Newsletter (113)
In this issue, has the European Commission organised a micro-targeting campaign on X? EDPS reprimands EPSO, and organises its first AI correspondents meeting, plus what is a privacy protector? And, as always, there is a lot more in this edition, including our monthly Tip 'n' Trick. Read on!
Happy Data Protection Day!

As the independent institution in charge of supervising data protection matters within the EU institutions, Data Protection Day is, well, every day for us at the EDPS. However, for the rest of the world, data protection is mainly celebrated on 28 January every year. This date coincides with the signing of Convention 108 in 1981 - a milestone in its own right - since it is the first legally binding international instrument to protect privacy in the digital age.
As is the tradition, this important day is a chance for the EDPS to connect with peers, reflect on the digital landscape, the privacy of individuals, different approaches to embracing technologies and counteracting their risks to progress in data protection, but also to raise awareness amongst individuals about what we do, and why their privacy matters to us.
Building on last year’s success, we partnered once again with the Council of Europe and CPDP Conference to organise a full-day event, welcoming more than 430 in-person participants and 500 online, to focus on exploring the current and future landscape of data protection. Given the intertwining nature of data protection with many topics, three main sessions and three side sessions were organised, to maximise the number of subjects discussed.
Therefore, topics covered were multidisciplinary; these include:
- taking stock of the major milestones in data protection;
- the key priorities that different actors in the field are taking, such as the European Commission’s ambition to foster innovation, the building of a “Data Union Strategy” and the Digital Fairness Act, as well as the European Parliament’s upcoming work on the General Data Protection Regulation’s procedural regulation and transfers of personal data to countries outside the EU;
- neuroscience and data protection;
- access to data by the criminal justice sector;
- the risks associated with period tracking apps.
You can find out more about CPDP Data Protection Day by reading our blogpost and watching or re-watching the talks and discussions recorded.
The Data Protection Officer, a privacy protector

Present in each EU institution and in most public or private entities in the EU, a DPO gives independent and expert advice on data protection law to ensure compliance with it.
Within their role as privacy protector, they have diverse tasks, such as keeping a register of their organisation’s data processing activities; they may also assess the impact of technologies; manage personal data breaches; and even respond to people’s requests on their data, for example.
But what’s it really like to be the DPO of an EU institution? What does a typical day look like?
We sat down with the EDPS’ Data Protection Officer to talk about their experience of working for the independent data protection authority of the EU institutions. The in-depth discussion is available on our podcast channel EDPS On Air here, on Spotify, or wherever you get your podcasts.
Happy Listening!
EDPS hosts first AI Correspondents Network Meeting

On 27 January 2025, the EDPS hosted its first AI Correspondents Network Meeting, bringing together a group of diverse people - not just legal and data protection experts, but also ethical and human rights experts - to shape the future of artificial intelligence together.
During the meeting, the EDPS identified three key opportunities to collaborate on.
- AI literacy: to provide a multitude of training programmes to EU institutions’ members of staff.
- Public Procurement: to negotiate effectively with vendors and service providers of AI systems.
- Pilot programmes: for the use of a selected number of AI tools.
At the meeting, all participants, including the EDPS, benefited from the rich exchange of views and experiences.
Going forward, the EDPS suggested three core pillars to guide the network: Community, Compliance and Collaboration, to channel its action plan.
EDPS reprimands EPSO for its remote testing

On 27 November 2024, we issued a decision on three complaints concerning the European Personnel Selection Office’s (EPSO) remote testing used in 2023.
Amidst COVID-19, EPSO, the main institution in charge of the EU institutions’ recruitment procedures, launched remote testing. These online tests involved proctoring subcontracted to an external contractor, whereby candidates were supervised and monitored during the exams.
Assessing the complaints made in this context, the EDPS upheld most of the allegations made, and found that EPSO infringed certain rules of Regulation (EU) 2018/1725 (EUDPR).
Amongst other important findings, the EDPS highlights that:
- EPSO had incorrectly relied on consent as legal basis for processing personal data in the context of remote proctored testing.
- The biometric data of candidates being tested, such as their faces, were processed by EPSO without any legal basis.
- Candidates were not provided with fair, transparent and sufficient information about how and for what purposes their personal data were processed.
These - now discontinued - proctored exams were subcontracted by EPSO to another company. EPSO was not in control of the processing operations conducted on its behalf by the subcontractor, which led to transfers of candidates’ personal data to non-EU countries, without transfer tools in place to ensure its adequate protection.
Taking these observations together, the EDPS decided to reprimand EPSO.
Coordinated Enforcement Action: EDPS findings highlight challenges on right of access to personal data

On 20 January 2025, the EDPS released its findings on the enforcement of individuals’ right of access to their personal data when processed by EU institutions, bodies, offices and agencies (EUIs).
These findings are part of the European Data Protection Board’s (EDPB) broader Coordinated Enforcement Action initiated in February 2024. The EDPB report aggregates the findings of the participating Data Protection Authorities, including the EDPS.
The right of access is one of the core elements of data protection; it is a vehicle for transparency on how individuals’ personal data is processed, in this case by EUIs and whether it is done in compliance with the applicable data protection regulation, Regulation (EU) 2018/1725.
As such, the EDPS highlighted the following five key findings:
- There is a limited volume of requests received by EUIs. In 2023, 58 out of 63 respondents receive between 0 and 25 access requests annually.
- Many EUIs lack centralised systems for managing access requests.
- EUIs face challenges in categorising requests from individuals.
- Verifying the identity of requesters is sometimes difficult, and may involve excessive or unnecessary processing of personal data.
- EUIs may experience practical challenges in balancing individuals’ right to access personal data and the obligation to protect the rights and freedoms of others.
You can read more about our findings in this Press Release and Report.
Towards Digital Clearinghouse 2.0

As the digital landscape evolves, so does its complex regulatory system. The risk? There could be an inconsistent application of legal requirements.
Identifying room for improvement in this area, the EDPS published on 15 January 2025 its concept note on a Digital Clearinghouse 2.0, highlighting:
- the need for a coherent and consistent application of EU law in the digital economy;
- the need for cross-regulatory cooperation between competent regulators;
- the necessity to uphold data protection as the backbone of the digital regulatory framework.
The Digital Clearinghouse could therefore be a tool to increase the chances of coherent application of EU laws in the digital sphere to help uphold individuals’ data protection rights.
Read more about the Digital Clearinghouse in this blogpost and concept note.
EDPS reprimands Frontex

On 8 January 2025, the EDPS issued a reprimand to Frontex, the European Border and Coast Guard Agency, for not complying with its applicable Regulation, Regulation (EU) 2019/1896, when transmitting personal data of suspects of cross-border crimes to Europol, the EU’s Agency for law enforcement cooperation.
This all began in October 2022, when the EDPS carried out an audit on Frontex’s activities when assisting Member States at the EU external borders in joint operations. In particular, the EDPS focused on debriefing interviews by Frontex of individuals intercepted while crossing external borders and the Agency’s further use of the information collected in this context.
During its audit, the EDPS found that during these debriefing interviews, Frontex was collecting information on suspects of cross-border crime based on interviewees’ testimony. Frontex was then sharing this information systematically and proactively with Europol without performing any kind of assessment of the necessity of such sharing, contrary to what is required by the Frontex Regulation. Considering the high risks that this implies for individuals reported as suspects, should that information prove unreliable or inaccurate, the EDPS decided to open an investigation.
While this constitutes a severe breach of the Frontex Regulation, the EDPS has nevertheless decided to limit the exercise of his powers to the issuance of a reprimand, taking into account that, five days after the adoption of the EDPS audit report in May 2023, Frontex interrupted its sharing of information with Europol.
Helping EUIs manage and avoid data breaches

Over the past year, we have enhanced our efforts to support EU institutions, bodies, offices and agencies (EUIs) in effectively managing and preventing personal data breaches. In 2024, the EDPS took proactive steps to strengthen data protection, including the following initiatives.
Determined to provide the necessary tools to EUIs in this field, we launched the PATRICIA exercise (Personal dATa bReach awareness In Cybersecurity Incident hAndling) in collaboration with the EU’s Cybersecurity Agency (ENISA) to test whether EUIs are ready to face a personal data breach stemming from a cybersecurity attack and identify how they could better prepare, if necessary. While the exercise aimed to raise awareness on all the necessary steps of managing a personal data breach, including assessing the risks to individuals’ rights and freedoms, the main focus of the exercise was the internal communication channels and processes for effective collaboration among an EUI’s IT team, data protection officers and security officers. More information can be found here.
The EDPS also launched an awareness campaign focused on EUIs that had never reported a data breach. This time, the EDPS selected a number of EUIs to participate in a survey on personal data breaches to identify the state of play, potential shortcomings and follow-up actions. Upon completing this exercise, the EDPS identified three key areas for improvement: the need for EUIs’ data controllers, with the support of their DPO, to increase staff awareness of the risks of personal data breaches; the lack of resources amongst EUIs; and the need to establish a formal risk management framework to identify and mitigate personal data breaches. More information can be found here.
Some key statistics of data breaches within EUIs in 2024:
- The EDPS received and assessed 109 new admissible personal data breach notifications under Regulation (EU) 2018/1725; an increase of nearly 30% compared to 2023, during which the EDPS received 77 personal data breaches.
- The main root causes are human error (42%), followed by external attacks (26%).
In this context, the EDPS notes the increase in both the number and severity of cyberattacks. As such, we issued an order to ensure that the communication will take place in a specific timeframe and cover all individuals. Overall, out of the 109 cases, 42% involved a communication to individual(s) concerned.
Our news is your news!

Once a month we share with you some of the most significant updates of the work we do to protect your privacy and personal information in our Newsletter.
You can be the first to know about our latest investigations, technological research, events, advice given to the EU legislator by subscribing to our newsletter; it’s completely free.
Here is how:
- Hop over to this link, and click on subscribe https://www.edps.europa.eu/press-publications/publications/newsletters_en.
- Wait for an email from us; it will only take a few seconds.
- Confirm your subscription - an important step to make sure you receive our newsletter.
- And, then, enjoy reading our newsletter, on the way to work, with your cup of coffee, or however you like it.
EDPS Tips n Tricks

Do you know your rights?
Under the GDPR, and the EUDPR, you have personal data protection and privacy rights that must be respected by the organisation or EU institution that processes your personal data, like the right to be informed about how and why your personal data is processed.
Not sure you know all your rights? Check out our short factsheet here to protect yourself and your information.
Has the European Commission organised a micro-targeting campaign on X?
On 13 December 2024, the EDPS issued an important decision on a complaint case submitted by a Dutch citizen concerning the European Commission's micro-targeted advertising campaign on the social media platform X, formerly known as Twitter. The aim of the ad campaign, which ran on X in September 2023, was to communicate on the Child Sexual Abuse Material (CSAM) legislative proposal.
The complainant, represented by the non-profit organisation NOYB, otherwise known as European Centre for Digital Rights, alleged unlawful processing of the complainant’s personal data in this context.
The EDPS’ investigation revealed that the European Commission had targeted X users over the age of 18 from certain EU Member States, including the Netherlands. Other specifically targeted groups, such as political parties and politicians, as well as groups sharing Eurosceptic and/or nationalistic political opinions and religious beliefs were explicitly excluded from the ad campaign.
Following these findings, the EDPS found that the European Commission had infringed several provisions of the EUDPR (Regulation (EU) 2018/1725), by unlawfully processing the complainant’s personal data, including special categories of personal data, such as their political opinions and religious beliefs, without a valid legal basis when targeting them with the ad campaign.
The European Commission argued that it falls within its activities to inform the public about the content of and the need for legislative proposals, such as CSAM. The EDPS found that the European Commission had not demonstrated that the processing of special categories of personal data, in the context of the targeted ad campaign on CSAM, was necessary for reasons of substantial public interest, nor proportionate to the aim pursued by Article 17(2) TEU.
In conclusion, the EDPS issued a reprimand, taking into account that the processing operation is no longer ongoing.
Read the full Decision here.