the privacy advantage 2016 - wojciech wiewiorowski
TRANSCRIPT
Data Protection and the Digital Single Market
29/4/2016, London
Wojciech Wiewiórowski
European Data Protection Assistant Supervisor
Privacy: the Competitive Advantage
© M. Narojek for GIODO 2011
EDPS
The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. A number of specific duties of the EDPS are laid down in Regulation 45/2001. The three main fields of work are:
• Supervisory tasks
• Consultative tasks: to advise the EU legislator on proposals for new legislation as well as on implementing measures. Technical advances, notably in the IT sector, with an impact on data protection are monitored.
• Cooperative tasks: involving work in close collaboration with national data protection authorities (Article 29 Working Party)
The role of European Data Protection Supervisor
• The European Data Protection Supervisor (EDPS) is the independent supervisory authority for the processing of personal data by the EU administration;
• Privacy and data protection are fundamental rights – see Articles 7 and 8 of the Charter of Fundamental Rights;
• Independent supervision is an integral part of the right to data protection – see Article 16(2) TFEU and 8(3) Charter;
• What we do:
– monitoring and verifying compliance with Regulation (EC) 45/2001,
– giving advice to controllers,
– advising the co-legislators on new legislation,
– cooperating with Member States' DPAs,
– handling complaints, conducting inspections,
– monitoring technological developments,
– promoting data protection aware design and development.
Our objectives
I. Data protection goes digital
II. Forging global partnerships
III. Opening a new chapter for EU data protection
Big Data = Big Responsibility
Convention 108 – Council of Europe
European Union
Reform of Data Protection Law in the European Union
COM(2012) 11/4 draft
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the protection of individuals with regard to the processing of personal data and on the free movement of such data
(General Data Protection Regulation)
Reform of Data Protection Law in the European Union
COM(2012) 10 final
2012/0010 (COD)
Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data
Picture: archive of J.P.Albrecht
Data Protection and the Digital Single Market
The GDPR is meant to play a decisive role in fostering digital growth, in close relationship with the Digital Single Market Strategy.
In the strategy, the "data economy" is recognized as a crucial element for enhancing EU competitiveness, and data are explicitly named as a "catalyst for the economic growth".
Yet, while acknowledging the enormous economic potential of personal data, the protection of those data has to be guaranteed against unlawful and imbalanced uses.
The new Regulation is expected to face a big challenge in the scenario framed by the Strategy, where it will not only provide an enhanced level of protection of personal data but may also act as a real driver for innovation, namely by promoting a new form of innovation based on consumers' trust and privacy.
This would mean indirectly affecting market players' revenue models by means of specific regulatory tools.
Users' empowerment in the GDPR
Empowering and making consumers aware of their choices. To do so, the GDPR has reinforced the set of data subject's rights, by introducing:
- the right to erasure/to be forgotten (Art. 17), under conditions such as consent withdrawal (lacking other grounds for processing) or unlawful processing. This, of course, will imply the obligation for the data controller to inform the other controllers processing the personal data of the request to erase them;
- the right to Personal Data Portability (Art. 20), in a structured, commonly used and machine-readable format, and where technically feasible, directly from one controller to another;
- the right to object and not to be subjected to automated decisions, including profiling (Art. 21-22). Even in case the decision on profiling is lawful (as necessary for a contract or based on consent) the controller is asked "to implement suitable measures to safeguard the data subjects' rights and freedoms (...)".
Companies' compliance requirements
The GDPR has not only provided data subjects with enhanced rights and freedoms, but has also required companies to specifically introduce tools to comply and show compliance with the new set of rules:
- a Data Protection Impact Assessment, to be performed whenever the processing operation is likely to result in a high risk for the rights and freedoms of individuals (Art. 35);
- the appointment of a Data Protection Officer under the listed three conditions (public authority/core activity requiring regular and systematic monitoring of data subjects on a large scale/core activity consisting of a processing on a large scale of special categories of data) (Art. 37);
- Data protection certification mechanisms, seals and marks to demonstrate compliance with the new rules (Art. 42);
- the implementation of "appropriate technical and organizational measures, as pseudonymisation, which are designed to implement data protection principles, as data minimization" (Article 25, par. 1).
Data Protection as a Regulatory enabler for promoting privacy-based solutions
Data protection is not merely to be conceived as a set of rules companies have to fully comply with in 2 years' time, but is also to be seen as an incredible commercial tool that companies can use to catch users and compete with rivals.
This would be made possible by the increasing awareness around privacy-related issues.
Users are nowadays very much aware of the privacy implications of their commercial choices: they know they trade their personal data in exchange for a "free" service. Many just accept privacy policies without even being aware of their content, but the generation of digital natives has started to change their approach towards the security and the confidentiality of their communications and started to attribute value to it. Some even agree on paying a "fee" to get a more privacy-friendly service.
• Privacy-based revenue models are valuable candidates for representing the more suitable alternatives to revenue models based on personal data harvesting and tracking.
• They would indeed serve simultaneously the scopes of both protection of personal data and consumer empowerment and protection, and ultimately ensure a coherent enforcement of rights in a Digital Single Market based on trust, letting it flourish.
Big Data = Big Responsibility