EDPS Annual Report 2008: first mandate concludes with substantial progress in data protection compliance
The European Data Protection Supervisor (EDPS) has issued his Annual Report which covers 2008 as the fourth full year of activity of the EDPS as a new independent supervisory authority. This Report also concludes the first EDPS mandate and provides an opportunity to take stock of developments since the start.
The report shows that significant progress was achieved both in the EDPS supervisory and advisory tasks. Most Community institutions and bodies are making good progress in ensuring compliance with data protection rules, but there are still great challenges ahead. The EDPS supervision work is therefore putting more emphasis on measuring the level of compliance in practice, in particular through more systematic verifications on the spot, and on monitoring the implementation of recommendations in prior checking (*). The EDPS also further improved his performance as an advisor to the European institutions and submitted opinions on an increasing number of legislative proposals.
Peter Hustinx, Supervisor, says: "Respect for private life and protection of personal data can only become a reality if they are delivered in practice in the EU administration, and in new legislation having an impact on data protection. I am pleased to see that great progress has been made in both areas. As a supervisor, my aim is to stimulate responsibility and accountability in the EU administration, by setting targets where needed and more systematically measuring compliance, but without being unduly prescriptive. As an advisor, I will continue to actively promote that new legislation and policies are only adopted after due consideration of data protection requirements."
As regards the EDPS activities in supervision, the report highlights the following main features:
- a record number of prior-checking opinions relating to processing operations of personal data in Community institutions and bodies, mainly covering the following issues: health data, recruitment of staff and selection of candidates, staff evaluation, identity management systems, access control and security investigations;
- the handling of critical issues being addressed for the first time, including access control with iris scanning or fingerprint authentication, monitoring of the use of the Internet by staff, and video-surveillance systems.
- the development of the EDPS inspection policy and the completion of a first series of on the spot inspections to measure compliance in practice.
In his advisory role, the EDPS put special emphasis on:
- new initiatives in the area of freedom, security and justice, in particular the adoption of the Data Protection Framework Decision in police and judicial cooperation in criminal matters. Other policy areas such as the review of the Directive on privacy and electronic communications, public access to documents and cross-border healthcare were also quite prominent;
- the issue of exchange of information, and more specifically the establishment of information systems and access to those systems, notably as regards the Commission's EU border management package, transatlantic information sharing for law enforcement purposes, the protection of children using the Internet, the European eJustice Strategy and the Internal Market Information System;
the use of new technologies and developments taking place in the Information Society, such as RFID and ambient intelligence, and possible contributions of the EDPS to the EU research and technological developments.