Newsletter #104 is out now! Stay informed with us about new updates in the digital regulatory landscape affecting the GDPR and transfers of personal data to the US. Technology specialist? Read about how to download our Website Evidence Collector 2.1.1. Also in this edition, learn how social media can be both practical and privacy-friendly. This issue is also part of our podcast series, the Newsletter Digest.
In this issue
Swift adoption of Regulation to streamline cross-border enforcement needed
Together with the European Data Protection Board we adopted a Joint Opinion on the European Commission’s Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR, on 21 September 2023.
The proposal aims to ensure the timely completion of investigations and the delivery of swift remedies for individuals in cross-border cases, by harmonising a number of procedural differences across the EU and streamlining the cross-border cooperation procedure. The proposal follows a wish list sent by the EDPB to the European Commission in October 2022.
EDPS Supervisor, Wojciech Wiewiórowski, said: “The Commission’s proposal is a welcome attempt to address some of the challenges identified by experts and practitioners related to the governance of the One-Stop-Shop mechanism. With our Joint Opinion, we hope to further improve the future legislation and, in particular, to foster timely resolution of cross-border cases, and to ensure that procedural rights of complainants are respected, keeping in mind constraints inherent in the GDPR enforcement model. Moreover, we call on the co-legislators to use this opportunity to address practical obstacles to efficient cooperation between national data protection authorities and the EDPS.”
Calling website owners, designers, operators and DPAs to use our Website Evidence Collector!
The EDPS Website Evidence Collector version 2.1.1 is out now, with brand new features and improvements.
Initially launched in 2019, the EDPS Website Evidence Collector (WEC) is open-source software created to help website owners, designers and operators, as well as data protection authorities (DPAs), automatically detect the processing operations their website performs in their users' browsers. For example, the WEC can help detect evidence of cookies, third parties present on websites and other information stored during a user’s visit to your website.
The WEC version 2.1.1 introduces the following features and improvements:
- Generation of output in PDF format and a still experimental output in DOCX/ODT format.
- Improvements to the HTML output with jump marks.
- Possibility to combine multiple scans or to add custom data for the generation of output with custom templates.
Using the WEC benefits your organisation, its people and your reputation by helping you comply with the EU’s General Data Protection Regulation, and with Regulation (EU) 2018/1725 if you work for an EU institution, body, office or agency.
You can start using this tool now. The WEC is available for Linux, Mac and Windows users as an NPM package, and you can download the tool on the EU JoinUp software platform or on GitHub. Setting up the tool successfully requires some experience with system administration or web development.
International cooperation in data protection: not an option, but vital to our tasks
In September, EDPS Secretary-General Leonardo Cervera Navas and EDPS Supervisor Wojciech Wiewiórowski participated in a high-level event titled "Data-protection in the Western Balkans and Eastern Partnership Region", arranged by the SIGMA Programme, the Eastern Partnership Regional Fund for Public Administration, the Regional Cooperation Council and the Regional School of Public Administration.
The event gathered data protection authorities and public institutions from Albania, Armenia, Azerbaijan, Bosnia and Herzegovina, Georgia, Kosovo, Moldova, Montenegro, North Macedonia, Serbia and Ukraine. These 11 countries shared their insights and unique perspectives, as well as the challenges and opportunities they encounter when advocating for digital rights and the protection of individuals’ personal data.
The EDPS was present to share recommendations as the independent data protection authority supervising the EU institutions, bodies, offices and agencies, and as a member of the European Data Protection Board collaborating with other data protection authorities of the EU/EEA.
The Secretary-General highlighted the importance of having data protection authorities that work closely together, and that demonstrate flexibility to keep up with the rapidly changing digital regulatory landscape, and the increasing development of technologies impacting data protection.
Bone of contention on data retention
On 6 September 2023, the General Court issued a Judgment in favour of the EDPS concerning a case submitted by a complainant about data retention involving the Single Resolution Board (T‑200/21).
In this court case, the complainant requested a review of the EDPS’ decision.
Initially, the claimant filed a complaint with us stating that the Single Resolution Board had infringed their right to erasure, their rights to object and to the restriction of the processing of their personal data, because the content of their personal file was not erased after they stopped working there and had asked for it to be erased.
In our decision, we assessed that the conditions for obtaining data erasure were not met under Article 19(3) EUDPR, since the Single Resolution Board has the legal obligation under Article 26 of the Staff Regulations to keep the content of a complainant's personal file even after they have left service.
The complainant also questioned whether it was proportionate for the Single Resolution Board to keep a staff member’s personal data for 120 years after their date of birth, even if that staff member had left the service. Whilst we did not address this issue because it had no bearing on the decision we made, it is something we regularly draw EU institutions’ attention to, since some follow the European Commission’s Common Retention List. For example, recently on 5 June 2023, we asked the European Commission to reconsider its retention period of 100 years after the recruitment of the staff member, and to set out considerably shorter retention periods as a general rule.
We welcome the General Court’s decision. When tackling complaints, our aim is to treat individuals fairly by ensuring that their fundamental rights to data protection and privacy are protected and defended. Our objective is to provide complainants with what they are entitled to expect from EU institutions under data protection law - provided they are entitled to it.
Social Media: can platforms be both privacy-friendly and user-friendly?
When the EDPS opened its alternative social media platforms - EU Voice to share short posts and photos, and EU Video to share videos - in April 2022, its primary aim was to give users the choice of platforms that correspond to their preferred privacy settings and policies.
With these platforms, powered by the free and open-source Mastodon and PeerTube software, we aim to provide a response to the data protection concerns that mainstream platforms raise, such as the tracking of users, and the lack of transparent and unbiased algorithms.
Now, a year and a half later, what are some of the conclusions that we can draw from using these decentralised and independent platforms? The Supervisor, Wojciech Wiewiórowski, had the opportunity to present some of his findings at the Freedom not Fear conference, held in September in Brussels.
Since the creation of these platforms, the EDPS has carried out a number of initiatives in an effort to promote their use by the EU institutions, bodies, offices and agencies (EUIs), including the organisation of workshops and training sessions, demonstrations at public events, and other logistical support. As a result, a number of large EUIs, such as the European Commission, have developed their own online presence on these platforms, amassing a substantial following. In most cases, the platforms were quickly recognised as interoperable and as fulfilling their promise to better protect users’ fundamental rights.
Whilst these positive aspects should be highlighted, the popularity of these platforms is often not comparable to mainstream platforms, asserted the Supervisor at the Conference. The reasons why are three-fold, in his opinion.
Firstly, and perhaps most importantly, there is a lack of a unified political will to make this type of platform - its creation and development - a priority, which directly affects the resources - time and money - invested in it.
Secondly, alternative social media platforms may appear to be less practical because they do not offer analytical tools useful to inform communicators’ work like mainstream platforms do, although the latter come at a cost to the privacy of individuals. In essence, the development and use of alternative social media platforms means making an active choice not to compromise individuals’ privacy rights.
Thirdly, there are the technical challenges that using alternative platforms represents. Using social media platforms powered by free and open-source software, like Mastodon and PeerTube, generally means developing and maintaining your own service. What is more, cross-publishing on alternative platforms, which the EDPS, like other EUIs, has experience in, is more demanding and not always smooth, as in most cases it is prevented by mainstream platforms.
Taking stock of the work done in this area and exchanging with data protection and technology actors during open discussions, like the Freedom not Fear conference, helps inform the EDPS’ work. As the EU institution in charge of protecting individuals’ privacy, we will continue to proactively promote communication tools that prioritise individuals’ fundamental rights to data protection and privacy.
Cyber safe habits: an added layer of security for your personal data
Did you know that public administration, digital service providers and the general public are the three groups that are the most vulnerable to cyber threats? This could mean that the personal data that you may process in your day-to-day work as well as your own personal data could be put at risk.
But, there are some steps that you can take, both individually, and within your business or organisation, that could help prevent cyber attacks or threats.
At the EDPS, we have prepared a short series of four videos on some of the precautionary actions that you can take right now, in less than five minutes, to foster habits that keep you and your personal information safe.
Why not start by checking the privacy settings of your personal and corporate devices to adjust which apps can or cannot have access to your contacts, camera or folders? This can help you control to what extent third-party apps can access your personal information. Another way to prevent access to your data is to activate multi-factor authentication when logging into online accounts; this way you verify your identity with a separate device, adding a layer of security for your data.
In our videos, you can find more advice, such as the habits you can adopt when using social media for private or professional purposes, and how to recognise potential cyber threats in the form of phishing emails.
Financial and payment services: use of personal data should remain proportionate and fair
On 23 August 2023, the EDPS published two Opinions: one on the proposal for a Regulation on a Financial Data Access Framework and one on the proposal for a Regulation and Directive on payment services in the EU’s internal market. Both proposals aim to foster the sharing of data to broaden the offer of financial services and products, whilst providing individuals or organisations control over the processing of their financial data.
According to the Proposals, individuals and organisations would manage access to their financial data using dashboards provided by financial institutions. This would allow individuals concerned to monitor, restrict or grant access to their information. The EDPS highlights that, to achieve this objective, individuals or organisations should be provided with complete, accurate and clear information on the provider of the financial service requesting access to their data. Information on the type of product, payment or service for which an individual’s personal data would be used and the types of data requested should also be communicated.
The EDPS welcomes the efforts made to ensure the Proposals’ consistency with the General Data Protection Regulation (GDPR). Both Proposals should specify that the granting of ‘permissions’ to access financial data does not equate to giving consent under the GDPR. Likewise, all processing of personal data following a request to access an individual’s financial data must have an appropriate legal basis under the GDPR.
Wojciech Wiewiórowski, EDPS, said: “Increased sharing of financial data should open new opportunities for individuals, not close doors. Without clear boundaries, one could see higher prices for important financial services or the exclusion of customers with an unfavourable risk profile. Financial authorities and data protection authorities will need to cooperate closely to ensure that individuals and their fundamental rights are protected”.
Q&A: the impact of the EU-U.S. Data Privacy Framework
Whether you are interested or specialised in data protection, or use US-based social media platforms or other services, you may have heard that on 10 July 2023 the European Commission adopted an adequacy decision with the US, the EU-US Data Privacy Framework.
An adequacy decision formally recognises a non-EU/EEA country’s ability to provide an adequate level of protection of individuals’ personal data, like in the EU under the General Data Protection Regulation, without the need for additional data transfer tools.
As such, what does the EU-US Data Privacy Framework mean in practice? The European Data Protection Board (EDPB), of which the EDPS is a member, has prepared a short, yet comprehensive, Q&A document to help users, data protection practitioners and specialists navigate the applicability of this decision.
Importantly, the EDPB’s document notes that the EU-US Data Privacy Framework can be used for transfers of personal data to a non-EU/EEA organisation if that organisation is included on the Data Privacy Framework List, which indicates that it meets the EU’s data protection standards. For EU institutions, bodies, offices and agencies (EUIs), which the EDPS supervises in this area, transfers of personal data to US companies participating in the EU-U.S. Data Privacy Framework can take place without the need to obtain any further authorisation from the EDPS. Conversely, additional transfer tools and measures will need to be used under the GDPR for non-EU/EEA organisations that are not on the Data Privacy Framework List.
Guidance is also provided on how individuals in the EU can lodge a complaint under the EU-US Data Privacy Framework, and how to make use of the new redress mechanism.
As the European Data Protection Supervisor of the EUIs, we stress the importance of upholding individuals’ data protection rights, especially when transfers of personal data to non-EU/EEA countries are involved. We encourage EUIs to exercise caution, and take action when necessary. This may include continuously assessing and analysing potential risks related to non-EU/EEA laws that may impact the privacy of individuals.
EU crisis management: free movement of supplies and products
In times of crisis, the EU aims to provide support or send supplies and products to countries and regions affected by disasters. To provide an appropriate and rapid response, the European Commission has come up with a proposed Regulation for a Compulsory Licensing Scheme to allow the free movement of supplies and products needed for crisis management. In practice, this Compulsory Licensing Scheme would allow the patents on certain supplies and products, such as medicinal or pharmaceutical products, to be temporarily overridden so that they can be manufactured and distributed to address a crisis or emergency.
Regulating a Compulsory Licensing Scheme may involve the processing of personal data, for example between EU Member States’ competent authorities and the European Commission. This is why we issued an Opinion on 28 July in which we submitted remarks on the process of enforcing the EU’s Compulsory License Scheme, and on the granting of Compulsory Licences at EU Member State level.
In our Opinion, we take note that, to enforce the EU’s Compulsory Licensing Scheme, the European Commission plans to introduce fines or periodic penalty payments. According to the Proposal, the decisions issuing such fines or penalty payments, including to whom they are addressed, would be made public. We recommend disclosing the personal data of the individuals concerned only on an exceptional and justified basis, in cases of serious infringements and where strong dissuasive measures are needed.
In some cases, national compulsory licences may be granted for the purpose of addressing a national crisis or emergency. Should this occur, the relevant EU Member State would need to report this to the European Commission, including the name and address of the licensee, states the Proposal. In response to this foreseen measure, we advise that specific roles and responsibilities are defined for the European Commission and EU Member States alike, to ensure that the processing of personal data of licensees is done according to EU data protection law.
Pollution penalties: protecting the identity of whistle-blowers
How can we prevent or stop pollution caused by ships in our oceans? A Directive imposing dissuasive penalties may be the way forward. But how? And what type of information, including personal data, may be processed, and by whom, to enforce such penalties?
The EDPS issued an Opinion on this proposed Directive in July 2023 in which we highlight the need to put in place measures to protect the identity of individuals reporting on potential infringements, in the context of whistleblowing for example.
As such, we made recommendations on the centralised and external reporting channel for infringements envisaged in the proposed Directive. We advised that the Proposal explicitly state that the European Commission is the controller of this channel, meaning that it takes responsibility for the purposes and means for which personal data may be processed with this tool. We added in our remarks that a set storage period should be provided for any personal data collected.
Other measures in the Proposal drew our attention: the possible restriction of the data protection rights of individuals who are mentioned in the infringement reports. We remind the European Commission that restricting individuals’ rights is exceptional and can only be done in very specific cases under data protection law. As such, in our view, a re-assessment of certain restrictions is needed to check whether they are necessary and proportionate.
Speech of European Data Protection Supervisor Wojciech Wiewiórowski at the Joint Parliamentary Scrutiny Group on Europol.
Keynote Speech by Wojciech Wiewiórowski at the Europol Data Protection Expert Network Conference.