In the November 2017 edition of the EDPS Newsletter we cover the interoperability of the EU's large scale IT systems, personal data in clinical software used to treat rare and complex diseases, and the latest updates on the ePrivacy regulation.
Several different large-scale IT databases are used by the EU to facilitate police cooperation and to help manage borders and migration. The EU aims to improve the efficiency of these databases by making them more interoperable, or capable of communicating and exchanging information. While we endorse attempts to develop a more coherent approach to border management and cooperation, this is a complex topic. Any new proposal must ensure full respect for data protection rules, the EDPS said as he published his contribution to the debate on interoperability.
Giovanni Buttarelli, EDPS, said: “Interoperability, when implemented in a well-considered manner, could help to increase the efficiency of information-sharing in the EU, as well as to reduce the costs associated with operating the EU’s large-scale IT systems. Interoperability may even act in the interest of data protection, helping to ensure that the data held in these systems is up to date. We welcome the EU’s efforts to explore a more coherent approach to borders and security and will work with them to help ensure that any new measures fully respect the fundamental right to data protection.”
On 6 November 2017, the EDPS published an Opinion on the Clinical Patient Management System (CPMS), a web-based clinical software application developed to support European Reference Networks (ERN) when dealing with rare and complex diseases. ERNs are virtual networks of healthcare providers working within the EU, across national borders.
The CPMS is the first multi-country clinical system able to play a critical role in patient care, diagnosis and treatment of rare diseases. It also supports clinical research. It contains information on rare diseases and provides tools for collaboration and virtual consultations between doctors on patient files. It therefore has significant potential for improving the health and treatment of patients affected by rare diseases. Any processing of personal data is based entirely on the consent of the patient, which may be withdrawn at any time.
In order to ensure that the CPMS remains compliant with Regulation 45/2001, we made several recommendations. These included reducing the retention period for personal data and improving the quality of the data stored in the system. In addition, we recommended that more detailed information be provided to individuals about how their personal data is processed in the CPMS.
New data protection rules are expected to apply to the EU institutions and bodies from May 2018. As part of a programme of visits to the EU institutions aimed at helping to raise awareness of what this will mean in practice, Assistant Supervisor Wojciech Wiewiórowski visited the European Insurance and Occupational Pensions Authority (EIOPA) in Frankfurt on 25 October 2017 to help them better understand the concepts of compliance and accountability.
The principle of accountability requires EU institutions and bodies to ensure, verify and demonstrate compliance. At a meeting with top management and heads of unit, the Assistant Supervisor explained how to prepare for the shift from formal data protection compliance to effective accountability. This was followed by a presentation from EDPS staff on the practical implications of the new data protection rules, with a particular focus on the implications for IT.
The visit led to tangible results: with the help of their Data Protection Officers, EIOPA's management has now streamlined their register of processing operations and set up an ambitious road map aimed at further increasing compliance. We hope to achieve similar results from our work with other institutions.
On 27 October 2017, the plenary of the European Parliament approved the Report on the ePrivacy Regulation. This will provide the basis for negotiations with the European Council and European Commission on the final text. Once adopted, the new ePrivacy Regulation will update the rules of the road for privacy and electronic communications.
The Report adopted in the plenary builds upon a draft Report prepared by rapporteur Marju Lauristin in June 2017. It follows many of the recommendations provided by the EDPS in our Opinion of 24 April 2017, our Preliminary Opinion of 22 July 2016 and, most recently, in our Recommendations on the proposed parliamentary amendments. It also builds on the recommendations set out in the Article 29 Working Party Opinion on the proposed Regulation.
Importantly, and despite massive lobbying efforts, the Report saw no expansion of the legal bases for the processing of personal data. Amendments aimed at allowing further processing of data for compatible purposes or on the basis of legitimate interest were not included in the Report. In particular, the text clearly prohibits any further processing of communications metadata. With few exceptions, internet companies and communication providers should only be able to use the data of users with their consent. The Report prohibits tracking walls and take-it-or-leave-it approaches, helps ensure that consent is genuinely freely given and also requires privacy by default for software settings.
The EDPS will continue to follow the progress of the ePrivacy Regulation as discussions move to the trilogue stage.
Since its establishment in 2011, the European Agency in charge of the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) has been gradually entrusted with the operational management of the Schengen Information System, the Visa Information System and Eurodac. After four years of operation, the European Commission conducted an evaluation, which led to the publication of their Proposal for a Regulation on eu-LISA, in June 2017.
The proposal would see eu-LISA entrusted with the operational management of existing and future large-scale IT systems in the area of freedom, security and justice, as well as with developing some aspects related to the interoperability of these systems. It would also require the agency to carry out research activities and to develop, manage and host a common IT system for those Member States interested in a centralised solution for implementing technical aspects of EU legislation in the area of freedom, security and justice.
On 10 October 2017, the EDPS published an Opinion on the proposal. In our capacity as the supervisory authority of eu-LISA, we recommended that the Commission conduct a detailed impact assessment to determine the impact of the proposal on fundamental rights. In particular, this assessment should focus on the issues associated with concentrating all EU large-scale IT systems in one agency and take into account the broader legal context, including ongoing legislative proposals relating to large-scale IT systems.
We also recalled that there is currently no legal framework for the interoperability of large-scale IT systems in the EU, and so recommended that references to interoperability be removed from the proposal. Finally, we recommended that the Commission delete the provision allowing for the possible establishment of a common IT system on the basis of an agreement between eu-LISA and a group of Member States, as such an agreement cannot, under any circumstances, provide a proper legal basis for such a crucial change to the system. We encourage the co-legislator to take our recommendations into account as the legislative process progresses.
On 10 November 2017, privacy engineering experts met at the University of Leuven for a multidisciplinary Trans-Atlantic workshop. The aim of the workshop, which was organised by the EDPS' IPEN initiative, the Future of Privacy Forum (FPF), the University of Leuven and Carnegie Mellon University (CMU), was to identify what steps must be taken to prepare for a new phase in privacy engineering, which will start with the introduction of the GDPR in May 2018.
Giovanni Buttarelli, EDPS, opened the workshop with the observation that the inclusion of data protection by design and by default in the GDPR indicated that these requirements received the full blessing of the legislator. From 25 May 2018, these concepts will no longer be just good practice, but will become explicit legal obligations. While this is undoubtedly a positive step forward for data protection, it represents a challenge for privacy engineers across the world. Assistant Supervisor Wojciech Wiewiórowski invited participants to identify the questions we need to address in order to confront this challenge, while accepting that a lot of hard work on many issues will clearly be required.
After a panel debate on EU and US approaches to privacy engineering, colleagues from the collaborating organisations, including Head of the EDPS IT Policy Unit Achim Klabunde, moderated breakout sessions on specific challenges. These included an exploration of concepts such as state of the art, consent, de-identification, transparent and interpretable processing, and deployment and development processes. The sessions focused on identifying open research and development tasks that will make the implementation of the GDPR successful.
The organisers and participants will document the outcome of the workshop in research reports and policy recommendations, which should be available from early next year.
The annual Computers, Privacy and Data Protection (CPDP) conference will take place from 24 to 26 January 2018 at Les Halles de Schaerbeek in Brussels. Striving for diversity and balance, CPDP gathers together academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world to exchange ideas and discuss the latest emerging issues and trends.
As data collection increasingly focuses on the physical body and bodies are increasingly connected, digitised and informatised, CPDP2018 will focus on the Internet of Bodies as its overarching theme. The aim is to pave the way for a timely and thorough discussion over a broad range of ethical, legal and policy issues related to new technologies.
CPDP2018 will stage more than 70 panels addressing current debates in the area of information technology, privacy and data protection. Already lined up are panels on the implementation of the GDPR, wearables, the Internet of Things (IoT), blockchain, border control, data breaches, privacy and security by design, health data, neural prosthetics and algorithmic accountability. CPDP is also a brilliant opportunity for networking within the privacy and data protection community. The initial line-up of speakers will be announced soon.
For more information and to register visit: http://www.cpdpconferences.org/
For inquiries, contact: firstname.lastname@example.org
Mr. Marco Moreschini (Assistant DPO), European Data Protection Supervisor (EDPS)
Ms. Adrianna Bochenek (Deputy DPO), Agency for Fundamental Rights (FRA)