In the October 2017 edition of the EDPS Newsletter we cover the theme for the 2018 International Conference of Data Protection and Privacy Commissioners, our priorities for the next 12 months, and our ongoing training in preparation for the new Regulation.
The European Data Protection Supervisor, Giovanni Buttarelli, and the Chairman of the Commission for Personal Data Protection of the Republic of Bulgaria (CPDP), Ventislav Karadjov, would like to extend their warmest congratulations to the Privacy Commissioner for Personal Data in Hong Kong, who hosted this year’s thought-provoking edition of the International Conference of Data Protection and Privacy Commissioners (ICDPPC).
Giovanni Buttarelli, EDPS, said: “One of our biggest challenges as data protection and privacy regulators today is how to respond to the way in which the digital arena is changing our mission in relation to data protection and privacy. The 2018 International Conference will address this challenge by asking whether an ethical approach is needed to regulate the digital world and, if so, how this approach might be developed and implemented. This is a pivotal moment and we must act to ensure that technology is designed and developed to serve humankind and not the other way around.”
The EU has been through a period of reflection on how people should be treated with respect in the new digital reality, with the conclusion that data protection and privacy laws needed updating. We are now entering the home straight for the implementation of the General Data Protection Regulation (GDPR) and for the finalisation of outstanding related reforms, moving in the direction of more sustainable solutions for international personal data flows.
Over the next 12 months, the EDPS has three major priorities. The first priority is working with national data protection authorities to ensure the European Data Protection Board (EDPB) hits the ground running on 25 May 2018, with the support of a professional secretariat, which the EDPS will provide in accordance with the GDPR.
The second is to continue to ensure that the EU institutions and bodies we supervise are fully invested in the notion of accountability at the highest level, when it comes to how people’s personal information is handled.
The third is the delivery of the 2018 International Conference of Data Protection and Privacy Commissioners, which should be an event unlike any other before in Brussels, with a new, broad and inclusive community of forward-thinking experts able to engage with urgent questions of technology and respect for humans in the age of Artificial Intelligence and potentially ubiquitous surveillance.
The EDPB offers a fantastic chance to make this happen.
On 13 October 2017, Data Protection Officers (DPOs) from the EU institutions and bodies met in London for the 42nd meeting of the Network of DPOs, hosted by the European Medicines Agency (EMA).
The event was an excellent opportunity for us to meet with DPOs, our data protection partners, and to exchange practical experiences, continuing our preparation towards the implementation of the revised rules on data protection for the EU institutions and bodies.
One of the topics of discussion was the revised role of DPOs in ensuring compliance with the Regulation. We also discussed the principle of accountability, which requires EU institutions and bodies to ensure, verify and demonstrate compliance, as well as Data Protection Impact Assessments (DPIAs), following up on the EDPS’ practical guidance on how to document the new obligation of a DPIA in practice.
The EDPS IT Policy sector completed the meeting with a session on data breach notifications. Under the new Regulation, the obligation to notify personal data breaches to the supervisory authority and to inform the individuals concerned will also apply to EU institutions and bodies. We discussed possible procedures with the DPOs, and presented our draft guidance on the topic, which was recently submitted to the Article 29 Working Party for consultation.
The meeting in London was a challenging but productive exercise for DPOs, encouraging them to think ahead and exchange views on their institutional needs and concrete actions for demonstrating compliance.
On 5 October 2017, EDPS Giovanni Buttarelli was invited to speak at a training session in Luxembourg on the transition to the new General Data Protection Regulation (GDPR). Organised by the Luxembourg state administration, the session was aimed at lawyers, IT experts, archivists and other public servants who work there. The Prime Minister of Luxembourg, Xavier Bettel, gave the opening address.
The aim of the training was to encourage participants to shift their approach from mere compliance with data protection rules to accountability, the ability to demonstrate compliance with these rules. In particular, Mr. Buttarelli underlined the importance of ensuring that the public service leads by example in its implementation of data protection rules.
EDPS staff were also present to explain the vital role played by the Data Protection Officer (DPO) in the EU institutions and bodies, as well as new concepts and requirements under the GDPR, including data protection impact assessments (DPIAs).
The new Regulation governing data protection in the EU institutions and bodies is expected to come into effect in spring 2018, replacing the current Regulation (EC) 45/2001. To help them prepare, the EDPS organised trainings for managers working in the EU institutions and bodies.
The trainings took place in both French and English, in the form of a lunchtime conference. Our aim was to provide heads of unit and sector with a practical perspective on new and existing obligations under the new Regulation. In particular, we explained how to apply the new data protection rules and principles to the various procedures they are responsible for, such as selection and recruitment, staff appraisals, administrative inquiries, organisation of meetings, managing visitors and dealing with contracts, grants and tenders.
The trainings were received enthusiastically by managers, and further sessions are planned for the coming months.
The impact of technology on the fundamental rights to privacy and data protection continues to be a subject of interest, having been discussed at the International Conference of Data Protection and Privacy Commissioners, which took place in Hong Kong in September. We must pay more attention to the rights of individuals in the development of technological solutions and ensure that technology serves humankind.
With the new General Data Protection Regulation (GDPR), data protection by design will become a legal obligation. Those who process the personal data of individuals will have to take data protection into account both at the time of the determination of the means for processing and at the time of the processing itself, as is stated in Article 25 of the GDPR.
The current review of the ePrivacy legislation will modernise existing principles, clarify technological requirements and ensure effective enforcement. The Commission’s proposal for the new ePrivacy Regulation is a step in the right direction, but still requires improvements, as both the EDPS and the Article 29 Working Party have suggested. The review of ePrivacy rules is an opportunity to create a new field for competitive and privacy-friendly services on the Internet and the World Wide Web, giving back control to individuals.
Ms. Kalliroi Grammenou, Consumers, Health and Food Executive Agency (Chafea)
Ms. Sarah Hayes (Acting DPO), European Foundation for the Improvement of Living and Working Conditions (Eurofound)
Ms. Patricia Juanes Burgos, European Institute of Innovation and Technology (EIT)
Ms. Mariya Koleva (Acting DPO), European Union Intellectual Property Office (EUIPO)