The Privacy Platform Meeting: Reding outlines the way forward

By EDRi · March 23, 2011

On 16 March 2011, Sophie In’t Veld’s Privacy Platform met in the European
Parliament to discuss the state of play for the review of the data
protection directive.

The cross-party meeting was co-chaired by EU Parliament members from the
EPP, S&D, ALDE, the Greens and GUE. Speakers at the event included
Vice-President of the Commission responsible for justice, fundamental rights
and citizenship Viviane Reding and Axel Voss, German EPP member responsible
for the Communication on a comprehensive approach to data protection in the
EU in the European Parliament.

Like most meetings which aim to tackle this massive Directive, it was
difficult to narrow discussions and focus on concrete problems or possible
solutions. However, there was an emphasis on fundamental rights from many

In her keynote speech, Ms. Reding said that data protection was her “top
legislative priority”, while still hinting at the idea that a Regulation
could replace the existing Directive, at least in part. She plans to enhance
control and build individual rights in four pillars:

1. The right to be forgotten. Individuals have the right to withdraw consent
to data processing, and it will be up to the data controllers to prove
the need to collect or retain personal data.

2. Greater transparency. For data subjects, the use, collection and
retention of personal data must be made clear, intelligible, easy to
understand and easy to find. She made particular reference to social
networking services and children.

3. Privacy by default. The term is different from the vaguely defined but
often cited Privacy by Design, which Reding says is more of a technical
solution. “Privacy settings often require considerable operational effort in
order to be put in place,” she said, so these settings are not a
reliable indication of true consent, adding that “this needs to be changed”.

4. Data protection regardless of data location. The data subject will enjoy
protection, independent of the geographical region where the data is being
collected and processed, without exception for third-party providers.

On enforcement, she cautioned that the EU would not hesitate to take action
against non-EU companies that broke EU rules on the collection and retention
of data. She proposed the establishment of national privacy watchdogs to
investigate non-EU data controllers. She declared that “a US-based social
network company that has millions of active users in Europe needs to comply
with EU rules”.

Mr. Voss and Commissioner Reding seemed to have divergent views on data
protection. Where Commissioner Reding understands these rights as
fundamental principles each human being is granted under all circumstances,
Voss often questions how far data protection laws should stretch. This was
particularly apparent when discussing data protection for criminals and
anonymity and pseudonymity on the web.

Ms. In’t Veld brought up the “rubber stamping” of consent, urging that the
revised Directive should address this adequately. Commissioner Reding agreed
that consent without choice cannot be considered “consent”. Ensuring true
transparency and choice, she explained, is one of the components of Privacy
by Default.

A Dutch Pirate from the audience asked the panel how it planned to
realistically protect the data of EU citizens regardless of geographical
location, citing the request by the US authorities to access the Twitter
data of individuals who may be linked to Julian Assange, the founder of
WikiLeaks. Ms. In’t Veld said there would soon be a meeting in the LIBE
Committee to address this issue explicitly.

Mr. Voss’ working document will be published and presented in the committee
on 11 April. The vote in the committee will follow on 24 or 25 May, and the
plenary vote on 22 June 2011. In advance of this, the EPP Group in the
European Parliament will hold a hearing on 31 March – the invitation
explains that “nowadays, the debate seems to be narrowly focussed on the
perspective of consumer protection and the safeguarding of a free internet.
We think there is more to discuss!”

As for the finalised version of the Data Protection Directive, the
Commission plans to deliver it sometime in the summer of 2011.

EU privacy law will extend to US social networks, vows Commissioner

Commissioner Reding’s keynote speech, Your data, your rights: safeguarding
your rights in a connected world (16.03.2011)

EPP Hearing invitation

(contribution by Raegan MacDonald – EDRi)