we want to protect the personal data of our citizens, while keeping our internal market open and competitive.
Viviane Reding is European Commission Vice President and Commissioner for Justice