In the June 2018 edition of the EDPS Newsletter we cover the latest developments relating to the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC), the 43rd DPO-EDPS meeting and the 2018 EDPS-IPEN Workshop.
In this issue
Registration for the 2018 International Conference is now open!
The EDPS and the Bulgarian Commission for Personal Data Protection (CPDP) are pleased to announce that registration is now open for the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC).
The conference will take place in Brussels from 22-26 October 2018, with additional privacy events also planned in Sofia. Registration fees, entitlements and terms and conditions are now all available at www.privacyconference2018.org, as is the conference timetable. Sign up before 31 August 2018 to take advantage of our early bird rates!
WANTED: Your views on Digital Ethics!
It is time to go beyond simple compliance with data protection principles. The evolution of digital technologies has brought with it a paradigm shift which affects almost all aspects of our daily lives and raises ethical questions and complex dilemmas for societies to grapple with.
We want to know what you think about this. Take part in our public consultation on digital ethics.
The results of the consultation will be incorporated into a discussion paper to be published by the EDPS for the public session of the 2018 International Conference of Privacy and Data Protection Commissioners, which will focus on digital ethics.
We look forward to hearing your views! Hurry, the consultation will close on 15 July 2018.
Preparing for the International Conference of the future
At its latest annual meeting in Hong Kong in September 2017, the International Conference of Data Protection and Privacy Commissioners (ICDPPC) initiated a strategic consultation among its members to further define its objectives, identity and structure. On 11 June 2018 in Paris, a representative from the EDPS participated in a meeting of the Working Group set up to discuss the future of the ICDPPC.
The ICDPPC aims to provide leadership in data protection and privacy at the international level. The annual conference provides a forum for cooperation and collaboration between 119 privacy and data protection authorities from all over the world. The consultation on the future of the ICDPPC aims to ensure that the conference continues to provide effective international leadership.
The 2018 International Conference takes place in Brussels and Sofia in October 2018 and will be jointly hosted by the EDPS and the Commission for Personal Data Protection of the Republic of Bulgaria. The focus of the public session will be on the topic of Digital Ethics.
Embarking on a challenging journey towards the new Regulation: the 43rd DPO-EDPS meeting
On 31 May 2018, the EDPS invited all 120 Data Protection Officers (DPOs) and Assistant DPOs from the EU institutions and bodies to join us on a challenging journey towards ensuring compliance with the new Regulation 45/2001, which sets out the rules for data protection in the EU institutions.
EDPS Assistant Supervisor Wojciech Wiewiórowski welcomed the DPOs by stressing the importance of the General Data Protection Regulation (GDPR) as the beginning of a new era in EU data protection. He also highlighted the importance the new rules place on the principle of accountability. The EU institutions must make sure that they not only comply with the new rules but that they can demonstrate this compliance.
Our data protection journey included several interactive exchanges with the DPOs. These focused on specific case studies covering many topics, including social media and micro-targeting, data protection impact assessments (DPIAs) and IT governance.
The day ended with a cocktail event, to celebrate the forthcoming adoption of the new data protection rules for the EU institutions. It is likely that, by the time the next DPO-EDPS meeting takes place, these new rules will already be in force. With this in mind, we will continue to work closely with our DPO partners over the coming months in order to provide them with the guidance and support necessary to prepare for the challenges ahead.
A warm EDPS welcome for new DPOs!
On 29 May 2018, just four days after the General Data Protection Regulation (GDPR) entered into force, the EDPS welcomed 23 recently appointed Data Protection Officers (DPOs) and assistant DPOs from the EU institutions and bodies to a training course on the effective protection of personal data in their new role.
EDPS Supervisor Giovanni Buttarelli opened the session. He described the DPO as a reliable guardian of the data protection culture within an EU institution. He also outlined what people expect from the EU institutions when we handle their data: transparency, information about what is happening to their data and control over their own personal data.
In the first session of the day, we provided the new DPOs with practical information about their role. We informed them about the practical tools at their disposal, including the wide-ranging guidance offered by the EDPS. This includes the DPO Corner on the EDPS website, thematic Guidelines and information on how to update records and data protection notices. We then focused on the topic of individuals’ rights, looking specifically at how to handle requests from individuals in a way that ensures that these rights are respected.
We ended the day with a practical case study on event management, which allowed the DPOs to both apply what they had learned and familiarise themselves with certain aspects of the new legal framework, such as outsourcing, controllership, collection of consent and personal data breaches. After intense discussion addressing the case from different perspectives, the DPOs proved themselves more than capable of translating legal obligations into pragmatic solutions. We wish them the best of luck in their new roles!
Supervising Europol: cooperating with national data protection authorities
Regular attacks on EU citizens inside the European Union remind us of the challenges faced by national law enforcement authorities in ensuring our security. The European Agency for Law Enforcement Cooperation (Europol) supports national authorities in their fight against serious cross-border crime and terrorism. However, a secure and open Europe depends not only on ensuring enhanced operational effectiveness in the fight against cross-border crime, but also on protecting fundamental rights and freedoms.
On 1 May 2017, the EDPS took over responsibility for the supervision of personal data processing carried out by Europol as part of their operational activities. One key challenge is to make sure that Europol strikes the right balance between security and privacy. However, as Europol relies heavily on information provided by national law enforcement authorities to perform its tasks, meeting this challenge is only possible if we work closely with national supervisory authorities.
EDPS collaboration with national authorities is facilitated by the Europol Cooperation Board. The Board acts as an advisory body on Europol matters. For example, it plays a key role in ensuring that citizens are able to exercise their rights in relation to the processing of personal data by Europol and provides clear guidelines to national law enforcement authorities on the data protection rules that apply to the data they send to Europol, particularly as they relate to vulnerable individuals.
On 29 May 2018, we attended the third meeting of the Europol Cooperation Board, at which we were able to share information relating to the supervisory activities undertaken since the last meeting, in November 2017. We also discussed the work programme for the next two years. We look forward to strengthening our cooperation within this essential network of national authority representatives as we work towards achieving the joint aim of a secure and open Europe.
Interested in working for the EDPS?
We are currently looking for someone to take on an advisory position, focused on the socio-economic impacts of data processing. With the processing of personal data now an integral part of a wide range of EU policy initiatives, this new role aims to accelerate EDPS engagement with the socio-economic implications of the collection and use of personal data in the digital age.
The EDPB gets to work!
Among the many changes introduced by the General Data Protection Regulation (GDPR) is the creation of the European Data Protection Board (EDPB). The Board, which began work on 25 May 2018, acts as a forum for cooperation between national data protection authorities from across the EU and the EDPS. It replaces the Article 29 Working Party (WP29), while also assuming responsibility for many new tasks aimed at ensuring the consistent application of the GDPR across the EU.
Much of the work carried out by the EDPB, and previously by the WP29, takes place within subgroups, dedicated to specific areas relating to data protection. The first meetings of five of these EDPB subgroups took place in June 2018, focusing on financial matters, key provisions of the GDPR, international transfers, technology and strategic and organisational issues.
As a member of the EDPB, representatives from the EDPS, including the Assistant Supervisor Wojciech Wiewiórowski, attended all these meetings. As we enter a new era in data protection practice, we look forward to continued and increasing cooperation with our fellow data protection authorities through the newly-established EDPB.
The free-flow of non-personal data
On 4 June 2018 we received a request from the European Parliament's Committee on Internal Market and Consumer Protection (IMCO) to comment on the European Commission proposal for a Regulation on a framework for the free flow of non-personal data in the European Union. The request cited concerns about certain amendments relating to the relationship between the proposal and the General Data Protection Regulation (GDPR). A consultation request from a responsible European Parliament Committee is a new development and we see it as yet further proof that the co-legislators are increasingly interested in our input in the course of legislative process.
The legislative proposal in question was published on 13 September 2017. It would allow for the free flow of non-personal data within the EU internal market, making the porting of data easier for professional users and enabling users to more easily change between cloud service providers. The proposal also contains provisions relating to the availability of data for competent authorities.
We sent our Comments to IMCO on 11 June 2018, just four days after receiving the request.
One of the main issues we highlighted, and which was already present in the initial proposal from the Commission, is that the proposal would apply to data that is not personal data under the GDPR. The problem with this negative definition is that it is likely to be very difficult to apply in practice, since the definition of personal data is very broad and context-dependent. It also automatically creates a tension with the GDPR and results in legal uncertainty as to which legal framework should apply in a given situation. Moreover, IMCO introduced amendments which, instead of clarifying the relationship between the proposal and the GDPR, risk blurring them even further.
We recommended that the proposal should clearly state that the GDPR fully applies to all personal data, irrespective of whether personal data are inextricably linked or not with non-personal data.
Joint controllership: the case of the European Labour Authority
On 30 May 2018, we issued formal Comments on the European Commission proposal for a Regulation establishing a European Labour Authority (ELA).
The role of the ELA would be to encourage fairness and mutual trust in the Internal Market, by ensuring that EU rules are enforced in a fair, simple and effective way. It would do this by supporting Member States in matters relating to cross-border labour mobility, including rules on the free movement of workers, the posting of workers and the coordination of social security systems. Additionally, the Authority would enhance cooperation between Member States in tackling undeclared work.
Our Comments focus on the need to clearly define the tasks and responsibilities of both the ELA and other parties involved in processing data within the EURES portal, the EU’s job mobility portal. This is particularly important in order to identify who is the controller, the person in charge of determining the purposes and means of processing this data.
The primary reason why the clear and unambiguous identification of the controller is so crucial is that it determines who is responsible for ensuring compliance with data protection rules. Clarity is especially important in situations where multiple actors are involved in a cooperative relationship. In this Proposal, for example, it is not particularly clear if the ELA should be considered as the sole controller or a joint controller alongside the European Commission.
Furthermore, working on the assumption that personal data will also be processed in the exchange of information between Member States, we suggested that the Proposal should clearly define the tasks and responsibilities of the different authorities involved.
The EDPS-IPEN workshop 2018
The 2018 EDPS-IPEN Workshop took place in Barcelona on 15 June 2018 with the support of the Polytechnic University of Catalonia (UPC). This annual workshop has taken place at different locations across Europe since 2014. It aims to bring together privacy experts and engineers from public authorities, industry, academia and civil society to discuss relevant challenges and developments for the technological implementation of data protection and privacy.
EDPS Assistant Supervisor Wojciech Wiewiórowski gave the opening keynote speech, in which he emphasised the need to develop practical solutions for privacy engineering. The role of privacy engineering is now more important than ever, since, under the General Data Protection Regulation (GDPR), data protection by design and by default are now enforceable legal obligations. Ensuring that privacy and data protection are incorporated into all new technologies from the development phase is a crucial step in ensuring that we are able to protect personal data in the digital age.
The main aim of the workshop was to assess the state of play for privacy engineering and privacy-enhancing technologies (PETs) in the wake of the GDPR and to follow-up on the outcome of last year’s trans-Atlantic workshop. Some IPEN participants provided updates on ongoing initiatives, such as the IPEN wiki on privacy related standardisation initiatives and the PETs maturity repository.
Beyond current legal obligations, the relationship between ethics and technological developments was also a topic of discussion. We challenged those present to try to answer the question of whether privacy engineering can help solve the ethical problems posed by artificial intelligence (AI). We also asked them to think into the future, from data protection by design to human rights by design. The idea of introducing a Human Rights, Ethical and Social Impact Assessment (HRESIA) was presented as a possible way forward from Privacy Impact Assessments.
The workshop was also an opportunity for businesses to present and demonstrate solutions which combine innovation and data protection. Companies including SAP, Jolla, Qwant and Brave shared their best practices and how to give users more control over their personal data, implementing the spirit of the GDPR to its full extent. Academics from European and American universities reported on recent research results, not only at a theoretical level but also through the presentation of practical tools which help to detect privacy compliance issues and might support regulatory authorities or controllers that wish to act in full accountability.
The workshop marked an encouraging start to the GDPR era and we are looking forward to continue this valuable interdisciplinary dialogue over the months and years to come.
The workshop was web streamed and the presentations are still available on the UPC web site.
Data Protection Officers
Speeches and Publications
Speech by Giovanni Buttarelli at the Ambassadors' Cocktail, Brussels, Belgium (5 June, 2018).
Speech by Giovanni Buttarelli at Austrian Commission of Jurists, Vienna, Austria (31 May, 2018).
Speech by Giovanni Buttarelli at 8th European Data Protection Days (EDPD), Berlin, Germany (14 May, 2018).
Speech by Giovanni Buttarelli at Telecommunications and Media Forum: Artificial Intelligence and the future Digital Single Market, Brussels, Belgium (24 April, 2018).