The EDPS’ 2020 Highlights

The year 2020 was unique for the world and, by extension, for the European Data Protection Supervisor (EDPS). Like many other organisations, the EDPS had to adapt its working methods as an employer, but also its work since the COVID-19 health crisis strengthened the call for the protection of individuals’ privacy, with the appearance of contact tracing apps and other technologies used for the fight against COVID-19. While technology can certainly contribute to limiting the spread of COVID-19, our priority remains to ensure that individuals’ personal data and right to privacy is protected.

2020 also marked new beginnings for the EDPS. On 30 June 2020, we presented our Strategy 2020-2024. The Strategy’s overarching aim is to shape a safer digital future, with three core pillars outlining the guiding actions and objectives for the EDPS to the end of 2024: Foresight, Action and Solidarity.

These three pillars, and our Strategy as a whole, were the driving force for our work in 2020.

Data protection in a global health crisis

The COVID-19 pandemic has taught us that privacy, like any other fundamental right, is nothing without solidarity. With this in mind, we have worked closely within the EDPS and with the European Data Protection Board (EDPB), the data protection officers (DPOs) of EU institutions, bodies, offices and agencies (EUIs), as well as with other European and international privacy and technology experts, to protect individuals and their personal data.

Our first initiative in this context was to immediately establish an internal task force to actively monitor and assess governmental and private sector responses to the COVID-19 pandemic. Throughout 2020, the COVID-19 task force has followed and anticipated future developments with an impact on data protection and privacy, allowing the EDPS to serve as a catalyst for a privacy-driven response and as a point of reference for stakeholders across and beyond Europe.

As the EU data protection authority of EUIs, we supported EUIs in their effort to safeguard their employees’ health in a privacy-compliant way by issuing our Orientations on body temperature checks, manual contact tracing, and reactions of EUIs as employers.

We also took on an active role at regional and international level with our participation and leadership in international fora such as the Global Privacy Assembly (GPA) (formerly the International Conference of Data Protection and Privacy Commissioners) and other conferences. In particular, we engaged with experts from the public health community in the European Union (EU) and other international organisations to better understand the needs for epidemiological surveillance and to accurately measure the efficiency and purpose of the tools being developed with regard to personal data protection, for example, by developing together practical guidance on data protection by design.

EUIs’ compliance with data protection law

Providing the necessary tools for EUIs

As the data protection authority for EUIs, the EDPS provides them with the necessary tools to comply with Regulation (EU) 2018/1725.

We have achieved this during 2020 through various initiatives, ranging from issuing strategic documents and publishing our investigations, to reinforcing our collaboration with the data protection officers of the EUIs by providing training to raise their awareness of data protection issues and their responsibilities.

The EDPS used existing, and developed new, tools and promoted a coherent approach to the application of data protection during 2020 in order to support EUIs to continue to lead by example in safeguarding digital rights and responsible data processing, according to the Action and Foresight pillars of our Strategy 2020-2024.

We have advised and guided EUIs with regard to tools, such as Data Protection Impact Assessments (DPIAs), and provided relevant training in order to share knowledge, expertise and contribute to the smart administration of the EUI environment. We have utilised a range of methods, such as our ‘DPIA in a nutshell’ Factsheet, a Report on how EUIs carry out DPIAs which contains lessons learned and best practices observed by the EUIs, a survey to determine specifically how EUIs have been using DPIAs and a video on the same subject for DPOs. We also continue to regularly update our Wiki, a resource created in November 2019 for data protection officers and data protection coordinators to help them comply with Regulation (EU) 2018/1725. We have also been working on developing version 1.0 of the Website Evidence Collector to help DPAs, data controllers, data protection practitioners and web developers to help them ensure that their websites are compliant with the General Data Protection Regulation (GDPR) and Regulation (EU) 2018/1725.

Supervising the Area of Freedom Security and Justice

We launched our supervision of the EU agency for judicial cooperation, Eurojust (12 December 2019) and are increasing the supervision of the European Public Prosecutor’s Office’s (EPPO) data protection- related activities.

On 5 October 2020, we rendered public our inquiry on the EU Agency for Law Enforcement Cooperation’s (Europol) big data challenge, namely Europol’s processing of large datasets received from EU Member States and other operational partners, or collected in the context of open source intelligence activities. We found that the processing did not comply with the provisions of Regulation 2016/794, in particular with the principle of data minimisation. We admonished Europol to implement all necessary and appropriate measures to mitigate the risks for individuals’ data created by the processing of large datasets.

The Hague Forum

On 2 July 2020, The Hague Forum, co-established by the EDPS, met for the second time, bringing together EUIs and other international organisations to exchange information and strengthen their negotiation power with ICT service providers, including cloud service and communications providers. On this occasion, we issued a Public Paper detailing our findings and recommendations on the use of Microsoft products and services by EUIs, in which we emphasise that, when EUIs enter into contractual relationships with IT service providers, the terms of these contracts should reinforce the EUIs control over how and why personal data is processed.

Compliance with “Schrems II” ruling

The EDPS issued its Strategy for EUIs to comply with the ‘Schrems II’ ruling following the judgment of the Court of Justice of the European Union on 16 July 2020. The judgement reaffirms, among other issues, the importance of maintaining a high level of protection of personal data transferred from the European Union to non-EU countries. The EDPS strategy includes a roadmap of actions for EUIs to ensure that ongoing and future international transfers are carried out in accordance with EU data protection law.

Safeguarding digital rights

The overarching objective of the EDPS is to promote a safer digital future for the EU. Our work on legislative consultations is instrumental to achieving this objective.

The EDPS promotes a positive vision of digitisation that enables us to value and respect all individuals, as per the Solidarity pillar of our Strategy 2020-2024. Therefore, we issue and address Opinions and recommendations to the EU legislators on the impact that their initiatives may have on individuals and their right to data protection to ensure that they promote digital justice and privacy for all within their initiatives.

The EDPS is also interested in policy initiatives to promote ‘digital sovereignty’ to help ensure that data generated in Europe is processed in accordance with European values. At the same time, we are committed to help overcome the detrimental vendor’s lock-in syndrome in the EUIs.

Opinion on a new EU-UK partnership

On 24 February 2020, the EDPS issued an Opinion on the opening of negotiations for a new partnership with the United Kingdom (UK). The EDPS supports a partnership which affirms the EU and UK commitment to and respect for a high level of data protection and the EU data protection rules. In its Opinion, the EDPS makes recommendations regarding commitments to respect fundamental rights (including data protection) equivalent to those for the economy and security, defining priorities for international cooperation other than law enforcement particularly between public authorities (including EUIs) and assessing transfers of personal data in the light of the CJEU Opinion 1/15 for the economic and security partnerships.

Opinion on the European strategy for data

The EDPS adopted an Opinion on 16 June 2020 to emphasise that the European strategy for data should stay true to European values, in particular respect for the fundamental rights of individuals such as the right to data protection.

Opinion on combatting child abuse online

On 10 November 2020, the EDPS issued an Opinion on a proposal for temporary derogations from the ePrivacy directive for the purpose of combatting child sexual abuse online. In its Opinion, the EDPS stresses that measures to detect, remove and report child abuse must be accompanied by a comprehensive legal framework which meets the requirements of Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Moreover, in order to satisfy the requirement of proportionality, the legislation must set clear and precise rules governing the scope and application of the relevant measures and imposing minimum safeguards to provide sufficient guarantees of the protection of personal data against the risk of abuse.

Opinion on the New Pact on Migration and Asylum

On 30 November 2020, the EDPS issued an Opinion on the New Pact on Migration and Asylum to ensure that the proposal for more effective management of asylum and immigration incorporates a DPIA to help identify and address the relevant data protection implications.

Opinion on the European Health Data Space

The EDPS published a Preliminary Opinion on 17 November 2020 on the European Health Data Space (EHDS), to ensure that this platform for exchanging health data and fostering medical and scientific research prioritises the protection of individuals’ personal data within its development.

Monitoring technologies

The EDPS aims to be a recognised and respected centre of expertise that helps understand the impact of the design, deployment and evolution of digital technology upon the fundamental rights to privacy and data protection, and accordingly we have included this in the Foresight pillar of our Strategy 2020-2024. Therefore, we placed strategic importance during 2020 and for the foreseeable future upon integrating the technological dimension of data protection into our work. As a DPA, we also continue to closely examine the potential risks and opportunities offered by technological advances, seek to understand the possible benefits of new technologies and encourage the integration of data protection by design and data protection by default in the innovation process.

Examples include, but are not limited to, our contribution during 2020 to developing strong oversight, audit and assessment capabilities for technologies and tools that are increasingly ‘endemic’ to our digital ecosystem, such as artificial intelligence and facial recognition.

TechDispatch

The EDPS also continued to build upon existing initiatives such as our TechDispatch reports, launched in July 2019, for the EDPS to contribute to the ongoing discussion on new technologies and data protection. Focusing on a different emerging technology each issue, we aim to provide information on the technology itself, an assessment of its possible impact on privacy and data protection and links to further reading on the topic.

Internet Privacy Engineering Network

The EDPS has also continued to organise sessions and workshops (albeit virtually) of the Internet Privacy Engineering Network (IPEN), which we founded in 2014, to allow us to bridge the gap between legal experts and engineers when implementing data protection safeguards and monitor the state of the art of privacy enhancing technologies. With this endeavour, we continue to develop core knowledge about how essential and emerging technologies work for privacy and data protection by exchanging views academia and innovators in the private sector, among other relevant actors.

The EDPS as a member of the EDPB

The EDPS believes that a strong expression of genuine European solidarity, burden sharing and common approach is necessary to ensure the enforcement of data protection rules. We strongly believe in this and have included this in our Action pillar of the Strategy 2020-2024.

As an example of how we put this conviction into practice, the EDPS, as a member of the EDPB, works closely with other DPAs for the consistent application of data protection laws across the EU.

In June 2020, the EDPS proposed the establishment of a Support Pool of Experts (SPE) within the EDPB, with the aim to assist DPAs in dealing with complex and resource intensive cases.

The EDPS also assisted the EDPB in other ways, for example in regard to the EDPB’s:

• cooperation with the European Commission in the context of the latter’s initial and in-depth investigation during 2020 of the proposed Google-Fitbit merger;
• Statement and FAQ during July 2020 to provide the first answers on the impact of the “Schrems II” ruling; and
• Guidelines 9/2020 on relevant and reasoned objection.

International cooperation in data protection

As per the Foresight pillar of our Strategy 2020-2024, the EDPS aims to be alert to and aware of the new trends in technology and data protection. In 2020, the EDPS has continued to dedicate substantial time in promoting global data protection convergence and cross-border dialogue. Despite the pandemic-related challenges, we have continued to exchange best practices and information with international organisations and interlocutors outside Europe, as well as developing European and international cooperation measures, and promoting joint enforcement actions and active mutual assistance.

In 2020, we have pursued this objective via fora, such as the GPA; the Computers, Privacy and Data Protection Conference (CPDP) and international organisations workshops, addressing the data protection challenges arising – among others – with the use of new technologies, within the fight against COVID-19 and in law enforcement.

Internal administration

The EDPS Human Resources, Budget and Administration Unit (HRBA) has provided support throughout 2020 to ensure that both the EDPS Management and operational teams have the financial, human and administrative resources and tools to achieve the goals set out in our Strategy 2020-2024.

In light of the COVID-19 pandemic, the HRBA has had to adapt its organisation during 2020 to ensure business continuity, by developing an innovative action plan to enhance the functioning of the EDPS and the wellbeing of its staff, in particular preparing the workforce for teleworking.

The EDPS continued to grow in 2020, both in terms of financial and human resources. This required agility, flexibility and creativity on the part of HRBA, particularly given the exceptionally difficult context of the COVID-19 pandemic.

HRBA introduced new initiatives in 2020 to enhance the well-being of EDPS staff – such as internal coaching and other support activities – and will continue to pursue these endeavours in 2021. This ensures that we remain a socially responsible organisation and manifests our belief that staff with higher levels of well-being learn and work more effectively, are more creative, have better relationships, are more social in their behaviour, and ultimately feel more satisfied with their working life.

Communicating data protection

Public interest in, and engagement with, data protection and the work of DPAs only continues to grow. This has and continues to be even more the case in light of the COVID-19 pandemic, which has increased the acceleration of the digitalisation of individuals’ daily lives. People feel more aware of and concerned about their digital footprint and the importance of protecting their personal data.

During the COVID-19 pandemic, it has been of particular importance to adapt and continue to strengthen the EDPS’ online presence in order to fully connect with the relevant audience and stakeholders. The EDPS Information and Communication Team has achieved this objective using a variety of methods, in particular via EDPS blogposts, social media campaigns and monthly newsletters.

The Team’s efforts focused on other objectives as well, in particular promoting the EDPS Strategy 2020-2024 and developing a new visual identity for the EDPS.

Key performance indicators

We use a number of key performance indicators (KPIs) to help us monitor our performance in light of the main objectives set out in the EDPS Strategy.

This ensures that we are able to adjust our activities, if required, to increase the impact of our work and the effective use of resources.

The KPI scoreboard below contains a brief description of each KPI and the results on 31 December 2020. These results are measured against initial targets, or against the results of the previous year, used as an indicator.

The outbreak of the COVID-19 pandemic, and its far-reaching consequences at every level, substantially changed the context and circumstances in which the EDPS had to operate. Therefore, the KPIs monitoring this year’s results should be read with this context in mind.

In 2020, we met or surpassed - in some cases significantly - the targets set in five out of eight KPIs. This includes, KPI 1 on the number of initiatives related to our technology and privacy work; KPI 2 measuring the number of activities on cross-disciplinary actions; KPI 3 concerning the number of cases dealt with at international level; KPI 4 on the number of Opinions and Comments issued in 2020; as well as KPI 6 demonstrating an increase of our followers on our social media platforms.

KPI 5, measuring EUIs level of satisfaction on guidance and training received in 2020 was not assessed; the vast majority of training and meetings were conducted remotely, and satisfaction surveys were not conducted due to the technical limitations that could not allow us to ensure anonymous feedback. The small number of in-person sessions that took place in 2020 are not sufficiently representative to draw meaningful conclusions; as a result, this KPI has not been assessed in 2020.

KPI 7 reflects the outcome of the periodic staff satisfaction survey, which occurs every two years. The survey was launched in June 2020, three months after the beginning of the COVID-19 crisis amid a climate of anxiety and uncertainty. These extraordinary circumstances may, in part, explain why we failed to reach the set target. In addition, the participation rate was rather low (45%) and there were quite a lot of newcomers for whom it may have been difficult to answer some of the questions in the survey.

KPI 8 on budget implementation shows that, in 2020, 72.97% of the EDPS’s allocated budget was implemented, a substantially lower figure compared to 2019’s budget implementation figure of 92% and well below the 90% target. This is mainly due to the COVID-19 pandemic which dramatically affected the activities of the EDPS. When the Belgian government declared the first lockdown in March 2020, severe (ongoing) restrictions were enforced on the movement of staff and other individuals. This directly impacted the missions’ expenses and experts’ reimbursements expenses which constitute a major part of the budget. Other budget items were indirectly affected as well (e.g. the interpretation expenses). There were some other external factors which also impacted budget execution to a lesser extent (delays in the availability of offices in the Montoyer 30 building and postponement of the related works). We expect that the pandemic will also have a substantial impact on the year 2021 as travel restrictions are expected to continue until the vaccination campaign is in its advanced stage.

KEY PERFORMANCE INDICATORS		Results on 31.12.2020	Target 2020
KPI 1 Internal indicator	Number of initiatives, including publications, on technology monitoring and on promoting technologies to enhance privacy and data protection organised or co-organised by EDPS	9 initiatives	9 initiatives
KPI 2 Internal & External Indicator	Number of activities focused on cross-disciplinary policy solutions (internal & external)	8 activities	8 activities
KPI 3 Internal indicator	Number of cases dealt with at international level (EDPB, CoE, OECD, GPEN, International Conferences) for which EDPS has provided a substantial written contribution	42 Cases	10 Cases
KPI 4 External indicator	Number of Opinions/Comments issued in response to consultation requests (COM, EP, Council, DPAs...)	6 Opinions 25 Formal Comments	10 Opinions / Comments
KPI 5 External indicator	Level of satisfaction of DPO’s/DPC’s/controllers on cooperation with EDPS and guidance, including satisfaction of data subjects as to training	/	70%
KPI 6 External indicator	Number of followers on the EDPS social media accounts	62970 (LI: 38400, T:22493, YT: 2077)	Previous year’s results + 10%
KPI 7 Internal indicator	Level of Staff satisfaction	71%	75%
KPI 8 Internal indicator	Budget implementation	72,97%	90%