European Data Protection Supervisor
European Data Protection Supervisor

Data Protection for Digital Communication

Data Protection for Digital Communication

Monday, 7 November, 2016

In October, the European Court of Justice ruled that, in many cases, the data collected by web servers, such as the IP addresses of users, is personal data. The decision underlined the need to put in place adequate safeguards to protect personal data when operating websites and other online services.

The EU institutions, and many other organisations, rely increasingly on online tools to communicate and interact with citizens. At the same time, the online transactions involved are becoming more complex. The implementation of effective data protection policies for the processing of all personal data used by web-based services is essential if we are to protect the rights of users. In particular, we need to address the use of cookies, online tracking, security and personal data transfers.

One of the roles of the EDPS is to act as an advisor to the other EU institutions and bodies. We provide guidance on how to ensure compliance with Regulation 45/2001, the data protection legislation applicable to their activities. Our Guidelines are one way in which we do this. They build on years of practical experience, which we have gained through our supervision work, on previous EDPS decisions and opinions (on administrative consultations, prior checks and complaints), and on the work done by the Article 29 Working Party.

Our most recent EDPS Guidelines, published today, provide practical advice on how to integrate data protection principles into the development and management of web-based services and mobile applications. Though they are targeted at the EU institutions, any organisation or individual interested in the subject might find them useful.

Guidelines can be particularly valuable when dealing with new technologies. Mobile applications, for example, present a particular challenge for the protection of personal data. Many apps take advantage of the portability of smart mobile devices and make use of tools associated with them, such as cameras, microphones and location detectors. However, though these tools increase the value of an app for users, their use also enables the collection of great quantities of personal data.

In addition to the expertise of the staff at the EDPS, particularly our IT Policy team, we also recognise the importance of consulting experts in the field. Our Guidelines on web-based services and mobile applications include input from IT managers and IT security specialists from the EU institutions and agencies. They also incorporate feedback from the data protection officers (DPOs) of the EU institutions, who are responsible for ensuring that their respective organisations comply with data protection rules. As well as providing guidance, our Guidelines serve as a reference document, against which the institutions can measure their activities. It is essential that they are legally robust, but also practical to implement.

Our interaction with the other EU institutions and bodies does not stop here, however. Twice every year, we meet with the DPO network, made up of around 60 DPOs from the EU institutions and bodies. These meetings are an opportunity to share experiences and gain feedback on the implementation of data protection policies.

At the most recent meeting, which took place at the end of October, we presented and discussed our Guidelines on web services and mobile applications. The meeting was also a chance for us to update DPOs on our activities regarding IT policy, including our work on Data Protection Impact Assessments (DPIAs), and to answer their questions. Our interactive approach to these meetings ensures that DPOs are able to engage fully with the topics discussed. In turn, we can learn from them, through better understanding how our advice works in practice. 

Our Guidelines on web services and mobile applications follow the publication, in late 2015, of Guidelines on mobile devices in the workplace and on eCommunications, as well as our guidance on Information Security Risk Management, published in March of this year. While they are based on the current legal framework for data protection, they will remain relevant when the new framework comes into force, particularly because of their emphasis on accountability, the ability of organisations to demonstrate compliance with their data protection obligations.