The European Data Protection Supervisor (EDPS) has received the Global Privacy and Data Protection Award for innovation. The award recognises EDPS efforts to develop a Website Evidence Collector and was presented at the annual International Conference of Data Protection and Privacy Commissioners (ICDPPC), taking place this year in Tirana, Albania.
Originally developed by the EDPS Information Technology (IT) Policy Unit to support EDPS inspections of EU websites, the EDPS Website Evidence Collector (WEC) consists of open source software tools that can be used to gather evidence on personal data processing operations on websites. Data protection authorities (DPAs), privacy professionals, data controllers and web developers can use the WEC to carry out their own website inspections. Among other things, it allows them to collect evidence relating to cookies, the secure transfer of data and requests to third-party components, employing a method that is reproducible, reliable and fast.
Wojciech Wiewiórowski, Assistant EDPS, said: "The Global Privacy and Data Protection Award for innovation emphasises that data protection authorities can approach their enforcement tasks in a modern and technically sophisticated way to address new and evolving challenges to data protection and privacy. We are also proud to share the software with other DPAs, civil society and individual privacy experts, making it freely accessible open source software."
Thomas Zerdick, Head of the EDPS IT Policy Unit, and Robert Riemann, EDPS Technology and Security Officer and author of the WEC, added: “Through the publication of the EDPS Website Evidence Collector, we hope to inspire increased cooperation between technology experts in our fellow data protection authorities, in academia and in the private sector. We strongly encourage other supervisory authorities to develop and exchange their own tools.”
The WEC is published as open source software under the European Union Public Licence and is available for download on the EDPS website and also on GitHub. The open software licence allows users to adapt the tools to their own needs.
Many websites have updated their consent management mechanisms and re-assessed their personal data processing operations in recent months, in order to ensure compliance with the EU’s new data protection legislation. With the General Data Protection Regulation (GDPR) and Regulation 2018/1725 in place since 2018, public awareness about the privacy issues associated with websites has significantly increased, with DPAs receiving an increasing number of complaints from individuals concerned about how their personal data is used online.
The Website Evidence Collector takes inspiration from some earlier tools for website evidence collection, developed by data protection authorities and private companies. It makes use of modern open source libraries to ease installation and includes many new features. The EDPS welcomes all contributions to the Website Evidence Collector in the form of ideas, bug reports or code.
Further details about the International Conference of Data Protection and Privacy Commissioners (ICDPPC) can be found at: https://privacyconference2019.info/ and https://icdppc.org/. The ICDPPC seeks to provide leadership at international level in data protection and privacy and counts among its members about 120 privacy and data protection authorities from across the globe.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001. The EDPS is an increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (Assistant EDPS) was appointed by a joint decision of the European Parliament and the Council on 4 December 2014 to serve a five-year term.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” See the glossary on the EDPS website.