In the May 2018 edition of the EDPS Newsletter we cover the new data protection rules for the EU institutions, the annual EDPS Civil Society Summit and our Opinion on Privacy by Design.
In this issue
EDPS welcomes agreement on new data protection rules for the EU institutions and bodies
On 25 May 2018, the General Data Protection Regulation (GDPR) became fully applicable to all companies and organisations operating within the EU. We welcome the news that the EU legislator has now reached a political agreement on equivalent rules on data protection in the EU institutions and bodies and we will continue to support the EU institutions to ensure that they are ready to implement these rules from day one, the EDPS said.
Giovanni Buttarelli, EDPS, said: “25 May 2018 is an historic day for data protection in the European Union. The GDPR became fully applicable on 25 May 2018, bringing with it a big shift towards the principle of accountability and stronger powers of enforcement. We welcome the announcement of a political agreement on equivalent rules for the EU institutions and bodies and call for their swift adoption and publication, to ensure that they become applicable without further delay. As the supervisory authority responsible for monitoring and ensuring the protection of personal data in the EU institutions and bodies, the EDPS has undertaken to ensure that the EU institutions will be adequately prepared.”
Civil society organisations as natural allies of the data protection authorities
Earlier this year, the EDPS met with European civil liberties organisations to discuss the state of data protection and privacy in the EU, in what is now known as the annual EDPS Civil Society (CSO) Summit. Data protection authorities and non-governmental organisations are natural allies when it comes to putting data protection principles into practice, empowering individuals to assert their rights and holding data controllers accountable for their actions.
The first issue discussed at this year’s Summit was individual and collective redress under the General Data Protection Regulation (GDPR). In its 2014 report, the EU Fundamental Rights Agency acknowledged the important role of the CSOs in helping victims of data protection violations to overcome various challenges in exercising their right to effective remedy. In light of the obstacles to the effective exercise of data protection rights, the GDPR relaxes the legal standing rules for the CSOs, allowing them to better fulfil their role. It is now up to the Member States to make the necessary legal arrangements and ensure that individuals have recourse to these rights under national law.
The second big issue discussed was ongoing legislative and political developments with respect to the monitoring of illegal and harmful content online. The Commission has set up a High Level Group on Fake News charged with providing a better understanding of the phenomenon, defining roles and responsibilities of the relevant stakeholders and advising the Commission on the way forward. The quest for solutions for addressing disinformation, harmful or illegal content online cannot focus on curbing the freedom of speech. We should rather shift our attention to the enablers, the ecosystem behind the widespread illegal content, and strengthen the enforcement of the existing rules under data protection, consumer protection and competition law.
The voice of the digital rights groups is particularly important in the growing debate around ethical implications of technologies, such as how artificial intelligence and big data challenge notions of individual agency, accountability and freedom in the public space. This is why we are delighted that two representatives of CSOs have kindly agreed to take an active role in the 40th annual International Conference of Data Protection and Privacy Commissioners (ICDPPC) by joining the conference’s Advisory Committee.
Accept and continue: billions are clocking into digital sweat factories without realising it
The digital information ecosystem farms people for their attention, ideas and data in exchange for so-called free services. Unlike their analogue equivalents, these sweatshops of the connected world extract more than one's labour, and while clocking into the online factory is effortless it is often impossible to clock off.
The most recent scandal has served to expose a broken and unbalanced ecosystem reliant on unscrupulous personal data collection and micro-targeting for whatever purposes promise to generate clicks and revenues. In such a distorted environment, everyone must now participate, instilling the paradoxical sense of being more and more monitored and yet less and less known and respected by the small number of remote tech powers.
As the state of things digital becomes gradually clearer, there are already noises suggesting that if you object to being tracked in exchange for the free services on which many of our lives now depend, then the only alternative is to pay. But the fundamental right to privacy and related freedoms like free speech and non-discrimination apply to all; they cannot be the exclusive privilege of those who can afford to pay.
The GDPR is, essentially, about accountability of controllers and safeguards for individuals, including giving them more control over what happens to their data. Its greater goal is to protect individuals, not companies. What individuals and regulators expect is a change of culture. Massive digitisation and machine learning are demanding new and smarter policy responses: stronger enforcement but also empowerment through tools like meaningful consent; ethics and accountability and a fairer allocation of the digital dividend.
Protecting EU assets: the data protection implications
On 12 April 2018, the EDPS issued formal comments on a proposal for a regulation to establish a framework for the screening of foreign direct investments into the European Union.
The proposed regulation aims to prevent foreign investors from making strategic acquisitions of key European assets. It provides Member States with a framework to establish or update their screening mechanisms and grants the Commission the power to screen any foreign direct investments with a possible impact on EU projects or programmes. A notification mechanism, facilitating communication between the European Commission and the Member States, will help to ensure a comprehensive and consistent approach to the screening process.
In our Comments, we noted that the screening of direct investments and the exchange of this information could, in many cases, lead to the processing of data relating to directly or indirectly identifiable individuals. The processing of such data must therefore comply with the rules set out under the General Data Protection Regulation (GDPR) and Regulation 45/2001, which applies to the processing of personal data by the EU institutions and bodies. This would include the establishment of a fixed and proportionate retention period for all personal data collected.
The proposal could also lead to Member States and the European Commission acting as joint controllers, meaning that both would be responsible for determining the means and purposes of processing of the personal data concerned. In such cases, both controllers should clearly define and agree upon their responsibilities in order to ensure that the individuals concerned are fully and accurately informed.
Privacy by design: technology that serves the people
The public debate on the misuse of personal data for tracking and profiling and the role of technology in our society has received unprecedented attention in recent weeks. One element of this debate is whether companies should be able to take advantage of technology exclusively as a means to increase their profits, or whether they should be obliged to use it to further the interests of individuals and the common good.
The principle of privacy by design may help to establish the human perspective as the main driver for technological development. Privacy by design involves planning for the integration of personal data protection into new technological systems and processes from the initial design stage of a project, as well as throughout its whole lifecycle. Privacy by default is a complementary principle, which involves integrating privacy protection into all technological services and products as a default setting. Both principles are cited in the General Data Protection Regulation (GDPR) as essential obligations in ensuring accountability, which requires those responsible for collecting and processing personal data to implement appropriate technical and organisational methods to ensure and demonstrate data protection compliance.
The EDPS has played an active part in attempts to further the dialogue between policy makers, regulators, industry, academia and civil society on how new technologies can be designed to benefit the individual and society. The 2018 IPEN workshop, which will take place in Barcelona on 15 June 2018, will focus on initiatives and case studies relating to privacy engineering and the use of privacy enhancing technologies, while the 40th International Conference of Data Protection and Privacy Commissioners, which will take place in Brussels during the week of 22 October 2018, will address digital ethics in general, helping to identify the way forward for privacy by design.
Our preliminary Opinion on Privacy by Design, published on May 31, 2018, sets out the groundwork for this dialogue and builds on our previous work in this area. We welcome any feedback and hope it will foster productive debate moving forward.
EDPS success at annual EU Open Day
On 5 May 2018, in celebration of Europe Day, the EU institutions opened their doors to all members of the public. The annual EU Open Day is an opportunity for the EU institutions to increase the transparency of their work and to educate people on the work of the EU.
The EDPS stand was once again located in the European Commission’s Berlaymont building. EDPS staff were on hand from 10am onwards to answer questions from visitors and encourage them to take part in our quiz, and take away an EDPS gift! Our facial detection software, which attempts to define a person’s gender, age and emotions, also proved popular and undoubtedly contributed to a record number of people participating in our quiz.
With public awareness about privacy and data protection at an all-time high, the increased interest in data protection and the work of the EDPS was both understandable and encouraging. We hope to see you at our stand in May 2019!