Remarks by Vice-President Vĕra Jourová at the 10th Annual European Data Protection & Privacy Conference

Met dank overgenomen van Europese Commissie (EC) i, gepubliceerd op dinsdag 8 december 2020.

I am pleased that we can finally meet, although online. Every year, I am looking forward to the European Data Protection and Privacy Conference and I am glad that even the pandemic didn't stop the organisers and particpants for discussing the most relevant issues for data protection.

I would like to discuss with you two issues: first, it is the data protection itself and where we are with the GDPR. Two, I would like to touch upon other issues, where data protection is important element of our policy response.

GDPR is ‘crisis-proof'

First of all, I was pleased to see that the GDPR, which we created defying so many difficulties has proven to be “crisis-proof”: it was not an obstacle to the processing of personal data, even health data, if they are necessary to fight the COVID-19 pandemic. Of course, the necessary conditions and appropriate safeguards need to be in place. This is exactly how what we meant with the GDPR. You can use our data, but do it right.

Data and technology have helped us in the fight against the pandemic, in the gradual lifting of the restrictions, and in keeping our borders open.

We recognise that technology can benefit us and help us to combat the virus. This is the reason why, in our April guidance, we supported the development of so-called contact tracing apps. These apps alert people who have been in close proximity to an infected person for a certain duration, so that they can take necessary actions to protect themselves and the people around them. In this way, the infection transmission can be rapidly interrupted.

Of course, we stressed that these apps have to be voluntary, secure, interoperable and respect people's privacy. The identity of the COVID infected person will always remain anonymous.

Furthermore, the apps should function everywhere in the EU, across borders and across operating systems. This is why, together with the Member States, we took a common approach for efficient contact tracing and warning apps. Users installing one app and travelling to another participating European country can benefit from contact tracing and receiving alerts.

GDPR is a milestone and a big success - but implementation work is ongoing

Earlier this year we have prepared a report assessing the GDPR. We have noted that over all, GDPR has been a success-story.

But we should remain humble because it is also work in progress: we need to continue working together - with the European Data Protection Board and the European Data Protection Supervisor - to further fine-tune concepts and approaches, to make them more pragmatic and understandable.

European citizens were empowered to use their rights and take control of their data. At the same time, European companies could compete and innovate benefitting from a level playing field. Even the former critics of the GDPR are now acknowledging its value.

Now we are entering the next phase, where strong data protection guarantees will increasingly be a competitive advantage.

But we also need to improve certain aspects, in particular regarding enforcement: this needs to be timely and effective. I am confident that the Data Protection Authorities will make full use of their corrective powers to enforce these rules. Member States need to provide them with adequate resources that reflect their multiple tasks.

Also, the GDPR needs to be interpreted in the same way across the EU. Cooperation in cross-border cases and within the European Data Protection Board will be vital to achieve this. Only this way will we achieve a truly common European data protection culture across our Union.

I hear, over and again, that especially smaller firms (SMEs) struggle with the implementation of the GDPR. I would like to call upon Data Protection Authorities to develop practical tools and support them. I would like to address them and say that they can benefit from financial support through grants, aimed at supporting these efforts.

Effective implementation and enforcement are necessary to acquire people's trust that their data will be handled properly. This trust is crucial for businesses seeking new opportunities in the digital economy.

GDPR in the heart of the digital transition: the Digital Services Act

The GDPR rules and principles will be embedded in all our proposals that touch upon emerging technologies: regulation on Artificial Intelligence, blockchain, Internet of Things and facial recognition will be compliant with our data protection rules.

A human-centric data-driven economy means that data protection goes hand in hand with innovation.

Our strong data protection rules have become foundation on which we are shaping our European response to digital transition. They are an important element of our digital soul.

Let me take the example of the Digital Services Act (DSA). This Act will clarify the responsibilities of actors in the digital economy, who will have due diligence obligations.

We will expect providers of digital services to act responsibly to protect users from illegal content. Providers will also have to be transparent when moderating content and using algorithms and content recommender systems.

In designing the DSA rules and procedures, the GDPR has been a source of inspiration and good practices.

To ensure appropriate enforcement, the DSA will build on the basis created by the GDPR and reinforce the cooperation among competent authorities as well as coordination at the EU level.

Regarding issues related to data, the DSA will increase the obligations of platforms to comply with information requests submitted by supervisory authorities. The DSA may enable researchers to access data from platforms, but under certain strict conditions and with the objective of verifying compliance with the new rules. These provisions will be fully aligned with the GDPR.

This is an example of how with other pieces of legislation we further clarify and enable some provisions of the GDPR.

GDPR in the heart of the digital transition: Artificial Intelligence

I would also like to refer to the work on AI, this technology that can help us in so many important areas (e.g. education matching individual children's needs; new diagnosis, treatment and prevention of COVID-19 by results' analysis of chest imaging etc.).

We are conscious of the fact that data-driven AI systems can be biased and that automated decision-making systems can be flawed or inaccurate. We should not let them violate other rights and e.g. allow discrimination. We should not let AI replace human decision-making, especially in sensitive areas. We will also not let it be used for surveillance purposes infringing individuals' rights.

We will be looking at transparency and traceability of AI systems work. We will put forward a proportionate and risk-based legal framework for AI.

Our European values and respect for individual's fundamental rights, such as data protection, will be embedded in this proposal - for the sake of individuals but also to stimulate innovation and Europe's competitiveness.

GDPR and the European Democracy Action Plan (EDAP)

We have spoken about GDPR and economy, especially digital economy, but my recent work on the European Democracy Action Plan was a reminder that GDPR is also relevant for democracy, especially when it comes to political campaigning.

We all know that digital advertising, also in political context, is based on amassing huge amount of personal data, on profiling and on micro-targeting, often underpinned by AI. I strongly believe that the methods of selling products should not be the same when it comes to promoting political ideas.

We have made it clear already in 2018 that political parties and other actors involved in elections need to respect GDPR that provides special protection for political views and imposes limitations for micro-targeting and other automated decision-making practices.

I have a strong suspicion that we will see still lack of compliance in this field. I want to therefore call again on EDPB and data protection authorities to be particularly vigilant and act forcefully when it comes to data processing for political purposes.

But even outside the electoral context we are facing crucial challenges for our democracies: I am thinking of disinformation and foreign interference that attempt to manipulate people at an unprecedented scale, using social media as a tool.

This is why we announced working on a new legislative proposals to ensure greater transparency of paid political advertising.

This is why we will overhaul the code of practice on disinformation to strengthen it and close the existing gaps, especially in a way the online platforms address this problem.

Civil society and researchers are also calling for greater transparency from the online platforms and as relevant better access to data, particularly from Facebook.

Here again, I am happy to see that the GDPR does not- prohibit that platforms share data with the researchers to unveil patterns of disinformation. The GDPR is not a valid excuse for platforms not to share data.

Conclusions

Ladies and gentlemen,

This is my sixth year when I work on the data protection issues. We have had many ups and also some spectacular downs.

But I must say I am really happy to see how the debate is evolving in Europe, but also globally.

Strong data protection rules are finally seen as necessity, not a luxury.

Strong data protection rules are becoming an important element of other policy areas, especially those in the digital sphere.

Strong data protection rules are not only competitive differentiator, but a great example of how translate our values in legislative terms.

Now, as we are shaping our response to other aspects of the online world, GDPR serves as important inspiration. The lessons we learnt from it are increasing relevant.

I am very proud I had a chance to participate in this pioneering work with many people around our virtual table.

I am confident that the GDPR will help us, as an instrument, in all the challenges that we will be facing in the new, digital decade: it is a fundamental value that will guide us through the digital transition.