Speech to the American Chamber of Commerce

Ladies and gentlemen,

I am delighted to have this opportunity to launch today’s forum on Data Protection, Regulation and Innovation and I want to thank you for inviting me here to do so. Your discussions are timely, and I look forward to receiving your conclusions in due course. I speak today not only as current Chair of the Justice and Home Affairs Council but as a Minister in an Irish Government which is conscious both of the key role which the IT and Information Services sectors continue to play in Ireland’s economic recovery and of the need for a coherent and practical set of data protection rules at national and European Union levels.

As you know, one of the priorities of the Irish Presidency of the Council of the European Union, and one of my specific objectives, is to achieve political agreement on key aspects of the proposed reform of the European Union’s data protection regime. I want to take this opportunity, therefore, to explain why this reform is so important for the EU and for Ireland and to provide some insights into the ongoing discussions.

Why do we need reform?
When the current regulatory framework €“ the EU Data Protection Directive €“ was adopted in 1995, individuals were, by and large, passive subjects of the processing of their personal data in large-scale data bases. And in 1995, unlike today, only a small minority had access to personal computers, mobile phones and Internet

Much has changed in the intervening period. Individuals are no longer merely passive data subjects whose personal data are processed by others, but active controllers who themselves routinely process the personal data of other people.

And we voluntarily supply large amounts of personal data about ourselves, our interests and our lifestyles when purchasing goods and services on the Internet and using other online services. Many of us €“ especially young people €“ actively or, in some cases, perhaps unconsciously publish and share personal data about ourselves and, frequently, about other family members and friends on social networking sites.

All of us here today have witnessed an information technology revolution in our lifetimes, and the pace of technological change shows no sign of slackening. Indeed, the launch of new online services and new data-sharing possibilities has become commonplace and routine.

These technological advances and associated new business models such as cloud computing, present new opportunities for business but they also pose new, and increasingly common, risks for privacy. In order to ensure the sustainability of technological progress, new rules are needed which will both protect individuals’ privacy rights and facilitate business in the digital age.

EU reform proposals
In 2010, the Lisbon Treaty introduced a new legal basis for strengthened data protection standards in the European Union. In January 2012, the European Commission tabled proposals for a radical shakeup of the current regulatory framework and these proposals are currently being discussed separately in the Council of the European Union and in the European Parliament. Adoption of the reform package is subject to co-decision between both institutions.

A key objective of the European Commission’s reform proposals, which we wholeheartedly support, is to increase individuals’ control over their own personal data. We must seek to ensure that data protection standards keep pace with the emerging technologies and new business models. Otherwise citizen confidence and trust in the digital environment will not be sufficient to enable us to realise the full potential of the digital economy and the economic growth, new jobs and dynamic innovation which it can deliver.

I firmly believe that we need a new regulatory framework that will protect our citizens and at the same time enable companies to take full advantage of the European Union’s single market of 500 million consumers. The potential is enormous: according to some estimates, the Union’s GDP could grow by a further 4% by 2020 if the necessary steps are taken to create a streamlined digital single market.

Benefits for business
Doing business in the European Union will be easier and less costly when the proposed reform package is enacted and implemented.

Firstly, it will increase legal certainty for controllers and processors by replacing the current bewildering patchwork of national data protection laws in Member States with a uniform set of rules applicable throughout the entire European Union: one digital market subject to a uniform set of data protection rules

Secondly, under the proposed ‘one-stop-shop’ rule, controllers and processors will in future have to deal only with the regulator of the Member State in which their ‘main establishment’ is located. The benefits of being able to deal in future with only one data protection authority, using one language rather than many, are, I think, obvious.

Thirdly, the new rules will clarify conditions for the transfer of personal data to non-EU countries, including by means of binding corporate rules in the case of related corporate entities. Improved arrangements for international transfers €“ an increasingly common aspect of today’s more globalised economy €“ will help to ensure that data transfers become less bureaucratic and more legally secure.

Business concerns
I am, of course, aware of specific concerns in relation to some of the Commission’s proposals and more general concerns that some elements of the reform package may entail additional administrative burdens and compliance costs for companies, including small and medium-sized enterprises. These are concerns which must be taken seriously.

Specific issues

‘Right-to-be-forgotten’
The objective of the new ‘right-to-be-forgotten’ is to require controllers who may be storing an individual’s personal data to erase such data when requested by the individual concerned, provided the data are no longer needed for any legitimate purpose. This is intended to apply in particular to personal data supplied while the individual concerned was a child.

Where the personal data have been made public by the controller, the controller will be required to take all reasonable steps to inform third parties that may be processing the data concerned of the individual’s request to erase any link to, or copy of, the data concerned.

This new right is intended to address, in particular, the risks of possible financial, reputational or psychological detriment to individuals in the context of social networking activities.

The practicability and possible costs associated with this new right have been highlighted in discussions of the reform proposals. However, it is worth noting that it is not an unqualified right: freedom of expression will be protected and erasure will not be required where the controller is otherwise legally required to retain the data. Moreover, in cases where the data have been made public, the obligation on the controller is “to take all reasonable steps” to inform relevant third parties. This takes account of the fact that in many cases the controller may have no knowledge of, or influence over, third parties to whom those data have been disclosed.

Administrative fines
The reform package also contains proposals for the imposition of hefty administrative fines for intentional or negligent infringements of the Regulation. The Commission has proposed that the fine in each individual case should be “effective, proportionate and dissuasive” in order to ensure that the new safeguards are taken seriously and are implemented in an effective manner.

During the discussions at the Informal JHA Council which I hosted here in Dublin in January, there was broad support among Ministers for giving the data protection authorities of Member States a broader range of sanctioning powers, including greater use of warnings, reprimands and corrective action orders, and more discretion when determining levels of administrative fines. We will have regard to Ministers’ views as we prepare revised proposals in due course.

Explicit consent
I am of course aware that the Commission’s proposal for a strengthened consent threshold has given rise to concerns. This aspect has not yet been discussed specifically by Justice Ministers but it is worth noting that consent requirements are already present in the 1995 Directive and they have been transposed into the national laws giving effect to it.

It is also worth noting that consent is but one of several grounds on which the personal data of an individual may be processed. Increasingly, such processing takes place in the context of a contract between the individual and service provider and the reform proposals continue to recognise the validity of that contractual relationship as a basis for the processing of personal data.

General concerns

Risk-based approach
At the formal JHA Council meeting in early March, I reported to Justice Ministers on the intensive technical work which had been underway since the start of the Irish Presidency and obtained their approval on several important points. Firstly, the Council endorsed our ongoing efforts to introduce a more risk-based approach in the proposed Regulation. A risk-based approach would mean that the security obligations on controllers and processors would be proportionate to the risk of misuse of the personal data in the event of unauthorised disclosure or loss. If, for example, a stolen laptop contains personal data which has been encrypted the risk of misuse is far lower than if the data have not been encrypted. In the former case, there may be no pressing need to inform the data protection authority of the security breach or to inform those whose data have been encrypted. Our task now is to develop criteria to enable controllers and processors to distinguish risk levels and also to explore the use of pseudonymous data as a means of calibrating controllers’ and processor’s data protection obligations.

At the March Council meeting, there was broad agreement on the need for controllers and processors to carry out data protection impact assessments where intended processing operations would appear to involve specific data protection risks, and support also for the requirement for those companies to engage in dialogue with the data protection authority where impact assessments indicate that the proposed processing operations are indeed likely to present a high degree of specific risk.

As regards the Commission’s proposed mandatory appointment of a data protection officer within companies engaged in certain types of data processing operations, the majority of Ministers expressed support for a voluntary approach. The majority view was that the appointment of a data protection officer may be regarded as a model of best practice but it should not be imposed as a mandatory requirement.

Finally, in the context of the risk-based approach there was broad support for drawing up and incentivising the application of approved codes of conduct and the use of approved data protection certification mechanisms. It is intended that business sectors would have a role in the drawing up of such codes of conduct and the development of certification mechanisms, including data protection seals and marks. I believe that the process of drawing up codes of conduct and developing privacy seals and marks would benefit greatly from the input of business sectors and I would encourage them to adopt a supportive and pro-active approach at both EU and national levels.

Flexibility for the public sector
At an early stage of the discussions several Member States stated that they need more flexibility regarding data protection rules for the public sector in order to enable them to apply these rules in the context of their own constitutional, legal and institutional arrangements.

We have therefore embarked on the process of investigating whether and how the Regulation can take sufficient account of the specificities of the public sector in Member States. This has raised difficult questions of defining the demarcation lines between the private and public sectors and the adjustment of some data protection rules in order specifically to take into account unique aspects of the public sector including, for example, public records and state archives. This work is ongoing.

Office of the Data Protection Commissioner
The Government, and I as Minister, fully respect the statutory independence of the Office of the Data Protection Commissioner in Ireland and are well aware of its important role in the development of the digital economy. We strongly support the Office of the Data Protection Commissioner and I can say I have already ensured that budgetary allocations for 2013 provide for a 20% increase in the budget for that Office in 2013 and a range of additional staffing resources. I have also committed to providing, on an ongoing basis, whatever additional resources are necessary to enable the Data Protection Commissioner to continue to discharge the vital functions of his Office.

Conclusion
The data protection reform proposals are undoubtedly one of the most important reform packages being discussed at EU level at present. Data protection affects all of us, whether in our private capacity as an individual or in our business or professional capacity as users of personal data.

Progress in this area is a priority of the Irish Presidency of the Council of the European Union. We are working hard to achieve that progress and have already devoted 18 working days to data protection to-date and have scheduled at least another 7 days before the end of June.

Data protection has also been given priority at political level. At the Informal Justice and Home Affairs Council which I hosted here in Dublin in January, ‘the right to be forgotten’, ‘household exemption’ and ‘administrative sanctions’ were discussed by Ministers. The March Justice and Home Affairs Council discussed proposals for a strengthened ‘risk based’ approach in the draft Regulation as well as the need to provide more flexibility for Member States’ public sectors.

The data protection reform package was also an important topic in my meetings with the European Parliament when I outlined the Presidency priorities in the Justice and Home Affairs areas at the start of the Presidency.

Data protection will also be on the agenda of the June Justice and Home Affairs Council. One of my specific objectives for the June meeting is to achieve political agreement on key aspects of the proposed reform. I would however like to emphasise my conclusions at the March JHA Council, namely it is important that we move forward carefully and that at the end of the process we have an instrument that ensures the best possible legal environment in respect of data protection both for business and for citizens.

Once again, I wish you success in your discussions today. I hope that by outlining some of the key emerging policy issues at EU level, I have provided some useful input into today’s proceedings.