Data protection and consumers' rights (debate)
The next item is the Commission statement on data protection and consumers' rights.
Vice-President of the Commission. - Mr President, I should like to begin by pointing out that Directive 95/46/EC (the 'Data Protection Directive') applies to data controllers established in the Community. It also applies to controllers not established on the territory of a Member State when such a controller uses equipment situated on the territory of a Member State, unless such equipment is used only for purposes of transit through the territory of the Community.
The Directive ensures rights to all individuals, whatever their nationality or place of residence and regardless of whether they act as consumers or not. It lays down substantive provisions imposing obligations on data controllers and recognising the rights of individuals. It also prescribes sanctions and appropriate remedies in the event of breaches and establishes enforcement mechanisms to make them effective.
We follow closely developments in technology and associated challenges, in particular those relating to the protection of privacy and personal data. As far as transatlantic cooperation is concerned, we maintain regular contact with the United States authorities responsible for monitoring safe harbour - the Department of Commerce and the Federal Trade Commission - in the context of which questions relating to the protection of personal data are addressed. Issues posed by new technologies and their worldwide deployment are also examined.
In this particular case, which is the merger of Google and DoubleClick, the case is still being analysed by the Commission in order to decide whether the envisaged merger is in line with Regulation 139/2004/EC (the 'Merger Regulation'). We will adopt a decision soon. However, it can be said that the Commission has carried out an extensive analysis of the economic aspects raised by the proposed merger in order to determine whether it is compatible with common market rules.
Companies are required to comply with national data protection laws implementing the Data Protection Directive, and national data protection authorities are the bodies responsible for enforcing compliance by those entities which process personal data within their territory.
A merger between different entities does not exonerate the parties to the merger from their obligations under national data protection principles. Indeed, any decision the Commission may take to approve a merger is without prejudice to the obligations imposed on the parties by Community legislation on the protection of privacy with regard to the processing of personal data.
Irrespective of the approval of the merger, the new entity, in its day-to-day business, will have to respect the fundamental rights recognised by all relevant instruments, including, but not limited to, privacy and data protection. National data protection authorities are therefore charged with the task of ensuring this compliance and, if necessary, taking appropriate measures to enforce compliance.
on behalf of the PPE-DE Group. - (DE) Mr President, Mr Vice-President of the Commission, ladies and gentlemen, the Internet is a great boon. None of us can imagine working without this new technology today. It also permits exchanges of data on a staggering scale. Nothing, however, is perfect, and the imperfections become clear when billions of file records are stored over long periods of time.
On the case under examination, Commissioner Frattini made it clear that the legal framework of the European Union had to be activated to examine the merger of Google and DoubleClick. We shall await the findings of that examination and then draw our political conclusions.
This does, however, beg the basic question as to how we deal with data protection on the Internet, because user companies, large or small, are not indifferent to the way in which their data are protected. There are no easy answers, because at the heart of this issue is the unanswered question whether an Internet Protocol address constitutes personal information. In the case of providers that allocate static addresses it does, but with a multitude of other providers the IP address does not automatically reveal the user's identity. In such cases, we believe there is actually a net loss of data protection, because collected data can even be disclosed to third parties.
Whether legal rules are needed must always be judged in the light of necessity and proportionality. Users, of course, obtain a host of benefits by publishing their data. The crucial point is that they take a conscious decision to pass on their data and that they can determine how the said data may be used. This means that users must have information rights, that is to say the right to be told what data pertaining to them are stored, and there must therefore be clear rules governing the transfer and sale of data to third parties.
For this reason, we should begin with voluntary commitments, ideally adopting a transatlantic approach - because we simply cannot regulate the Internet in the absence of common global initiatives - and if the voluntary commitments prove inadequate, we shall then have to discuss legal measures too.
on behalf of the PSE Group. - (EL) Mr President, when ordinary users go online, they are unaware that their most sensitive personal data, such as their political and philosophical beliefs, finances, purchases, travel and interests generally, are recorded while they perform simple searches, make purchases or take part in discussions. Indeed, private companies collecting such data are often not even European. Today neither European laws nor international agreements prevent large private companies from using our personal data. I would go so far as to say that nothing prevents third-country security authorities from accessing such data. Why does Europe have the responsibility and potential to become involved in this? Because, as Mr Frattini rightly said, the Data Protection Directive applies to electronic and Internet service providers within and outside Europe. Our personal data does not lose its importance and interest simply because a company is outside Europe.
I have three specific proposals, Mr President:
Firstly, private citizens themselves really must be called on to give their express consent to any collection, let alone use, of their personal data as, in any case, the directive I have mentioned stipulates. This must be posted not in small print, but clearly and explicitly. At present, even those citizens wishing to delete their data or prevent it from being shared with third parties are usually unable to navigate their way around confusing web pages. Sites are designed to be complicated, so that companies using special tools and software can later discover the users' interests and sell them products, or so that the security authorities can subsequently locate users for other reasons.
Secondly - and I am glad Mr Frattini has said this - the European Commission really must understand that the mergers of those companies are important in terms not only of financial analyses, but also of citizens' personal data, which is probably being abused by others, or could be in future. We are not merely a community of money and markets; we are, first and foremost, one of values.
Thirdly, Mr President, allow me to conclude: today's discussion opens up a very broad topic the surface of which we have barely scratched, although it concerns a worldwide problem. An international Charter of Fundamental Rights for Internet users is needed. Nothing of the sort exists at present. In this day and age, however, Big Brother will not appear, Mr President, because some dictatorship puts him there. Big Brother will do so because our whole lives are now recorded in the form of electronic traces on the Internet. If all of us together cannot find some basic principles to protect us, we shall wake up tomorrow to a very different and, I believe, far nastier world, however user-friendly, enjoyable and magical everything may seem to us today.
on behalf of the ALDE Group. - (NL) I would have liked really to see Mr Frattini's colleague Mrs Neelie Kroes sitting alongside him today, because I think the strict differentiation between market rules and privacy rules is outdated. We know that the merger between Google and DoubleClick is going to happen and of course the European Parliament does not want to meddle in the details of that merger, but we do want to know what guarantees of privacy will be given. Personal data have become big business. Information on clients, users and their habits and preferences gives companies an invaluable competitive edge. So the protection of personal data should no longer be viewed in isolation from competition policy.
The Commission has opted for a very traditional approach to competition which is no longer adequate to deal with 21st-century behavioural advertising. Competition must include privacy and consumer safeguards if mergers are going to result in mega-concerns that hold a lot of information on their users, as is the case with Google/DoubleClick, for example, or would potentially be the case following a tie-up between Microsoft and Yahoo, Yahoo and Rupert Murdoch, or Reed Elsevier and ChoicePoint, etc.
Personal data can be misused to exclude newcomers from the market and the point is that in a healthily competitive situation the consumer can insist on privacy, companies can be disciplined by consumers, as happened with Facebook, for example. And we have rules for media concentrations too. So why do we not include privacy protection in competition policy? IP addresses can be regarded as personal data. And that has potentially far-reaching implications for the industry, but for the user too. So European, but above all international, standards are urgently needed for this sector. The European Union must give a lead here and work on this whole issue with America, in consultation with the industry. I thus suggest that this be placed on the agenda for the Transatlantic Economic Council.
Lastly, it is in the interest of businesses too that people should feel confident that their privacy is properly safeguarded. Just now I mentioned the case of Facebook, where consumers used their muscle to make Facebook more careful about privacy. So I would urge the European Commission to take a different approach which combines competition policy, consumer protection and the protection of personal data or privacy into a single whole.
on behalf of the Verts/ALE Group. - (ES) Mr President, we are concerned about a merger which is not really a merger: it is the union of two complementary undertakings. One undertaking, Google, which has a myriad of data, more data than anyone in the world, and another undertaking, DoubleClick, which has the capacity to process those data on consumer habits, manipulate and channel them.
This matter should be of concern to the European Commission because it is a dangerous marriage for the citizens of Europe, and for the privacy of our daily habits. The structure of the merger may endanger that privacy, yet the national authorities do not have the capacity to know how those data are being manipulated, and neither will consumers know where their data are going or how they are being used by third parties.
(SV) Mr President, the consumer is defenceless on the Internet. If you want to use popular services, you cannot select the option 'do not collect data on me'. Nor can you find out what happens to your data. You do a search, you buy something. If one and the same company is able to combine all that information, it can gain an enormous marketing advantage and amass a wealth of information on all those who use the Internet. The same applies if you want to download a film legally on the Internet. Then you have to use the software of a single company, i.e. Windows.
We cannot protect ourselves against these large companies unless our legislators help us. How flimsy data protection can be becomes apparent when, for example, the fight against copyright infringements is also factored in. A file sharer gets his computer searched and all his private information perused. This information is then sent to media companies in order to establish what was copyright-protected and what was not. When media companies have access to police investigation material, how can you protect consumers? It is time data protection was given a powerful boost.
(DE) Mr President, I must admit that I like this 'catch the eye' arrangement, particularly the part before the countdown starts.
We undoubtedly have much to discuss in the realm of data protection. Some members from the Greens Group addressed the subject of data pertaining to private businesses and individuals. Mergers like the one between Google and DoubleClick certainly do raise some questions. Nevertheless, care should be taken not to confuse one thing with another. However many frogs croak, the result will only ever be a croaking sound. What I mean is that we should not forget the need to understand the underlying technical processes too.
We - and my political group is certainly no exception - often take a particularly close interest in matters relating to the Internet and, of course, data privacy and frequently respond to them in a highly emotional way. If I am to grasp how the Internet and data capture work, however, I must first understand the underlying technology.
In this respect, I believe there is much to be said for Mr Weber's approach of ascertaining first of all the extent to which IP addresses might constitute personal data within the meaning of Directive 2002/58 on privacy and electronic communications, for in some cases the IP address in conjunction with user data certainly can be the key to the collection of personal information. On the other hand, given the state of technological development today, when fridges, for example, can automatically retrieve recipes from the Internet, the question whether the IP address of my fridge truly constitutes personal data is obsolete.
(DE) Mr President, as the previous speaker rightly mentioned, the technical background to these rules has to be examined. We have a case here that is somewhat awkward in that it does not fall entirely under the heading of competition law, and yet it involves overstepping a critical mass, which poses serious problems.
At the end of the day, it will be more than difficult for national data-protection authorities and data-protection legislation to deal with any infringements arising from this merger, because the data passed on to DoubleClick will be further processed in a completely different way. We have a technical difficulty here that we must resolve. I believe that the accumulation of so much potential in the hands of one group is extremely bad for the market, because it excludes new competitors.
Vice-President of the Commission. - (IT) Mr President, ladies and gentlemen, I also believe that the concerns expressed by many speakers are concerns that we all share, in the sense that we do not as yet have a satisfactory system for protecting personal data as far as the new technologies and the Internet are concerned.
The same attention, possibly even more, has to be paid to protecting personal data during a counter-terrorism investigation as it does when my personal data are revealed not to a court, but to a private industrial group.
These are therefore serious concerns and, obviously, although relatively new, the idea that Mr Lambrinidis has put forward of a sort of world data protection map is completely in line with the global nature of the Internet.
As you know, and as I have just pointed out in my introduction, the existing rules are applied with reference to the territory in which a particular provider is established, but this geographical limit is not really in keeping with the Internet. That is therefore the direction in which I believe our work should be moving, and I also believe that it is important to find a link between competition aspects and aspects of policy to protect consumers, including their personal data.
This is something about which we are only beginning to talk and, as you know, the Commission is following developments in many spheres of data protection that are not covered by European legislation. These include initiatives by the Council of Europe, the United Nations and the International Conference on Data Protection.
Nevertheless, there is a risk that we have to keep in mind. Let me put the following question: might a world data protection map not weaken protection as it would have to cover an extraordinarily large number of people? If anything, that makes it clear that we have to consider our European legislation as an example - if I may be so bold - to be exported and not accept weaker data protection rules solely because those rules are to be applied in a much broader geographical context.
In conclusion, I can tell you that in order to set practical work in motion, the so-called 'Article 29 Working Party', of which all those involved in this work are aware, and which is a Working Party responsible for coordinating data protection measures, is preparing a reasoned opinion on data protection in relation to search engines and service providers.
In other words, we are tackling this aspect, and a questionnaire that will provide a starting point for this reasoned opinion has been sent out; the questionnaire covers data protection policies and has been sent to a very large number of senior figures, search engine managers and service providers. My view is that the responses gathered and the opinion which, I am sure, will be published as swiftly as possible, hopefully before the summer recess, could perhaps for the first time provide a coordinated answer as to the problems involved and the directions that work should take.
The debate is closed.
Written statements (Rule 142)
in writing. - (RO) Nowadays more and more European citizens use Information Society services, be it financial services, intelligent transport systems, taxation systems for road infrastructure usage, computerised systems for healthcare, the Internet, surveillance and monitoring cameras, or use of biometric data. The security and safety of such services is vital for user confidence.
The security of electronic networks and computerised systems along with technologies for enhancing personal data protection are the main concern of the Strategy for a Safe Information Society, adopted by the Commission in 2006. In a Communication dated May 2007 the Commission presented the potential risks related to the use of information technology, such as identity theft, surveillance or even fraud.
In order to achieve a safer Information Society the specific products and services should include mechanisms for data protection even from the design stage. Likewise, it is necessary that the processes and principles applicable to providing security in the Information Society be defined and accessible to all those involved in the design, operation and use of computerised systems. I ask the Commission to examine the necessity of certain Community regulations on the security of electronic communication services and computerised systems.
Any supplier of services specific to the Information Society must observe the national and international legislation on data protection.