In the September 2017 edition of the EDPS Newsletter we cover the EDPS Opinion on the digital single gateway, the investigation of complaints relating to medical data and the latest developments in privacy engineering.
In this issue
A digital Europe needs data protection
The successful implementation of an EU-wide once-only principle to enable the lawful exchange of data across EU borders depends on ensuring that the relevant data protection principles are respected, the EDPS said on 1 August 2017, as he published his Opinion on the Commission’s proposal for a Regulation establishing a single digital gateway and the once-only principle.
Giovanni Buttarelli, EDPS, said: “This proposal is one of the first EU instruments that explicitly refers to the once-only principle, which aims to ensure that citizens and businesses do not need to submit the same information to a public administration more than once. I welcome this initiative, but also recommend that the Commission take into account some key issues related to data protection in their continued development of the once-only principle. Additional clarity on important data protection principles, such as the legal basis of the processing, purpose limitation and data minimisation will reinforce the protection of the rights of individuals.”
The Commission’s proposal aims to modernise administrative services by facilitating the availability, quality and accessibility of information across the EU.
EDPS Press Release
Health and data protection in the EU institutions
The EDPS recently addressed two complaints concerning the processing of medical data. The rules that EU institutions and bodies must follow when dealing with such data are set out in Article 10 of Regulation 45/2001. The EDPS also issued Guidelines on the topic in September 2009, designed to help the EU institutions comply with their obligations under the Regulation.
The first complaint concerned the processing of medical data to facilitate disciplinary proceedings relating to suspected fraud. It involved analysing whether, under Regulation 45/2001, the EU body concerned had the right to access medical data linked to the reimbursement of medical expenses, stored by a third party, and transfer it to the State Prosecutor.
We concluded that, under the right to information, the EU body should have informed the relevant staff members of both actions and could not claim that doing so would have involved a disproportionate level of effort. We stressed that, for fraud investigations involving medical data, only the relevant medical advisers should have access to this data. Data protection officers (DPOs) should also be involved in internal disciplinary procedures, especially when they involve the special categories of personal data outlined in Article 10 of the Regulation.
The second case concerned a breach of confidentiality. The EU body concerned disclosed medical data to a third party in order to check the validity of a medical certificate. Though the EU Staff Regulations may justify this action, they also specify that the individuals concerned must be informed of the relevant legal basis under which this data will be processed and that the validity of a medical certificate might be checked. Changing the purpose for which medical data is processed, as occurred in this case, also constitutes a breach of Article 6 of the Regulation, which specifies that this is only possible if expressly provided for in the internal rules of the relevant EU body.
When the professional becomes personal
Information relating to a registered company or legal person, especially when connected with additional data, can make it possible to identify the individual or natural person associated with the company. For this reason, information about a registered company can, in certain cases, be considered personal data. The EDPS recently dealt with two complaints relating to company data stored in EU databases.
The first concerned the email address used to register a company in an EU database. The complainant alleged that it had been accessed unlawfully by, or made available to, third parties and was then used for unsolicited commercial communication (spam).
We found that the data had been processed according to the rules set out in Article 5(a) of Regulation 45/2001, and judged that the EU institution responsible for the database had taken appropriate measures to address the complaint. However, we also recommended that the EU institution move forward with implementing anonymisation techniques to better protect the data stored in the database and advised it to amend the relevant data protection notices to ensure that they provide information on the limited availability of data and on any anonymisation techniques used.
The second complaint concerned an individual whose company is registered in the VAT Information Exchange System (VIES on-the-web). VIES is a search interface which facilitates cross-border economic transactions by making it possible to check the validity of the VAT identification numbers of companies registered in the EU. Our investigation found that the EU institution responsible for VIES had put in place adequate measures to prevent, detect, and stop illicit use of the database.
Though VIES is operated by an EU institution, its content is taken from the national VAT registries in the Member States. These are maintained by the respective national tax administrations and the information recorded by each depends on the national law. Only the tax administration that issued the VAT number is able to delete or alter the personal data found in their national registries, and which therefore appear on VIES, and personal information can only be accessed in VIES by searching for a VAT number. Supervision of data processing in this case is therefore the responsibility of the national data protection authority (DPA) of the country in which the company is registered.
EU-Canada PNR under fire
On 26 July 2017, the European Court of Justice issued an Opinion on the EU-Canada Passenger Name Record (PNR) agreement, signed by the EU and Canada in 2014. The Opinion, requested by the European Parliament, concluded that several provisions in the agreement were not compatible with EU fundamental rights, particularly those relating to respect for privacy and the protection of personal data. The EDPS intervened in the court case on 5 April 2016 and reported on it in our July 2016 Newsletter.
The Court found that several of the provisions judged to interfere with the rights to privacy and data protection contravened the principle of necessity and failed to lay down clear and precise rules on the collection, transfer and processing of personal data. In particular, the court cited provisions on the transfer, processing and retention of sensitive data, which failed to protect against the possibility of discrimination.
The transfer and storage of PNR data for the purpose of entering Canada was not judged to exceed the limits of necessity. However, the Court specified that it must only be stored while the traveller remained in Canada. The use of any of this data during or after their stay would require new and justifiable circumstances, for which specific rules on the conditions of use and access would need to be developed. Retention of this data would be considered acceptable only in cases in which the travellers concerned presented a risk relating to the fight against terrorism or serious transnational crime.
In order to be compatible with EU law, the agreement must, among other things, also provide more clarity on the types of PNR data that can be transferred. Moreover, the right for air passengers to be notified if their PNR data is processed during their stay in Canada or after their departure should also be established, as well as an independent supervisory body to oversee the use of PNR data in Canada.
Privacy engineering gaining ground
With data protection by design set to become a legal obligation under the GDPR, current interest in technological solutions for privacy is particularly high. The most recent workshop of the IPEN network, which seeks to promote privacy engineering and bridge the gap between legal and IT engineering approaches to data protection, provided an opportunity to explore the practical consequences of the new obligations in depth.
In particular, the workshop, which took place in Vienna on 9 June 2017, aimed to highlight some of the ways in which new principles could be implemented to ensure an increased level of protection for personal data. These included the use of concepts and measures such as data minimisation, tracking protection, encryption and effective anonymisation.
Interest in privacy engineering techniques is also growing in the US. The Future of Privacy Forum (FPF) has organised an event in collaboration with IPEN, the Catholic University in Leuven and Carnegie-Mellon University. Set to take place in Leuven on 10 November 2017, it will focus on research and development needs in privacy engineering. The outcome of this promising initiative will be covered on the FPF and IPEN websites, as well as in a future edition of the EDPS newsletter.
The International Conference is underway!
The 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC) is taking place in Hong Kong this week. The annual event brings together more than one hundred privacy and data protection authorities from across the world to discuss the future of data protection and privacy. This year's conference focuses on the theme of connecting the West with the East, addressing the different concepts and regulations relating to privacy in the East and West and the applicability of western models of data protection in Asia and elsewhere.
The closed session, for accredited members of the ICDPPC only, takes place from 26-27 September 2017, while the open session, which all members of the international data protection community are welcome to attend, will take place from 28-29 September.
Several side events also took place on 25 September, one of which was an event the EDPS co-hosted with the United Nation's Special Rapporteur on the Right to Privacy and Digital Asia Hub, aimed at data protection and privacy authorities and regulators.
With the International Conference set to return to Europe in 2018, where the EDPS and the Commission for Personal Data Protection of the Republic of Bulgaria will take over as joint hosts, the event was an opportunity to explore the common values that underpin privacy and data protection in an interactive environment. We look forward to developing the discussion further at the 2018 International Conference!
The Annual Privacy Forum 2017
The Annual Privacy Forum took place on 7 June 2017. Organised by the European Network and Information Security Agency (ENISA) on an annual basis since 2012, and supported by the EDPS, the Forum brings together researchers, regulators and businesses dealing with IT privacy.
Assistant Supervisor Wojciech Wiewiórowski gave the opening keynote speech. He took the opportunity to refer to the recent #WannaCry cyber-attack and highlighted the importance of advice previously issued by both the EDPS and ENISA: If we create backdoors to our devices or our encryption schemas, criminals and terrorists will abuse the reduced security of our devices or encryption for their own purposes. Appropriate security measures, required under data protection law, would have prevented these attacks.
The Forum’s agenda also covered many other important topics. For example, the EDPS was represented in a panel on the practical implementation of the GDPR in mobile applications, in which we addressed the importance and meaning of informed consent.
With its combination of technical presentations and policy debates, the Annual Privacy Forum provides an interesting mix of information and discussion on privacy, security and technology issues. The EDPS was proud to contribute to this discussion and we look forward to supporting this event again in the future.
Teenagers on privacy
The GDPR is going to be the keystone of data protection law for a generation. The new GDPR provisions on profiling, consent and the right to be forgotten, for instance, are an attempt to transpose individual control to the big data era.
Teenagers today live tech-dependent lives, and are skilful manipulators of this technology, but do they really have a different conception of privacy to older generations?
Anna, aged 17, recently did her work experience with the EDPS. She knew nothing about data protection law, but she agreed to share her reflections in a guest post on the EDPS blog.
Though legal terminology may be absent, established notions like consent, fairness and user control are clearly present in her article, which represents a thought provoking, and in some ways humbling, contribution to the privacy debate.
Data Protection Officers
Mr. Daniel Drewer, EUROPOL
Mr. Alexandru George Grigore, European Asylum Support Office (EASO)
Ms. Laura Gomez Gutierrez (Acting DPO), SESAR Joint Undertaking
Ms. Reyes Otero Zapata, Council of the European Union
Mr. Sébastien Pechberty, Shift2Rail Joint Undertaking
Ms. Marta Ramira Hidalgo, European Fisheries Control Agency (EFCA)
Ms. Kjersti Sneve, EFTA Surveillance Authority (ESA)