Annual Report 2022

Mid-Term Strategy Review - ‘Shaping a Safer Digital Future’

The EDPS 2020-2024 Strategy “Shaping a Safer Digital Future” was derived on the cusp of global change. Written in early 2020, it sets out three strategic focal pillars for the EDPS: Foresight, Action, and Solidarity. Yet even our best foresight experts could not have predicted the paradigm shift that was to follow. The COVID-19 pandemic, the war on Ukraine, and the global economic crisis, all formed part of the challenging environment that we were confronted with, following the adoption of our 2020 strategy.

This is why in 2022, we decided to conduct a mid-term review of our 2020-2024 strategy.
Commenced with the intention of evaluating progress made on the objectives listed in the strategy, the mid-term review formed a crucial moment for considering whether a shift of institutional direction was needed in light of the changing global environment. The following chapter of the Annual Report presents the results of the mid-term review and sets out the EDPS’ refocused vision and priorities for the remainder of the strategy.

Procedure of the mid-term review

A bottom-up approach to the mid-term review was implemented which saw the strategy’s evaluation conducted from within. This decision was adopted with the intention of harnessing the fresh perspectives of the EDPS staff, bearing in mind the institutional growth that has taken place since 2020. This approach allowed us to leverage the in-house interdisciplinary knowledge and experience of the EDPS staff, to identify key focal areas for our work in the coming years.

The mid-term review was conducted in two stages. The first stage consisted of a gap analysis.
This analysis was conducted on the basis of a mapping exercise which all EDPS staff took part in.
This exercise was officially kick started through a discussion between the Supervisor and the EDPS staff, in which the Supervisor shared the planned procedure for open reflection and consideration of the staff. Following valuable input received at staff level, the mapping exercise was launched. The mapping exercise presented an overview of the 57 objectives listed in the EDPS 2020-2024 strategy on which the EDPS staff reflected on whether and to what extent objectives had been met. Following this preliminary assessment, a gap analysis was conducted to identify the state of progress of the objectives.

Results of the mapping exercise revealed the substantial progress that we made to implement and achieve the objectives listed in the strategy. Of the 57 objectives listed in the strategy, the gap analysis revealed that 15 objectives have been accomplished so far, 40 are ongoing, and only 2 are at an early process of implementation.

The positive results of the gap analysis formed the foundations for the second stage of the mid-term review. In this second consultative stage, the EDPS staff were consulted on the future of the EDPS and asked to consider how the new realities of our environment may warrant a shift in priorities for the remainder of the strategy. Specific attention was devoted to identifying focal areas which the EDPS would like to concentrate increased efforts on for the remainder of the strategy.

Outcomes of the mid-term review: from shaping a safer digital future, to championing its formation

The results of the consultation stage led to the emergence of several institutional priorities, which we consider to be key and we commit to dedicating additional attention and resources to, for the remainder of the 2020-2024 strategy.

Priority #1: Effective enforcement of data protection in a new regulatory landscape

With the adoption of multiple legislative initiatives in the digital field, the EDPS, together with the community of data protection authorities (DPAs), finds itself in a significantly more complex regulatory environment. This new regulatory landscape, which involves legislation such as the Data Governance Act (DGA), the Digital Markets Act (DMA) and Digital Services Act (DSA) on the one hand, and the proposed Artificial Intelligence Act and Data Act on the other, results in new regulatory functions and regulatory authorities being envisioned by the legislator.

Whilst these acts in principle state not to prejudice nor to amend the GDPR (or Regulation (EU) 2018/1725), several provisions in these new or forthcoming regulations explicitly refer to GDPR definitions, concepts and obligations. Moreover, whilst the processing of personal data is central to the activities regulated by each act, data protection authorities are not designated as the main competent authorities.

Enforcement is entrusted - either completely or to a very significant extent - to authorities whose missions primarily concern policy objectives other than data protection or privacy. Consequently, there is a need to ensure a coherent approach to regulatory activities across the digital sphere. We will therefore work to conceptualise our role regarding these authorities, and to identify the expectations of these authorities regarding the EDPS.

Building on its consolidated and widely acknowledged experience of ensuring a coherent approach in the digital ecosystem, we will therefore steer and actively engage in the work of relevant coordination forums provided for by law, such as the High Level Group of the DMA and other relevant coordination fora provided for by law, both as the EDPS and as a member of the European Data Protection Board (EDPB), as appropriate.

We will also actively promote strong cooperation with the relevant bodies in instances where a specific coordination body is not provided for by law, but where enforcement will require a close dialogue with the authorities tasked with applying provisions with privacy and data protection implications.

Moreover, we will strive to ensure that data protection principles and rules are not undermined by the application and enforcement of new legislation. The EDPS will therefore continue to engage in an advisory function in order to monitor and highlight potential consequences arising from the practical implementation of new regulatory frameworks. Enforcement action will also be considered where necessary.

It is within this context that the EDPS is also faced with its potential role as supervisory authority of the EU institutions, offices, bodies and agencies (EUIs) for Artificial Intelligence. Both from an organisational and a methodological perspective, intensive preparations are envisaged to ensure that we are ready to fulfil our new task from the beginning.

The Digital Euro project is also of high strategic importance to us and requires close cooperation amongst experts with policy, legal, technological and supervision expertise. Whilst much will depend on the design choices made, the Digital Euro project will undoubtedly have significant implications for privacy and data protection. Other proposals concerning the financial sector will also warrant close scrutiny, such as the legislative open finance framework proposal, which will aim to enable data sharing and third-party access for a wide range of financial sectors and products. We will therefore consider with utmost attention the possible interplay with the Data Governance Act and the Data Act.

The EDPS Conference held in June 2022 on “The Future of Data Protection: Effective Enforcement in the Digital World” triggered significant and much needed progress in the public debate on the enforcement of the General Data Protection Regulation (GDPR). The related developments, in particular the so-called EDPB Vienna Statement, and the announced proposal of the European Commission for a Regulation harmonising certain aspects of national procedural rules, show that efforts on the potential improvements to the functioning of the GDPR will continue to dominate the debate in the years to come. The success of the EDPS Conference, in terms of public interest and impact, shows there is a significant role for the EDPS, as an independent EU institution, in this debate to advocate for pan-European approaches that ensure that the EU Charter of Fundamental Rights is respected fully.

Priority #2: Interoperability as a challenge requiring an overhauled supervisory approach

With the onset of interoperability, the EDPS is facing substantial obligations to ensure an effective supervisory approach. With the introduction of the EU’s interoperability framework which adopts a new approach to the management of data for borders and security, we are subsequently also rethinking its methodology for the supervision of large-scale IT systems. The proposed interoperability changes by the EU’s framework would see the linking of several large-scale IT systems with the Europol and Interpol databases, which would constitute a data flow ecosystem that amplifies the risks to data subjects generated by the operation of the underlying systems.

There are several challenges that we have identified that will need to be addressed. The complexity of the overall architecture and fragmentation of data protection rules calls for recalibrated supervision which focuses on data flows, rather than on the separate monitoring of data processing in different systems. Similarly, the introduction of additional data processing activities that were not initially laid down in the legal instrument regulating the establishment of each of the underlying large-scale IT systems calls for thorough scrutiny of the purpose limitation principle. Moreover, there may be decisions taken that have a substantial impact on data protection related to comitology procedures and transfers of responsibilities to the EU Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). The absence of a single channel through which to exercise data subject rights simultaneously across all systems may lead to a fragmentation of these rights.

The EDPS will therefore focus on the following three priority areas, which will form a basis for our supervision of the interoperability framework until the end of the mandate:

(1) Data subject rights - Aiming at addressing the risk of fragmentation of data subject rights with the variety of interoperable databases with multiple controllers, we will explore the potential for coordinated supervision (including joint reflection with DPAs on streamlining procedures for data subjects’ rights). In addition, we will aim to develop a proactive approach to data subject rights, in particular the right to information.

(2) Audit strategy - Developing a tailor-made strategy for data protection audits in the large-scale IT systems and the interoperability components, adapted to the new ecosystem, possibly constituting a shift from auditing siloed systems to data flows. The strategy will include a joint approach to auditing interoperability by taking into account further auditing obligations towards EU Agencies (Europol, Frontex, Eurojust), in order to safeguard purpose limitation and verify that those entities are accessing and processing data in line with their respective mandates. This joint approach will contain a legal and a technical part. Furthermore, since the large-scale IT systems’ regulations explicitly request the EDPS to perform “audits in accordance with international audit standards”, a common interpretation of this requirement will be necessary.

3) Algorithmic profiling - Work on algorithmic profiling will aim in particular to position the EDPS regarding the application of this tool within the interoperability framework (ETIAS and VIS) and more generally focusing in particular on issues of discrimination, reliability, proportionality, and transparency. The supervision of algorithmic profiling is a complex issue that is only at early stages and requires cooperation with other agencies and bodies in the field of human rights and non-discrimination, and possibly other actors from civil society and academia. Such supervision will support our input to the work of both the ETIAS - the European Travel Information and Authorisation System and Visa Information System Fundamental Rights Guidance Boards and will aim to develop appropriate monitoring and supervisory tools for this new area of supervision.

Priority #3: International cooperation to promote global common approaches on privacy and data protection challenges

We consider that actively engaging in international cooperation is of fundamental importance.
Doing so allows us to engage with a wider community, beyond Europe, and to promote a common understanding and approaches towards data protection and privacy challenges. We plan to further increase our efforts in the field of international cooperation, as several topics of high strategic importance are discussed in international fora.

In particular, we intend to foster coordination of the actions and strategy of EDPB members in international fora, further engage in the work carried out in the context of the GPA - Global Privacy Assembly, the Council of Europe, as well as within the G7 DPAs Roundtable, and the OECD - Organisation for Economic Co-operation and Development, by ensuring active participation and effective representation of European authorities’ and EDPB’s views. We will also aim to further step up cooperation with international organisations as well as with regional data protection networks.

Priority #4: Rethinking EDPS processes to ensure efficiency in a fast-changing environment

The EDPS 2020-2024 strategy is being implemented in a period in which crises have occurred one after another. From the COVID-19 pandemic, to the Russian invasion of Ukraine, to rising energy and inflation costs, we have had to adapt our working methods and processes in order to continue delivering on our output. Whilst we have managed to deliver, in principle, on the commitments made in the strategy, internal analysis shows a need to further readjust approaches to certain processes, with the aim of improving our efficiency and long-term standards, both as an EU public administration and as a data protection authority.

In the latter case, this relates, amongst others, to deliverables such as following up on data breach notifications, resolving complaints, or the ability to proactively target critical compliance-related topics via investigations or audits. Further reflection on new tools allowing online or remote assessment of compliance will take place. At the same time, human resource and budgetary constraints pose a significant obstacle for the fulfilment of the EDPS supervisory tasks.

In the same vein, the war in Ukraine brings new stand-alone tasks to the EDPS. In 2021, the European Commission proposed a legislative package to amend the Eurojust Regulation to allow for the processing of evidence collected for the purpose of investigating war crimes committed by Russia. In 2022, another legislative amendment was passed, designating Eurojust as the European hub for preservation, storage and analysis of evidence on core international crimes. We have been attributed an important role in the setting up of the new evidence database. In January 2023, the European Commission announced the creation of the International Centre for the Prosecution of the Crime of Aggression (ICPA) at Eurojust. All these legislative changes have already resulted or will result in substantial additional tasks for us. Given the political importance of the EU’s support to Ukraine, as well as the considerable workload attached to it, our activities in this area will be recognised as one of our key priorities.

With the increasing public interest in the work of the EDPS, as shown by, amongst others, the number of access to documents requests, we also commit to higher standards of transparency, not only as part of good administration, but also as an important way of making our work accessible to individuals. We also commit to continuing to ensure high levels of data protection and accountability, and to lead by example not only by complying with legal requirements, but also by exploring and making use of first-rate privacy and data protection-friendly tools and services. Concerning cybersecurity, we will have to adapt to new regulations aimed at ensuring a high common level of cybersecurity across the EUIs.

3.1.
Using our powers to protect individuals

As the data protection authority in charge of supervising the EU institutions, bodies, offices and agencies (EUIs), our goal is to ensure that they comply with EU data protection law, to protect individuals and their fundamental rights to privacy and data protection.

To help achieve this, we provide EUIs with guidance, issue recommendations, remarks and Opinions, carry out audits, offer training sessions, as well as other resources to equip them with the suitable tools to put data protection into practice throughout their day-to-day tasks, decisions or measures requiring the processing of individuals’ personal data.

3.1.1.
Supervising the Area of Freedom, Security and Justice

Amongst the topics on which our intervention was needed, particular focus of our work permeated to supervising the EU’s Area of Freedom Security and Justice (AFSJ), which covers policy areas ranging from the management of external borders, judicial cooperation in civil and criminal matters, as well as asylum, migration, combatting crime. AFSJ includes EU Agencies, such as Europol - the EU Agency for law enforcement cooperation, Frontex - the EU Border and Coast Guard Agency, EPPO - the European Public Prosecutor’s Office, Eurojust - the EU Agency for Criminal Justice Cooperation. Therefore our role in this area was particularly important, given the sensitive nature of the information being processed, and the considerable impact this may have if mishandled.

3.1.2.
Transfers of personal data to non EU/EEA countries

The topic of international transfers of personal data to countries outside the EU or the European Economic Area (EEA) also commanded our attention increasingly over the years, including in 2022, demanding us to mobilise substantial resources so that the level of protection of individuals’ personal data is ensured.

To this end, we carried out a certain number of initiatives, and provided advice and recommendations on how EUIs should meet the requirements of EU data protection law when using services or entering into contracts with entities located outside the EU/EEA.

The use of non-EU/EEA products and services

Our initiatives include our ongoing investigations into EUIs’ use of products and cloud services from entities based outside the EU/EEA, in particular the European Commission’s use of Microsoft Office 365, the issuance of guidelines and policies, as well as providing trainings to EUIs. These efforts aim to raise EUIs’ awareness of the risks posed by using tools or conducting data processing activities that imply transfers of data outside the EU/EEA. We also aim to raise EUIs’ awareness of the contractual clauses and administrative arrangements, as well as other measures to put in place to ensure that individuals’ personal data is protected in an essentially equivalent way outside of the EU/EEA.

As part of our work in this area, and in light of our EDPS powers, we authorised a number of transfers of personal data to non-EU/EEA countries, where EUIs were able to prove robust procedures and safeguarding measures to ensure that these transfers guaranteed the protection of individuals’ personal data.

With the aim of leading by example in this field, we are also working towards using alternative products and services that are based in the EU/EEA, and we are encouraging EUIs to consider this as well.

3.1.3.
Auditing Large-Scale IT Systems

One of our key roles is to ensure the protection of personal data and privacy in the context of
large-scale IT systems in the Area of Freedom, Security, and Justice. One of our functions is to audit these systems to ensure that they comply with data protection and privacy regulations.

In carrying out our auditing function, we evaluate the technical and organisational measures put in place by system operators, ensuring that systems are designed with privacy-by-design principles.
We also promote best practices by sharing findings and recommendations from audits with other EU data protection authorities, fostering a culture of excellence in data protection and privacy across the EU.

With our auditing activities, we work to raise awareness amongst EUIs and the general public about the importance of data protection and privacy in large-scale IT systems. By fulfilling this vital role, we help safeguard the personal information of EU citizens and ensure that large-scale IT systems adhere to the highest data protection and privacy standards.

In October 2022 we carried out an onsite audit of three large-scale IT systems, at eu-LISA - European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice’s premises in Strasbourg:

Eurodac, the European Asylum Dactyloscopy Database, which assists in the processing of asylum applications.

SIS II, which supports internal security and the exchange of information on individuals and objects between national police, border control, customs, visa and judicial authorities.

VIS, which supports the application of the EU common visa policy and facilitates border checks and consular cooperation.

The audit included the review of methodology and practices eu-LISA employs to develop and test systems whilst ensuring that security and data protection by design and by default principles are applied. Additionally, we audited the measures related to IT Security Governance, security incidents and personal data breaches, and we checked the application of the recommendations from our previous audits.

3.2.
Protecting our independence

New Europol Regulation: EDPS legal action in the Court of Justice of the
European Union

On 16 September 2022, we requested that the Court of Justice of the European Union (CJEU) annuls two provisions of the newly amended Europol Regulation, which came into force on 28 June 2022 (Case T-578/22 – EDPS v Parliament and Council). The two provisions have an impact on personal data operations carried out in the past by Europol. In doing so, the provisions seriously undermine legal certainty for individuals’ personal data and threaten the independence of the EDPS.

3.3.
Shaping a safer digital future

As set out in our EDPS Strategy 2020-2024, we value initiatives where data generated in Europe is converted into value for European companies and individuals, and processed according to European values, to shape a safer digital future. Following this direction, we provided advice to the EU legislator on a wide range of matters: health, artificial intelligence, initiatives to help combat crime, for example.

We normally provide advice to the EU legislator on proposed legislation in the form of Opinions or Formal Comments. Our Opinions are issued in response to mandatory requests by the European Commission, which is legally obliged to seek our guidance on any legislative proposal, as well as recommendations and proposals to the Council in the context of international agreements with an impact on data protection. Formal Comments are issued in response to a request from the European Commission on draft implementing or delegated acts.

Where a legislative or other relevant proposal is of particular importance for the protection of personal data, the European Commission may also consult the European Data Protection Board (EDPB). In such cases, the EDPS and EDPB work together to issue a Joint Opinion.

The EU Data Act

We issued a Joint Opinion with the EDPB on the proposal for the Data Act, which aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (‘Internet of Things’), medical or health devices and virtual assistants.

The Opinion highlighted that data must be processed according to European values if we aim to shape a safer digital future. As new opportunities for data use are created, it must be ensured that the existing data protection framework remains fully intact. We also underscored that access to data by public authorities should always be properly defined and limited to what is strictly necessary and proportionate, which is not the case under the draft Data Act.

The European Health Data Space

We also issued a Joint Opinion on the Proposal for the European Health Data Space in which we advocated for strong protection of electronic health data.

The Proposal for the European Health Data Space is the first of a series of proposals for domain-specific common European data spaces. It will be an integral part of building a European Health Union aiming at enabling the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data.

Together with the EDPB, we expressed several concerns, notably on the secondary use of electronic health data.

Artificial Intelligence

As highlighted in our EDPS 2020-2024 Strategy, Artificial Intelligence (AI) is increasingly deployed in public services and criminal justice. Our role is to ensure that this new technology is used in compliance with EU data protection law and respects individuals’ privacy.

In addition to other initiatives we have produced, or participated in, we issued an Opinion on the Recommendation for a Council Decision authorising the opening of negotiations on behalf of the European Union for a Council of Europe convention on artificial intelligence, human rights, democracy and the rule of law (AI Convention), which we consider as an important step to develop the first legally binding international instrument on AI according to the European standards and values on human rights, democracy and the rule of law, complementing the EU Artificial Intelligence Act.
Nevertheless, we highlighted the need to include appropriate, strong and clear data protection safeguards to protect individuals who may be affected by the use of AI systems.

Combatting crime

We issued a selection of Opinions on diverse Proposals in the field of criminal law.

For example one of our Opinions, jointly issued with the EDPB, focused on a proposed Regulation to prevent and combat child sexual abuse (CSAM). We expressed support to the goals and aims of the Proposal, whilst, however, expressing concern that it may present more risks to individuals, and, by extension, to society at large, than to the criminals pursued for CSAM.

Another notable example where we provided our recommendations and guidance concerned the topic of international cooperation to fight crime. In particular, we issued an Opinion on two Proposals: one to authorise EU Member States to sign the Second Additional Protocol to the Budapest Convention on Cybercrime, and the other to authorise EU Member States to ratify this same Protocol.

Whilst investigating and prosecuting crime is a legitimate aim, for which international cooperation, including the exchange of information, plays an important role, we emphasised the importance for the EU to have sustainable agreements for sharing personal data with non-EU countries for law enforcement purposes. These agreements should be fully compatible with EU law, including the fundamental rights to privacy and data protection.

3.4.
The Future of Data Protection: Effective Enforcement in the Digital World

In June 2022, we organised our EDPS Conference, titled “The Future of Data Protection: Effective Enforcement in the Digital World”, which brought together over 2,000 participants, both in Brussels and online. Featuring over one-hundred speakers; three main sessions; sixteen breakout sessions;
nine individual keynote remarks; and five side events. The two-day event fostered crucial conversations on the future of data protection, with a particular focus on the enforcement of the General Data Protection Regulation (GDPR).

Our long-term vision for the future of data protection is clear: it is necessary to approach enforcement in a pan-European way to ensure real and consistent high level protection of individuals and to deliver the promise of the GDPR.

3.5.
Technology Monitoring & Foresight

One of the three core pillars of the EDPS strategy for 2020-2024 is foresight, namely, our commitment to being a smart institution that takes the long-term view of trends in data protection and the legal, societal and technological context.

One of the ways we put foresight into practice is to engage with experts, specialists and data protection authorities. We aim to understand technologies, analyse their privacy and data protection implications on individuals, with the aim of sharing knowledge and nudging the development of these new and emerging technologies in a privacy-compliant way. TechSonar and TechDispatch are two of our initiatives in this area.

TechSonar aims to anticipate emerging technology trends. The main aim of this initiative is to better understand future developments in the technology sector from a data protection perspective. Based on our collective effort, via scouting of trends, brainstorming, review, publishing, advocacy and continuous monitoring, we aim to contribute to the wider debate on foresight within the EUIs. Published on 10 November 2022, the second annual TechSonar report delves into five technologies worth monitoring this upcoming year. These are: central bank digital currency; metaverse; synthetic data; federated learning; and fake news detection systems.

TechDispatch aims to explain emerging technology developments. The TechDispatch reports, for which we won a Global Privacy Assembly award in 2021, are part of the wider EDPS activities on technology monitoring. Each TechDispatch provides factual descriptions of a new technology, preliminarily assesses possible impacts on privacy and the protection of personal data, as we understand them now, and provides links to further recommended reading. This year’s TechDispatch, published in July 2022, focuses on Fediverse and Federated Social Media Platforms.

3.6.
Digital Innovation

Promoting data protection friendly tools that respect, and prioritise, individuals’ fundamental rights throughout their development and use is one of our core aims of the EDPS Strategy 2020-2024. To match these objectives, we have sought, and continue to seek, alternative tools, particularly communication and collaborative tools, that comply with EU data protection laws and standards.
By using these alternative tools ourselves, we aim to encourage EUIs to follow our example. This way, we can collectively minimise our reliance on monopoly providers, to avoid detrimental lock-in.

We play a significant role in promoting digital innovation by leading by example, for example by using open-source applications and platforms that offer privacy-friendly alternatives to products and services provided by big tech companies. Our commitment to privacy extends to both social networks and collaboration tools, with initiatives such as EU Video, EU Voice, and the pilot Nextcloud projects.

In February 2022, we launched the pilot phase of two social media platforms: EU Voice, to publish regular posts on our activities, and EU Video, to publish videos, as additional, alternative, communication channels to interact with our audience. Both platforms are part of decentralised, free and open-source social media networks that connect users in a privacy-oriented environment, based on Mastodon and PeerTube software. Both projects emphasise data protection and user privacy, ensuring that EUIs have access to communication tools that align with European values and principles, without compromising their personal information.

In addition to social networks, we support the adoption of alternative collaboration tools that prioritise privacy. The pilot Nextcloud project is a prime example of this commitment. Nextcloud is an open-source, self-hosted cloud platform that allows users to securely store, share, and collaborate on files, calendars, and contacts. By promoting and using privacy-conscious tools like Nextcloud, we demonstrate a commitment to fostering a digital ecosystem that upholds data protection and privacy principles, ultimately encouraging the development of innovative and more privacy-friendly alternatives.

In June 2022, during the EDPS conference “The Future of Data Protection: Effective Enforcement in the Digital World”, we also developed a bespoke videoconferencing solution which fully respected the data transfer requirements under the GDPR and Regulation (EU) 2018/1725, allowing us to lead by example and pave the way for compliance with data protection requirements. As the data protection authority competent for supervising all EUIs, it was important to us to show that it is possible to demonstrate exemplary compliance when it comes to videoconferencing tools, and in particular to comply with data transfers rules when it comes to transferring personal data to countries outside of the EU and EEA.

3.7.
Communicating data protection

Explaining what we are doing and why, in a transparent, clear, and interactive way is part of our goals as an organisation, because it is important for EU citizens to understand their data protection rights, and how these may be impacted.

An increasingly growing online presence

The EDPS has a well-established online presence on several social media channels, namely Twitter (29,1k), LinkedIn, where we have exceeded 63.000 followers this year, YouTube (2,75k), EU Voice (5,1k) and EU Video (0,69k) with which we are able to us to reach a global audience easily and quickly.

At large, we create content to promote visibility-enhancing campaigns and also live-reporting of the EDPS’ participation in events.

Bringing data protection closer to the public

Data protection can be quite complex at times; hence, we put our effort to issue content that suits both experts and non-experts in data protection matters, bringing our work closer to the public.

This includes producing monthly newsletters, providing short, bite-size explanations about our latest initiatives and how these may impact the public; producing factsheets, in which we break down key data protection concepts, as well as executing social media campaigns, and collaborating with other EUIs to raise awareness on data protection matters. Going further in this direction this year, we launched a new podcast series, Newsletter Digest, to reach out to a larger audience, informing them about what we do to protect their data.

Media and Public Relations

We frequently interact with the media, especially through our press releases on significant data protection initiatives having a wide impact across the EU. This year, several topics garnered the most attention, with follow-ups or interview requests, such as the supervision of Europol and Frontex, or our EDPS Conference in June.

Likewise, we maintain our relationship with the public, by addressing public requests on our work and competences as an EU institution, and by organising study visits in our premises.

Picking up the pace after COVID-19

As the COVID-19 restrictions were gradually minimised, we were able to resume events, increase
in-person activities, whilst still adapting these events to a post-COVID world. Our events and activities were designed for both online and in-person attendance; at the same time, this helped us reduce our environmental impact as an organisation. Markedly, we successfully hosted two large hybrid events: the Conference on “The Future of Data Protection: Effective Enforcement in the Digital World” in June 2022, hosting 2000 people both online and in-person, and our “Supervision Conference: Data protection and criminal justice” in November 2022, with over 200 people both online and in-person. For most of our events, we have put our best foot forward to go “greener” by sourcing from local catering, avoiding food waste and sourcing our brand material locally and made from reusable materials.

Collaborative Communication

In 2022, we have worked with other EUIs, collaborating on common communication activities.
In October, we joined forces with ENISA - the European Union Agency for Cybersecurity, and the European Commission, to put forward a campaign for the European cybersecurity month (ECSM), marking its 10th anniversary. In another instance, we provided ideas and support in data protection matters for the purposes of inter-institutional online communication (IOCC). In particular with EU Voice and EU Video pilot project, we extensively cooperated with IOCC in order to provide editorial guidelines and servers’ policies as well as to help EUIs taking part in the project.

3.8.
An evolving organisation

To support our objectives, in particular those set out in our EDPS 2020-2024 Strategy, we have expanded our organisation, and made other changes to better reflect our way of working.

We adjusted the internal organisation of the EDPS, creating a dedicated Legal Service, and the Governance and Internal Compliance Sector, to bring about the necessary expertise to be able to carry out certain tasks.

Delivering on our goals also means that we must manage our resources carefully. In this respect, substantial effort was invested in the planning, executing and auditing our budget.

We also made the necessary preparations to open an EDPS liaison office in Strasbourg, which will be officially inaugurated in early 2023, to reinforce inter-institutional and international cooperation, and to be able to provide additional advisory support on data protection matters.

Key Performance Indicators 2022

We use a number of key performance indicators (KPIs) to help us monitor our performance in light of the main objectives set out in the EDPS Strategy. This allows us to adjust our activities, if required, to increase the impact of our work and the effective use of resources.

The KPI scoreboard below contains a brief description of each KPI and the results on 31 December 2022. These results are measured against initial targets, or against the results of the previous year, used as an indicator.

In 2022, we met or surpassed - in some cases significantly - the targets set in eight out of nine KPIs, with one exception being KPI8 - Occupancy rate of the establishment plan. These results illustrate well the positive path we have kept in implementing our strategic objectives throughout the year.

Our overarching aim as the data protection authority of EU institutions, bodies, offices and agencies (EUIs) is to ensure that they comply with the applicable EU data protection law, Regulation (EU) 2018/1725, so that individuals’ fundamental rights to privacy and data protection are duly respected.

To help achieve this, we provide EUIs with guidance, recommendations, training sessions and other resources, to equip them with the adequate tools to put data protection into practice throughout their day-to-day tasks, decisions or measures requiring the processing of individuals’ personal data.

Whilst we share advice with EUIs on many different topics, special focus this year was put on adapting our guidance regarding COVID-19’s evolving situation, activities involving transfers of personal data outside the EU/European Economic Area (EU/EEA), cooperating with EUIs’ data protection officers, to name a few examples.

We also placed particular importance on holding EUIs accountable for their actions impacting privacy and the protection of personal data, by conducting investigations, addressing complaints and carrying out audits, when and if necessary.

4.1.
COVID-19: monitoring data processing activities

In 2022, we continued to provide EUIs with the support they needed to adapt their measures related to COVID-19 as the situation evolved, by, for example, helping them make an inventory of the measures introduced during this health crisis to ensure that these are temporary, thus avoiding excessive collection of individuals’ personal data that may no longer be necessary.

4.1.1.
Adapting and updating our guidance

In March 2022, we published a report on the new processing operations and IT tools that EUIs introduced during the COVID-19 pandemic to ensure business continuity. This included, for example, IT tools used or enhanced by EUIs to enable teleworking, new processing operations put in place by EUIs in charge of tasks related to public health. Our report notably addressed compliance of these activities with Regulation (EU) 2018/1725.

We published this report with acknowledgement that the dynamic evolution of a global health crisis, such as COVID-19, means that EUIs have had to continually adapt their processing operations.
With this report, we aimed to support them in what appeared to be a long-lasting challenge, which will likely continue to have an impact in the coming years. Adoption of this report enabled us to provide further guidance to EUIs with regard to data protection aspects that deserve closer consideration. Indeed, reporting on EUIs’ activities allowed us to take stock of issues, actions and progress made during the pandemic.

The results of the survey, displayed in the report, also play a vital role in informing our work and fed into our mission of updating and developing guidance for EUIs and their respective data protection officers, to ensure that individuals’ personal data is protected.

4.1.2.
Data protection implications of COVID Passes

In 2022, we also continued to deliver a number of Opinions on matters related to COVID-19.

The use of COVID certificates and passes, to access EUIs’ buildings for example, and the implications that these may have on individuals’ data protection, remained a topic where our guidance was needed. We delivered three Supervisory Opinions covering this issue, in which we highlighted the importance of ensuring that measures introduced during a global health crisis, like COVID-19, should be limited in time and only to the extent that they are necessary and proportional in light of the objectives pursued, especially given the increase of data collected during COVID-19. We also made it clear that personal data initially collected for the management of this health crisis should not be repurposed for other objectives. EUIs should also review the evolution of the epidemiological situation, and modify or abort their measures accordingly.

In our Opinion concerning the verification of COVID-19 certificates in Luxembourg, we urged the European Commission (EC) to review whether extending the verification of COVID-19 certificates to individuals who are neither staff members, nor visitors of their premises, was necessary and proportional. Furthermore, we recommended that additional information is included in the draft Decision concerning the application of appropriate safeguards for carrying out and verifying COVID-19 self-diagnostic tests.

We also issued an Opinion on the requirements of using a Super Green Pass to access the Joint Research Centre (JRC) site. We advised the EC to assess and document whether it is necessary and proportional to use this pass to enter the JRC.

Recommendations were also submitted to the European Parliament (EP) in response to the EP’s decision to extend the use of the EU Digital COVID-19 certificate (EUDCC) to all individuals entering the EP’s building. In particular, we asked the EP to further clarify the circumstances and modalities in which a manual verification of the EUDCC may take place, under the institution’s internal decisions.
In addition to assessing whether national health and safety legislation is applicable, we recommended that the EP verifies if appropriate technical and organisational measures were put in place, in line with the Regulation (EU) 2018/1765, to protect individuals’ health data.

4.1.3.
Sensitive information: processing health data

We also adopted an Opinion on the processing of certain health data related to medical vulnerability and COVID-19, by the European Investment Bank’s (EIB) Occupational Health Service.

Given that individuals’ health information is sensitive, we reminded the EIB that this type of data can only be processed for specific reasons, such as public health, and that if processed, the EUI should put in place suitable and specific measures guaranteeing that the processing is done in a secure way.

We also highlighted that the processing of health data should be conducted in a transparent and fair way, by providing clear information to individuals about how their health data is processed, for example. Complementing our other recommendations, we advised that this data should only be processed by staff bound by professional secrecy.

4.2.
Protecting individuals’ personal data in EUIs

Whether EUIs outsource some of their activities, conduct recruitment procedures or any other initiatives, we support them to cultivate a mindset of treating the protection of individuals’ personal data as a priority, by providing them with tailored advice when we are consulted on specific matters, or when we deem it necessary.

4.2.1.
Outsourcing activities: defining data protection responsibilities

When outsourcing certain activities, EUIs may face several data protection implications.

In such cases, EUIs may be confronted with issues of responsibility, such as defining who is responsible for the purpose, type and means of processing personal data - known as controllers, and who is responsible for processing personal data - known as processors. This information, as well as the circumstances in which personal data may be processed, must be known to the concerned EUI to ensure the protection of individuals.

Against this background, EUIs often request our advice on whether external service providers should be considered as joint or separate controllers, or processors.

For example, we issued an Opinion in April 2022 regarding the status of legal advisers and other private services procured by the European Investment Bank (EIB). We recommended that, in order for private service providers to only act as processors, and for the EIB to maintain control over these processing operations, detailed instructions on the processing of personal data should be provided by the EIB. Additionally, in its capacity as controller, the EIB must ensure that contracts governing the processing activities include the responsibilities and tasks of the processor, as well as information on individuals’ data protection rights.

In two other of our Opinions, we advocated that an EUI should not be considered as a controller when processing is carried out by an external service provider, when the latter is subject to specific legal requirements regarding the processing of personal data.

Ultimately, the qualification of a service provider as a controller or processor should be the result of careful consideration by the EUI on the role it aims to and must play, depending on the nature, scope, context and purposes of the processing.

4.2.2.
Restricting individuals’ rights

We issued a Supervisory Opinion, in October 2022, on the processing of personal data for historical archives by the European Central Bank (ECB), the EU institution in charge of supervising banks and the financial system of the EU.

Under EU data protection law, EUIs are allowed to derogate from certain data protection rights of individuals, for example when personal data is processed for archiving purposes in the public interest, subject to certain conditions.  

The EDPS’ main recommendations included in its Supervisory Opinion are the following:

• the ECB should ensure that it provides information to individuals about the subsequent transfer of their personal data to the historical archives at the same time as providing information about the processing of their personal data when it is initially collected;
• the ECB should clarify certain concepts, such as the concept of “sensitive personal data” envisaged for processing;
• contrary to what the ECB currently envisages, the right to data portability - a right that gives an individual the possibility to receive their personal data in a machine-readable format to be able to transmit it to another controller - should not be subject to a derogation, as it appears that this right is not applicable in the archiving context; and
• the ECB should seek support from their data protection officer before taking any decision to derogate from individuals’ data protection rights.

4.2.3.
Processing employees’ personal data

In 2022, Eurojust, the EU Agency for Criminal Justice Cooperation, sought our advice concerning the data protection implications of a new activity-recording tool to record the amount of time dedicated to various activities laid down in the Annual Work Plan by human resources to conduct activities more efficiently. This tool would imply the processing of the personal data of EUIs’ employees.

Whilst the activity-recording tool may greatly benefit Eurojust, we expressed our scepticism towards the data processing operations which will be performed when the tool is deployed.

In our Opinion, we recommended that an executive decision, stating the exact terms of the processing operation, is included by Eurojust to complement Eurojust’s Financial Regulation.
This would include the purpose of processing; the criteria to determine the controller; the type of data subjected to processing; the purpose for which this data is processed; as well as several other measures necessary to guarantee lawful and fair processing.

Furthermore, we strongly advised the institution to double-check if the specificity of the activities and the size of the Units allow for the singling out of individuals. If this turns out to be the case, we advised that Eurojust adapts the information provided to individuals accordingly. Finally, we expressed our view that the legal framework in the contract entered between Eurojust, the processor and the
sub-processor, should be updated.

4.2.4.
Data protection and competition law

In May 2022, we also issued a Supervisory Opinion pertaining to the processing of personal data in the context of competition law investigations, highlighting that Regulation (EU) 2018/1725 and EU competition law rules should be applied in a manner that is mutually compatible and enables them to be applied consistently.

4.3.
Conducting data protection audits

Audits are one of the tools we use to verify how data protection is applied in practice in EUIs.
During an audit, we are able to verify compliance on the spot, and make recommendations when identifying areas for improvement. We sometimes share our findings publicly to promote public awareness of the risks, rules, safeguards and rights related to the processing of individuals’ data.

In 2022, we conducted a total of 6 audits concerning:

• Europol - the EU Agency for Law Enforcement Cooperation;
• Frontex - the European Border and Coast Guard Agency;
• three large-scale information systems operated centrally by eu-LISA: the Visa Information System, the Schengen Information System II and Eurodac;
• e-recruitment procedures at ESMA - the European Securities and Markets Authority;
• the CdT - the Translation Centre for EUIs.

Due to the improved COVID-19 situation, we were able to conduct five of our audits in-person - known as on-the-spot audits, and only one audit was conducted remotely.

Two of our on-the-spot audits this year concerned Europol and Frontex on their data protection activities. We also carried out three on-the-spot audits at eu-LISA, where we checked data protection compliance when using large-scale information systems, specifically the Visa Information System, the Schengen Information System II, which are systems used in the EU for border management, and Eurodac, the EU’s fingerprint database for identifying asylum seekers and irregular migrants.

4.3.1.
E-recruitment procedures

Our only remotely-conducted audit involved the processing of personal data in the context of recruitment, specifically when carrying out online assessments with remote invigilation adopted by a number of EUIs to adapt to the new circumstances of the COVID-19 pandemic.

Upon completing our audit on EUIs’ e-recruitment processes, we recommended to assess whether practicing e-recruitment procedures is necessary post-COVID-19, whether a data protection impact assessment is required to assess the impact on individuals’ personal data in this context; and to reconsider transfers of personal data when using a contractor located outside the EU/EEA to carry out the e-recruitment process.

We are currently assessing how the audited EUIs responded to these recommendations. By ensuring that our guidance is applied in this area, we aim to protect individuals.

4.3.2.
Schengen: privacy and freedom of movement

As part of our auditing work, and as the supervisory authority of certain EU’s large-scale IT systems, we contributed, as an observer, to the Schengen Evaluation and Monitoring Mechanism (SCHEVAL) in the area of data protection.

SCHEVAL is a peer evaluation exercise assessing whether the rights and obligations related to Schengen (Schengen evaluations) are correctly applied by its members, which includes most EU Member States and several non-EU countries, and aims to enhance the freedom of movement for millions of individuals.

In 2022, we participated in four SCHEVAL missions in Luxembourg, Spain, Iceland and Denmark.
In particular, we contributed to assessing the role and powers of national data protection authorities (DPAs), as well as the data protection rules, including transparency and security, applied to the Visa Information System and Schengen information System databases, and pushed for public awareness and cooperation amongst DPAs.

Our participation in SCHEVAL is one of the opportunities we have to constructively cooperate in the work of EU Member States’ DPAs, and therefore ensure that data protection law is applied in a consistent and coherent way across EU.

4.4.
Handling complaints

Whilst we dedicate a large part of our resources to provide EUIs with timely advice on their activities impacting individuals’ privacy and personal data, we also investigate complaints submitted by individuals who believe their data protection rights have not been respected by EUIs.

It is our duty to ensure that EUIs lead by example on data protection matters, and that they are held accountable if they fail to comply with data protection laws. In doing so, we help protect individuals’ fundamental rights and enable them to take ownership of their personal data.

In 2022, we received 367 complaints; that’s 47 more complaints than in 2021. Out of the 367 complaints handled, 65 were admissible and 302 were inadmissible. A complaint may be inadmissible, and therefore cannot be addressed by us, if, for instance, they are against private entities, national authorities and/or international organisations. During the year, the EDPS handled and finalised 47 complaint cases.

In 2022, we issued our first complaint decision that implemented the Schrems II judgment of the CJEU.

The complaint was lodged by 6 members of the European Parliament (EP) and concerned alleged infringements relating to information to be given to individuals and transfers or personal data to the United States of America (USA), in relation to an EP’s website that offered COVID-19 testing to its staff members.

Following an extensive investigation of the complaint, we found a number of infringements, in particular, the EP’s failure to fulfil its responsibilities as controller, its failure to use a processor that provides sufficient guarantees to implement appropriate technical and organisational measures, and its failure to comply with the principles of transparency and accountability, and uphold individuals’ right to information and access to their data.

Furthermore, we found that the EP should not have relied on standard contractual clauses without having demonstrated that the personal data transferred to the USA were given an essentially equivalent level of protection.

In addition, we concluded that the EP used a tracking cookie without properly informing individuals. We decided to issue a reprimand to the EP for its infringements of Regulation (EU) 2018/1725, as well as an EDPS Order to update its data protection notices on the concerned website, in order to provide all relevant information relating to the processing of personal data. In determining the corrective powers to use, we took into account the possibly large number of individuals affected by the aforementioned infringements and the impact these had on their fundamental rights and freedoms, as well as the processing’s duration.

In 2022, we also handled a complaint concerning an alleged infringement of Regulation (EU) 2018/1725 in the handling of a public access to documents request (ATD).

According to the complainant, the EUI disclosed their personal data to a third party when it gave access to un-redacted documents when responding to an ATD. The person that had made the ATD informed the controller about the possible personal data breach, but the EUI did not report the breach to the EDPS in a timely manner, nor did it inform the complainant about the breach, as it failed to detect the incident as a breach of Regulation (EU) 2018/1725.

We found that the EUI, as a consequence of its failure to identify and immediately react to the data breach, had indeed failed to notify the breach to us within the deadline prescribed by Regulation (EU) 2018/1725, and failed to communicate the data breach to the complainant. We decided to reprimand the EUI for these infringements.

Zoom in on our complaint procedures

The data protection law for EUIs, Regulation (EU) 2018/1725, states that the EDPS must handle complaints and investigate the subject matter of the complaint, to the extent that is appropriate.
To ensure that we handle complaints in an efficient and relevant way, we have reviewed this year our rules of procedure and added the requirement that complainants should, in principle, lodge a complaint within two years after becoming aware of the facts.

Our main reasons for deciding not to handle older cases are threefold. Firstly, for reasons of accuracy. Cases where the facts occurred a long time ago are always more complicated to investigate.
Fact-finding becomes difficult, for example, due to organisational or structural changes, such as relevant employees retiring or leaving the EUI concerned. As such, the likelihood of establishing that an infringement has occurred is much lower.

Secondly, for reasons of legal certainty. Handling older cases may mean that we need to continue analysing facts under the previous data protection regulation applicable to EUIs, Regulation (EC) 45/2001, which is no longer in force.

Thirdly, for reasons of good administration. Older complaints often mean that the current impact on the individual is lower. This could be because they are no longer employed by the EUI in question or simply because of the passing of time. We have therefore decided to concentrate our efforts on handling more recent cases where the current impact on individuals is higher and our decisions will have a greater effect.

In exceptional and duly motivated cases, we can nevertheless decide to investigate complaints that are lodged outside of the deadline if, for example, there were legitimate reasons for the complainant not to act in time or if the alleged infringements are serious.

4.5.
International data transfers

As the data protection authority of EUIs, we have the power to open an investigation when we have a strong suspicion that an EUI may have breached EU data protection law. By opening an investigation, we aim to check whether an infringement of the applicable data protection rules, in particular the Regulation (EU) 2018/1725, has occurred and to establish its circumstances.

The topic of international transfers - when personal data is transferred to countries or entities outside the EU or European Economic Area (EEA) - has garnered our attention increasingly over the last few years, demanding us to mobilise a significant percentage of our resources into tackling and monitoring related issues. This topic is particularly relevant given EUIs’, including the EDPS, reliance on products and services from entities based outside the EU/EEA.

Our main goal in this area is to ensure that there is an essentially equivalent level of protection of individuals’ personal data outside the EU/EEA as guaranteed in the EU/EEA. Pursuing this objective, we have developed strategic advice for EUIs, opened investigations and used our corrective or authorisation powers when necessary.

In particular, our investigations in 2022 focused on transfers of personal data to non-EU/EEA countries, specifically looking at EUIs’ contracts with private entities, in particular large ICT providers. We also looked at arrangements between EUIs and non-EU/EEA countries or public bodies, or international organisations.

Aiming to lead by example in this area, we are working towards using alternative products and services that are based in the EU/EEA, and encouraging EUIs to consider the use of such EU/EEA-based products and services.

4.5.1.
Ongoing investigations following the Schrems II judgment

Following the 2020 Schrems II Judgment of the Court of Justice of the European Union, reaffirming the importance of maintaining a high level of protection of personal data transferred from the EU to non-EU/EEA countries, we issued a strategic document aiming to monitor EUIs’ compliance with the judgement.

Upon executing the EDPS’ Schrems II strategy, we found that the levels of awareness and compliance with EU data protection law amongst EUIs when carrying out transfers of personal data outside the EU/EEA appeared to be relatively low. However, since the EDPS’ 2020 Order to all EUIs to carry out a transfer mapping exercise, and further guidance, the overall level of awareness and compliance in this area has progressed. Nevertheless, there is a need for further improvement, especially when it comes to implementing measures that will, in addition to contractual measures, mitigate the risks arising from non-EU/EEA legislation.

As part of our Schrems II strategy, we decided to focus our investigative activities on EUIs’ use of cloud-based services. The use of cloud-based services frequently raises questions related to the role of the providers and data transfers. These are areas where critical compliance issues with Regulation (EU) 2018/1725 and Schrems II judgment can occur.

The investigations that we are carrying out in this area are part of a continuous cooperation between the EDPS and the EUIs to ensure a high level of protection of the fundamental rights to protection of personal data and to privacy. We also aim to highlight the need to properly assess the necessity and proportionality of the personal data processing in cloud services, including looking into alternative solutions or providers that imply less interference with fundamental rights.

In May 2021, we launched two EDPS investigations in particular. One concerns all EUIs, covering transfers of personal data when using cloud services provided by Microsoft and Amazon Web Services under Cloud II contracts. The other investigation concerns the European Commission’s use of Microsoft Office 365. The two investigations were pursued in 2022 and will continue in 2023. They are
complex - both in terms of substance and procedure - and require significant investment of resources.

4.5.2.
A pre-investigation: international data transfers

In 2022, we pre-investigated the use of the cloud service Trello, a US-based company, by an EUI.

During our pre-investigation, we requested information that could prove EUIs’ compliance with the requirements set out in Chapter V of Regulation (EU) 2018/1725 concerning transfers of personal data outside EU/EEA countries. These requirements include, for example, ensuring that the level of protection of individuals guaranteed by that Regulation is not undermined when their personal data is transferred outside the EU/EEA. We also asked for information on whether the processing of individuals’ personal data was processed in a secure way. This information was necessary to determine whether to open a formal investigation.

In the course of our pre-investigation, we were informed by the EUI in question that it had not given its approval for the use of Trello by its employees. The EUI also informed us that it would carry out its own IT assessment of Trello and that it would issue a recommendation to its departments not to use this tool.

4.5.3.
A complete investigation: reprimanding Frontex

On 1 April 2022, we reprimanded  the European Border and Coast Guard Agency (Frontex) for a breach of Regulation (EU) 2018/1725.

We issued this decision following an investigation on Frontex’s move to a hybrid cloud consisting of Microsoft Office 365, Amazon Web Services (AWS) and Microsoft Azure, following an investigation initiated in June 2020.

Our investigation looked at Frontex’s compliance with Regulation (EU) 2018/1725, taking into account EDPS Guidelines on the use of cloud computing services issued in 2018, which outline the approach that EUIs should take to ensure the protection of personal data when considering the option of using cloud computing services for their IT systems.

We found that Frontex moved to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for processing.

Frontex also failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution, Microsoft 365, was the outcome of a thorough process whereby the existence of data protection compliant, alternative products and services meeting Frontex’s specific needs were assessed.

In addition, Frontex failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes. Therefore breaching the accountability principle, as well as its obligations as a controller and the requirements of data protection by design and by default - which are principles to apply throughout the use and development of technologies, to ensure that these are privacy compliant.

On top of the reprimand, we ordered Frontex to review its Data Protection Impact Assessment and the Record of Processing activities relating to the processing of personal data in cloud services.

We stressed that it is the controller’s responsibility towards competent authority and towards individuals whose data is processed to clearly identify the activities requiring the processing of personal data and to assess the impact on individuals’ fundamental rights. This analysis must be carried out properly before taking any decisions to process personal data.

4.5.4.
Tools to transfer personal data: contractual clauses and administrative arrangements

We are regularly requested to authorise transfer tools, notably contractual clauses and administrative arrangements, which are one of the ways EUIs are able to transfer personal data to non-EU/EEA countries or international organisations, whilst still ensuring that individuals’ information is adequately protected. In 2022, we granted authorisations both for contractual clauses and administrative arrangements.

When granting authorisations to EUIs, we highlighted that transfers of personal data may only occur if done in compliance with EU law. This implies that the protection of individuals’ data is essentially equivalent as guaranteed in the EU/EEA.

We also provide suggestions on how to carry out transfer impact assessments which help identify necessary effective supplementary measures that should be put in place in the context of transfers.

With our guidance, we always emphasise that if no essentially equivalent level of protection is ensured, notably with effective supplementary measures, the transfers will not be allowed. We also underscored the importance for EUIs to remain in control of the whole chain of processing and that EU law is respected, in particular in case of transfers.

This work is part of our strategy to ensure that ongoing and future international transfers comply with the EU Charter of Fundamental Rights, applicable EU data protection legislation and the Schrems II judgement of the CJEU.

Data transfers in the field of air traffic management

In December 2022, the EDPS authorised an Administrative Arrangement between the Single European Sky ATM Research 3 Joint Undertaking (SESAR) and the European Organisation for the Safety of Air Navigation (Eurocontrol). An Administrative Arrangement maps out the procedures, safeguarding measures, and other relevant measures to ensure that transfers of personal data outside the EU or the EEA or to international organisations are carried out whilst ensuring an essentially equivalent level of protection of individuals’ personal data to that guaranteed inside the EU and the EEA.

SESAR is a European public-private partnership that aims to help Europe’s aviation infrastructure and related technologies to be better prepared for future demands in this area. Eurocontrol is a member of SESAR. SESAR staff will be moving to Eurocontrol’s premises and will benefit from Eurocontrol’s logistics and infrastructure support, such as IT resources, access control services, etc., which involve transfers of personal data.

Upon assessing the Administrative Arrangement in question, we commented on a number of recurring issues that come up in cases involving transfers to international organisations. In particular, we recommended that an independent oversight mechanism, functionally autonomous within Eurocontrol, is put in place. This independent oversight must also have the authority to issue decisions binding Eurocontrol. We also advised that a mechanism that enables individuals to obtain effective redress and remedies free of charge, including compensatory measures, is put in place as well.

As a way to resolve some of these issues, Eurocontrol aims to modernise its data protection framework by the end of 2023. In the meantime, Eurocontrol and SESAR will rely on the International Court of Arbitration of the International Chamber of Commerce to fulfil the role of oversight and judicial redress temporarily. On that basis, we authorised the Administrative Arrangement temporarily, effective until 30 June 2024.

Communication tools and data transfers

In October 2022, we issued a Decision temporarily and conditionally authorising the use of contractual clauses between the Court of Justice of the EU (the Court) and Cisco Systems Inc. US, which provides online communication tools. The Court’s use of this tool and related services results in transfers of personal data of the Court’s users.

This Decision is a follow-up to an earlier Decision from August 2021, in which we imposed 11 conditions that the Court had to follow. Upon verification, we concluded that, while areas of partial or
non-compliance remained, the Court had taken steps towards complying with recommendations.

In our 2022 Decision, we reiterated the importance of taking into account the impact of privileges and immunities protecting EUIs’ data in the context of transfers of personal data. As a result of the specific legal context of EUIs, we also underlined the need to adapt, and seek the EDPS’ authorisation for the standard data protection clauses for transferring personal data adopted under the General Data Protection Regulation to the obligations under Regulation (EU) 2018/1725 applicable to EUIs.

Our 2022 Decision authorises the use of contractual clauses until 31 October 2024 and the Court must ensure compliance by 1 March 2024. We will verify this compliance gradually through reports submitted by the Court demonstrating actions taken to achieve this.

4.5.5.
The use of non-EU products and services: towards EU institutions’
compliance

In addition to our ongoing investigations into EUIs’ use of products and cloud services from entities based outside the EU/EEA, in particular the European Commission’s use of Microsoft Office 365, we have also issued guidelines and policies, as well as provided training sessions to EUIs.

These efforts aim to raise EUIs’ awareness of the risks posed by using tools or conducting data processing activities that imply transfers of data outside the EU/EEA. We also aim to raise EUIs’ awareness of the contractual safeguards and other measures to put in place to ensure that individuals’ personal data is protected in an essentially equivalent way outside of the EU/EEA.

Our guidance this year focused on ensuring that EUIs use services and products based outside the
EU/EEA only when strictly necessary, hence encouraging them to seek alternatives that would not involve international transfers. We also advised EUIs on how to renegotiate their contracts with providers to ensure that EUIs have full control over the processing of data, and how to use transfer tools provided in Regulation (EU) 2018/1725, such as standard contractual clauses and administrative arrangements properly to protect individuals.

Centralising our advice and recommendations provided to EUIs in this area, we published in April 2022 a short factsheet, in which we stressed that EUIs must ensure that the whole chain of processing by them and on their behalf meets the requirements of Regulation (EU) 2018/1725 to effectively protect the rights of individuals. When EUIs procure tools with which they process personal data or when they engage the services of processors to process personal data on their behalf, they bear legal obligations as the controller of that processing. In line with the principles of data protection by design and by default, EUIs must also consider the most data protection and privacy-friendly solutions.

Given the importance of this topic, we also actively participated in the ongoing 2022 Coordinated Enforcement Action (CEF) of the European Data Protection Board. The coordinated action, which started on 15 February 2022, includes a series of actions taken by 22 data protection authorities of the EU, including the EDPS, to ensure that public bodies in the EU and EUIs comply with EU data protection law when they use cloud-based services. The first results of the coordinated action were gathered in the EDPB Report on the 2022 Coordinated Enforcement Action.

4.5.6.
Seeking alternatives: using EU products and services

Being an independent supervisory authority does not only consist of monitoring how EUIs process personal data, but also means holding our organisation, the EDPS, accountable too.

Rallying all competencies together as an organisation, we analysed the data protection opportunities and challenges relating to the procurement of
Software-as-a-Service (SaaS) and other hosting services from an EU-based provider, between November 2021 and April 2022.

We identified the data protection requirements that needed to be considered, building criteria for selecting EU-based providers before launching any procurement procedures. In addition, we listed the data protection guarantees that the chosen provider would have to comply with. This included ensuring that processing only takes place in EU/EEA countries and that extra-territorial legislation of countries outside the EU/EEA does not apply. Furthermore, we established which technical, organisational and security measures must be put in place by the EDPS and the provider.

Leading by example as an organisation, by using alternative tools that respect individuals’ privacy, is a solid step towards making data protection by design and by default a reality. By demonstrating that this is possible, we, in turn, encourage other EUIs to follow this path. This is why we worked on procedures and negotiated the procurement of EU-based SaaS and other hosting services that EUIs can also benefit from. As such, we concluded and will lead an inter-institutional contract for the Nextcloud software hosted by TAS France. The services under this contract will be rolled out at the beginning of 2023 as a pilot project.

4.6.
Cooperating with EU institutions and their data protection officers

Building and maintaining a strong cooperation with EUIs, their employees and data protection officers allows us to work hand-in-hand to protect individuals’ personal data, according to EU data protection law.

4.6.1.
The network of data protection officers

To help bridge the gap between data protection law, in particular Regulation (EU) 2018/1725, and its practical application, we continuously foster collaboration with 70 data protection officers (DPOs) of the EUIs, which compose the network of DPOs, established over 18 years ago.

The role of DPOs has become increasingly important over the years, especially since the adoption of the General Data Protection Regulation and Regulation (EU) 2018/1765. With their knowledge of data protection, their EU institution and its activities, DPOs are able to provide independent, tailored advice and measures on data protection matters, whilst meeting the needs of their organisation.

As part of our collaboration with DPOs, two meetings are held each year. The objectives of these meetings are to take stock of the work done in the data protection field, and to approach challenges that have or may arise in a solution-focused way to achieve compliance with data protection law, and therefore protect individuals’ data. We can then provide support accordingly.

The two meetings held in 2022 were especially anticipated as it was the first time since 2019 that we were able to meet in person with the network of DPOs due to the COVID-19 pandemic. A group of DPOs, the DPO Support Group, actively contribute to their organisation, by suggesting topics for the agenda, preparing case studies and co-facilitating workshops, for example.

Amongst the multitude of topics discussed, particular focus was put on the use of social media by EUIs, personal data breaches, handling individuals’ requests to access their personal data, and other practical guidance based on issues either encountered by data protection officers, or issues that have been subject to case law. To maximise their interactivity, workshops, activities and presentations were organised to facilitate discussions amongst DPOs, and between DPOs and the EDPS.

These exchanges provide helpful feedback from DPOs, which, in turn, contribute to informing our work when producing guidelines, organising training sessions and providing advice.

4.6.2.
Delivering training

Another way we collaborate with DPOs and their EUIs is through the organisation of regular training sessions at the European School of Administration (EUSA).

We also organise on-demand training sessions which are tailored to the EUIs’ core activities and the related data protection challenges they may encounter. Participants of these training sessions are EUI’s members of staff, who may have a varied understanding of data protection, and their DPO(s).

A new, easily accessible data protection learning plan

To increase awareness on the topic of data protection even more and make it easier to comprehend, we launched in March 2022, a Learning and Development Plan (Learning Plan) for EUIs’ employees including a series of online training courses and recorded online talks prepared with EUSA.

The Learning Plan starts with an introduction to the data protection rules applicable to the EUIs – Regulation (EU) 2018/1725 (or EUDPR), with a course titled “EDPS course on Data Protection - EUDPR fast-track training course for practical application in your daily tasks”.

The advanced level of the Learning Plan is composed of various online talks, presentations, case studies. They provide detailed explanations on data protection rules and principles that apply when processing individuals’ personal data in different circumstances often encountered by EUIs and their staff when planning events, carrying out procurement procedures and other outsourcing activities, for example when using social media. It also focuses on the data protection implications of using ICT tools, on personal data breaches, and on transfers of personal data, as well as many other topics.

With this Learning Plan, EUIs’ staff can learn at their own pace, as these courses can be accessed at any time via the EU institutions’ learning platform, EU Learn.

Training sessions: a way to ensure data protection compliance

Additionally, we provided 22 training sessions to EUI staff, as well as externally, addressing for example students or judges.

Some training sessions covered the enabling and restricting of individuals’ data protection rights, such as their rights to access, rectification, erasure, in the context of EUIs’ selection procedures and other administrative enquiries. In other training sessions, the topic of data protection and audits was discussed. In particular, how to apply the principles of data minimisation and purpose limitation - to process only data that is strictly necessary for the objectives pursued - when audits are conducted by the EDPS.

In another series of training sessions, EUIs’ staff learned about common issues raised in recent DPA and judicial cases concerning social media. Issues discussed included the role of the social media platform provider, the reuse and sharing of data, data security, as well as pervasive tracking and profiling.
Training sessions were also organised on international data transfers (outside the EU/EEA) and the use of cloud services by EUIs.

This work is aligned with our greater efforts to provide EUIs with appropriate tools to enable them to effectively safeguard individuals’ personal data, when conducting their daily activities. It is crucial for EUI members of staff to acquire sufficient knowledge of data protection and be aware of their obligations under EU data protection law.

4.7.
Supervising the Area of Freedom, Security and Justice

As part of our work, we also supervise the data processing operations of the following bodies and agencies:

• the European Union Agency for Law Enforcement Cooperation (Europol);
• the European Union Agency for Criminal Justice Cooperation (Eurojust);
• the European Public Prosecutors’ Office (EPPO);
• the European Border and Coast Guard Agency (Frontex);
• the European Union Agency for Asylum (EUAA);
• the European Union Agency for the Operational Management of Large Scale IT Systems in the Area of Freedom, Security and Justice (euLISA).

These bodies and agencies are part of the Area of Freedom Security and Justice (AFSJ). AFSJ covers policy areas that range from the management of the European Union’s external borders to the judicial cooperation in civil and criminal matters. It also includes asylum and immigration policies, police cooperation and the fight against crime, such as terrorism; organised crime; trafficking of human beings; drugs.

With its patchwork of measures, the legal framework in the AFSJ is fragmented. Despite these discrepancies, we are determined to enforce data protection rules consistently, in line with the rules contained in Regulation (EU) 2018/1725, in particular Chapter IX.

Supervision of this area builds on the need to actively promote justice and the rule of law as a way to promote a vision of digitalisation that enables us to value and respect all individuals. Indeed we believe, as highlighted in our EDPS Strategy 2020-2024, the full potential of data should be dedicated to the good of society and with respect to human rights, dignity and the rule of law.

We therefore approach our supervision of the AFSJ as a whole, taking a holistic view, in order to exercise our supervisory powers. Yet, we also take into account the specificities of each of these Agencies and Bodies, in terms of the nature and scope of their personal data processing operations, whenever needed and relevant.

Additionally, to enhance our supervision work in the AFSJ field, we collaborate closely with the Coordinated Supervision Committees within the European Data Protection Board (EDPB). The EDPB, of which we are a member, provides us with a platform to strengthen our collaboration with the data protection authorities of the EU in charge of the supervision of Europol, Eurojust and EPPO.
This therefore allows us to ensure a consistent application of data protection rules across the EU, especially in relation to transfers of personal data outside the EU/EEA in the field of law enforcement.

In 2022, our supervisory activities in the AFSJ focused on the following issues:

• Monitoring the application of the principle of data protection by design in new IT systems and processes, where we identified a lack of systematic approach in this area. We also identified some deficiencies in the data protection risk assessment process at Europol which, in turn, also affected Europol’s ability to plan effective mitigation measures.
• Paying specific attention to the efficient application of individuals’ data protection rights, in particular in the context of our investigations of complaints against Europol.

• Developing and strengthening cooperation with EU/EEA’s data protection authorities in order to develop joint supervision, both through our participation to the Coordinated Supervision Committee and specific joint supervisory activities together with these authorities. This resulted in particular in the signing of a Working Arrangement with the Portuguese DPA in the context of EPPO. We also actively participated in the drafting of Article 37 Law Enforcement Directive Guidelines in the context of the EDPB.
• Supervising Frontex, which has revealed that the vague or excessively complex wording of the Agency’s Regulation is creating uncertainties regarding the exact scope of their tasks, opening the door to different interpretations, in particular in the context of personal data collection for purposes of identifying suspects of cross-border crime, of risk analysis, or EUROSUR - the European Border Surveillance System.
• Following-up closely the correct application of data protection safeguards by Eurojust in the context of the development of the war crime module; an activity which will continue in 2023.

4.7.1.
Accountability and data protection by design

In 2022, we focused on the methodology and processes put in place by AFSJ Agencies and Bodies to uphold the principle of data protection by design.

Data protection by design aims to build data protection and privacy into the design of processing operations, information systems, and the development of technologies, for example, in order to comply with data protection obligations and laws. Organisations are required to take into account the protection of the rights of individuals, both before and during their processing activities, by putting in place the appropriate technical and organisational measures to ensure that they fulfil their data protection obligations. This requires to have appropriate methodologies and processes in place.

To achieve data protection by design practically, AFSJ Agencies’ and Bodies’ data controllers are obliged to draft Data Protection Impact Assessments (DPIAs) and submit them for prior consultation to us when the processing involves high risks for individuals. This also contributes to fostering accountability.
It remains crucial that, through DPIAs and prior consultation tools, the most risky processing operations are properly assessed, given the already sensitive nature of the police and judicial cooperation and border management fields.

Methods and processes applied to design new systems

This year, we advised several AFSJ Agencies and Bodies on how to achieve data protection compliance during the development of their software for new IT systems. We were able to provide advice by assessing their compliance with envisaged data processing operations, analysing in particular the risks that these may pose to individuals and the mitigating safeguards planned. We explored how AFSJ Agencies and Bodies can integrate the principles of transparency, lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability to each step of each software development and testing process.

For example, in March 2022, we opened an enquiry into Europol’s New Environment for Operations (NEO), because of our concerns regarding Europol’s fragmented approach, impacting its compliance with data protection by design, and its keeping of records of processing activities. To carry out our enquiry, we collected information on the IT processes used in the context of NEO, to develop and test new NEO components. This allows us to look into the application of data protection by design in more detail to check if this is done effectively.

We also provided our support to Eurojust in its move to a more effective and efficient Case Management System (CMS). For the development of the CMS, Eurojust chose to use a contractor for a study and market research to see if there are any existing solutions that would meet the Agency’s needs.
We therefore looked at the data protection by design aspects of the development of this new CMS. Given that a contractor is being used, applying measures upholding these data protection principles is different and required us to examine the data protection elements defined by the contractor, to ensure compliance.

Similarly, we carried out an audit at Frontex. We inspected two aspects in particular. We first examined the IT security surrounding the activities and production of reports for the screenings, debriefings and intelligence reports, including data flows, data repositories, external data exchanges, state-of-the-art technical infrastructure.
We then looked at Frontex’s new IT systems, which were being developed by both external contractors, as well as internally. This required us to both look into the contractors’ obligation regarding data protection by design and Frontex’s way of including data protection by design into their internal development processes.

Verifying whether data protection by design is being applied in Europol’s, Eurojust’s and Frontex’s activities will continue throughout 2023.

4.7.2.
Advising on data protection obligations

In 2022, we issued 9 Supervisory Opinions. That’s 7 concerning Europol, 1 concerning EPPO and 1 concerning Eurojust. All of these Supervisory Opinions were issued on measures and operations envisaged by AFSJ Agencies and Bodies that may affect individuals’ personal data.

Europol

Some of the Supervisory Opinions we issued concerning Europol related to its New Environment for Operations. For example, we issued a Supervisory Opinion on SIREN, a read-only analytical and visualisation tool under the umbrella of the Visualisation and Analysis Toolbox (VAT). To ensure full compliance with data protection law, we recommended that Europol ensures that the processing of personal data is limited to what is necessary, otherwise known as purpose limitation. We also advised that mechanisms and measures are put in place to mitigate the risks of errors linked to the use of SIREN’s analytical capabilities, by conducting regular checks and updating IT log-ins and accesses.

We also looked at Europol’s data refinery area, including tools for data transformation, triaging, and visualisation. We considered that Europol had insufficiently described the processing operations and the specific risks stemming from the data refinery area. Consequently, we were unable to make concrete proposals on Europol’s compliance in this area. Nevertheless, we identified some of the high risks that may affect individuals and their personal data, which we recommended Europol to address promptly.

We issued other Supervisory Opinions on a variety of topics.

For example, we commented on a number of Europol’s IT systems. Specifically concerning:

• Europol’s use of the Schengen Information System (SIS II) to process individuals’ fingerprints;
• the participation of Europol in the pilot project for a European Police Record System (EPRIS) aiming to automate the searching of police records indexes of its participating EU Member States;
• QUEST+ - an interface used to exchange personal data between EU Member States’ systems and the Europol Information System;
• the development of PERCI, the European platform for taking down illegal content online.

For most of these IT systems, we found that Europol had not identified all of the specific risks that these systems posed to individuals’ privacy and data protection rights. In our view, this issue resulted from an incorrect, or incomplete, data protection impact assessment, which, in turn, also affected Europol’s ability to plan effective mitigation measures, especially in light of the sensitive data processed, such as data related to health, religious belief, sexual orientation, in the event of a data breach for example.
To this end, we issued 8 recommendations tending to improve the internal data protection risk assessment process. Our recommendations were issued in a report following our Annual Inspection conducted in 2021.

Aside from addressing these recurrent issues, we also provided more specific recommendations on these IT Systems.

Regarding Europol’s use of SIS II, we provided further recommendations on purpose limitation - to limit the collection of data for a specific purpose - on processes relating to access to information, and on data accuracy and data security.

Concerning QUEST+, we urged Europol to ensure that this system does not allow searches of individuals’ personal data that have not been through the full extraction process, to uphold the principles of data minimisation and data accuracy. The data extraction process involves checking for personal data related to crime within a large volume of data that has been collected and to discard personal data that is not relevant.

Addressing the use of PERCI, we provided more tailored recommendations relating to transfers of personal data from outside the EU/EEA, on cloud-computing security, for example.

EPPO

In July 2022, we were consulted by EPPO concerning its newly planned IT environment for operational analysis. This new environment was deemed necessary because EPPO’s case management system (CMS) is not equipped with tools to analyse large files, such as voluminous financial documentation.

As such, EPPO sought our advice to be able to use the Case Analysis Tool Environment (CATE), as a separate and secured environment that allows them to import data from the CMS, conduct the analysis and export the results back to the case file. We therefore made recommendations on this tool, addressing issues related to the categorisation of individuals’ personal data, how long this data is to be retained, and the development of a policy when using these tools to ensure that individuals’ personal data is protected.

Eurojust

Eurojust consulted us on two occasions for the setup of their new automated data management and storage facility, CICED - Core International Crimes Evidence Database. This new project is essential to Eurojust in its role as a European hub for storing, preserving and analysing evidence of genocide, crimes against humanity and war crimes.

As a supervisory authority, our contribution here was particularly important to ensure that Eurojust can fulfil its role of protecting individuals from crime by seeking justice, whilst ensuring that individuals’ personal data is protected, particularly when dealing with sensitive evidence. We therefore touched base with Eurojust at every stage of CICED’s development, from transmitting big files from national authorities to Eurojust. The development of CICED is ongoing, and will continue to be a focus of our work throughout 2023.

4.7.3.
Police cooperation

Europol’s processing of large datasets

In 2022, we finalised our investigation on “Europol’s big data challenge”, initially launched in 2019.
This resulted in the EDPS ordering Europol to erase data concerning individuals with no established link to criminal activity - known as Data Subject Categorisation, on 10 January 2022.

Our EDPS Order followed an EDPS Admonishment that we issued in September 2020 because Europol continued to store large volumes of data with no Data Subject Categorisation, which poses a risk to individuals’ fundamental rights. While some measures have been put in place by Europol since then, Europol has not complied with our requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation. This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation.  

In light of the above, we decided to use our corrective powers, imposing a 6-month retention period to Europol to filter and to extract individuals’ personal data. Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. We have granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.

As such, throughout 2022, our efforts focused on making sure that Europol complied with the EDPS Order. One of the ways we checked this compliance is by reviewing Europol’s quarterly reports evidencing the progress achieved regarding the erasure of datasets that were not compliant with the Europol Regulation. This continues to be a challenge, especially since Europol’s Regulation was amended and entered into force in June 2022, legalising retroactively the possibility for Europol to process large data sets which may include individuals’ personal data that has no link with criminal activity. In this context, we have asked Europol to provide updates on the application of the EDPS Order.

The impact of Europol’s amended Regulation

The amendments to the Europol Regulation, Regulation (EU) 2022/991, that entered into force in June 2022, have shifted the balance between data protection and Europol’s operational needs, as it expands considerably the Agency’s mandate regarding exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets. We believe that these changes heighten the risks to individuals’ personal data.

In particular, the amended Europol Regulation provides for a new legal basis for Europol to process large datasets which haven’t undergone the categorisation process; these datasets were the subject of the EDPS Order.

One of these provisions, article 18a, allows Europol to retain personal data, including and excluding information linked to crime, for up to three years. Whilst the other provision, article 18 (6a), allows Europol to retain personal data, including and excluding information linked to crime, for the entire duration of an investigation, however long it may be. These rules would apply according to specific circumstances. The amended Europol Regulation mandates the Management Board to further specify the conditions of application of these articles, subject to prior formal consultation of the EDPS.

In this context, prior to the amended Regulation coming into force, we were informally consulted by Europol on draft texts. However, Europol’s Management Board opted to adopt the Decision without prior formal consultation of the EDPS. Considering the aggravating risks these new processing activities pose to individuals, we decided to use, for the first time, our corrective power to refer a matter to the Commission, the Council and the European Parliament. There are a few reasons that brought us to making this decision. Aside from the substance of the problematic provisions, Europol infringed the EDPS powers and our decision-making agency by not consulting us formally on such significant matters, which is a legal requirement stemming from the Europol Regulation.

As a follow-up, Europol did consult us formally. In turn, we were able to issue a Supervisory Opinion, clarifying our interpretation of the scope of application of Article 18a of the amended Europol Regulation, which allows Europol to process datasets without an attributed data subject category for the purpose of supporting a specific ongoing criminal investigation upon request of a Member State, EPPO, Eurojust or a non-EU/EEA country for the whole duration of the investigation, and beyond, under specific circumstances.

We consider that Article 18a is a stand-alone provision which is meant to apply to specific cases, such as ongoing specific criminal investigations, that require the processing of large and complex datasets, for which Europol is better placed to detect cross-border links, such as the ones that prompted the creation of operational taskforces Fraternité, EMMA, LIMIT or Greenlight. These operational task forces are temporary, specialised teams of Europol experts and law enforcement officials from EU Member States that are brought together to work on specific operational tasks. The scope of Article 18a is thus not defined by the nature of the datasets received (with or without a Data Subject Classification) but rather by the need to support a specific ongoing criminal investigation at the request of the contributor.

Handling complaints to protect individuals’ rights

In addition to providing advice to AFSJ Agencies and Bodies on how to comply with EU data protection law, we also addressed complaints made by individuals if they believe that their data protection rights have been infringed.

We also reviewed our procedures in this area in an effort to streamline our work, to improve our efficiency by increasing on-the-spot checks, scrutinising AFSJ Agencies’ and Bodies’ internal handling of individuals’ data requests, and collaborating closely with EU Member States’ data protection authorities when investigating complaints.

In 2022, we received 6 new complaints against Europol. Out of these 6 complaints, we issued 3 decisions, 2 of which resulted in using EDPS corrective powers, the remaining complaint is part of our ongoing work.

Concerning the first complaint for which we used our EDPS corrective powers, we found that Europol had breached its legal obligation to provide access to a complainant’s personal data, without sufficient justification. In addition, Europol did not properly document the legal and factual reasons for this decision, thereby breaching its obligations under the Europol Regulation and the EU Charter of Fundamental Rights. Further, it transpired that Europol had not consulted the competent EU Member States’ national authorities before issuing this decision.

Concerning the second complaint for which we also used our corrective powers, we found that Europol had violated the legal deadline laid down in the Europol Regulation which obliges the Agency to reply to individuals’ access requests within three months.

For both of these complaints, we decided to admonish Europol for breaching several legal obligations. In one of them, we also ordered the Agency to provide access to the complainants with their data.

4.7.4.
Supervising data protection in EU border management

Increasing our scrutiny of Frontex

Over the last few years, Frontex - the EU Agency responsible for coordinating and developing European border management in line with the EU Charter of Fundamental Rights - has grown substantially, becoming one of the largest EU Agencies.

To match this evolution, we have doubled down on our support in supervising Frontex’s activities that have an impact on data protection.

Processing of personal data in joint operations

One of Frontex’s main tasks is to help EU Member States when they require technical and operational assistance at external borders, by coordinating and organising joint operations, which involve the collection of individuals’ personal data.

We first conducted an operational visit at Frontex’s headquarters, on 29 and 30 March 2022. The aim of the visit was to gain a better understanding of Frontex’s activities and role in the context of joint operations.

Information gathered during our visit also contributed to the preparation of our audit, held in October 2022, in which we focused on whether the collection and further use of personal data for risks analysis and for purposes of identifying suspects of cross-border crime was compliant with data protection law, in particular in the context of Frontex’s interviews with irregular migrants.

Frontex’s rules on processing of personal data

In June 2022, we issued two Supervisory Opinions on two decisions adopted by the Management Board of Frontex on their rules for processing personal data.

The first Supervisory Opinion concerned Frontex’s internal rules applicable to all of its personal data processing activities. The second Supervisory Opinion concerned Frontex’s personal data processing activities related to the identification of suspects involved in cross-border crimes.

In these Opinions, we expressed two main concerns.

Firstly, the lack of a clear definition of key data protection elements in the Agency’s internal rules, for example a lack of explanation on the specific purposes for which personal data about migrants and asylum seekers is collected, and on the categories of data collected for these purposes. We expressly highlighted that these elements are necessary to ensure that the data processing is foreseeable to individuals’ concerned, according to the requirements of the EU Charter of Fundament Rights.

Secondly, we noted that several internal rules seemed to expand Frontex’s role and tasks as a law enforcement authority which, under the Treaty on the Functioning of the EU, is the responsibility of another EU Agency. As such, we highlighted that Frontex’s role in this area should be strictly limited to supporting the EU Agency and the EU Member States’ authorities in charge of law enforcement tasks.

Transfers of personal data across external borders

We also provided advice in the context of transfers of personal data across external borders.

EUROSUR is a framework for information exchange and cooperation between EU Member States and Frontex to improve situational awareness and increase reaction capability at external borders. It is a multi-purpose system that aims to prevent, detect and combat illegal immigration and cross-border crime, and contributes to protecting migrants’ lives.

Frontex submitted a request for authorisation of transfers to the Republic of Niger, in the context of a Working Arrangement establishing operational cooperation between Frontex and the Republic of Niger, as they plan to exchange personal data to counter irregular migration and cross-border organised crime. The Working Arrangement involved the transfer and exchange of personal data such as the exchange of identification numbers of aircraft which could in turn identify individuals, including migrants and asylum seekers. We assessed whether this data would be afforded an equivalent level of protection outside the EU/EEA. We found that the working arrangement did not meet the strict conditions imposed by the Frontex Regulation on transfers of personal data to non-EU/EEA countries.

The transfer impact assessment conducted by Frontex revealed that while the Niger data protection law appears to offer a similar level of protection as in the EU, there is a risk that such law is not applied or complied with in practice. It also revealed that the identification numbers of aircraft, which could be used to identify passengers, potentially including migrants and asylum seekers, travelling on that aircraft may fall under the scope of repressive migration legislation. The transfer impact assessment referred in this context to a series of security-oriented legislative and policy measures undertaken by the Republic of Niger, resulting in reforms which have undermined the human rights of migrants. Therefore, we requested Frontex either to remove provisions for the exchange of data within EUROSUR; propose supplementary measures for this transfer; or demonstrate that problematic legislation will not be applied in practice to the transferred data.

Against this background, we visited the Agency’s headquarters to understand better the personal data processing activities involved in EUROSUR. Following this visit, we are particularly concerned about the lack of clarity in the EBCG Regulation about the categories of personal data that can be processed and the scope of application of the data protection provisions to EUROSUR.

Digital borders: protecting the rights of people on the move

We continued to take on an active role within the Supervision Coordination Groups, which were established to coordinate the supervision of the EU’s large-scale IT Systems, for example the Schengen Information System II (SIS II), or the Visa Information System (VIS).

In addition to reporting on audits carried out in SIS, VIS, we worked on a common audit reporting framework in the Supervision Coordination Group of Eurodac, the EU large-scale IT system contributing to the management of asylum applications by storing and processing migrants’ and asylum seekers’ fingerprints. Our work aims to streamline data protection inspections in this field.

More information regarding the SCGs and their activities are published on the respective webpages of the VIS, SIS, Eurodac and CIS SCGs on the EDPS website.

Preparing for a new EU large-scale IT system

2022 saw ongoing preparations for the entry into force of a new EU large-scale IT system: the European Travel Information Authorisation System (ETIAS), created to identify security, irregular migration or high epidemic risks posed by visa-exempt visitors travelling to the Schengen Member States.

It is in this context that we contributed to the setting up of the ETIAS Fundamental Rights Guidance Board (EFRGB), which was formally established and held its first meeting in November 2022.

The EFRGB, of which the EDPS is a member, will assess, and issue recommendations, on the impact and risks that the processing of ETIAS applications has on individuals’ fundamental rights, especially concerning the system of algorithmic profiling. Based on different factors, including our assessments, the EFRGB examines, in particular, the impact of ETIAS’ operation on individuals’ rights to privacy, personal data protection and risks to discriminatory practices.

We also advised that the EFRGB sets up a Working Group for ETIAS’ Screening Board of applications of visa-exempt visitors travelling to Schengen Member States, and to set up a Working Group on ETIAS Risk Screening Operations, composed of Frontex, Europol and ETIAS National Units who are in charge of related processing of data.

Biometric data

The EU Agency for Operational Management of Large-scale IT systems in the Area of Freedom, Security and Justice, eu-LISA, sought our guidance regarding the significant risks associated with biometric matching technologies used in the Entry Exit System (EES) and the Shared Biometric Matching Service (sBMS), and on the measures to mitigate these risks.

We evaluated eu-LISA’s need to adhere to legally required high accuracy standards, the potential risks to data subjects, and the inappropriateness of synthetic data for ensuring the matching engine’s precision. Consequently, we allowed the extraordinary use of sampled VIS production data to guarantee the biometric matching engine’s legal compliance concerning EES accuracy specifications.

In this context, before commencing operations, we mandated eu-LISA to enhance the DPIAs for both the sBMS and EES, as well as implement supplementary measures for the accuracy measurement process. These measures encompassed addressing risks arising from bias (e.g. age, gender, and ethnic origin), performance deterioration, and lack of synchronicity between various systems, in addition to establishing the minimal required amount of genuine biometric data for accuracy evaluations.

4.7.5.
Supervising data protection in criminal justice

We have worked closely with EPPO and Eurojust to ensure their compliance with data protection law, in particular in the application of data protection safeguards to protect individuals.

Supervision of EPPO

In 2022, the EDPS and EPPO continued to develop their relationship with an operational visit that took place in April. Presentations and on-the-spot demonstrations of how personal data is processed by EPPO were carried out, helping us gather knowledge about the agency’s systems, practices and procedures. Meetings with European Prosecutors, European Delegated Prosecutors, EPPO staff and their DPO also provided us with additional material for further analysis and preparation of EPPO audits.

Throughout the year, 19 bilateral meetings were organised between EPPO’s DPO office and the EDPS, during which we provided advice on the set up of new systems, changes to EPPO’s internal rules governing procedures with an impact on data protection, as well as their cooperation with external partners which may involve transfers of personal data.

Eurojust

With 24 meetings held with the DPO of Eurojust, our working relations with Eurojust were particularly intense, following the Agency’s new role as European hub for preservation, storage and analysis of evidence in cases concerning core international crimes, such as genocide, crimes against humanity and war crimes. During these meetings, we discussed a variety of data protection issues - from
prior-consultations to the development of a new case management system for the Agency to cooperate with external partners and ongoing complaints.

4.7.6.
EDPS takes legal action as new Europol Regulation puts rule of law and EDPS independence under threat

On 16 September 2022, we requested that the Court of Justice of the European Union (CJEU) annuls two provisions of the newly amended Europol Regulation (registered as Case T-578/22, EDPS v Parliament and Council). The two provisions, which came into force on 28 June 2022, have an impact on personal data operations carried out in the past by Europol. In doing so, the provisions seriously undermine legal certainty for individuals’ personal data and threaten our independence.

These new provisions, Articles 74a and 74b, have the effect of legalising retroactively Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity. This type of personal data processing is something that we had found to be in breach of the Europol Regulation, which we made clear in its Order issued on 3 January 2022 requesting Europol to delete concerned datasets within a predefined and clear time limit.

We noted that the co-legislators have decided to retroactively make this type of data processing legal, therefore overriding the EDPS Order. When data was collected under the previous Europol Regulation, individuals could expect that if their personal data was transmitted to Europol, Europol would be obliged to check within six months whether there was a link to criminal activity. Otherwise, as instructed by us, this data was supposed to be erased at the very latest by 4 January 2023. The new provisions of the Europol Regulation allow Europol to continue processing the data that has not yet been erased, despite our Order.

The co-legislators’ choice to introduce such amendments undermines the independent exercise of powers by supervisory authorities. The contested provisions establish a worrying precedent with the risk of authorities anticipating possible counter-reactions of the legislator aimed at overriding their supervision activities, depending on political will. Data protection supervisory authorities, in this case the EDPS, could be compelled to consider political preferences or may be subject to undue political pressure in a manner that undermines their independence as enshrined in the EU Charter of Fundamental Rights.