The newly installed head of data protection is making it clear tougher new privacy rules will remain a key focus as the European Union overhauls its data regulations.
European Data Protection Supervisor Giovanni Buttarelli noted that privacy and personal data have morphed from largely academic concerns to headline news in the wake of Edward Snowden’s revelations about U.S. mass surveillance, highly publicized hacks, and the European court ruling on the right to be forgotten.
“The tectonic plates of data laws are shifting, and in many ways Europe is at the epicenter of this realignment,” Buttarelli said during a speech in Washington this week before members of the U.S. Council on Foreign Relations and the Digital and Cyberspace Policy Program.
Buttarelli, who assumed his position in December for a five-year term, said political and technological developments have created “a perfect storm” in prompting calls for reforms in the 28-member bloc. While the reform of the EU’s 20-year-old framework has been under way for years, Snowden’s NSA bombshells created a greater sense of urgency for lawmakers.
“We need to place the individual more firmly at the heart of technological development, through transparency, user control, and accountability,” Buttarelli said.
The principles of the 1995 policy, including providing for individual consent and rights to access the personal data collected, are still sound, Buttarelli said. But the framework needs to be broadened to cover the advent of big data, cloud computing, and other advances, he said.
He called the 2012 proposal by the European Commission, which is winding its way through various committees and the European Parliament, “ambitious and far-reaching.”
“It will affect everyone in the world who processes personal data affecting individuals in the EU for commercial purposes, for purposes of public administration, any purpose which is not a purely ‘personal or household’ activity,” Buttarelli said in his speech. The proposal would apply directly to any data controller, and lays out obligations both for enterprises collecting data and those processing data on behalf of another entity.
The revised directive “will have real teeth,” Buttarelli said, noting proposed fines could be as much as 5 percent of a company’s annual global turnover.
“That’s why this reform is sending shock waves around boardrooms around the world,” Buttarelli said. “That’s why a record 4,000 amendments were tabled.”
Buttarelli noted that the much-discussed “right to be forgotten” court ruling, which gave individuals in the EU the right to request that search engines remove certain personal data from search results, was not in fact a major change. Rather, he said, it reaffirmed the responsibility of companies processing personal data to respect individuals’ rights.
An article in the Wall Street Journal this week noted the widening gap between European and U.S. approaches to data protection. A safe harbor provision between the EU and U.S., allowing U.S. companies to collect data from their EU customers, has come into the crosshairs of some MEPs and German regulators who want an end to the agreement, the article said.
Buttarelli touched on the safe harbor agreement in his speech, noting that he supports global “interoperability” on data protection rules as long as any deals are a two-way street.
“Bilateral agreements even with our closest strategic partners cannot be a back door for weakening the protection of the rights for which generations have fought,” Buttarelli said.
The WSJ said Buttarelli disagreed with President Obama’s characterization that some of the proposed EU data reforms, such as forcing companies to keep European data in Europe and therefore subject to its regulations, are aimed at protecting commercial interests rather than personal data. The proposals are aimed at giving individuals control over sensitive information rather than slowing the flow of data, Buttarelli said.
Before taking over as head of the European Data Protection Supervisor (EDPS), Buttarelli served as the agency’s assistant supervisor and as head of Italy’s data protection regulator.