5th EU Conference on Data Protection, Brussels


The conference kicked off with keynotes from Vera Jourova, EU Justice Commissioner and from Jan Albrecht MEP, rapporteur on the Data protection regulation who both called for a quick adoption of the regulation and wanted to put more pressure on the Council. It went on with panel discussions where some business representatives showed the importance of getting the data protection regulation right while representatives of the US FTC insisted on the need to keep good relationships with the US and find a common level playing field on data protection.

Vera Jourova, EU Justice Commissioner and Jan Albrecht MEP

Commissioner Jourova insisted on the need to preserve good negotiations with the US counterparts on the data protection issue. MEP Albrecht stressed it was the 5th annual data protection conference and that the Data Protection regulation had been discussed for 3 years now, so Europe cannot afford to wait longer. The EU needs to have partners having the same level of data protection and there is also a need of a legally certain and reliable pillar. He commented quickly on the state of negotiations of the data protection regulation, stating that the Council did not manage to close the deal on the whole draft, but agreed on the one stop shop principle. However, a compromise is needed on the one stop shop for data controllers but also with effective redress for citizens so Data Protection authorities must coordinate together.

Jekaterina Macuka – Latvian Ministry of justice, Latvian representative in art 29 Working Party

She reminded the audience that the understanding of privacy is changing each year. The Data Protection directive of 1995 was created at the time when there were no Facebook, no LinkedIn, Twitter and smartphones, so with these new challenges, new regulation is needed. There is also a need of a competitive approach and to reach something balanced. Regulation should help controllers and data subjects. Data Protection Authorities should not concentrate on punishments and fines but protection and mechanism to make two parties live with it. The focus will also be on the right of data subjects.

Kelly Welsh, General Counsel, US Department of Commerce

He evoked the recent reviews and dangers on big data pointed out by the Obama administration, and thus protecting privacy rights and enabling big data is quite challenging but very promising. Big data will drive new disruptive business models, better energies with smart grids, better transports and better enablers for all consumers and companies will be evaluated on how they leverage data.

But there are also new challenges around privacy and autonomy, such as in health care, where there is a need to find a balance between benefits and risks, and to preserve the confidentiality of health record. All this will challenge how we think data is sensitive, also for social media.

Education is another field where the benefits of big data are tremendous. The schools will receive next generation internet access and teachers training, with real time adaptation to students’ level. But this also means important implications for privacy, including behavioural data, which can improve reading and learning patterns but can also be used to build consumer profile of students, though protected by children online privacy act; The California law restricts use of educational data by third parties.

In addition to policy, the US focuses on how to leverage technology to improve privacy protection. A Code of conduct is under development from telecoms and others on facial-recognition technologies and with differential privacy to minimize privacy risks. Protecting the Safe Harbour is key because a fragmented approach will send a wrong approach to global digital economy.

Panel debate

This panel featured Kostas Rossoglou from BEUC (consumers’ organization), Chris Sherwood from the Allegro group, Cameron Kerry from Sidley Austin LLP and Isabelle Vereecken from the Belgian Commission de la Protection de la Vie Private.

BEUC insisted on the purpose limitation principle, i.e. that the data collected for one purpose should be for this one only. Legitimate interests should only be the last resort and it is important to have strong and proportionate sanctions.

Chris Sherwood, Allegro group, reminded the audience that the directive 95/46 had been durable because it is principle- based and technology neutral. Though it needs adaptation because society has changed and the idea of a Data Protection regulation is good, but it needs to get it right. The problem is that the political approach based on defensive approach, vis- à- vis US internet companies. In practice this defensive look impedes the development of EU internet companies. The main problem is that the current text is a series of provisions that taken globally create reverse incentives. He called to have a system-based approach looking at the regulation as a whole, otherwise if don’t do this, EU will be making a historic mistake.

Cameron Kerry exposed first his background, where he had been the chief US Department of Commerce negotiator on Data protection for a while. He reiterated the need to preserve the benefit of economic growth and big data evolution with the right approach to privacy too. He backed up the emerging definition of secondary processing, at a context-based approach, with unambiguous consent rather than explicit. Data minimization is an obstacle to big data. He also made a plea to keep Safe Harbour and not damage the EU/US relationship. He also insisted on the need to look at competition and fairness laws to reduce competition disruption rather than relaxing privacy laws and stressed that risk of deanonymisation was bigger on mobile.

Isabelle Vereecken listed the points that are still being discussed by the Council, including inter-alia:

–          The one stop shop

–          The risk-based approach

–          Trans border data flows

–          Safe Harbour

–          Sub processing activities: processors also need to be compliant. Many processors are now big companies and must be liable on data security, but now cloud computing and intervention of multiple actors a danger, sub processing activities have to be framed and sub processor have to be made liable.

Keynote from Viviane Reding MEP and former EU Justice Commissioner

Mrs Reding stated first that the right to privacy is a fundamental right and should remain as such. What is the Council waiting for? Council only needed 6 months to decide on the data retention! In her eyes, the Data Protection reform is sine qua non to build Digital Single Market. Data belongs to the people and hence the decision must be the decision of the people. Cutting costs and red tape for SMEs, the territoriality principle and the rules need to be enforced by any company. There is no time to lose on the Safe Harbour and umbrella agreement. Legislative action is needed in the Congress to grant EU citizens the same data protection rights as US citizens in the US. 11 of 13 recommendations on Safe Harbour have been agreed on but the last 2 are the most problematic and concern national state security exemption. She said that negotiations on TTIP and TISA reports in 2015 will present opportunity to draw red lines.