"Take Google as an example," said Viviane Reding, vice president of the European Commission and EU justice commissioner. She explained that its privacy policy had been ruled in breach of European data protection laws; pointed out that both France and Spain have already levied the maximum fines possible; and added, "the fine in France represents 0.0003% of [Google's] global turnover," which she described as pocket money.
"Is it surprising to anyone," she asked, "that two whole years after the case emerged, it is still unclear whether Google will amend its privacy policy or not? Europeans need to get serious. And that is why our reform introduces stiff sanctions that can reach as much as 2% of the global annual turnover of a company. In the Google case, that would have meant a fine of EUR 731 million (USD 1 billion). A sum much harder to brush off."
Although there is no further mention of Google in her speech, and certainly no explicit reference to Peter Fleischer, it is clear that the whole speech is a refutation of his views. "Whatever comes next," he wrote in a blog posting earlier this year, "will be the most important privacy legislation in the world, setting the global standards. I'm hopeful that this pause will give lawmakers time to write a better, more modern and more balanced law."
But Reding's speech shows no inclination for further compromise. She was receiving the Aenne Burda Award for Creative Leadership at the international Digital-Life Design (DLD) Conference in Munich. "This award," she said, "will be an additional motivation for me to keep going, and a reminder of the power of perseverance, of the importance of fighting for your dreams and never giving up."
She pointed out that the European Parliament had already agreed to 'a broad compromise, backing the European Commission's proposals.' But, "Member States, however, have been stalling." The emphasis is hers, and the bitterness barely disguised. "Even after the shocking revelations of mass spying and surveillance that continue to dominate the headlines, they have so far mainly reacted with words. EU Heads of State and Government have committed to a 'timely' adoption of the new framework. But in real terms there has been little action."
She re-iterated the Commission's view that the GDPR will benefit both business and consumers. The uniformity across Europe "will be especially important for smaller companies and start-ups, who will find it easier to break into new markets"; an idea directly refuting Google's and other lobbyists' claim that it will stifle innovation.
She also said that the reforms – especially the principles of data minimization and strict sanctions – would rebuild consumer trust, improve general security, and reduce business costs. "Just ask Sony," she explained. "Experts believe that a hacker attack on PlayStation accounts in 2011, in which the data of 77 million people was compromised, cost the firm between USD $1 and $2 billion. That is the cost of non-compliance. And this cost is both high and avoidable." In the UK, the privacy regulator added a £250,000 fine.
One thing is clear from Reding's speech: regardless of Fleischer's view that the current GDPR is dead, it is not. Reding may be forced to accept minor amendments before it is passed into European law, but she will not give up until the GDPR, largely as it now stands, becomes the new European data protection law.