Data is the currency of today’s digital economy. Collected, analysed and moved across the globe, personal data has acquired enormous economic significance. According to some estimates, the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020.
But personal data isn’t just valuable on account of its economic significance. We, as human beings, value our personal data precisely because it’s personal – it’s part of us. So, it is only natural that we want to safeguard it.
Whilst it is important to seize the opportunities offered by the global digital economy, it is equally important to respond to consumers’ growing demands for stronger data security and privacy protection.
These were two fundamental considerations when it came to up-dating the EU’s data protection legislation. Both of them are reflected in the data protection reform package which entered into force in May 2016 and will be applicable as of May 2018.
For citizens, the General Data Protection Regulation is an essential step towards strengthening their fundamental rights in the digital age and building their trust in the digital economy.
The new Regulation will give citizens more control over their personal data and make it easier to access it. For example, they will have a “right to be forgotten.” If an individual no longer wants their data to be processed then it will be deleted, provided that there are no legitimate grounds for retaining it. In addition, individuals will have the right to know when their data has been hacked. Companies and organisations will have to notify the national supervisory authority of data breaches which put individuals at risk, and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures.
Giving individuals more control over their personal data will strengthen consumer trust in the digital economy. Stronger consumer trust will, in turn, allow businesses to fully seize the opportunities in the Digital Single Market.
Businesses will also benefit from the new Regulation, since it provides clarity and consistency regarding the rules to be applied. Essentially, the rules will make it simpler and cheaper for companies to do business throughout the EU.
A single, pan-European data protection law will replace the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The financial benefits of this are estimated to be €2.3 billion per year.
Similarly, companies will deal with one single supervisory authority, rather than 28. A ‘one-stop-shop’ will streamline cooperation between the data protection authorities on issues with implications for all of Europe. Companies will profit from faster decisions and from less red tape.
The new EU data protection rules will apply not only to European companies, but also to foreign companies offering products and services to EU citizens, or monitoring their behaviour. In other words, the same rules will apply to all companies operating in the EU regardless of where they come from. This will level the playing field between European and non-European companies and promote fair competition in a globalised world.
The digital economy is, after all, global. The internet and digitization of goods and services has transformed the world’s economy. The transfer of data, including personal data, across borders has become part of the daily operations of companies of all sizes, across all sectors, in all parts of the world.
It is therefore important that we promote our European data protection values at international level. We must ensure that when Europeans’ personal data is transferred abroad, the protection travels with it.
Hence, our data protection rules offer a range of mechanisms to transfer personal data from EU countries to non-EU countries: adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms and codes of conduct. This constitutes a broad and varied ‘toolkit’ to enable data flows in different situations, while also ensuring a high level of protection.
We are making good use of the tools in this ‘toolkit’. In August last year, we launched the EU-U.S. Privacy Shield to better protect personal data transferred across the Atlantic, while ensuring legal certainty for businesses.
Going forward, we will now prioritise discussions for new adequacy decisions with key trading partners, starting from Japan and Korea.
We also will work together with countries interested in adopting strong data protection laws and support them to adopt data protection principles that match EU standards. Nowadays, there are over 100 countries that have enacted data privacy laws. Around 35 countries are currently drafting data protection laws.
If data is the currency of the digital economy, then strong data protection rules are an essential precondition for the prosperity of such an economy. They are the foundations on which we can ensure the free flow of data across borders, both within the EU and worldwide. They are also the foundations upon which consumers will build their trust in the digital economy.