Newsletter (106)
In this edition: What are some of the technologies to watch in 2024? Can social media be used to identify and prevent diseases? News about data protection officers and more. This issue is also part of our podcast series, the Newsletter Digest.
In this issue
Happening soon: CPDP Data Protection Conference
TechSonar: a look into the future of technologies
Empowering and emboldening data protection officers
The knots and bolts of Explainable Artificial Intelligence
Social Media monitoring for epidemic intelligence purposes
EDPS and ICO sign Memorandum of Understanding
Reaching global data protection standards
Checking in for a flight? Let’s talk passenger name record data
Happening soon: CPDP Data Protection Conference
Are you ready to celebrate data protection day?
Join us on 25 January 2024 in Brussels for a very special edition of the Computers, Privacy, Data Protection Conference organised with the Council of Europe, Privacy Salon, and colleagues from CPDP Conferences.
This interactive event - comprised of in-depth panel discussions, networking opportunities and other fireside chats - promises to bring together a large variety of experts in policy-making, data protection, privacy, technology, civil society, and more, to debate on key topics permeating to data protection.
Registering now gives you the unique chance to take part in meaningful dialogues on global data flows, digital governance, regulating artificial intelligence, the harmonisation of GDPR procedures, data retention and national security, and other of the latest developments and challenges that impact data protection.
There is lots more to come! Make sure to follow the CPDP Data Protection Conference dedicated website to stay updated on the initiatives to come. In the meantime, why not look at the Conference’s programme to get a flavour of what you can expect.
See you there; register here.
TechSonar: a look into the future of technologies
Which technology developments can we expect in the upcoming year? Which technologies should you keep an eye on in 2024?
A handful of EDPS Technology and Privacy specialists have tackled these big questions.
In their recent TechSonar Report published on 4 December 2023, they have handpicked some of the technologies worth following in the near future. These are: large language models, digital identity wallets, internet of behaviours, extended reality, and deep fake detection.
Our experts have delved into the intricacies of each technology: diving into the positive aspects and impact they may have on you and your fundamental rights to privacy and to the protection of personal data.
For example, did you know that large language models can suffer from “hallucinations”, meaning that they may produce erroneous information that appears correct, which may even go unnoticed? Or did you know that extended reality could actually provide you with information on how your personal data is processed, ensuring more transparency, which is an important data protection principle.
What’s important to remember is that each of these technologies presents opportunities and challenges which we aim to inform you about and demystify in our TechSonar Reports, an initiative started in 2021 by the EDPS as part of its technology-monitoring efforts.
Check out our analysis of these technologies, read TechSonar 2023-2024 available now.
Empowering and emboldening data protection officers
Twice a year, the EDPS meets with the network of data protection officers (DPOs) of the EU institutions, bodies, offices and agencies (EU institutions) to take stock of the progress made and the challenges that lie ahead in data protection. With an attendance of 100 DPOs, the latest meeting, held on 30 November 2023, at the European Parliament of Strasbourg - where the Council of Europe was born to promote democracy, human rights and the rule of law - was all the more symbolic.
At their core, DPOs help bridge the gap between data protection law and its practical application. In the EU institutions, they are the backbone to achieving data protection compliance. The EDPS-DPO network meetings, organised since 2004, are therefore beneficial to ensure that DPOs are provided with the right guidance to foster a robust and sustainable data protection culture within EU institutions.
During the meeting, various workshop and activities were organised - all designed to tackle the current and future data protection issues that may arise when EU institutions carry out their activities.
This included a workshop focusing on the role and tasks of DPOs, as a follow-up to a survey they completed on this topic. Within this remit, the EDPS and DPOs discussed the management of resources, the independence of DPOs, for example. Exchanges on these topics help inform the EDPS’ guidance to empower and embolden DPOs in their role.
The topic of Artificial Intelligence - which is at the forefront of many debates currently - was also heavily touched upon during the EDPS-DPO network meeting. During these valuable exchanges, it was remarked that generative AI systems may often be opaque and complex, and that, without appropriate safeguards and supervision, they may present significant risks to privacy and the protection of personal data. As such, it is important that AI systems are transparent, explainable, consistent, auditable and accessible, to ensure the fair processing of personal data.
With each EDPS- DPO meeting, synergies are created to further advance the protection of individuals’ privacy. To find out more about this meeting, read this blogpost, written by the EDPS’ Secretary General as he retraces this event, and its importance and impact on data protection.
The knots and bolts of Explainable Artificial Intelligence
This month, join us on a tech journey to uncover the knots and bolts of Explainable Artificial Intelligence (XAI).
XAI consists of having AI systems provide clear and understandable explanations for its actions and decisions. The main aim of XAI is to make AI systems understandable to the wider public, by explaining the mechanisms behind their decision-making process.
But, what are the benefits and the risks of XAI? What are the type of explanations offered by XAI? And what are black boxes and white boxes?
These are some of the questions that we tackle in our latest TechDispatch report.
Plus, you can listen to our podcast episode on the topic of XAI that delves deeper into this topic.
Social Media monitoring for epidemic intelligence purposes
In a pilot project, the European Centre for Disease Prevention and Control (ECDC) decided to monitor, both in a manual and automated way, certain social media platforms for epidemic intelligence purposes, in view of collecting data to identify and prevent future outbreaks of contagious diseases.
But, are the ECDC’s processing operations lawful?
In its Supervisory Opinion issued on 9 November, the EDPS found that the ECDC did not sufficiently demonstrate that it does not process personal data, including special categories of data, like health data, in the context of its social media monitoring.
Additionally, the EDPS finds that the ECDC does not have the legal basis to carry out these processing operations. The ECDC Founding Regulation, which governs how the ECDC functions, does not expressly provide a lawful ground allowing for the processing of personal data through the monitoring of publicly available information on social media for epidemic intelligence purposes.
In its Opinion, the EDPS recommends that the ECDC either modifies its Founding Regulation to foresee these types of processing operations, or, alternatively, adopts dedicated internal rules.
The EDPS also makes further suggestions related to ensuring transparency for data subjects, as well as on the ECDC’s data protection impact assessment and more.
Read the EDPS’ Supervisory Opinion, available here.
EDPS and ICO sign Memorandum of Understanding
The European Data Protection Supervisor (EDPS) and the UK Information Commissioner’s Office (ICO) signed on 9 November 2023 a Memorandum of Understanding (MoU), which reinforces their common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal.
The MoU builds on the strong collaboration already established in other forums that both authorities mutually participate in, such as the Global Privacy Assembly and the G7 DPAs Roundtable.
The MoU sets out how the authorities will continue to share experiences and best practices; cooperate on specific projects of interest; share information or intelligence to support their regulatory work; and, promote dialogue amongst data protection authorities and other digital regulators.
Signing this MoU with the UK confirms the EDPS’ continuous ambition to foster international partnerships to elevate the global standards of data protection, and to champion solidarity in the face of a digital landscape that is constantly evolving.
Reaching global data protection standards
With their diverse purposes - from providing food assistance, advocating for human rights, to ensuring our safety, protecting our borders - each international organisation has their own set of challenges, which they have to tackle, whilst ensuring the protection of privacy.
This is why it is important to give international organisations the opportunity to share significant legal, policy or technological updates affecting their work, and how these may impact data protection, through the International Organisations Workshop that the EDPS co-organises each year.
These workshops, commenced in 2005, aim to generate and foster global partnerships to share and promote good practices in the field of privacy, to protect individuals’ personal data. Each year, the EDPS co-organises a workshop with one of the 50 international organisations represented at the workshop. This year, Interpol - The International Criminal Police Organisation - hosted this important event in Lyon, France, at the end of October 2023.
Amongst other topics, this year’s workshop focused on:
- digital identities and the processing of biometric data;
- the use of cloud based service providers;
- upcoming technology developments, including developments in the field of Artificial Intelligence.
The workshop also championed a forward-looking approach to different topics surrounding data protection.
To find out more about this International Organisation’s workshop, read blogpost by Wojciech Wiewiórowski.
For more information about the work of the EDPS with International Organisations, visit our website here.
Checking in for a flight? Let’s talk passenger name record data
The EDPS has issued three Opinions on the negotiating mandate for agreements between the EU and Iceland, Norway and Switzerland on the transfer of Passenger Name Record data.
Passenger Name Record data, or PNR, is information provided by passengers, and collected and held by air carriers in their reservation and departure control systems for their own commercial purposes.
Whilst PNR data may be useful for combatting terrorism and serious crime, the transfer of this type of data to countries outside the EU/European Economic Area, and the subsequent processing of this data by these countries’ authorities, amounts to an interference with the fundamental rights enshrined in Articles 7 and 8 of the EU’s charter of fundamental rights. It is for this reason that before processing this type of data, a legal basis, under EU law is required, and must be necessary, proportionate and subject to strict limitations and effective safeguards, to protect individuals’ privacy.
Against this background, the aim of these future Agreements is to allow Iceland, Norway and Switzerland to lawfully receive PNR data from EU Member States, and to allow their designated competent authorities to make use of such data in a manner that ensures the security of individuals moving within a common area, without internal borders controls, whilst ensuring that their privacy is protected.
In its three Opinions, the EDPS provided recommendations on the processing of sensitive personal data, and advised to introduce negotiating directives in the agreements to be able to suspend them in case of breaches or persistent non-compliance.
Want to know more?
Read the PNR agreement with Iceland: here
Read the PNR agreement with Norway: here
Read the PNR agreement with Switzerland: here
Speeches & Articles
European Data Protection Supervisor Wojciech Wiewiórowski's opening remarks at the Brussels Privacy Symposium on the EU Data Strategy.