Newsletter (100)
This is our 100th Newsletter! Enjoy a trip down memory lane on EDPS history. Read about the EDPS piloting the use of Open Source software, our latest Opinions on Parenthood and equality bodies for equal treatment. In this edition, you can also find out about how we conduct investigation into EU institutions' activities with an impact on data protection. And, there is always more! This issue is also part of our podcast series, the Newsletter Digest.
In this issue
Celebrating 100 EDPS Newsletters!
EDPS to pilot the use of Open Source Software
Personal data and public safety
Standards for equality bodies: ensuring that everyone is treated equally
Data protection engineering by design and by default
EDPS investigations: a step-by-step guide
Parenthood and Privacy: protecting the interests of children
Celebrating 100 EDPS Newsletters!
This Newsletter edition is a special one, as it is our 100th newsletter! That’s 100 newsletters written since 2005, in which we aim to bring you regular bite-size updates on the work we do to protect two of your fundamental rights: your rights to data protection and privacy.
To mark this occasion, our EDPS Director, Leonardo Cervera-Navas, looks back on some of the key events that have marked EDPS history.
With the EDPS’ first Supervisor, Peter Hustinx, the network of data protection officers of the EU institutions, bodies, offices and agencies (EUIs) was created. At the time, data protection was rather unknown, and sometimes considered as unimportant. This network, and the strong relationship we have built over the last 18 years with data protection officers, have been crucial to achieve compliance with data protection law amongst EUIs, and to help bridge the gap between the law and its practical application. Over the years, the network has grown, now counting 70 data protection officers. Last year, in 2022, the EDPS and the data protection officers celebrated their 50th biannual meeting - a symbol of their fruitful collaboration.
Fast-forward to 2018. With the second Supervisor, Giovanni Buttarelli, the EDPS organised the 40th International Conference of Data Protection and Privacy Commissioners: Debating Ethics - Dignity and Respect in Data Driven Life. During the conference, the EDPS welcomed 1132 delegates from diverse backgrounds. The goal of the conference was to stimulate an honest and informed conversation about what digital technology has done and is doing to us as individuals and as societies, identifying the values at risk and what must be done to preserve them. Giovanni’s vision was as follows: not everything that is possible is legal, and not everything that is legal should be done.
Meanwhile, the General Data Protection Regulation (GDPR) was coming into force.The EDPS had to find a practical way of facilitating its coherent and consistent application across all EU Member States, by proposing a Secretariat, now known as the European Data Protection Board (EDPB), to establish synergies and coordination between 27 data protection authorities. This has come with challenges, but also great successes, with the rapid delivery of qualitative legal advice and opinions on the application of the GDPR, to protect EU citizens’ data. Indeed, the GDPR is considered as a gold standard around the world, with many other countries adopting its principles in their own national laws.
More recently, with the current Supervisor, Wojciech Wiewiórowski, the EDPS organised a Conference on the future of data protection: effective enforcement in the digital world, with over 2000 participants, and over 100 distinguished speakers, hosted both online and remotely. The conference not only took stock of the current enforcement models under EU data protection law and beyond, with its challenges and opportunities. But also focused on the future of data protection, foreseeing new technologies and their privacy implications, as well as reflecting on the ways forward, the solutions to adopt in the data protection and privacy fields.
As we celebrate this Newsletter milestone, we look forward to bringing you more news about the EDPS’ data protection activities in a clear and transparent way for both experts and non-experts; subscribe here.
For more information about:
- the network of DPOs, click here
- the 40th International Conference of Data Protection and Privacy Commissioners, click here
- the EDPB, click here
- the Conference on the future of data protection, effective enforcement in the digital world, click here
EDPS to pilot the use of Open Source Software
In February 2023, the EDPS has started piloting the use of the Open Source Software Nextcloud and Collabora Online (based on LibreOffice technology). Together, they offer the possibility to share files, send messages, make video calls, and allows collaborative drafting, in a secured cloud environment.
The contract negotiated by the EDPS with an EU-based service provider is accessible to all EU institutions, bodies, offices and agencies (EUIs), and ensures compliance with the EU’s data protection law applicable to EUIs, Regulation (EU) 2018/1725, as well as other rules specifically applicable to EUIs as an international organisation.
Wojciech Wiewiórowski, EDPS, said: “Open Source Software offers data protection-friendly alternatives to commonly used large-scale cloud service providers that often imply the transfer of individuals’ personal data to non-EU countries. Solutions like this may therefore minimise reliance on monopoly providers and detrimental vendor lock-in. By negotiating a contract with an EU-based provider of cloud services, the EDPS is delivering on its commitments, as set out in its 2020-2024 Strategy, to support EUIs in leading by example to safeguard digital rights and process data responsibly.”
Personal data and public safety
On 10 February 2023, the EDPS issued an Opinion on two legislative Proposals on the collection and transfer of advance passenger information (API), which includes air passengers’ personal data included in their travel documents (passport or identity cards) that is collected during check-in. The Proposals have two different aims: firstly, to facilitate effective border checks and to combat illegal immigration, and secondly, to prevent, detect, investigate, and prosecute terrorist offences and serious crime.
The EDPS Opinion focuses on whether it is necessary and proportionate for individuals’ API data from intra-EU flights, meaning flights from one EU country to another EU country, to be collected and transferred to the competent national authorities for law enforcement purposes. In particular, the EDPS assesses whether such processing is compatible with the existing Passenger Name Record Directive (PNR) - which lays down the rules on the collection of passengers’ personal travel data to tackle cross-border crime and terrorism, and the recent ruling of the Court of Justice of the European Union (CJEU) in the Ligue des droits humains case.
Wojciech Wiewiórowski, EDPS, said: "According to the CJEU’s ruling on the PNR Directive, EU countries are able to process individuals’ travel data from selected intra-EU flights, as a way of preventing serious crime and terrorism. API data may not be as intrusive for the right to private life and protection of personal data as the full PNR datasets considered by the Court in its ruling. However, in line with the fundamental rights guaranteed in the EU Charter of Fundamental Rights, including the right to free movement, processing of API data must also be limited to what is strictly necessary. EU law should be clear in that respect. Therefore, I call for harmonised criteria for the selection of intra-EU flights, from which API data should be collected, to avoid divergent practices amongst EU countries."
In the Opinion, the EDPS recommends the development of harmonised criteria and a common methodology to help determine, on what basis, and from which intra-EU flights, individuals’ API data would be collected, in line with the CJEU’s ruling. The EDPS also recommends further strengthening the security measures envisaged by applying additional data protection safeguards, such as pseudonymisation or encryption of API data, if technically and operationally possible.
Standards for equality bodies: ensuring that everyone is treated equally
The EDPS issued an Opinion on 2 February 2023 on Proposals, made by the European Commission, aiming to lay down minimum requirements for the functioning of equality bodies to improve their effectiveness and guarantee their independence - a crucial step to strengthen the principle of equal treatment.
As part of this objective, the two Proposals include:
- one on standards for equality bodies for the equal treatment of individuals, irrespective of their racial or ethnic origin; for the equal treatment of individuals in the field of employment and occupation, irrespective of their religion or belief, disability, sexual orientation or age; and for the equal treatment between women and men in the field of social security and in the access of goods and services;
- one on standards for equality bodies for equal treatment and equal opportunities between women and men in the field of employment and occupation.
In its Opinion, the EDPS takes note that the Proposals would involve the processing of special categories of data, such as information on race, ethnic origin, religion or beliefs, gender, sexual orientation and age. In this case, the EDPS recommends clarifying a list of all special categories of personal data that may be processed, and the measures to safeguard the fundamental rights and the interests of individuals, due to the high sensitivity of this data.
Putting in place data protection measures and respecting EU data protection law ensures legal certainty, which, in turn, contributes to protecting people, especially the most vulnerable.
To read the Opinion, visit our website here.
Data protection engineering by design and by default
In January 2023, the EDPS, the European Data Protection Board Secretariat and the EU Agency for Cybersecurity (ENISA) delivered a training on data protection engineering organised by DG Connect, the European Commission’s Directorate General for Communications networks, Content and Technology for its employees and other departments of the European Commission.
Data protection engineering is the process of integrating privacy by design and privacy by default throughout the development of technologies. Privacy by design might include, for example, encrypting personal data. Whilst privacy by default, for example, may include ensuring that settings for an app or software are automatically set to the most data protection friendly option.
Data protection by design and by default are obligations for organisations responsible for processing personal data and are key to using technology sustainably. As a result, it is essential to learn how to engineer data protection throughout all the phases of a project and to grow a mind-set that supports this need.
During the training, the EDPS provided advice and shared experiences on how to take into account data protection requirements throughout the lifecycle of IT products and services, focusing on the responsibilities and actions that IT Departments can take in this area.
Additionally Professor Bart Preneel, Head of the Computer Security and Industrial Cryptography at KU Leuven, shared valuable information on cryptology, a cornerstone of many privacy-enhancing technologies, and on measures to secure communications.
The EDPS will consider organising other similar trainings in the future, having identified gaps within EU institutions, bodies, and offices on how privacy by design and by default should be applied in practice.
EDPS investigations: a step-by-step guide
Are you familiar with how the EDPS carries out its investigations?
Look no further! The EDPS has issued, on 30th January 2023, a Factsheet and a Policy Paper to help you understand how investigations are carried out.
Investigations are a way of establishing whether EU institutions, bodies, offices and agencies (EUI) have breached applicable data protection rules.The EDPS may decide to start an investigation when we have a strong suspicion of an infringement of data protection rules by an EUI.
In our Factsheet and Policy Paper, you can find the detailed steps that the EDPS takes when carrying out an investigation.
These may include the following:
- opening an investigation;
- opening and evidence-gathering meetings;
- an onsite or remote inspection;
- a preliminary assessment;
- a hearing;
- the EDPS’ final decision and its publication;
- a possible follow-up after the investigation.
To find out more information about EDPS Investigations, have a look at our Investigation Policy and Investigation Factsheet.
Parenthood and Privacy: protecting the interests of children
On 26th January 2023, the EDPS issued an Opinion on a Proposal regarding the establishment of parenthood in cross-border situations, for example in situations where a child has family members living in another EU Member State.
To achieve this, the Proposal aims to determine which courts of the EU Member States have jurisdiction and which laws are applicable to establish parenthood of a child in these types of situations.
The Proposal also aims to establish common rules for the recognition of court decisions and authentic instruments on parenthood. It also includes the creation of an EU certificate of Parenthood.
The EDPS checked whether the Proposal includes effective data protection measures, and complies with the General Data Protection Regulation, applicable to EU member states, and Regulation (EU) 2018/1725, applicable to EU institutions, bodies, offices and agencies. In particular, the EDPS examined the determination of controllership regarding the processing of personal data, namely who determines why and how personal data is processed.
In its Opinion, the EDPS stresses that the processing of special categories of data is in principle prohibited in EU law. Special categories of data, which include, for example, health data, data on race, ethnic origin, sexuality, religious beliefs, are of highly sensitive nature, with great impact on individuals’ fundamental rights, if these are not adequately protected when processed.
To find out more about this Opinion, you can find it on the EDPS Website here.