This evening, the new European Data Protection Supervisor (EDPS) unveiled his Strategy for 2015-2019 to senior representatives of the EU institutions. Following his appointment three months ago, Giovanni Buttarelli summarised the objectives for his five-year mandate and the actions his Office will take to turn his vision into reality. His presentation, hosted at the European Commission, was followed by remarks from Commission First Vice-President, Frans Timmermans, and Chair of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE), Claude Moraes.
Giovanni Buttarelli, EDPS, said: “This is a crucial moment for data protection, a period of unprecedented change and political importance, not only in the EU but globally. Our aims and ambitions for the next five years build on our strengths, successes and lessons learned. Together with our legal and technological expertise, we are uniquely placed to assist the EU to find effective, practical and innovative solutions that will respect our fundamental rights in the new digital world. Our goal is for the EU to speak - in full cooperation with colleagues at national level - with one voice on data protection, a voice which is credible, informed and relevant.”
The EDPS has identified three strategic objectives and a number of actions to fulfill them.
- Data protection 'goes digital'
To reap the benefits of new technologies and preserve the rights of the individual, the new EDPS aims to be an epicentre for creative ideas and innovative solutions, customising existing data protection principles to fit the global digital arena.
Accountability in handling personal information is a global challenge; the EDPS will work across policy areas to promote technologies that enhance privacy, transparency, user control and accountability in big data processing.
- Forge global partnerships
Data protection laws are national, but personal information is not. The EDPS will invest in global partnerships with privacy and data protection authorities, fellow experts, non-EU countries, and international organisations to work towards a social consensus on principles that can inform binding laws, the design of business operations and technologies and the scope for interoperability of different data protection systems.
Wojciech Wiewiórowski, Assistant EDPS, said: "Europe needs to be at the forefront in shaping a global, digital standard for privacy and data protection which centres on the rights of the individual. The way that we respond now to rapid change and challenges, including threats to security, will have consequences for us and future generations that inherit the digital world. With a uniquely EU perspective, the EDPS is the natural facilitator for European and global cooperation on such issues."
- Opening a new chapter for EU data protection
The reform of the EU data protection rules is urgent. While technological innovation races ahead, institutional reactions are slow. It is vital to adopt a new set of rules to make data protection easier, clearer and less bureaucratic in the future.
In close cooperation with our colleagues in the Article 29 Working Party, the EDPS will be a more proactive partner in the discussions between the European Commission, Parliament and Council on the reform, in particular in the final trilogue. We will look for practical and workable solutions that avoid red tape and are flexible enough to accommodate technological innovation and cross-border data flows.
Because of its novelty and global dimension, the Strategy will also be presented at a number of international events over the next two weeks.
Privacy and data protection are fundamental rights in the EU. Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.
More specifically, the rules for data protection in the EU institutions - as well as the duties of the European Data Protection Supervisor (EDPS) - are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014. Together with the basic requirement of independence, the EDPS remit (1) includes:
- developing and communicating an overall vision, thinking in global terms and proposing concrete recommendations and practical solutions;
- providing policy guidance so as to meet new and unforeseen challenges in the area of data protection;
- representing at the highest levels and developing and maintaining effective relationships with a diverse community of stakeholders in other EU institutions, Member States, non-EU countries and other national or international organisations.
The Supervisors are supported by the Office of the EDPS, a dynamic team of skilled and experienced lawyers, IT specialists and administrators which aims to serve as an impartial centre of excellence for enforcing and reinforcing EU data protection and privacy standards, both in practice and in law.
(1) Vacancy notice for the European Data Protection Supervisor COM/2014/10354 (2014/C 163 A/02), OJ C 163 A/6 28.5.2014.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.
EU Data Protection Reform package: on 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals: a general Regulation on data protection (directly applicable in all Member States) and a specific Directive (to be transposed into national laws) on data protection in the area of police and justice. In addition to his Opinion of 7 March 2012 elaborating his position on both proposals, the EDPS sent further comments on 15 March 2013. The two proposals have been discussed extensively in the European Parliament and the Council. The EDPS has continued to have regular contact with the relevant services of the three main institutions throughout this process, either following our comments or Opinions to the European Commission or in discussions and negotiations in the European Parliament and Council.
Big data: Gigantic digital datasets held by corporations, governments and other large organisations, which are then extensively analysed using computer algorithms. See also Article 29 Working Party Opinion 03/2013 on purpose limitation p.35.