EDPS looks back on a pivotal five years for data protection


EDPS looks back on a pivotal five years for data protection

The past five years have witnessed significant changes in European and international approaches to data protection. However, while considerable progress has been made towards ensuring that individuals are able to exercise and maintain control over their digital lives, many significant challenges still remain and must be overcome, the Assistant EDPS said today, as he presented a report on EDPS actions and achievements over the course of the current EDPS mandate, which comes to an end this week. His presentation was followed by remarks from EU Commissioner Vera Jourovà.

Wojciech Wiewiórowski, Assistant EDPS, said: “The late EDPS Giovanni Buttarelli and I issued an ambitious Strategy for our mandate within 100 days of taking up our posts, reflecting our vision for privacy in the digital age. Five years on, people and policymakers are now increasingly aware of the reality and potential of digital technology and many regions in the world, not only the EU, are now examining how they can give people more control over their data and digital lives. Leading by Example: EDPS 2015-2019 reflects on how far we have come in implementing this vision, while also recognising that this is only the beginning of a much longer process, aimed at ensuring that personal data works for society in general, and not only for a handful of powerful private interests.”

On 2 March 2015, Giovanni Buttarelli presented the EDPS Strategy for the 2015-2019 mandate. It set out three main objectives and ten action points, aimed at facilitating the EU’s transition to a new era in data protection practice. These objectives focused on digitisation, global partnerships and modernising data protection and were based on a vision of the EU leading by example in the global dialogue on data protection in the digital age. Today’s publication sets out the actions taken by the EDPS to turn this vision into reality.

The EDPS Strategy recognises the need for a coordinated response to the challenges posed by emerging technologies, in order to ensure the protection of individual rights. Through the establishment of collaborative groups such as the Internet Privacy Engineering Network (IPEN) and the Digital Clearinghouse, as well as through the sharing of expertise, the EDPS has endeavoured to increase cooperation between regulators and experts from a number of different fields and develop a more effective response to the digital challenge.

While new EU data protection legislation introduced in 2018 goes a long way towards helping to address the data protection and privacy concerns of the digital age, it is clear that legislation alone is no longer sufficient. Through the Ethics Initiative, launched at the beginning of the current mandate, the EDPS succeeded in bringing together representatives from a range of different backgrounds, nationalities and professions, most notably during the public session of the 2018 International Conference of Data Protection and Privacy Commissioners, to discuss the need for a Digital Ethics to support legislation, and how it might be put into practice. The 2018 International Conference was co-hosted by the EDPS in Brussels.

Efforts to engage with partners have also intensified in other areas, perhaps none more so than within the EU institutions themselves. Strong and developing relationships with the European Commission, Parliament and the Council have helped not only to ensure the adoption of a comprehensive set of data protection rules for the EU and its institutions, but also to ensure that the opinions and advice of the EDPS are taken into account in the development of regional and international EU policy. A more hands-on and collaborative approach to the supervision of data protection practice in the EU institutions has also helped to ensure that the EU institutions themselves are ready and willing to lead by example in applying EU data protection law.

With the familiar figure of Assistant EDPS Wojciech Wiewiórowski set to take over as head of the institution in the coming days, the EDPS must now look to build on the significant progress made over the past five years and consolidate its position as one of the leading global advocates for individual rights, particularly as they relate to data protection and privacy.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001.

The EDPS is an increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (Assistant EDPS), was appointed by a joint decision of the European Parliament and the Council on 4 December 2014 to serve a five-year term, which comes to an end this week.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.

Available languages: German, English, French