Keynote Speech by Vice-President Jourová on ‘Data Privacy post-Covid-19' at Euroactive's Virtual Conference on Data Privacy - Main contents
Thank you for organising this event and for putting together such interesting group of speakers.
The conversation about data protection and privacy is a global conversation and I am very happy about it.
Data protection and privacy, just like all fundamental rights, are even more important in the context of the pandemic and the increased digitalisation of our lives. To me it is clear that to preserve rights, especially in a digital reality, we need comprehensive rules that confer enforceable rights to individuals. A modern approach to regulation with a core set of individual rights are key to the response to the global challenges we face today. This stretches all the way from election campaigning, through AI, Internet of things to the COVID-19 pandemic.
GDPR in the COVID-19 context
One of the things the COVID-19 pandemic made us realise, probably more than ever before, is how privacy is fundamental in preserving our freedom even in difficult times.
To fight the virus or help the recovery of our economies, innovative digital solutions can really make a difference.
If we want these solutions to be reliable and effective, citizens need to trust them. Robust data protection safeguards are a key component of that trust.
Contrary to what we sometimes hear, we do not have to choose between, on the one hand, the protection of personal data, and, on the other hand, public health, security, or economic well-being. Rather than involving such false trade-offs, privacy is a prerequisite for allowing citizens to embrace innovative solutions without fear.
And we have experienced that “on the ground” in the last year: as we concluded in the GDPR evaluation report, published in June 2020, our data protection rules provide for a flexible legal framework, which is fit for purpose also in times of the COVID-19 pandemic.
In particular, the Commission put forward common standards of privacy safeguards for apps supporting the fight against COVID-19. This helped develop voluntary and secure contact tracing and warning apps that respect people's privacy and are interoperable so that these apps work seamlessly everywhere in the EU, across borders and across operating systems.
Embedding privacy protections in the fight against COVID-19 is also part of our current work in developing a EU-wide “digital green certificate”. This certificate will include basic data such as the result of the test or information about vaccine to help retain free movement of people across Europe.
And, above all, this is about preserving who we are. Our values and rights should not be a collateral damage of COVID-19.
So let me be clear about one thing: data protection and privacy is part of the solution. It is a solution today, in response to the pandemic, but also more generally, as technology continues to transform our lives in ways previously unknown to us.
This is also why I am very pleased to have a glimpse of the results of the 2021 Data Privacy Study ‘Forged by the Pandemic: The Age of Privacy' that is presented today. I see that organisations that invest in privacy and ‘get privacy right', actually profit from this. Indeed, they appear to have a return on investment in several areas: from reducing sales delays and enabling innovation, to achieving greater operational efficiency, and building loyalty and trust with their customers.
The other side of the coin is that customers shun organisations that are not transparent about their data practices and protection.
It is also encouraging that the study shows that the commitment to privacy has strengthened during the pandemic. I am happy that customers and businesses acknowledge that setting a consistent set of rules for data protection can boost users' confidence.
I have always believed that we need to create a “virtuous circle” between robust privacy rights, enhanced consumer's confidence and contribution to sustainable economic development, online and offline.
International data flows
The pandemic also showed how data flows are essential to so many aspects of our life: trade, continuity of business, governmental, education or cultural activities, but also simply social interactions.
The question is how to effectively protect individual rights like privacy in our borderless, interconnected digital world where transferring data takes a click or two. And how to do it in respect of our EU data protection standards.
This question has become even more relevant after the Schrems II ruling. The Court required effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law.
Our answer in the EU, since the first piece of European legislation in 1995, is not to erect barriers, but to create bridges. To be open and allow data to flow provided that there is continuity of protection. Promoting strong privacy standards and data flows - and thus trade - can and should be complementary objectives.
The way I see it, we are facing similar global challenges and I am glad to see an increasing number of countries are converging towards putting in place modern data protection regimes.
This is a truly global trend running, from Brazil to Japan, from California to Korea, or from Kenya to India.
In a world that is often fragmented, this increasing convergence offers new opportunities to harness the digital economy. The recent statement of the G7 Leaders of 19 February 2021 on the economic recovery from COVID-19 referred to facilitating data free flows with trust.
I believe there is a now a momentum to work amongst like-minded partners and to reap the tangible benefits of this convergence. This is why the EU continues to roll-out an ambitious agenda on international data flows.
In January 2019, with their mutual adequacy decisions, the EU and Japan created the world's largest area of safe data flows. We are currently also about to conclude negotiations of a similar deal with South Korea. We have also started discussing with other Asian and Latin American countries.
Closer to us, as you probably know, on 19 February 2021, the Commission launched the adoption process for two adequacy decisions for transfers of personal data to the UK.
This is an important component of our new relationship with the UK. Our plan is to adopt these adequacy decisions in the coming months, after having received an opinion of the European Data Protection Board and a vote from Member States' representatives in the framework of so-called “comitology procedure”. In the meantime, data can flow between the EU and the UK through a so-called “bridging clause” provided by the Trade and Cooperation Agreement.
Another priority is to develop a successor arrangement to the Privacy Shield, after its invalidation by the Court of Justice in the Schrems II judgement. And this time, we need to get it right.
We understand and welcome that there is a similar willingness on the US side. Our teams have been in contact over the past months at technical level and we are ready to build on this exploratory work and intensify our talks.
I am delighted to see Mr Christopher Hoff, who heads these talks on the US side, participating in today's event. He will probably share with us his take on the upcoming negotiations.
But I'm sure that we can all agree that the only way to ensure stability of data flows and deliver the legal certainty that stakeholders need is to develop a new instrument that is fully compliant with the standards set out by the case law of the European Court of Justice, including in its Schrems II judgment.
Finding a legally solid and sustainable arrangement is in our mutual interest.
We understand that these are complex and sensitive issues that relate to the delicate but crucial balance between national security and privacy.
At the same time, I believe that, as like-minded partners, we should be able to find appropriate solutions as we have to address principles that are cherished on both sides of the Atlantic: access to court, enforceable individual rights and limitations against disproportionate interferences with privacy. It should be possible for the US to develop solutions on these issues with a close partner such as the EU.
To me, these discussions go beyond data protection. As democracies, we cherish very similar values and we need to use them as our compass in many of today's discussion, be it 5G, AI or even our approach to social media.
Now, with the Biden administration, we feel in Europe that the United States as we know it is back.
I actually believe that this provides an opportunity for the EU and the US to develop a framework that builds on shared values of human dignity, democratic principles and the rule of law. I dare to say that democracy without strong privacy and data protection will expose itself to many risks stemming from the digital world.
I can only hope that the US administration will see it in similar way and that we will be able to work together at bilateral and multilateral level.
I'm thinking for instance of the very promising ongoing work on developing common standards to facilitate data flows for access to data by public authorities.
I cannot agree more with what State Secretary Blinken said a few days ago, in his first major foreign policy speech. He said: “we know that new technologies aren't automatically beneficial. And those who use them don't always have good intentions. We need to make sure technologies protect your privacy, make the world safer and healthier, and make democracies more resilient. And [w]e're going to bring our friends and partners together to shape behaviour around emerging technologies and establish guardrails against misuse”.
I can assure Secretary Blinken that we in the EU are certainly ready to work with the US on these issues.
In Europe, we are proud of making our approach to digital transition based strongly on values and innovation. This is the only way to reap the economic benefits, while at the same time, provide security for people and create conditions for them to develop trust to this innovation.
Thank you very much.