The Privacy Advantage 2016 - Wojciech Wiewiorowski
1. Data Protection and the Digital Single Market
29/4/2016, London
Wojciech Wiewiórowski
European Data Protection Assistant Supervisor
Privacy: the Competitive Advantage
3. EDPS
The EDPS is an independent supervisory
authority devoted to protecting personal
data and privacy and promoting good
practice in the EU institutions and bodies.
A number of specific duties of the EDPS
are laid down in Regulation 45/2001. The
three main fields of work are
• Supervisory tasks
• Consultative tasks: to advise the EU legislator
on proposals for new legislation as well as on
implementing measures. Technical
advances, notably in the IT sector, with an
impact on data protection are monitored.
• Cooperative tasks: involving work in close
collaboration with national data protection
authorities (Article 29 Working Party)
4. The role of the European Data Protection Supervisor
• The European Data Protection Supervisor (EDPS) is the independent
supervisory authority for the processing of personal data by the EU
administration;
• Privacy and data protection are fundamental rights – see Articles 7 and
8 of the Charter of Fundamental Rights;
• Independent supervision is an integral part of the right to data protection –
see Article 16(2) TFEU and 8(3) Charter;
• What we do:
– monitoring and verifying compliance with Regulation (EC) 45/2001,
– giving advice to controllers,
– advising the co-legislators on new legislation,
– cooperating with Member States’ DPAs,
– handling complaints, conducting inspections,
– monitoring technological developments,
– promoting data-protection-aware design and development.
5. Our objectives
I. Data protection goes digital
II. Forging global partnerships
III. Opening a new chapter for EU data
protection
10. Reform of Data Protection Law
in the European Union
COM(2012) 11/4 draft
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL
on the protection of individuals with regard to the processing of
personal data and on the free movement of such data
(General Data Protection Regulation)
11. Reform of Data Protection Law
in the European Union
COM(2012) 10 final
2012/0010 (COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the protection of individuals with regard to the processing of
personal data by competent authorities for the purposes of
prevention, investigation, detection or prosecution of criminal
offences or the execution of criminal penalties,
and the free movement of such data
14. Data Protection
and the Digital Single Market
The GDPR is meant to play a decisive role in fostering digital growth, in
close relationship with the Digital Single Market Strategy.
In the Strategy, the "data economy" is recognized as a crucial element for
enhancing EU competitiveness, and data are explicitly named as a
"catalyst for the economic growth".
While the enormous economic potential of personal data is acknowledged,
the protection of those data has to be guaranteed against unlawful and
imbalanced uses.
The new Regulation is expected to face a big challenge in the scenario
framed by the Strategy, where it will not only provide an enhanced level
of protection of personal data but may also act as a real driver for
innovation, namely by promoting a new form of innovation based on
consumers' trust and privacy.
This would mean indirectly affecting market players' revenue models by
means of specific regulatory tools.
15. Users' empowerment in the GDPR
Empowering and making consumers aware of their choices. To do so, the
GDPR has reinforced the set of data subject's rights, by introducing:
- the right to erasure/to be forgotten (Art. 17), under conditions such as
consent withdrawal (lacking other grounds for processing) or unlawful
processing. This, of course, will imply the obligation for the data controller
to inform the other controllers processing the personal data of the
request to erase them;
- the right to Personal Data Portability (Art. 20), in a structured,
commonly used and machine-readable format, and where technically
feasible, directly from one controller to another;
- the right to object and not to be subjected to automated decisions,
including profiling (Art. 21-22). Even where the decision on profiling is
lawful (as necessary for a contract or based on consent), the controller is
asked "to implement suitable measures to safeguard the data subjects'
rights and freedoms (...)".
16. Companies' compliance requirements
The GDPR has not only provided data subjects with enhanced rights and
freedoms, but has also required companies to specifically introduce
tools to comply and show compliance with the new set of rules:
- a Data Protection Impact Assessment, to be performed whenever the
processing operation is likely to result in a high risk for the rights and
freedoms of individuals (Art. 35);
- the appointment of a Data Protection Officer under the listed three
conditions (public authority/core activity requiring regular and systematic
monitoring of data subjects on a large scale/core activity consisting of
processing on a large scale of special categories of data) (Art. 37);
- Data protection certification mechanisms, seals and marks to
demonstrate compliance with the new rules (Art. 42);
- the implementation of "appropriate technical and organizational
measures, such as pseudonymisation, which are designed to implement data
protection principles, such as data minimization" (Article 25, par. 1).
17. Data Protection as a Regulatory
enabler for promoting
privacy-based solutions
Data protection is not merely to be conceived as a set of rules companies have
to fully comply with in 2 years' time; it is also to be seen as an
incredible commercial tool that companies can use to attract users and
compete with rivals.
This would be made possible by the increasing awareness around
privacy-related issues.
Users are nowadays very much aware of the privacy implications of their
commercial choices: they know they trade their personal data in
exchange for a "free" service. Many just accept privacy policies without
even being aware of their content, but the generation of digital natives
has started to change its approach towards the security and the
confidentiality of its communications and has started to attribute value to them.
Some even agree to pay a "fee" to get a more privacy-friendly
service.
18.
• Privacy-based revenue models are valuable
candidates for representing the more suitable
alternatives to revenue models based
on personal data harvesting and tracking.
• They would indeed simultaneously serve
the purposes of both protection of personal data
and consumer empowerment and protection,
and ultimately ensure a coherent enforcement
of rights in a Digital Single Market based on trust,
letting it flourish.