United States Senate Committee on Commerce, Science, and Transportation
Hearing: “Consumer Data Privacy: Examining the European Union’s General Data Protection Regulation and the California Consumer Privacy Act”
Wednesday, October 10, 2018, 10:00 a.m.
Andrea Jelinek, Chair of the European Data Protection Board

Mr. Chairman, Honorable Senators,

My name is Andrea Jelinek. I am the Head of the Austrian DPA and the Chair of the EDPB. Thank you for inviting me to address you on a piece of legislation that has caused quite a few ripples in Europe and beyond: the European Union’s General Data Protection Regulation, or GDPR.

As Chair of the European Data Protection Board, which brings together the national supervisory authorities and the supervisor in charge of the European institutions, my task is to make sure we are all on the same page. A key task of the Board is to ensure the consistent application of the GDPR and to provide guidance to this end.

My aim today is to shed some light on how the GDPR works and the philosophy and concepts behind it. I hope this testimony contributes to the extremely timely debate on the adoption of a comparable law in the US at federal level.

It is often asserted that the EU and the US have a different approach to privacy and freedom of information, based on different historic backgrounds. In the EU, secrecy of communications and the protection of personal data are enshrined in the European Charter of Fundamental Rights. Europe’s complex history has shaped its views on privacy and data protection and caused EU citizens to be in favour of strict data protection rules.

Does that mean Americans are less worried about the protection of their personal data than Europeans are? It doesn’t seem that way: 24% of social media users in the US are not at all confident in the ability of these platforms to keep their personal information safe, and 64% of Americans have experienced a significant data breach pertaining to their personal data or accounts. We can only expect that number to go up with the latest Facebook revelations (Pew Research Centre).

The volume of digital information in the world doubles every two years; artificial intelligence systems and data processing deeply modify our way of life and the governance of our societies. If we do not modify the rules of the data processing game with legislative initiatives, it will turn into a losing game for the economy, society and for each individual.

Both in the EU and the US, people are more vocal about their right to data protection than ever before. The Facebook data breaches or misuse of data and other revelations have caught people’s attention up to a point where it is necessary to reestablish trust. Trust has always been at the core of the economy, and this is even more true in today’s digital society.

Businesses have started coming around too. And not just because they need to comply with the GDPR, but because they see that their clients and employees alike expect their personal data to be treated in a safe manner. More legislators and business leaders are stepping forward to say the time for overarching federal level privacy legislation in the US has come. I think for example of Brendan Eich, CEO of Brave Software and former CEO of Mozilla, who wrote to this very committee making the case for “GDPR-like standards”.

What shape such a law should take is of course up to US policy makers to decide. The EU’s GDPR and its functioning can perhaps serve as an inspiration. Is the GDPR the perfect recipe? Maybe not, but it is the result of an intensive consultation and collaboration process with all stakeholders and builds on rules that have been in place in Europe for more than 20 years. The GDPR does not change these rules but ensures greater effectiveness. We often describe this as an evolution rather than a revolution.

The GDPR is designed to ensure, as a single set of rules, the data protection rights and liberties of data subjects in the EU. The harmonisation of the legal landscape means two things: one overarching law rather than sectoral rules, and the principle of “one continent, one law”. These “common rules of the game” create a level playing field and ensure that data can move easily between operators while guaranteeing the consistent protection of individuals. The goal is to have one set of privacy rules that are interpreted in a uniform way throughout the continent. This represents a significant reduction in compliance costs for companies active in more than one EU country, as well as increased legal certainty. These are very tangible benefits of the GDPR, especially for foreign operators and smaller companies that do not always have the resources to deal with complex and diversified legal environments.

Under the GDPR, data can only be processed on the basis of “core principles”, including the requirement that data collection and processing shall be lawful, adequate, accurate, transparent, proportionate to the purpose for which it is undertaken, and kept only for as long as necessary. Individuals must be informed about the main aspects of the processing of their data and are empowered to exercise rights on their data, such as to obtain access or demand erasure when the data is incorrect or processed unlawfully.

The philosophy behind the GDPR is to put individuals at the centre of privacy practices, building on human rights and values like dignity. Companies must take a closer look at what data they are collecting, what they use it for, and how they keep and share it.

Accountability is one of the GDPR’s core principles, and the EU was inspired in this aspect by some of the principles stemming from your common law system. It relies heavily on businesses’ capacity to self-regulate. Organisations are responsible for complying with the GDPR and must be able to demonstrate their compliance.

The so-called “risk-based approach”, which you find at the heart of the GDPR, means that operators that limit the impact of their processing operations are exempt from a number of obligations. This approach reduces the regulatory burden for companies that carry out basic, mundane processing operations. It also creates incentives to develop innovative, privacy-friendly solutions from the earliest stages of development: “privacy by design”. The market offer of new privacy or data security enhancing products is growing. In other words, investing in privacy pays off and creates new commercial opportunities.

One of the greatest achievements of the GDPR is the “one-stop-shop” mechanism, which means a single lead supervisory authority is responsible for drafting a decision in a cross-border case. International or multinational companies operating in different countries have only one interlocutor to deal with: the Lead SA is in the country in which the company has its main EU establishment. Any decisions taken by the lead supervisory authority are valid across the EU.

How does this work in practice? When a cross-border complaint is filed, the cooperation mechanism kicks in. The LSA acts as the main point of contact and drafts a preliminary decision. This decision is then shared with the SAs concerned. If no objections are raised, the SAs are deemed in agreement with the draft decision. If objections are raised and the LSA decides to reject them, the so-called consistency mechanism is triggered and the case is referred to the European Data Protection Board. The Board will then act as arbitrator and issue a binding decision. On the basis of this decision, the LSA will adopt its decision, which can be challenged by the courts.

The “one-stop-shop” mechanism significantly reduces the administrative burden for organisations, as they do not need to consult with different regulators but receive one single position applicable in all EU countries. Complainants too only have one point of contact, i.e. the supervisory authority in their country.

It is often said that the US approach to data protection promotes technological innovation and economic growth, which is important for people living on both sides of the Atlantic. Let me give you my opinion on that: without trust there is no economic growth and no innovation at the end of the day. That being said, the GDPR is carefully calibrated so as to not hinder economic development while keeping in mind the fundamental right of the individuals.

One of the main goals of the GDPR was actually to enable a more functional information economy within the EU, with more transparency for citizens, which should lead to more trust. Companies should be allowed to continue to use and share data as long as they do so in a transparent and lawful manner, respecting the rights of individuals. The key lies in establishing an equilibrium between the respect of personal data and the commercial use of data collection and management. That equilibrium had become impossible to maintain without a new legislative initiative supported by all stakeholders.

It has only been four months since the entry into application of the GDPR, but the first responses from the business community are largely positive. Businesses have made substantial efforts to be compliant and to restore trust with consumers. There are countless examples of businesses asking their customers, with straightforward and clear sign-up forms, whether they can process customers’ personal details, with easy-to-understand explanations as to why the company needs these data.

As European data protection authorities, we have rolled up our sleeves and actively engaged in a dialogue with stakeholders. This has included the adoption of 18 sets of detailed guidelines on all novel aspects of the GDPR, following broad public consultations to which many U.S. companies contributed. This work will continue as new questions will keep emerging.

How do we ensure that the GDPR is enforced? The European supervisory authorities are not the fining machines we’ve been made out to be by some. The 2% or 4% numbers that are often reported are maximum ceilings that will only apply to the most serious infringements. Fines are a last resort, just one of the tools which data protection authorities can use to enforce the GDPR, and only after a thorough investigation of the facts and always on the basis of the specific circumstances of each case. Fines must be effective, proportionate and dissuasive. Supervisory Authority corrective powers also include the issuing of warnings and reprimands, ordering a company to bring processing operations in compliance with the GDPR within a specific time frame, ordering the controller to communicate a data breach to the public, and imposing a ban on processing.

I hope and trust that my testimony on the GDPR and its first effects might contribute to your debate on the need for a US data protection law at federal level. I’m grateful to be here with you today and thank you again for the invitation to share our views. As European data protection authorities, we stand ready to share our experience and further discuss these issues with all interested parties.

Let me conclude with the words of one of the greatest U.S. legal experts and one of the founders of modern privacy law, Louis Brandeis: the “right to be left alone is the most comprehensive of rights and the right most valued by free people”. Ninety years have passed since Justice Brandeis so eloquently captured what privacy is about, but these words have never been truer than they are today in our digital world.