Newsletter (111)
September can mark the season of new beginnings! Here at the EDPS we are getting ready for AI! This month we’ve also provided our advice on an agreement for judicial cooperation and its impact on data protection. You can also swing by our latest work on international data protection transfers and lots more!
This edition is also part of the Newsletter Digest. Have a listen now!
In this issue
IPEN: Human Oversight in Automated Decision-Making
EDPS - Western Balkans and Eastern Partnership Region: working together for data protection
Judicial cooperation in criminal matters and transfers of personal data
EU-International Organisations: new model for safer transfers of personal data
TechDispatch Talks: feed your brain with information about your brain
Ready...Set...AI!
On 1st August 2024, the EU’s Artificial Intelligence Act, the first democratically established regulatory tool in the world to govern AI, came into force. With this new law, a new chapter of the digital regulatory landscape begins, and the role of the EDPS expands.
Under the AI Act, the EDPS will act as notified body and market surveillance authority to assess the compliance of high-risk AI systems that are developed or deployed by EU institutions, bodies, offices and agencies (EUIs). The EDPS will also take on the role of competent authority for the supervision of the provision or use of AI systems by EUIs.
Work done so far
The EDPS has been preparing for the AI Act in recent years, both to embrace this new tool and to ensure that the EU continues to be a place where individuals’ fundamental rights prevail.
To this end, we’ve recently issued our strategic plan for AI, alongside a number of recommendations and guidance. Some examples are detailed below.
The EDPS’ strategy for AI focuses on governance, risk management, and supervision. It aims to foster a multilateral and inter-institutional approach to AI with the aid of AI correspondents composed of a pool of diverse experts; to find efficient ways to identify risks of AI tools; and to put in place strong mechanisms to monitor, prohibit or sanction use of AI banned under the AI Act.
In June, we published Guidelines on generative AI for EUIs, to help them comply with their obligations under the applicable data protection law, Regulation (EU) 2018/1725, when using or developing generative AI tools. These guidelines include practical advice on how EUIs can identify whether to use AI tools when processing individuals’ personal data.
What’s to come? Follow along!
In anticipation of the rapid development of AI technology, the EDPS uses its expertise to deepen its research. For example, the EDPS dedicated one of its TechDispatch reports to Explainable Artificial Intelligence, exploring its benefits as a transparent way of using AI, and also its limits, such as the possible exploitation of AI systems.
As more work is done by the EDPS on Artificial Intelligence, all updates in this area are easily accessible here.
Watch Video on the Artificial Intelligence Act by Supervisor Wojciech Wiewiórowski
Read our Strategic Plan for AI by Secretary General Leonardo Cervera Navas
Read up on our Guidelines on Generative AI
Read our TechDispatch on Explainable Artificial Intelligence
IPEN: Human Oversight in Automated Decision-Making
We all make small or big decisions in our day-to-day lives, whether it’s deciding on what to wear, which job to accept, or which school to go to. But what if all decisions, both mundane and important, become automated? No need to imagine. In some cases, it’s already happening: your job application could be selected automatically, your credit score could be decided by a machine, or your insurance policy could be determined by algorithms, and so on.
Both the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act address the risks associated with automated decision-making and provide for human oversight as one of the measures to ensure the accountability and fairness of these systems.
This is what the EDPS discussed with elite guests at its 10th Internet Privacy Engineering Network (IPEN) event on 3rd September 2024, co-hosted with the University of Karlstad, Sweden. Founded in 2019, IPEN was created to bring together privacy experts and engineers to help address the challenges and opportunities of embedding data protection in the development of technologies.
With 300 participants attending the event either in person or online, the appetite for exchanges had no limits. Topics touched upon included:
- the way human oversight can be properly integrated into the use of Artificial Intelligence and automated decision-making to enhance individuals’ understanding of how their personal data is processed.
- the possibility of creating standards for automated and non-automated decision-making for a high level of protection.
- the factors that may influence the effectiveness of human oversight, focusing on technical aspects.
You can find out more about automated decision-making by watching or re-watching the recorded IPEN event here.
EDPS - Western Balkans and Eastern Partnership Region: working together for data protection
This week, the Supervisor and Secretary General of the EDPS welcomed colleagues from the Western Balkans and Eastern Partnership Region for a full day of meetings to discuss the practical application of data protection to uphold individuals’ privacy.
Gathering representatives from data protection authorities and public institutions from Albania, Armenia, Azerbaijan, Bosnia and Herzegovina, Georgia, Kosovo, Moldova, Montenegro, North Macedonia, Serbia and Ukraine was an honour. This occasion provided an opportunity to share the possibilities and hurdles encountered in matters of compliance and enforcement of data protection.
A year after the EDPS first met the Western Balkans and Eastern Partnership Region, cooperation continues to grow - an essential ingredient to move forward successfully in the field of data protection and the emerging field of AI Regulation.
As such, a large portion of the day’s meetings was dedicated to technical and practical matters concerning:
- the interplay between the General Data Protection Regulation and the EU data regulations, such as the Digital Services Act and the Digital Markets Act;
- investigation policies;
- international transfers.
Many other topics were also covered. Find out more about them by reading the EDPS Secretary General’s blogpost, linked here.
Judicial cooperation in criminal matters and transfers of personal data
The European Union and the Republic of Lebanon are currently negotiating an agreement to enhance judicial cooperation in criminal matters between Eurojust, the EU’s Agency for criminal justice cooperation, and the authorities of Lebanon that are competent to investigate and prosecute serious crime, in particular organised crime and terrorism.
To achieve this objective, this cooperation will require transfers of personal data.
As required by Regulation 2018/1725, the EU data protection law for EU institutions, the EDPS was consulted on the draft agreement and issued an Opinion on 28 August, in which we conclude that the Agreement provides generally adequate safeguards to protect individuals’ fundamental right to data protection.
The EDPS also provided additional recommendations to facilitate the practical application of the future Agreement, including guidance that may be relevant for future agreements with other countries outside the EU/European Economic Area for which negotiations either are about to begin or are underway.
The EDPS recommendations focus on:
- forward transfers of personal data to authorities outside of the agreement;
- the possibility to postpone or suspend transfers of personal data;
- the review and evaluation of the agreement itself.
EU-International Organisations: new model for safer transfers of personal data
Part of the EDPS’ priorities is to ensure that individuals’ personal data is protected according to EU standards both inside and outside the EU/European Economic Area (EU/EEA).
Aligning with this goal, the EDPS released on 31 July 2024 its new Model Administrative Arrangement (Model) for EU institutions, bodies, offices and agencies to assist them with preparing possible transfers of personal data to International Organisations.
To ensure its practical application by EUIs, the Model places emphasis on data protection’s core principles and puts in place the necessary safeguards as a way to ensure a level of protection essentially equivalent to that guaranteed by EU legislation.
Importantly, the administrative arrangements concluded by EUIs with International Organisations using the Model will continue to require the EDPS’ approval of transfers of personal data outside the EU/EEA. Its use will greatly facilitate this process.
Working for an EU institution? Check out the EDPS Model Administrative Arrangement.
All our work on International Transfers of personal data can be found here.
TechDispatch Talks: feed your brain with information about your brain
What is neurodata?
What are neurotechnologies?
How do they relate to our fundamental rights to data protection and privacy?
These are the topics we investigate in our latest TechDispatch Talks podcast series.
Each episode examines one technology, its opportunities, challenges and impact on privacy and data protection.
Listen to this episode, TechDispatch #3, to find out more about how neurodata is collected and how it can help advance health, but also why it raises privacy and data protection concerns when used for other purposes.
Learn about how someone’s brain activity can be recorded, analysed and stimulated, and the different types of neurotechnologies that exist.
This episode as well as others can be found directly on our website or on your preferred platform.
Listen to TechDispatch Talks #3 on our website or on Spotify.
Become a walking #Datapedia
Have you been keeping up with our weekly #Datapedia series on social media?
If not, why not follow us on Instagram, X and LinkedIn to learn about the complex, sometimes confusing, world of privacy one word at a time?
From defining what consent really means to shedding light on the differences between a controller and a processor, come and find some nuggets of knowledge with us. You can start small and build up your data protection knowledge with us every week.
EDPS Tips n Tricks
Is your processing of personal data legal? Let’s check!
Before your organisation starts processing personal data, for an event or a newsletter subscription for example, make sure to check whether the processing of personal data you are planning is lawful.
How?
- Check if your organisation has an appropriate legal basis for the processing of personal data.
- Check if the processing envisaged complies with all data protection principles.
- Consult your data protection officer.