European Data Protection Supervisor
Le Contrôleur Européen de la Protection des Données

Data Protection, Virtually

Friday, 8 May 2020

Since the last meeting of the network of data protection officers (DPOs) in the EU institutions and bodies (EUIs), in Florence on 7 November 2019, our lives have changed dramatically.

Our way of living and working has been disrupted as governments put in place measures to halt the spread of the Covid-19 virus.

While there are a number of challenges in adapting to this new normal, there are opportunities too. The pandemic stopped the DPO network from meeting in-person at the European Union Intellectual Property Office (EUIPO) in Alicante on 8 May 2020. Undeterred, the EDPS organised the first remote meeting with the network using videoconference facilities.

I had the honour to open this virtual meeting and highlight some of my recent interventions on Covid-19. The virus does not respect borders, so we need a pan-European approach in which data and technology may be part of the solution but are by no means a “silver bullet”. We should use data and technology as a tool to empower, rather than control, stigmatise or repress individuals. Moreover, we should ensure that measures deployed in times of crisis are temporary ones.

Tomorrow, 9 May 2020, is a special day for the EU and marks the 70th anniversary of Robert Schuman's vision for a united Europe. The EUIs will not open their doors to the public as we do every year. Nevertheless, what we owe to everyone living in the EU is to learn from our history and preserve our heritage. We have a responsibility to ensure that data is used for the good of all, especially the most vulnerable. Digital solidarity and responsible processing will allow data protection to serve humankind during this extraordinary test of our experience, knowledge, skills and values.

The prevalence of social media means that it has become an indispensable communication tool for the EUIs, as for many other organisations, particularly during this period of crisis. The morning began with an overview by my staff of the use of various social media by the EUIs. We then had a detailed exchange on the types of processing of personal data that can reasonably be expected when using social media platforms and we highlighted a number of inherent risks. Some of these risks can be mitigated by using alternative, independent social media platforms.

Social media is not only an important communication channel to engage with the public. Sometimes, social media is monitored to collect information. It is important to remember that just because data are freely available, organisations, including EUIs, cannot do whatever they want with them. Data protection law, as well as other legislation, still applies.

Most users are unaware of the extent of social media monitoring and that monitoring often exceeds what they expected. In those cases, social media monitoring qualifies as high-risk data processing and a data protection impact assessment is needed. We highlighted that there are a number of elements for the EUIs to take into consideration when assessing the level of risk, such as the amount of data searched, the source from which they are extracted, the tools used and so on.

The level of risk must also be identified (from low to high), whether the EUIs collect publicly available information in the context of an investigation, follow known “influencers”, or monitor social media for preventive purposes.

Following this very topical discussion, we kicked off the afternoon with a presentation about best practice in the publication of data protection registers by the EUIs. In February, more than one year after the entry into force of the new Regulation, the EDPS launched an audit of this obligation.

The EDPS guidance (see Accountability on the Ground) specifies that the publication of data protection registers refers to publication on the internet. The intention of this presentation was to applaud those who comply with online publication, to encourage those who are almost there (i.e. whose published registers are almost complete) and to inspire those who still have a way to go.

You may recall that in April 2019, the EDPS launched a complex and detailed investigation into the use of Microsoft products and services by EUIs. Following our cooperation with the Dutch Ministry of Justice and Security, The Hague Forum was created. It aims to find ways to take back control over the services and products offered by the big IT service providers and addresses the need to collectively create standard contracts. We took the opportunity to highlight to DPOs the key outcomes of the investigation, get the views of the network and discuss the way forward.

The final and very pertinent session of the meeting was about the public health crisis and the need to find safe ways to reclaim some sort of normalcy in our lives. Member States, supported by the European Commission in their fight against the pandemic, are developing contact-tracing apps that use location data for monitoring the spread of the disease or process personal data in scientific research related to the virus. Some have called for the suspension of data protection law or its revision to deal with the crisis. In its continued guidance to Member States since the beginning of the crisis, the EDPB has stressed that both the GDPR and e-Privacy rules allow for the processing of personal data for public health purposes, including in times of emergency, as long as adequate safeguards are put in place.

The EUIs are also considering new data processing operations in response to this crisis. To deal with the issues and to offer specific guidance to the EUIs, the EDPS created a Covid-19 Task Force.

To conclude the meeting, the Task Force gave the network an overview of their work and the advice being offered to EUIs. For example, how can EUIs ensure a safe environment for staff and visitors once offices re-open? What kinds of new IT tools are needed for staff to work remotely and efficiently? In a nutshell, the fundamental data protection principles continue to apply; EUIs must consider the legal basis, necessity and proportionality, as well as the best way(s) to keep people informed.

I salute the continued cooperation between the EDPS and the DPOs of all 67 EU institutions and bodies and I look forward to our next meeting, virus or no virus. #StrongerTogether.