In this issue, catch up on the EDPS' organisational changes, the Supervisor's visit to Japan for his participation in the G7 roundtable of data protection and privacy authorities, our latest Supervisory Opinions and audits, and find out how you can put data protection into practice. This issue is also part of our podcast series, the Newsletter Digest.
In this issue
EDPS finds that the CJEU’s use of cloud videoconferencing services complies with data protection law
In its Decision published on 13 July 2023, the EDPS finds that the use of Cisco Webex videoconferencing and related services by the Court of Justice of the European Union (the Court) meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies.
Wojciech Wiewiórowski, EDPS, said: “EU institutions, bodies, offices and agencies in their day-to-day work must uphold individuals’ fundamental rights and in particular data protection rules when using videoconferencing tools. This is all the more true when the use of these tools may involve transfers of personal data to countries outside the EU and the European Economic Area (EEA) that can lead to increased risks for the rights and freedoms of individuals. I welcome that the Court has taken leadership to obtain significant changes from Cisco; we hope this achievement can act as an example for other EU institutions, bodies, offices and agencies.”
Reshaping the EDPS to tackle data protection challenges
The European Data Protection Supervisor (EDPS) is making organisational changes to be able to continuously respond and adapt to the evolving data protection challenges that lie ahead, announced the Supervisor, Wojciech Wiewiórowski, today.
Wojciech Wiewiórowski, EDPS, said: "Since its establishment, the EDPS’ mandate, responsibilities and tasks have expanded considerably. Likewise, the risks posed by the use of new technologies have accrued, requiring the EDPS to invest its resources in monitoring their impact on individuals’ privacy. To be able to deliver on its commitments, the EDPS has found it necessary to rethink its approach and processes to ensure its efficiency in a fast-changing environment."
To this end, the EDPS has made the following organisational changes to reflect its priorities.
The Supervisor, Wojciech Wiewiórowski, has appointed the EDPS’ first Secretary-General, Leonardo Cervera Navas.
To ensure the effective enforcement of data protection law, the EDPS has set up specific sectors: a sector to monitor the EU’s Area of Freedom, Security and Justice; a sector to address complaints made by individuals efficiently and to launch timely investigations into the way personal data is processed by EUIs; and a sector to deliver comprehensive advice to EUIs on data protection matters.
Furthermore, the EDPS has redefined the Technology and Privacy Unit to ensure that technologies embed the principles of privacy and data protection.
Dedicating the appropriate and necessary resources, tools and expertise allows the EDPS to tackle ongoing and future data protection challenges.
The impact of AI on data protection: ensuring privacy in the era of innovation
On 7 July 2023, the European Data Protection Supervisor’s and the European Data Protection Board’s trainees organised a conference on the topic of Artificial Intelligence.
Titled “The impact of AI on data protection: ensuring privacy in the era of innovation”, this joint event invited other trainees of the EU institutions to reflect on and discuss the developments of AI, their impact on individuals and their privacy, and some of the measures that may need to be put in place to comply with data protection law.
AI is a multidisciplinary topic, affecting numerous aspects of individuals’ day-to-day lives. To reflect the plurality of views on this topic, the EDPS and EDPB trainees organised a panel discussion with various actors in the field - from technology experts and lawyers to politicians - each sharing their views and analysis.
Discussions focused on taking stock of some of AI’s key developments so far, the risks that these may entail, the role of the EDPS and the EDPB as institutions contributing to the enforcement of data protection law, and the balance between AI innovation and data protection.
Speaking at the trainees’ conference, EDPS Secretary-General Leonardo Cervera-Navas emphasised that “the Regulation on Artificial Intelligence and the General Data Protection Regulation should go hand-in-hand for the benefit of everybody. We need to embrace technology according to EU values”.
As the conference ended, EDPB Head of Secretariat, Isabelle Vereecken, highlighted that “AI raises a lot of fundamental rights questions, which depend on its application, and we are also touching on ethical questions.” Isabelle Vereecken also touched upon the ban on the use of AI in certain circumstances, for example in the case of automated recognition of human features in publicly accessible spaces, advocated by both the EDPB and the EDPS.
Missed some of the discussions? Want to know more about AI? Watch the video recording of the EDPS-EDPB trainees’ conference, available here.
G7 data protection and privacy authorities meet in Japan
Representing the EU, the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, and the previous chair of the European Data Protection Board (EDPB), Andrea Jelinek, participated in the G7 Roundtable of data protection and privacy authorities on 19-21 June 2023, in Tokyo, Japan. They were joined by the data protection and privacy authorities of Canada, France, Germany, Italy, Japan, the United Kingdom and the United States of America.
Together, G7 data protection and privacy authorities discussed joint actions on some of the key issues in data protection. These included the topic of Generative Artificial Intelligence and the topic of Data Free Flow with Trust. Views were also exchanged on emerging technologies, and how these can embed the principles of data protection and privacy, as well as on strategies to enforce data protection rules.
Shaping the global debate on data protection has long been one of the EDPS’ priorities; exchanging views allows for the development of common approaches on privacy, whilst taking into account the broader geopolitical contexts. It is also a chance for the EDPS and the EDPB to share and promote the EU’s perspective, notably its standards related to data protection and privacy, on the global stage, and to build cooperation on that basis.
You can find out more about the Roundtable of G7 data protection authorities and the actions that will be taken in the future by reading:
the action plan: https://www.ppc.go.jp/files/pdf/G7roundtable_202306_actionplan.pdf
the Statement on Generative AI: https://www.ppc.go.jp/files/pdf/G7roundtable_202306_statement.pdf
SOS EDPS: how to make a complaint?
Has your personal data been processed by an EU institution, body, office, or agency (EUI)? Do you feel that the processing did not go according to plan, and that the EUI may have infringed your data protection rights?
At the EDPS, we may be able to address your complaint if your personal data is processed by an EUI. But, before you submit your complaint to us, check whether your situation meets the eligibility conditions for the EDPS to be able to assist you.
Understanding whether your complaint can be addressed by the EDPS can be challenging. To help you with this, visit our brand new EDPS Complaint Page, where we have created a short interactive guide, with flow charts and a brief questionnaire, to help you identify to whom, and where, you may be able to reach out. On this page, you can also find more details about how the EDPS handles a complaint.
With this new EDPS Complaint Page, you can now find out instantly what actions you may be able to take in the case of an alleged violation of your data protection rights, whether the EDPS can help you or not.
Ethics and Privacy
EU institutions, bodies, offices and agencies (EUIs), like other organisations, may need to process their employees’ personal data for various reasons: bank details to pay salaries, employment history or occupations outside of work to avoid ethical concerns, health data for medical reimbursements and more.
As an independent data protection supervisory authority, our job is to advise EUIs to help them comply with data protection law when they need to process this type of data. As part of our work, we check whether employees’ personal data really needs to be processed, how it is processed, and how this data is used and protected.
It is in this context that we provided advice to an EUI that is collecting information about the gainful employment that their employees’ spouses may hold, to avoid conflicts of interests and prevent other ethical concerns. This is an obligation under the Staff Regulation applicable to EUIs to protect the EU’s mission and objectives.
Amongst the information collected are details identifying employees’ spouses, such as the name of their employer, their professional activity, and their name and surname. Whilst the name and surname of an employee’s spouse is not sensitive data, this information may indirectly reveal the employee’s sexual orientation. Sexual orientation, on the other hand, falls under the special categories of personal data, and is therefore sensitive data. The processing of this type of data is prohibited, unless it is proven necessary in light of obligations laid out in the Staff Regulation for EUIs.
Against this background, is it necessary to collect the surname and name of a spouse to check whether their gainful employment poses ethical concerns and to combat conflicts of interests?
The EDPS considers that, in general, this is not the case. As such, this information - the name and surname of a spouse - should only be collected to clear up any potential doubts or confusion that may arise. Should this be the case, the circumstances should be duly examined before lifting the prohibition on processing personal data that may indirectly reveal sensitive personal data, such as someone’s sexual orientation.
What happens when an organisation breaches the GDPR?
The European Data Protection Board (EDPB), the independent EU body that ensures the consistent application of the General Data Protection Regulation (GDPR) across the EU Member States and the European Economic Area (EEA), has issued Guidelines on the calculation of administrative fines.
The Guidelines aim to harmonise the methodology that data protection authorities may use to calculate fines when organisations in the EU have breached the GDPR. These guidelines also apply to the calculation of fines imposed on public authorities and bodies. As a member of the EDPB, the EDPS contributes to the preparation of EDPB guidelines.
The EDPB proposes in its Guidelines to follow a five-step approach to determine the amount of the fine that organisations should pay.
The EU’s/EEA’s Data Protection Authorities (DPAs), which are in charge of imposing fines, should start by identifying the processing operations that are in breach of the GDPR. Then, they should classify the infringement depending on the nature and type of the GDPR breach, as well as evaluating the seriousness of the infringement, and assessing the annual turnover of the organisation concerned.
After that, DPAs should evaluate whether there are any aggravating or mitigating circumstances related to the past or present behaviour of the data controller, who defines how and why personal data is processed, or of the data processor, who processes personal data on behalf of the controller. It is also important to identify the maximum legal amount that can be fined for the relevant infringements of the GDPR. The fines cannot exceed this maximum amount.
Finally, calculating the amount that an organisation can be fined must take into account how effective and dissuasive it will be and whether it is proportionate in light of the infringement and the aims pursued.
Want to dig deeper into the EDPB’s Guidelines? You can find them here.
Privacy, data protection and cybersecurity: a balancing act?
On 22 June 2023, the EDPS participated in the “EU Cybersecurity: Collective Resilience through Regulation” conference organised by the University of Maastricht in Brussels, Belgium.
Cybersecurity and data protection are interconnected; they are two essential allies to protect individuals and their rights. Technologies can help develop cybersecurity to keep individuals and their personal data safe, for example with the use of encryption. But, cybersecurity operations, especially in the era of artificial intelligence and machine learning, may also imply more processing of personal data, increasing intrusiveness into individuals’ lives.
During the conference, we shared our views on the legislative developments following the launch of the EU’s cybersecurity strategy, and the current and mid-term challenges that may arise in this context. Speaking at the conference, we advocated for a legal, strategic and operational approach to cybersecurity. We emphasised that cybersecurity should integrate in its design measures that promote individuals’ fundamental rights, including privacy and personal data protection.
It is key to protect EU citizens from cyberattacks. In our view, a structural collaboration between cybersecurity authorities and the competent data protection and privacy authorities is decisive to establish data protection safeguards that counterbalance the growing intrusiveness that technologies may bring.
In our role as the data protection authority of EU institutions, bodies, offices and agencies, we regularly work with the EU’s Agency for Cybersecurity (ENISA), with whom we have a Memorandum of Understanding to promote cyber hygiene, privacy and data protection, amongst other activities.
We also regularly issue Opinions on the topics of cybersecurity and data protection, at the request of the EU legislator or on our own initiative. In our most recent Opinion on a proposed Regulation on cybersecurity requirements for products with digital elements, we provided practical recommendations to help ensure that EU-wide cybersecurity requirements comply with data protection law to protect individuals.
Auditing data protection practices at the European Commission
Every year, the EDPS sets out an audit plan to verify that the data protection practices of EU institutions, bodies, offices and agencies (EUIs) comply with the applicable data protection law, Regulation (EU) 2018/1725.
Selecting the EUIs to be audited depends on a number of criteria, for example the categories of data processed by an EUI, the number of complaints received concerning an EUI, and an EUI’s compliance with previous decisions made by the EDPS.
This time, it was DG GROW’s turn to be inspected. DG GROW is the European Commission’s Directorate-General for Internal Market, Industry, Entrepreneurship and Small and Medium-Sized Enterprises (SMEs). In our audit, we inspected DG GROW’s Internal Market Information System (IMI), a secure, multilingual, online tool that facilitates the exchange of information between public authorities involved in the practical application of EU law.
Our onsite inspection focused on verifying the performance of some data protection measures under the IMI Regulation and Regulation (EU) 2018/1725. We also delved into, amongst other things, some IT security aspects, taking as a reference the ISO standard 27002:2022, an international standard for IT and information security.
Following our audit, we will provide our findings and, if applicable, a list of data protection recommendations to DG GROW, which we will follow up on to check whether these have been complied with.
How to put data protection and privacy into practice?
Do you know how to put data protection and privacy principles into practice concretely? Do you know how to take action to ensure that you protect individuals’ personal information to respect data protection law?
The EDPS has got you covered. Whether you work for an organisation in the EU, or are employed by an EU institution, or would simply like to know how your data protection rights should be protected, we have created a short factsheet called Data Protection in Action. From theory to practice, our factsheet is jam-packed with a comprehensive list of examples of the actions that you can take to help protect individuals’ personal data that you process.
Putting data protection into practice starts with making sure that it is lawful for you to process individuals’ personal data. This means that you must have a legal basis to do so: for example, because you have received consent from the people concerned, or because it is in the public interest for you to do so.
But, being able to lawfully process personal data is not enough in data protection law. As an organisation in the EU or as an EU institution, you must ensure that the following principles are respected: purpose limitation; data minimisation; data accuracy; storage limitation. Equally, you can’t forget to put in place technical and organisational security measures to keep individuals’ personal data safe.
In addition to explaining how to put certain data protection principles into practice, our factsheet covers some of the important questions that you may encounter within your organisation or EU institution. We have included, for example, what happens when you outsource some of your activities, and what to do if some of your operations require transfers of personal data outside the EU or the European Economic Area.
Ready to learn more about putting data protection in action? Check out our factsheet.