Data protection for the digital generation: the countdown to the GDPR begins
With new data protection rules now recognised as law, the EU must turn its attention to ensuring that they are successfully implemented, the European Data Protection Supervisor said to the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE), as he presented his 2015 Annual Report.
Giovanni Buttarelli, EDPS, said: "The GDPR is one of the EU's greatest achievements in recent years and a document of which it should be proud. However, our job is not yet complete. We must ensure that the GDPR is fully and effectively implemented and that we close the package with equally effective agreements on Regulation 45/2001 and the ePrivacy Directive. Only then will we be able to ensure that the EU upholds its promise of effective data protection for the digital age."
The EDPS focused considerable efforts in 2015 on ensuring the successful adoption of new and effective data protection rules, providing legislators with detailed recommendations in the form of an app. He now turns his attention to the successful implementation of these rules and the reform of the current Regulation, which will apply to the work of the EDPS and the other EU institutions and bodies.
Wojciech Wiewiórowski, Assistant EDPS, said: "The EU institutions must lead by example. Over the next two years, the EDPS will continue to cooperate closely with data protection officers from all EU institutions and bodies and to provide them with support and advice, as they prepare for the changes that will come into force in May 2018."
Our work on this has already started. For example, the EDPS plans to produce a toolkit on necessity, which is a key concept in the new reform. The toolkit aims to better equip EU legislators responsible for preparing and scrutinising measures which involve the processing of personal data and which might interfere with the rights to privacy, data protection and other rights and freedoms laid down in the Charter of Fundamental Rights of the EU.
The EDPS will also continue his work with fellow EU data protection authorities in the Article 29 Working Party (WP29) to prepare for the European Data Protection Board (EDPB). The Board, which will replace the WP29, is a vital element of the reform and must be fully functional from day one.
The EDPS launched several new initiatives in 2015, such as those on data ethics and big data. He also worked closely with the WP29 to analyse the consequences of the Court of Justice of the European Union's ruling on Safe Harbour and advise the Commission on alternative solutions. These and other initiatives will continue into 2016 and beyond to ensure that the EU remains at the forefront of data protection and privacy policy in the years to come.
Background information
Privacy and data protection are fundamental rights in the EU. Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.
More specifically, the rules for data protection in the EU institutions - as well as the duties of the European Data Protection Supervisor (EDPS) - are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
EDPS Strategy 2015-2019: Unveiled on 2 March 2015, the 2015-2019 plan summarises the major data protection and privacy challenges over the coming years; three strategic objectives and 10 accompanying actions for meeting those challenges; how to deliver the strategy through effective resource management, clear communication and evaluation of our performance.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.
Big data: Gigantic digital datasets held by corporations, governments and other large organisations, which are then extensively analysed using computer algorithms. See also Article 29 Working Party Opinion 03/2013 on purpose limitation p.35.
EU Data Protection Reform package:
On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
- a general Regulation on data protection which was adopted on 24 May 2016, applicable as of 25 May 2018; and
- a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.
The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU). Member States have two years to ensure that they are fully implementable in their countries by May 2018.