So a bit of history was made yesterday. The adoption by the European Parliament of the General Data Protection Regulation, following the decision by the Council last week, is quite simply a landmark in human rights law. It is the biggest attempt so far by a legislator to grapple with the realities of global, ubiquitous data in the internet era.
'The processing of personal data,' according to Recital 4 of the Regulation, 'should be designed to serve mankind'. The GDPR is very long and very detailed, but at its core is the individual - and the preservation of her dignity in the digital society. The regulation renews safeguards and reinforces individual's rights as well as adding new ones, and it increases transparency of processing. Any controller who targets services at people in Europe or monitors their activities will be clearly liable under EU law for how they process this data. Companies and public authorities will from now on be accountable for their data practices: they will be treated like adults, no longer required to notify every single processing operation. They will be assumed to have in place appropriate measures for complying with the new rules, and they must be able to demonstrate their compliance. Failure to respect the rights of individuals may now result in rigorous administrative and financial sanctions. The right to data portability should help empower individuals to choose to whom they entrust their information, and to change their minds and move the data to another service provider.
As for independent data authorities, as I argued in, they will also become more accountable for making new rules flexible and future-proof, with timely, relevant and user-friendly guidance, with greater alignment and coherence in how enforce, raise awareness and handle complaints. They will be obliged to cooperate and to share information, and to stay up-to-date with technological developments.
Adopted alongside the GDPR, the directive on data protection rules for the police and criminal justice sector will provides a modern platform for data sharing by crime fighting across the EU.
Europe has faced enormous, even existential, difficulties in recent years. Brussels itself suffered last month the sort of mindless violence to which other countries and regions of the world have become sadly accustomed. But in these modernised, trailblazing new rules on personal data processing, the EU has achieved something of which it can be justly proud.
And yet this week has also exposed the scale of the challenge which remains, six years after the entry into force of the Lisbon Treaty and the incorporation of the Charter of Fundamental Rights into primary EU law. The Article 29 Working Party has registered its serious concerns with the sustainability of the EU-US Privacy Shield agreement. Last week I, along with several other data protection commissioners from around the world, had a series of discussions with our interlocutors in Washington, D.C. The clear message was that the US Administration had made great efforts in the negotiations and that this was borne out of sincere respect for Europe as a strategic partner with shared democratic values. I will shortly provide my advice to the institutions on how we can ensure that we set a lasting international precedent for data flows which respect the rights and freedoms of the individual.
Also this week has seen the adoption of an EU directive requiring airline passenger name records to be handed over to Member State law enforcement bodies. The EDPS hasthe justification for this measure in the light of the case law of the Court of Justice of the EU. EU PNR was passed two days after a hearing in the CJEU in which national data retention laws under the EU ePrivacy Directive (Directive 2002/58/EC) were subjected to tough scrutiny. More than ever, as noted in the , there is a pressing need for a mature and informed conversation on security and privacy.
The struggle continues. But for now let’s celebrate Thursday 14 April 2016 as truly historic day for fundamental rights in Europe.