Ladies and gentlemen, Today’s conference comes a little more than eight months after the GDPR began to apply. But Europe’s journey on data protection is much longer and many of you in this room have been on board of a data protection ship even when others were announcing ‘the end of privacy’.
I would like you to reflect for one moment on how far we have come to get to this point.
A few years ago, a conference like this one would have brought “experts” together. Outside of the data protection community, some critics argued this is a European obsession!
They said that people simply do not care about their personal data or that legislation is not the right tool to deal with such issues. I think that many events of the past years but also the success of this conference, the number of participants and the diversity of speakers proves this theory wrong.
I realised that we have come a long way when in November last year I went for the first time to the WebSummit in Lisbon. The event is very business oriented, yet in the first hours of the conference all I heard was a praise of privacy, data protection and of the GDPR.
For me that was a symbolic moment that many of those who tried to criticise the GDPR in the making, finally embraced it and understood why we need it.
Of course the massive data breaches or revelations of the mishandling of personal data, such as in the Facebook Cambridge Analytica scandal helped our case.
They remind us what is at stake – from preserving our most intimate sphere to protecting the functioning of our democracies and ensuring the sustainability of our increasingly data-driven economy.
The title of the panel that will take place shortly is ‘defending the GDPR’.
But I do not feel the GDPR is any longer under heavy attack. It is the EU response to the challenges of a modern, digital world and a tool for businesses to try to regain the lost trust. And I do not see any offers of a better response.
On the contrary, our European ship has now reached many global ports.
When we look around the world, from Asia to Latin America, we see that a growing number of countries are adopting new privacy laws that are inspired by our European law. For example, a comprehensive legislation that applies across industries and sectors, a core set of enforceable rights and enforcement by an independent supervisory authority.
This approach allows us to continue and expand our adequacy dialogues that allow for secure flow of data between the countries. Just a couple of weeks ago we recognised Japan in this way, and received the same honour from Japan. With this, we created the biggest area of free and secure data flow in the world.
And this is just the right thing to do when this Friday the important trade deal between the EU and Japan will enter into force.
More so, I think the real testimony of our joint success is that last week many leaders and prime ministers in Davos called for global data governance and data flows based on security and trust. Prime Minister Abe wants to make it a key theme during the G20 meeting in Osaka.
Europe is well equipped to play a key role in this debate.
There is one place though where I didn’t expect a privacy debate to change very much under my mandate. Yet, it’s nice to be proven wrong sometimes.
The US recently started a debate about horizontal privacy legislation and we have participated in their public consultations.
I think this is an important development, because the convergence between the EU and the US on data protection would strengthen the Privacy Shield and send a clear signal to those who still have some doubt that strong rules are not a luxury; it’s a necessity.
The fact that privacy and data security are becoming truly global issues should not come as a surprise. The world is facing similar challenges and wants to seize similar opportunities of the digital economy.
People around the world want to see their privacy protected. Consumers want their data to be safe. In turn, businesses recognise that strong privacy protections give them a competitive advantage as confidence in their services increases.
This developing convergence in privacy standards at international level allows data to flow easily. It therefore boosts trade, while improving the level of protection of personal data when transferred abroad.
Ladies and gentlemen,
Privacy belongs to everyone! But does the GDPR succeed in guaranteeing individuals their rights?
Let me return to the question you will be asking in the next panel debate. The GDPR has been in place for eight months. And we can already draw some lessons. But what have we learnt? Did it defend itself?
By complying with the GDPR, companies have had the chance to put their data house in order by taking a closer look at what data they are collecting, what they use it for, how they keep and share it, and whether they really need to collect and process all this data.
It has allowed businesses to reduce exposure to unnecessary risks and to get a better idea of what data they hold and develop a more trustworthy relationship with their customer and commercial partners.
Citizens also took advantage of the GDPR. From what we hear from Data Protection Authorities, since May, EU citizens sent more than 95,000 data protection complaints to the national authorities. And NGOs active in the field of data protection have started to use the possibility to bring collective actions before data protection authorities and courts.
But, it is also now clear that, contrary to some alarmist predictions, our data protection authorities did not become fining machines. Firstly, because fines are only one of the tools the DPAs can use to enforce the GDPR. And, when they use it, it is only after a thorough investigation of the facts of the case and always on the basis of the circumstances of each case.
However, the recent fines by CNIL on Facebook show that the DPAs make full use of the powers the GDPR have given them.
What we have seen in these first months is that compliance is a dynamic process that involves close dialogue between regulators and stakeholders. In that context, following broad public consultations, European DPAs have adopted sixteen detailed guidelines on all novel aspects of the GDPR. This work will continue as new questions emerge, and I want to praise the DPAs for their active and open engagement with stakeholders.
It is essential for the data protection authorities to forge a common EU approach and a European culture of data privacy.
Ladies and gentlemen, To conclude, let me just say that I don’t think GDPR is just plain sailing. We all have a lot of work to do and we still need to answer some important questions. This is why we will organise a “one year after” conference in June to look at the experience of business and citizens in particular.
But it’s clear we have now wind in our sales. We have a window of opportunity to promote this gold standard we have established and inspire others.
For this to happen, we still need more work to do so people and businesses can fully embrace and understand concepts and ideas that are still at times very complex. This is why we have relaunched this Monday our targeted campaigns for citizens and for small businesses.
I think we are in a very good place to lead this debate, as the GDPR is based on a modern approach to regulation, which empowers users and rewards new ideas and technologies that address privacy and data security. This should also guide us in our further discussions on topics such as artificial intelligence.
I trust that you will take these thoughts forward in your panel discussions.
Thank you for your attention.