[unintelligible] vertically or on a subject that, I was saying to some people downstairs, you know, about seven or eight years ago, if you mentioned data protection, eyes glazed over and people said, "Oh, thanks to God, I don't really need to know too much about that, and, you know, get on with the real heart criminal stuff or something more interesting." But it's now very much part of our day-to-day lives, and so today that's why the institute is very [unintelligible] Tiina Astola [unintelligible]
[unintelligible] I'm going to ask Director General Astola to talk to us and then there will be time. Now her statement is on the record and I don't know whether you mind if the questions and answers are on or off the record. I forgot to ask it. As we wish. Well, that's fine, because there may be some members of the journalist profession here. So we listen to what you have to say. I should say that Mrs. Astola was a permanent secretary of the Finnish Ministry of Justice and she had responsibility for international and domestic law matters, courts, prisons and before that she headed up units for civil law and European law at the Department of Legislation. So there really is no area that you're not an expert on so we're really looking forward. Actually very much I have to say. Thank you very much indeed. And then no expert on anything. I think it's more like that. First of all thank you for the invitation. I'm really happy to be here. I've been in the country a couple of times. I've admired the nature and people have been extremely friendly always to me. And of course then you have fine songs and magnificent literature. So I'm sorry that I can only be here for the day. Today really I'm looking at a bit about the security and fundamental rights, data protection. Maybe what I'm saying is kind of a basis for the discussion. I'm not going to go to the nidic readings or the paragraphs. 
So to begin with it was really in the Lisbon Treaty that EU firmly set out a vision for a true European area of justice which ensures the rights for citizens across the Union. Justice became part of the normal EU policies. So the same decision making as in other areas. And since that justice area has grown. So we have worked hard to achieve a set of rules which strengthen our common values of democracy, respect of freedom and rule of law and which also respect the different legal systems and traditions of all EU countries. So these are the values which underpin a goal of building an area of justice, fundamental rights and security based on mutual trust. But in these challenging times with rise of populism, terrorism, cybercrime, hate crime and threats to our dignity and rights people really question whether things will improve. They question whether the institutions do really provide them security and protect them from challenges. I see that we really have to convince the Europeans not to forget and to embrace really the values and we must show that we respect and are able to protect their rights. So human rights protection and measures to ensure stronger security go hand in hand. And I say if Europe is essential for the protection of fundamental rights. For me it's really a combination: without the respect for fundamental rights there is no security for citizens. The European Union has a legal framework which allows us to respond to threats to our security. But it requires at the same time respect for the principles of legality, necessity, proportionality and non-discrimination. I think this line is what you always hear when you talk about data protection for instance. The European Union has also a sound body of EU laws that are not only fundamental rights compliant but also fundamental rights proactive. And a stable and strong legal framework is essential in the democratic regime where political situations can really change swiftly. 
We have been seeing these changes lately; they are major and we have to be aware of them. A few words about justice and security. For me there is an inherent tension between justice and security policies. And this can be seen in the development of the areas in the EU. After the Amsterdam Treaty in 1999 there was the so-called Tampere programme which brought a lot of justice initiatives in EU policies. But after that there was the 2001 Twin Towers 9/11 and one could really see a shift towards security issues. And it was the Hague programme. And then the pendulum went again to a different direction. It was a Stockholm paper where you could again see rights of the accused and rights in other senses to being promoted. Now we have had Paris and Brussels and again we see that there is a movement towards security. The idea is that with the new EU data protection rules, so the general data protection regulation, the GDPR, EU is full of these abbreviations and it takes a little bit of time of knowing them or half of them. And then the police directive. These new, both in the EU dimension as well as the approach to our third countries, they really ensure that the privacy of individuals in this, I would say, still relatively new digital world is ensured and at the same time the necessary security measures are effective, targeted and appropriate. So general security considerations and GDPR. We face many challenges to our security. We are sharing more and more of our personal data, names, addresses, photos, social media posts, our preferences and even bank details. And they say that this data sphere will be 10 times bigger already in 2025. So we need a strong protection for consumer trust in order to also have growth in the e-commerce area. A feeling of security in digital services and in personal data processing will give consumers the confidence that they can take the advantages that the digital world offers them. 
Cyberspace poses new risks and threats and we have to take them seriously. The revelation that computer central processing units, the so-called CPUs, are prone to security flaws, including access to stored private data, reminds us of that. So the baddies, the unscrupulous people, may use such vulnerabilities to steal sensitive information, including passwords, medical records and of course banking information. We know from these massive data breaches such as those which were caused by WannaCry, Meltdown and Spectre attacks that the threat is real and is not just something imagined in Hollywood. And this is crucial. We should not forget also that Uber, there was this massive data breach with Uber which resulted in the theft of information about 60 million users and drivers. And Uber failed to inform about this for a year. So the GDPR will allow us to respond adequately to such irresponsible behavior. And there will be a high level of protection for the citizens and there are clear rights. I'm not going through all of them, I'm just mentioning some. So one is to have the right to ask your personal data from somebody who has it, from the organization. The right to ask to transmit your data to a different service provider where feasible, so this right to portability. And the right to clear and understandable information when you are asked to give your consent. We all know these questions and we all click because we don't even understand what we are asked about. Or the right to be forgotten, a big right. At the same time the GDPR imposes clear obligations on the entities processing personal data. Security requirements, purpose limitation, notification of data breaches, et cetera. But the GDPR allows for operators to process data for fraud prevention or for other law enforcement purposes. But this must be done in compliance with the regulation. Correspondingly, national enforcers, the data protection authorities, will have uniform powers everywhere in EU. 
Including the power to fine up to 4% of the global turnover, annual global turnover. Then the relationship between enforcement and data protection. Security is a multifaceted concept which speaks both to public bodies as well as to private sector. But any action in the name of security cannot be justified just because data are available, technically easy to get or useful rather than necessary. The Court of Justice of the European Union has delivered many judgments and opinions on this point and stressed the need to properly consider the necessity, proportionality and data protection safeguards. And this is of course particularly important when large amounts of personal data are kept for law enforcement purposes. For example, telecommunications data held by service providers or used in the context of passenger name record data. So the Court has set criteria, for instance it should be targeted, there should be a suspicion of serious crime, there should be court authorization. So the data protection reform provides a legal solution for data protection safeguards which strengthen both security and privacy. But it also allows free flow of data within the union. For law enforcement the answer, the tool is in the police directive. This directive enhances cooperation between law enforcement authorities to fight crime, notably money laundering, terrorism, organized crime and cyber crime, and at the same time ensuring the respect for fundamental rights to protection of personal data. So we want to make sure that the law enforcement authorities help to protect peaceful societies and ensure that law and justice, rule of law, ensure the rule of law and justice online. My commissioner always says that there has to be the same rule of law in online as it is in the real life. They must treat personal data including that of victims and witnesses of crime in a current and lawful way. 
So some words which describe this in the directive are the data has to be adequate, relevant, not excessive, accurate, up to date, and it should not be kept longer than needed. Then moving to the international arena, the approach of data protection is that the protection travels with the data. So the commission understands very well the economic and security importance of international data flows and firmly believes that ensuring a high level of data protection can go hand in hand with policy of facilitating such data flows. There was a communication a year ago in January in exchanging and protecting personal data in a globalized world and that describes the vision and strategy to promote kind of upward convergence of data protection standards around the world. So this strategy builds on the GDPR toolbox for international transfers. An adequacy decision stands for the most privileged relationship the EU can have with other countries in the field of data protection and data flows. Adequacy findings are one, although not only one of the key elements of this strategy. In these decisions the commission assesses the level of the data protection of a third country. It should be, as the court has said, essentially equivalent. If this is assessed, then the commission can take the so-called adequacy decision on the basis of which then the data can flow. But there are other possibilities also if the country's level of data protection is not enough. There can be the standard clauses which can be used. And also if there's a company which has, which works in many countries, it can have internal rules which take care of the data protection. In the Schrems ruling which was about the Safe Harbour arrangement with the US, the court confirmed that any third country access to personal data for law enforcement or national security purposes has to be limited to what is necessary and proportionate. Again the same words, proportionality comes up every time. 
So it's not only about the question that the companies in these third countries take care of the data protection. It's also about the question how public authorities have access to EU citizens. Not only EU citizens, people residing in EU, their data in the third countries. So we are looking at these government access possibilities in other countries and we have to determine that when we are working with the adequacy decisions. And this has been, they have to apply by the, they have to be essentially equivalent to the GDPR and also to the police directive. So commission has learned from the Schrems case and we are taking this issue to government access very seriously. And it is a standard routine element in our adequacy assessment. And we have now carried out such an assessment of course in, it's an in depth. It was really the thorough work with the US in the Privacy Shield which we probably know about. And now we are discussing both with Japan and South Korea and I think the following countries will probably be India and Brazil. So, and we are also monitoring the functioning of existing adequacy decisions. And we have then an intensive dialogue with these third countries whose adequacy we have assessed. And as far as the transfers of personal data across the Atlantic are concerned, we have obtained with the Privacy Shield commitments from the US government. These commitments together with the applicable law in US ensure that any access to personal data for law enforcement or national security purposes is limited to what is necessary and proportionate. There was the first review of Privacy Shield last September in Washington. And we could see that the Americans had really put in place structures with which to work in this field. And we also were informed how they work in the public or the public authority access. It's clear that no state tells exactly, we wouldn't tell exactly how we are doing things. 
But we were given assurances, we were given examples and also about the remedies of the people, how to access courts should they think that their privacy has been intruded. So there's a commission, I don't think it's a communication on this review which tells our view on that. We still thought that they could be more proactive in some ways, but we saw that the kind of a machinery was in place. In parallel, we have also negotiated earlier already the so-called umbrella agreement with US. And this puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. So the agreement covers all personal data, names, addresses, criminal records, etc., exchanged between EU and US authorities competent for the prevention, detection, investigation and prosecution of criminal offences, including terrorism. So that umbrella is not the legal basis for transferring the data. There have to exist other rules for that, bilateral agreements or such. But this agreement puts on top of that the requirements that have to be fulfilled in data protection. The way forward, it was mentioned already, May 25, the new rules of GDPR and police directive come into force. And all the member states should have implemented the directive and made the changes necessary in order for the regulation to work well. But the clock is really ticking. And it's not a trivial matter to protect this data. And we need to make sure that member states, the data protection supervisory authorities, civil society and business, apply the rules correctly and in a coherent way. So last week, we published a communication outlining the steps that the Commission has undertaken in this area and also what needs to be done. We also issued a guidance to help prepare citizens, businesses and other organisations for these rules. And we launched a practical tool, a website in all EU languages. The language of the GDPR is not easy. 
So it is important that it is also written in an understandable way for people. And of course I know there is a lot of activity going in this area. But we have also financed or giving grants to member state organisations so that they could do the work because really the work has to be done in the member states. So for me data protection is one example where really at EU level we can have an impact on people's lives in member states. As the data travels so fast from country to country, we have to have common rules. And data protection speaks about self-determination, empowerment and construction of the self. So I don't repeat any more my basic line which I repeat now. Security and data protection go hand in hand. They are not opposite to each other. Thank you.