European Data Protection Supervisor
European Data Protection Supervisor

EDPS Annual Report 2010: an increased effort is required to ensure effective data protection in practice

EDPS Annual Report 2010: an increased effort is required to ensure effective data protection in practice


EDPS Annual Report 2010: an increased effort is required to ensure effective data protection in practice

Today Peter Hustinx, European Data Protection Supervisor (EDPS), and Giovanni Buttarelli, Assistant Supervisor, presented their Annual Report of activities for 2010 to the press. This Report covers the sixth full year of activity of the EDPS as a new, independent supervisory body.
The year 2010 saw some major trends and policy opportunities which are driving forward a more effective protection of personal data. They include the increasingly visible impact of the Lisbon Treaty which, by providing a strong legal basis for comprehensive data protection in all areas of EU policy, has firmly placed data protection at the heart of the EU policy agenda. It also encompasses the ongoing review of the EU legal data protection framework, which is raising high expectations, particularly in view of the growing importance of data protection in the international arena. Finally, the Stockholm programme and the EU Digital Agenda are both highly significant for privacy and data protection.

Peter Hustinx, the EDPS, says: "The Annual Report clearly shows that 2010 has been a very busy, dynamic, but also very productive year for everyone at the EDPS and for data
protection in general. This is fully in line with the need to increase our efforts to ensure a more effective protection of privacy and personal data in a changing world which is
increasingly global, Internet driven and dependent on the wide spread use of ICTs in all areas of life. This trend affects every single one of us, so it is crucially important for the EU
as a whole and for the activities of the EU administration."


  • The need to increase our efforts to ensure effective data protection can be seen in EDPS activities over 2010. As regards the EDPS' supervisory role, the main highlights include:
  •  a fundamental change of gear in relation to the enforcement of the Data Protection Regulation in the EU administration in order to ensure a more robust approach to enforcement. The new policy sets forth a number of criteria designed to ensure a
  • proactive, consistent and transparent application of the EDPS' enforcement powers;
  •  an increase in the scope of EDPS supervision which, since the entry into force of the Lisbon Treaty, applies to all EU institutions and bodies, including areas outside the scope of what used to be Community law;
  •  the adoption of 55 prior-check opinions relating to processing operations of personal data in the EU administration. These include core business activities, such as the Early Warning Response System for the exchange of information on communicable diseases, and standard administrative procedures, such as staff evaluation, recruitment and
  • promotions;
  • an increase in the complexity of complaints received. In 2010, 94 complaints were received, of which around two thirds were inadmissible because they related to issues at national level. Admissible complaints mainly related to questions of access and rectification, misuse, excessive collection and deletion of data. In 11 cases, the EDPS concluded that data protection rules had been violated.

In his advisory role, the EDPS accorded special emphasis to:

  • the modernisation of the EU legal framework for data protection: the EDPS has consistently recommended an ambitious approach to developing a modern, comprehensive framework for data protection, covering all areas of EU policy and ensuring effective protection in practice;
  • the Stockholm Programme and the EU Digital Agenda: these two key policy programmes have great relevance for data protection and are therefore closely monitored
  • as part of the EDPS' advisory role. They also demonstrate that data protection is a crucial element of legitimacy and effectiveness in both these areas;
  • a record number of 19 legislative opinions: in 2010 opinions were adopted on a number of subjects including major issues concerning the EU Internal Security Agenda, the EU Counter-Terrorism Strategy, a Global Approach to transfers of PNR data to third countries, Information Management in the Area of Freedom, Security and Justice, "Privacy by Design" in the Digital Agenda, and finally the ACTA Agreement.
  • the EDPS' role in Court cases: the most significant ruling handed down by the European Court of Justice in 2010 was in Case C-518/07, Commission v. Federal Republic of Germany. In this judgment the Court insisted on the need for the "complete
  • independence" of data protection supervisory authorities, which will have an important impact on the new legal framework.

In the area of cooperation, the EDPS worked closely together with national data protection authorities in the Article 29 Data Protection Working Party to focus on the interpretation of key provisions of the Data Protection Directive and to provide a common input to the review of the EU legal framework. Important work was also done in "coordinated supervision" of the EURODAC system and the Customs Information System, where the responsibilities for supervision are shared with national colleagues.
The main priorities for the EDPS in the coming year include:

  •  the review of the Data Retention Directive: in his recent opinion on the Evaluation Report of the Directive, the EDPS concluded that the Directive does not meet the requirements imposed by the fundamental rights to privacy and data protection. In particular, further investigation of necessity and proportionality is necessary;
  • monitoring the implementation of the information technology components of Europe 2020 foreseen under the Digital Agenda, such as RFID, cloud computing, eGovernment and online enforcement of intellectual property rights;
  • other initiatives that may significantly affect data protection, such as initiatives in the area of transport (e.g. use of body scanners at airports, use of recording equipment in road
  • transport, e-Mobility package) and large-scale data exchanges that might take place in the Internal Market information System;
  •  analysing the consequences related to new processing operations and ensuring that the principles of Accountability and Privacy by Design are properly implemented by the EU administration;
  • monitoring the implementation of the data protection rules by the EU institutions and bodies, by launching both general and targeted monitoring exercises. On-the-spot inspections will be carried out in those cases where the EDPS has serious grounds to believe that the compliance mechanism is being blocked, in parallel to inspections and audits to be launched in the field of large-scale IT systems under the remit of the EDPS;
  • participating actively in the "coordinated supervision" of large-scale IT systems, such as Eurodac, the Customs Information System and – from mid 2011 – the Visa Information System, and carrying out regular security audits.