2018 was a busy year for the EDPS and a pivotal year for data protection in general. Under new data protection rules, the rights of every individual living in the EU are now better protected than ever, the European Data Protection Supervisor (EDPS) said today, as he presented his 2018 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).
Giovanni Buttarelli, EDPS, said: “Data protection hit the headlines in 2018. Public awareness about the value of online privacy is at an all time high, while concern about the abuse of personal data by online service providers remains a topic of enquiry for governments around the world. In the EU, new rules on data protection go a long way towards addressing concerns, but more is required. Agreement on a new ePrivacy Regulation is urgent, but in the digital world we also need to look beyond rules and regulations. Through initiatives focused on digital ethics and greater regulatory cooperation the EDPS is determined to play a decisive part in shaping the digital future in the EU and further afield.”
The 2018 Annual Report provides an insight into all EDPS activities in 2018. Chief among these were our efforts to prepare for the new legislation. The General Data Protection Regulation (GDPR) became fully applicable across the EU on 25 May 2018 and new data protection rules for the EU institutions are also now in place. Working with the new European Data Protection Board (EDPB), the EDPS aims to ensure consistent protection of individuals’ rights, wherever they live in the EU.
Wojciech Wiewiórowski, Assistant Supervisor, said: “As the supervisory authority for the EU institutions, we have dedicated much time and effort to ensuring that they are prepared to deal with the challenges of the new Regulation. In addition to updating our guidance documents, we provided training sessions and carried out visits and meetings across the EU institutions and bodies. We believe that the EU institutions must lead by example in applying the new rules and will continue to work with them throughout 2019 to ensure that they do so.”
In parallel to these activities, the EDPS has worked hard to instigate a debate on digital ethics. These efforts reached a diverse and global audience during the 2018 International Conference of Data Protection and Privacy Commissioners, co-hosted by the EDPS. Meanwhile, through his Digital Clearinghouse initiative, the EDPS has succeeded in bringing together regulators from competition, data protection and consumer protection in an attempt to develop more coherent and consistent responses to the challenges posed by the digital economy. The EDPS remains committed to developing these initiatives in 2019, as part of his efforts to ensure effective protection of fundamental rights in the digital world.
As we move into 2019, and the last year of the current EDPS mandate, the EDPS will continue to work with the EDPB, international organisations and others to promote a global alliance, dedicated to tackling the technological challenges of the future. In June, he will publish his reflections on the future of data protection in the EU and globally, as part of his continued efforts to inspire those working within and outside the field to unite in defence of human dignity and fundamental rights in the digital world.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
Key figures for 2018:
- 30 training sessions provided for EU institutions and bodies
- 90 prior check Opinions issued (80% relating to administrative procedures proposed by EU institutions)
- 5 inspections
- 3 visits to EU institutions
- 11 Opinions issued on legislative proposals
- 13 Formal Comments issued on legislative proposals
EDPS Strategy 2015-2019: Unveiled on 2 March 2015, the EDPS Strategy 2015-2019 summarises the major data protection and privacy challenges over the coming years; three strategic objectives and ten accompanying actions for meeting those challenges; and how to deliver the strategy through effective resource management, clear communication and evaluation of our performance.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.
EU Data Protection Reform package: On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
- a general Regulation on data protection, which was adopted on 24 May 2016, applicable as of 25 May 2018; and
- a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.
The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU) and are fully applicable across the EU.
Regulation 45/2001, which addresses data protection in the EU institutions and bodies, was replaced by Regulation (EU) 2018/1725 on 11 December 2018, while new rules on ePrivacy are also planned.