Speech: Speaking points by Commissioner Jourová on the occasion of the first anniversary of the General Data Protection Regulation (GDPR)
Ladies and Gentlemen,
I am happy to welcome you today here at the House of European History. I would like to thank director Constanze Itzel for hosting us today. She is travelling for work today, so couldn't be with us.
On 25 May, this weekend, the modern data protection law, known as the GDPR, is celebrating its first birthday.
This is a young legislation but given its impact and its relevance, I am sure it adds itself to our joint European history of integration.
One of the main reasons why the EU i adopted the new data protection law is to adapt our data protection rules to the digital reality of today and the future.
Before the GDPR we had a patchwork of national rules, outdated business requirements and ineffective enforcement.
Even as data became oil of 21st century, our rules were stuck in the past.
Today, this has changed. People's privacy is better protected. And a year into new rules is a good occasion to take stock of where we are.
We are starting to see positive trends when it comes to innovation and data security or when it comes to citizens making use of their new rights.
Last year we heard complaints and criticism, today we hear calls around the globe for comprehensive data protection rules similar to the GDPR.
After Cambridge Analytica and other scandals, there is no doubt that strong data protection is a must - not only for individuals, but also for democracy.
When fighting for the GDPR we made a number of promises. Let me refer to four of them.
First -‘one continent - one law'.
While GDPR is directly applicable in all Member States, national legislation is needed in some areas. Most of the governments have already done the hard job, but I would like to urge three remaining Member States to adopt their national data protection legislation as soon as possible (Greece, Portugal and Slovenia).
Also, we are currently reviewing how the Member States are implementing GDPR. We need to avoid fragmentation, especially through additional conditions for data processing or the so-called gold plating.
And if needed, we will not hesitate to make use of the tools at our disposal to prevent this.
We also promised citizens more control over their data. To give them more power to deal with companies that mishandle their data.
To do that, we're working hard on raising people's awareness of their rights.
The results of the new Eurobarometer survey show that more than two-thirds of citizens today have heard of the GDPR!
What is more, nearly six in ten people know that there is a data protection authority in their country. This is a significant increase from four in ten people back in 2015.
This is an encouraging sign. More individuals are aware of the importance of data protection are exercising these rights.
At the same time, NGOs have started to make use of the possibility to bring representative actions before data protection authorities and courts.
The third promise we made was to make it easier for business to comply and support privacy friendly innovation.
After considerable adjustments to new rules and despite early forecasts of doom, many companies now report hey are reaping benefits from their privacy investments.
These benefits include increased security of personal data, mitigating losses from breaches and more innovation. The GDPR is also rewarding new ideas, methods and technologies to address privacy and data security.
Many companies say now that privacy is increasingly becoming a competitive advantage in their markets.
From the French Quant to Czech Seznam, a lot of European companies see the focus on privacy as an opportunity.
The forth promise we made is for strong and uniform enforcement of the rules. The GDPR gave strong powers to EU data protection authorities to tackle violations of the new rules. One year on, the newly established European Data Protection Board has registered almost 450 cross-border cases around Europe and is working well together to solve them. The fears that they will become sanctioning machines have not materialised. On the contrary, they see themselves as partners for dialogue with business and other stakeholders.
More so, on the international front, I see the increasing global convergence. This offers new opportunities to facilitate data flows, while improving the level of protection of the data of our citizens when transferred abroad.
It's a win-win situation for Europe and its international partners.
As shown by the recent EU-Japan mutual adequacy arrangement, convergence in privacy pays off: what we have created with Japan is the world's largest area of free and safe data flows.
We are currently working on similar arrangements with several other countries, from Latin America to Asia.
At multilateral level, we support initiatives aiming at creating "data bridges" between different systems sharing a similar approach to data protection, based on strong laws and robust enforcement. I think in particular of the "Data Free Flow with Trust" initiative launched by Japan's Prime Minister Shinzō Abe.
I plan to be busy with the GDPR until the very last day of my mandate. I have four main priorities.
One, I will watch for uniform application and implementation of the rules in Member States - we have to ensure that our promise of one continent; one law will be fulfilled.
I will continue supporting efficient and pragmatic enforcement by the European Data Protection Board. For that we need to create the European culture of privacy among data protection authorities. In the first year the Board made progress, but I want to continue to play a part in this process.
Third - I want to help businesses, especially smaller firms, to comply, mainly by promoting the innovative tools of the GDPR such as standard contractual clauses, certification or code of conducts.
This will make it easier for them to share data whenthey contract processing services, within the EU orabroad.
In sum, I feel the mood around GDPR has shifted. GDPR is now seen globally as our fundament on which we can build our European responses to Artificial Intelligence, machine learning, social media or election integrity.
We will take stock of one year of application of the GDPR in an event in June, where I will be releasing the full Eurobarometer results about what citizens feel about the GDPR. We will report how the new rules have been applied on the ground, next year, in 2020.
We have a strong plan on data protection and we know what to do next.