9 December 2014 Volha attended the 5th Annual European Data Protection and Privacy Conference: Towards a Coordinated Privacy Framework for Europe, which was organised by Forum Europe and held at the Management Centre Europe in Brussels. The event was attended by more than 300 delegates and, according to its organisers, provided “a key multi-stakeholder platform for debate on data protection and privacy in Europe”.
The Conference addressed the following key questions:
- What sticking points remain to complete the tripartite negotiations between the Parliament, Council and Commission?
- While the legislation is unlikely to come into force before 2017, are European and international businesses clear on what their obligations will be, and how will the new rules impact on digital trade?
- What does this year’s ruling by the Court of Justice of the EU regarding the right to be forgotten mean for the evolving understanding of data privacy and security?
- How can the EU and national Data Protection Authorities work to ensure that, in practice, the balance between freedom of expression, privacy and economic growth is ensured?
- What steps can international actors take to create a global privacy framework? How would this help to maximise cross-border digital trade?
Speaking at Session 1 ‘Assessing the progress of the European Data Protection Regulation – on track for completion?’, Věra Jourová, Commissioner for Justice, Consumers and Gender Equality of the European Commission, confirmed that data protection was one of the key ten priorities for the new Commission, a priority which was to be addressed in the context of the existing sensitivity to mass surveillance and new challenges to data protection and privacy. Discussing the issue of restoring trust, she pointed out that this was the task not just of the Commission, but of the companies themselves. The Commissioner stressed the need for strong citizens’ rights to data protection and privacy in the digital world and a level playing field for the digital industry. She called for the “gold standard in data protection”; in her words, “we owe it to our citizens and our businesses”.
Jan Albrecht MEP, Rapporteur on General Data Protection Regulation of the European Parliament, emphasised that, while the EU digital market needed a unified data protection framework, as things stood, the overall deadline for the data protection reform was in danger of not being met.
In his keynote speech Kelly Welsh, General Counsel of the US Department of Commerce, pointed out that finding the right balance between big data and privacy presented big challenges. At the same time, as kinds and amounts of data collected continued to expand and costs of storing and analysing it continued to fall, benefits of utilising big data were “significant and pervasive”. As for risks, the speaker argued that they were not equally serious, with something like confidentiality of health records being much more important than risks associated with the use of purchasing habits data. This position is reflected in the sector-specific data protection laws in the USA. The US position also informed the speaker’s emphasis on self-regulation and the role of technological solutions to data protection challenges. The Counsel concluded by stressing that borderless secure data flows were crucial for economic growth and that data localisation requirements were damaging to it.
The panellists of the debate that followed emphasised different issues related to the proposed Data Protection Regulation (DPR). Thus, Kostas Rossoglou, Senior Legal Officer from BEUC, stressed the issue of trust and argued that extra territorial scope of the DPR was key. Cameron Kerry, Senior Counsel from Sidley Austin LLP, argued that proposed provisions on explicit consent, data minimisation and definition of profiling were obstacles for leveraging big data, including the use of predictive analytics. Karen Thomson, Head of Strategic Information Governance of the NHS England, stressed the difficulties associated with balancing the right to be forgotten and the integrity of health records. During the debate, Isabelle Vereecken, Belgian DPA, drew attention to the issue of pseudonymous data in light of the existing powerful combinatorial analytical capacities. In response, a representative of Experian argued that the industry did not consider pseudonymous data to be personal data.
Speaking at Session 2 ‘The future of data privacy in Europe – have we got our privacy concepts and principles right?’, Thomas Zerdick, Deputy Head of Unit, Data Protection, DG Justice of the European Commission, was very optimistic in arguing that the proposed DPR was “cloud-proof and big data-proof”. Perhaps unsurprisingly, Thomas Boué, Director, Government Affairs, EMEA, BSA/The Software Alliance, stressed that most of the data generated today was not personal data and that it opened up a field of innovation, which was beneficial not just for companies, but also for individuals and for the society at large. While drawing attention to the fact that many technology companies were concerned about governments’ access to data, he remained silent on the important issue of technology travel between different private (commercial) and public domains and its implications.
Definitely, one of the highlights of the Conference was the speech by Viviane Reding MEP, Member, International Trade Committee of the European Parliament (previously Vice-President and Commissioner responsible for Justice, Fundamental Rights and Citizenship). She was very clear about big data requiring “big rights” and personal data belonging “to the people and not to the companies”. She stressed the need for Europe to become serious about these issues at home, if it wished to be taken seriously internationally. In this respect, she reiterated her previous call for the EU citizens to be given equal protection in the USA to that of the US citizens. Reding also criticised attempts by the USA to “use back doors” to push for exemptions to data protection during on-going bilateral trade negotiations; in her words, “ethical arguments and considerations matter” and “data protection is not a tariff, it is a fundamental right”, so “it cannot be negotiated in the same way”.
Speaking at Session 3 ‘International interoperability – balancing privacy and international data flows’, Rupert Schlegelmilch, Director, Services and Investment, Intellectual Property and Public Procurement, DG Trade of the European Commission, emphasised that all trade and services today were dependant on data transfers and that up to 80% of the data flows could be personalised. He argued that, while in the globalised world localisation was not the answer, adequate rules were indeed needed if data flows were to continue to take place. Ted Dean, Deputy Assistant Secretary for Services of the US Department of Commerce, addressed the role of the Safe Harbour, which had been the target of much criticisms by the EU institutions, and pointed out that around 3,900 of the US companies were certified under Safe Harbour and that instances of violations (e.g. false claims regarding Safe Harbour certification) were the target of enforcement action by the Federal Trade Commission.
Full Conference Agenda is available at: http://eu-ems.com/agenda.asp?event_id=234&page_id=2021
Photos of the event are available at: http://eu-ems.com/practical.asp?event_id=234&page_id=2218