European Data Protection Supervisor
European Data Protection Supervisor

Privacy-friendly policymaking made easier: EDPS issues the necessity toolkit

Privacy-friendly policymaking made easier: EDPS issues the necessity toolkit

12/04/2017
12
Apr
2017

Privacy-friendly policymaking made easier: EDPS issues the necessity toolkit

As part of our commitment to facilitating responsible and informed policymaking, the EDPS has today published a necessity toolkit. The toolkit is designed to help policymakers identify the impact of new laws on the fundamental right to data protection and determine the cases in which the limitation of this right is truly necessary, the EDPS said today.

Giovanni Buttarelli, EDPS, said: “The EU Charter of Fundamental Rights guarantees the right of every individual to data protection. Using an evidence-based approach, policymakers must be able to demonstrate that any planned limitation of this right, and any other rights that might be affected by the processing of personal data, including the right to privacy, is absolutely necessary, either to achieve an objective of general interest to all concerned or to protect the rights and freedoms of others. We believe the EDPS necessity toolkit will assist policymakers in doing this and therefore better ensure that the legislator remains accountable for its actions.

Almost all EU policy proposals now involve some form of personal data processing. With policymakers increasingly required to respond quickly to acute public security challenges and keep up with developments related to the digital economy or international trade, the need for help to ensure that new proposals respect fundamental rights is greater than ever. In his necessity toolkit, the EDPS provides policymakers with a practical step-by-step checklist, setting out the criteria to be considered by policymakers when they assess the necessity of new legislation, and providing examples to illustrate each step.

Any new EU proposal that interferes with the fundamental right to data protection must undergo a test for necessity. This involves determining, based on objective evidence, whether any proposed limitation on the right to data protection genuinely meets the legislator’s needs, is truly necessary and will have the least intrusive impact on an individual’s right to the protection of personal data.

The toolkit is based on decisions issued by the Court of Justice and the European Court of Human Rights, as well as on Opinions published by both the EDPS and the Article 29 Working Party. It also incorporates feedback gathered on an EDPS background paper on the topic, published in June 2016. This feedback was used to develop the toolkit and ensure that it meets the needs of EU policymakers in all sectors, ranging from security to the digital economy.

As part of a continued effort to ensure that data protection remains a key concern for EU policymakers, the EDPS also plans to provide guidance to policymakers on how to assess the proportionality of new policy measures. Our goal is to ensure that fundamental rights, which represent the core values of the European Union, are protected and respected in all EU policy.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8)