Tag Archives: Viviane Reding

LIBE Committee votes all the amendments of the General Data Protection Regulation * No more “right to be forgotten”? * And why is everybody so excited/alarmed?

According to a press release of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament, “a major overhaul of current EU data protection rules, to put people in control of their personal data while at the same time making it easier for companies to move across Europe” was voted on Monday.

The vote has been described as being “historic” and “a breakthrough”, the latter being declared by Jan Philipp Albrecht, the man of the hour, who was the rapporteur MEP for the General Data Protection Regulation proposal. According to Albrecht, “this evening’s vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the the challenges of the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws”.

The Commissioner of Justice, Viviane Reding, was as excited about the news as Albrecht. She twitted shortly after the vote concluded: “With a large majority vote, @Europarl_EN committee has sent a strong signal tonight: as of today data protection is made in #Europe”.

However, all this excitement could be seen as premature, when one thinks that the European Council has still to achieve a common ground regarding the draft regulation. This means that the governments of all the 28 EU Member States must conclude the debates on the GDPR and come up with the Council’s own amendments. After the final draft of the Council is ready, the Parliament and the Council must also achieve a common ground regarding the GDPR before they vote it and it will enter into force.

Forget the “right to be forgotten”

The text of the draft GDPR voted by the LIBE committee has not yet been published. The only official indications with regard to its content are entailed in the press release previously cited. According to it, we find out that the controversial “right to be forgotten”, originally enshrined in Article 17 of the GDPR proposal, will lose its catchy name and probably the main reason it received so much attention. The good news is that the content of the right seems to remain the same:

“any person would have the right to have their personal data erased if he/she requests it. To strengthen this right, if a person asks a data controller (e.g. an Internet company) to erase his/her data, the firm should also forward the request to others where the data are replicated. The “right to erasure” would cover the “right to be forgotten” as proposed by the Commission”.

The reverse of general excitement: why the “Safe Harbor” panic?

While the EU officials directly involved in the GDPR legislative process are applauding the vote of the LIBE committee, voices from the US started to panic because of the imminent danger which apparently threatens (“torpedoes“?) the Safe Harbor agreement, already imagining a world without it.

Both the extreme happiness and panic are not justified at this point of the legislative process. There are still difficult stages to surpass before this piece of legislation will enter into force. The will of the governments of the 28 MSs rarely mirrors the vision of the European Parliament. As such, unfortunately, we will have to wait a bit more before affirming that data protection is made in #Europe.

 

 

 

 

 

Advertisements

Reding on pseudonymous data: We should encourage companies to use pseudonyms rather than the actual names

Commissioner Viviane Reding intervened in the Justice Council on March 8, 2013, on matters related to the adoption of the Data Protection Regulations. She referred among other things to the issue of pseudonymous data, saying that incentives should be created for companies to use such data instead of the names of the data subject. Nevertheless, Reding insisted that it should always be kept in mind that pseudonymous data is personal data and that it should be subject in general to the data protection legal regime.

Reding:

“Anonymous data is easy to deal with. It is outside the scope of the instrument. There is no risk. The Commission’s proposal makes this clear.

Pseudonymous data is more difficult. I understand the principle. We should encourage companies to use pseudonyms rather than the actual names of persons. This makes sense. It is in the interest of citizens. For pseudonyms to be used, you need to create incentives. Lighter obligations on privacy by design or on notification of breaches are candidates.

The inclusion of a notion of pseudonymous data has also been suggested by the European Parliament’s Rapporteur, Jan-Philipp Albrecht. This demonstrates that there is convergence between the Council and the Parliament on key elements of this file.

But I would sound a note of caution: Pseudonymous data is personal data. It relates to an identified or identifiable natural person and has to be protected under the Charter and EU law. Risks to privacy remain and are real. A single piece of data such as an email address can create a link between a very accurate profile and a person. It is particularly important to keep this in mind since pseudonymous data is often used in the health sector.

So I am happy to work on the notion of pseudonymous data but I will be vigilant. We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions.”

 You can find the entire intervention HERE.

Commission downplays Parliament EU-US data privacy concerns

EUObserver writes about how Justice Commissioner Viviane Reding has insisted that US authorities cannot override EU laws on data privacy, following concerns expressed by MEPs that certain US laws and legal subpoenas could force EU companies to disclose personal data to US law enforcement agencies.

In an oral question to the Commission, liberal MEPs drew attention to US legislation, including the Medicare Act and the Patriot Act, which, they said, could require the submission of personal data stored in Europe to the US authorities.

Read the rest here: http://euobserver.com/871/115299

European Commissioner reveals views on Binding Corporate Rules

Binding corporate rules are codes of practice that are set up and adopted by multinational corporations or groups of companies that want to operate both within and outside the EU, as a way of showing they comply with EU legislation covering the transfer of personal data outside the union.

ZDNet.uk writes that “EU promises harmony on corporate data law”.

Viviane Reding is leading a major review of the EU’s data protection laws, and has this week given several speeches on the subject. One of those talks, to the International Association of Privacy Professionals (IAPP), detailed the changes she hopes to make to the system of binding corporate rules.

“Binding corporate rules are indeed a very smart data protection tool, but we all know that they could do even better,” Reding said, explaining changes intended to strengthen and simplify the system while also ensuring that it covers modern forms of data processing, such as cloud computing.

For example, the document may demonstrate how those handling data outside the EU will comply with the standards expected within the union. The rules are voluntary to establish but, once adopted, are legally binding.

At the moment, a group wanting to set up binding corporate rules will choose a national data protection authority (DPA), such as the UK’s Information Commissioner’s Office (ICO), to approve the rules. Once it has given its own approval, that DPA will circulate the document around the DPAs of every other EU member state where the group is active, for the approval of every one of those DPAs.

Source: ZDNet.uk, via European Commission

The situation under the current [1995 Data Protection] Directive means that your one set of rules must be checked by multiple authorities with different — and at times maybe contradictory — practices in place,

Reding said on Tuesday. “I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools.”

Harmonise legislation

Reding, who is on a mission to harmonise EU data protection legislation, said there should be just one point of contact for companies among the various DPAs. She added that, once one DPA had approved a set of binding corporate rules, all European DPAs will have to recognise them.

Smaller companies that operate on a global scale should also be encouraged to adopt binding corporate rules, the commissioner added.

“Binding corporate rules will no longer be a tool ‘for experts only’. They should be compatible with small innovative companies’ endeavours to operate on a global scale; companies should be able to transfer their data freely and safely — anywhere and in conformity with the law,” Reding said, explaining that the rules will cover everything from paper-based filing systems to complex cloud computing systems.

READ MORE: http://www.zdnet.co.uk/news/regulation/2011/12/01/eu-promises-harmony-on-corporate-data-law-40094553/

The Publication of the New EU Data Protection Directive, Delayed

The details of the reform of the Directive 95/46/EC was supposed to be published in November. But a representative of the European Commission announced last week that the publication will be delayed.

Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, told the IAPP Europe Data Protection Digest that “this is a comprehensive reform” and the timing for publication is “within 20 weeks.” 

In a speech in May, Reding boiled down the reform to “four important changes,” including making the directive enforceable for countries outside the EU that “target” EU citizens; including “data protection by design;” revising the rules on adequacy as well as streamlining and strengthening “procedures for international data transfers,” and the creation of a “mechanism” for third-country providers–possibly an “EU Safe Harbour system.”

Read more about the reform HERE.