Speech by European Commission Věra Jourová at the 9th Annual European Data Protection and Privacy Conference: What next for European and global data privacy?

Ladies and gentlemen,

It is already a ninth time that you organise this conference series dedicated to privacy. It would fair to say that you started to debate on this issue before it became popular and you deserve a big thank you for that.

I always say that data protection rules, GDPR or others, can only truly succeed if the conversation about them goes beyond the experts debate and I want to thank you for contributing to this.

Earlier this week, we had one anniversary of the event that made a difference in a global debate about privacy. On 18 of March 2018 the world has learnt the name of Mister Wylie and a dreadful story behind the Facebook / Cambridge Analytica scandal.

I happened to be in the US when this scandal occurred so I can tell you it generated a big shockwave that also reached Europe's shores. It was a stark remind for us, and a realisation for many others, that strong data protection rules in today's digital reality are not a luxury. They are a necessity.

I think this was an important moment in our debate about Europe's rules, too, because before that we witnessed a lot criticism, especially from the US. I heard that we were protectionist, that this is a legislation against US tech companies, I heard that the SMEs will pay the price and many other ‘doom and gloom' scenarios.

Today, almost ten months after the GDPR began to apply, we can already safely say that none of this really happened.

Now everyone's focus is on how to apply the new rules, on experience with compliance, and on the first enforcement cases.

Global convergence

The Cambridge Analytica case globalised the discussion about challenges to privacy in the digital world and proved to everyone that data protection is not just so called European obsession.

Europe and other countries around the world are facing similar challenges and we want to seize upon the same opportunities of the digital economy.

Therefore, it should not come as a surprise that more and more countries are adopting a common approach - from Chile to Japan, from Brazil to India, from Argentina to Indonesia, and from Tunisia to Kenya.

Countries all over the world are applying rules with very similar features: an overarching privacy law, with a core set of safeguards and rights, and enforced by an independent supervisory authority.

These developments show that more and more countries are recognising the importance of protecting privacy, for individuals, and for society as a whole.

I strongly believe that this type of convergence, based on strong laws and robust enforcement, can ensure the sustainability of our increasingly data-driven economy.

And the more countries have similar rules the easier it is to ensure free data flows and trade. In other words, convergence in privacy pays off!

We just put in place such an arrangement between the EU and Japan, creating the world's largest area of free and safe data flows. It clearly shows how strong data protection standards and trade can go hand in hand.

And of course, this is not the end, but merely the beginning of our cooperation - with Japan and with other countries. The Japanese adequacy findings set an example for future partnerships, eventually creating a network of adequacy findings where data can flow freely.

And with Japan, I look forward to intensify our cooperation and work together to promote strong data protection standards with other partners. In this regard, we are following with great interest the "Data Free Flow with Trust" initiative launched by Prime Minister Shinzō Abe.

So, basically today I see two camps, globally. A citizens-friendly camp that understands and appreciates that people should have more control and more freedom, even in the online environment. It is a liberal camp that shares the view that even the governments, or, especially the governments, have to respect limitations and safeguards when it comes to data processing of their citizens.

And there is the other camp that has more hands-off approach to privacy, prioritizes uninhibited access to data in the name of innovation or business interest.

I would like to use the momentum we have now to build a global coalition and promote free trade based on respect of strong privacy rules.

I also believe that our data protection rules could be helpful in creating a European model in many other areas.

There are discussions going on across Europe, but also in many other places, about Artificial Intelligence, 5G or responsibility for online content.

Our European model should put privacy at the core of all these discussions, together with other fundamental freedoms, core values, and our liberal mind-set.

In a few weeks' time, I will go to the US to also bring this message to my partners and colleagues ‘across the Atlantic'. Our cooperation on privacy with the US is going quite well and their commitment to the Privacy Shield is valuable, but I would really want the US to fully join our camp and work with us together on setting the global standards. It's time to see privacy as a part of the answers to many burning questions we are facing today, rather than as a problem.

First lessons 10 months after the application of the GDPR

Ladies and gentlemen,

Allow me to turn your attention now to the GDPR.

After the first ten months since it began to apply, we can already draw on some lessons.

For companies, compliance with the GDPR has proven to be an opportunity to put their data house in order by taking a closer look at what data they are collecting, what they use it for, how they keep and share it, and, whether they really need to collect and process all this data.

Answering these questions has often allowed business to reduce exposure to unnecessary risks. But it also allows them to get a better idea of what data they hold and to develop a more trustworthy relationship with their customer and commercial partners.

I hear from companies that they see other benefits from their privacy investments too, such as greater innovation, competitive advantages and lower costs relating to breaches.

We sometimes hear from SMEs that they have struggled on occasions to comply with the new rules. I believe this is, at least sometimes, the result of misunderstandings as to the actual scope of requirements.

The GDPR's risk-based approach means that SMEs that don't process huge amount of data will only have to deal with a rather limited set of obligations, many of which have existed for more than two decades.

Nevertheless, helping SMEs is my key priority. I used to have a small business myself, and I fully understand the troubles that different regulations can cause.

That's why we issued in January 2018 an online toolkit on the GDPR, with sixty questions and answers as well as many dedicated brochures.

SMEs also need simple tools to help them to comply. The Commission has therefore been allocating several sets of grants to support awareness-raising actions by Data Protection Authorities, in particular among SMEs.

These actions, which are ongoing, include the setting up of hotlines and the drafting of practical compliance tools.

Citizens also started to understand that they have new rights. They have started to ask questions and NGOs active in the field of data protection have also started to make use of the possibility to bring representative actions before data protection authorities and courts.

And, finally, our data protection authorities. I believe it is now clear to everyone that, contrary to some alarmist predictions, they did not become fining machines in the night between the 24th and 25th May 2018!

Firstly, fines are only one of the tools DPAs can use to enforce the GDPR. And when they use it, it is only after a thorough investigation of the facts of the case and always on the basis of the specific circumstances of each case.

Ladies and gentlemen,

What we have seen in these first months is that compliance is a dynamic process characterised by close dialogue between regulators and stakeholders.

This dialogue must continue, as new questions will keep emerging. And I want to praise Data Protection Authorities for actively and openly engaging with stakeholders.

We, the European Commission, will continue to contribute actively to the work of the European Data Protection Board, whose guidelines are of key importance to help stakeholders implement the GDPR. It is vital for the data protection authorities to forge a common EU approach.

To conclude, I would like to stress that the GPDR is not only a set of obligations. It is an opportunity for business and individuals to build trust, and this is not only a view from Brussels.

For example, according to a recent survey by Deloitte, more than half of the respondent organisations found that improving consumer trust was a highly important driver for complying with the GDPR. And another study by Cisco showed that - for businesses - gaining this trust translates into clear competitive advantages.

The GDPR is based on a modern approach to regulation that empowers users and rewards new ideas, methods and technologies to address privacy and data security.

The Commission will take stock of how it has gone, one year on from the application of the GDPR, in an event due to take place in June.

And, as foreseen by the GDPR, the Commission will report on the application of the new rules in 2020.

Thank you for your attention.

SPEECH/19/1776