In the December 2017 edition of the EDPS Newsletter we cover the EDPS survey, data protection and farm statistics and the proposed Regulation on ECRIS-TCN.
Data protection of course has always been about dignity and restraint. It is based on the idea that respect for humans means being careful with what you do with information about them.
But data protection in the EU has also always been about helping to oil the cogs of commerce inside the internal market. Common standards meant that it didn’t matter where personal data travelled within the Union; what mattered instead were the safeguards in place for individuals, as well as accountability of controllers and processors.
One of the many signals that data protection is now truly part of the mainstream of public policy is the recent discussion on the proper relationship between trade and data, including personal data. Apart from a general exception, the General Agreement on Tariffs and Trade - signed in 1994 as the first multilateral treaty on the liberalisation of international trade - makes no mention of data flows. Indeed, the WTO’s own website could not be more categorical: “The WTO has had nothing whatever to do with Internet privacy”.
Now, however, with the digital economy developing at a very fast pace, an EU institutional trend to address the issue of restrictive measures to trade (so-called “digital protectionism”) has emerged. The objective pursued is to support the interests of EU businesses and to enable them to be competitive on markets outside the EU. The trade agreements at stake also aim to support third countries’ businesses. This has led to the idea of inserting into the trade agreements negotiated by the European Commission specific clauses that would, on the one hand, ensure the “free flow of data” and, on the other hand, prohibit “unjustified” data localisation restrictions by third countries.
There is a clear need for the EU to develop a more efficient system for exchanging information on the criminal records of non-EU citizens. At the same time, any proposal to update the current system must ensure consistency with the EU Charter of Fundamental Rights and the Lisbon Treaty and fully respect data protection principles, the EDPS said on 13 December 2017, as he published his Opinion on the Commission’s Proposal for a Regulation on ECRIS-TCN.
Member States use the current European Criminal Records Information Service (ECRIS) primarily to facilitate judicial cooperation, through the exchange of information relating to criminal convictions. In 2016, the Commission proposed a Directive on ECRIS aimed at improving this system, in particular by making it easier for Member States to exchange information on non-EU citizens, known as third-country nationals (TCN). The proposed Regulation on ECRIS-TCN aims to complement the Directive and address some of the technical problems encountered in its application, most notably by changing the system used to identify which Member States hold information on criminal convictions relating to non-EU citizens from a decentralised system to a central system.
Giovanni Buttarelli, EDPS, said: “There is a clear need to improve the ECRIS system to better facilitate the exchange of information on the criminal records of non-EU citizens, and we support the Commission’s efforts to do this. At the same time, it is vital that our approach is consistent. Firstly, this means ensuring that any difference and specificity in the treatment of the personal data of non-EU citizens and EU nationals is fully justified. Secondly, it means ensuring that the Regulation and the Directive fully respect the EU Charter of Fundamental Rights and the requirements for any lawful limitation of these rights.”
EU institutions and bodies deal with a wide variety of personal data, and often in complex ways. EU law requires that they are able to ensure, verify and demonstrate compliance with data protection rules when handling this data. According to a report published on 28 November 2017 by the EDPS, there has been continuous and steady progress in the way that they deliver on this obligation.
Giovanni Buttarelli, EDPS, said: “Our latest stock-taking exercise confirms a largely positive trend among EU institutions and bodies. As their independent supervisory authority, it is the role of the EDPS to make sure they remain accountable in their compliance with data protection rules. The publication of this report will help us to establish priorities for EDPS activities in 2018, a year which, with the entry into force of the new General Data Protection Regulation (GDPR), as well as a Proposal to amend the current rules governing data protection in the EU institutions, will mark the beginning of a new era in data protection.”
Wojciech Wiewiórowski, Assistant EDPS, said: “This Survey provides a state of play in relation to the compliance of EU institutions with data protection rules, whilst also illustrating the role of the EDPS as their independent supervisory authority. The report is part of our efforts to train and guide EU institutions on how best to respect data protection rules in practice, whilst focusing on processing activities that present a high risk to individuals. We emphasise progress made in comparison to previous Surveys, and underline shortcomings. We also take follow-up action, ranging from targeted assistance, guidance and training to more robust action, where appropriate.”
As part of our supervisory work, the EDPS carries out on-site inspections at the EU institutions. They allow us to verify how data protection is applied in practice and are carried out for a variety of different reasons.
On 20 and 21 November 2017, the EDPS carried out an inspection at the European Economic and Social Committee (EESC) in Brussels. The inspection covered the EESC's processing operations in the fields of recruitment, staff appraisal and administrative inquiries.
On 23 and 24 November, we carried out another inspection, this time at the European Food Safety Authority (EFSA) in Parma. The inspection covered anti-harassment procedures, CCTV and access to personal data under Regulation 45/2001, the current rules covering data protection in the EU institutions. In the case of anti-harassment procedures, we focused specifically on evaluating data quality and data retention practices, while to assess their CCTV practices, we verified the information provided to the individuals concerned.
Both inspections provided useful feedback on how EU bodies are performing in terms of compliance, and will help us to determine priorities for future inspections and supervision work.
Before carrying out any new operations involving the processing of personal data, EU institutions and bodies are required to declare these operations to the EDPS. In what are known as prior check opinions, the EDPS examines the proposal and makes recommendations to ensure that the proposed operation complies with data protection rules.
At the recent meetings of data protection officers (DPOs) in Tallinn and London, we announced that, as of the end of November 2017, the EDPS will no longer accept ex-post notifications. These are prior check requests relating to processing operations that started before the EDPS was appointed or before the current data protection rules came into force.
Though ex-post prior check notifications received after 1 December 2017 will not be analysed in detail, EU institutions and bodies remain responsible for ensuring that any processing of personal data complies with the rules set out under Regulation 45/2001, demonstrating full respect for the fundamental rights to data protection and privacy. The fact that the EDPS will no longer analyse such notifications in detail does not imply tacit approval.
The decision to end ex-post prior checks is related to our increased emphasis on the principle of accountability, which encourages EU institutions to not only comply with data protection rules but to also be able to demonstrate that compliance. With the revised rules for data protection in the EU institutions set to come into force in the near future, the EDPS encourages all EU institutions and bodies to consider whether the processing operations they currently use might require a data protection impact assessment (DPIA) under the proposed new Regulation.
In December 2016, the Commission published a proposal for a Regulation on integrated farm statistics. The amendments proposed during recent discussions on the proposal in the Council, however, raised new issues regarding data protection which were not present in the Commission’s initial proposal. If these amendments are included in the final text, the draft Regulation would become the first EU legislative instrument to provide for derogations from the rights of access and rectification, the right of restriction and the right to object to the processing of personal data for statistical purposes, in accordance with Article 89 of the General Data Protection Regulation (GDPR).
The Council therefore invited the EDPS to issue a formal opinion on the proposed amendments. In our Opinion, published on 20 November 2017, we stressed that the rights of access and rectification are set out in the Charter and are considered essential components of the right to the protection of personal data. We therefore recommended that the Council re-assess the necessity of the proposed derogations. The fact that putting in place technical and organisational measures to provide access and other rights to individuals may require financial and human resources is, by itself, not a valid reason to derogate from the rights of individuals under the GDPR.
Unless the EU legislator can provide further justification of the need for these derogations, and tailor the scope of the provisions more narrowly, we recommended that they consider to what extent Article 11 of the GDPR (processing which does not require identification) may help address the legitimate concerns of national statistical institutes.
Cybersecurity is no longer just a concern for experts. A large majority of EU citizens recognise its importance. In a recent Eurobarometer survey, 87 percent of respondents considered cybercrime to be an important challenge to the internal security of the EU, while the misuse of personal data continues to be the most significant concern for internet users.
On 13 September 2017 the European Commission and the EU’s High Representative for Foreign Affairs and Security Policy proposed a set of measures aimed at increasing EU resilience to cyber-attacks. Referred to as the Cybersecurity Package, they specifically mentioned the need to establish a system of EU cyber deterrence and criminal law that would better protect people, businesses and public institutions within the EU. On 18 October, the Commission adopted a report on the Security Union, elaborating on some of these initiatives.
The proposed measures include:
The EDPS recognises that adequate cybersecurity is necessary to protect privacy and personal data, and in particular emphasises the importance of prevention. While effective prosecution is needed, it is even better to avoid becoming a victim of a cyber-attack in the first place. Where the same instruments are used for cybersecurity as for data protection, for example certification and incident notification, organisations will be subject to both sets of rules. This must not lead to confusion or contradiction.
Enhanced measures against cyber criminals must be developed and applied in full respect of the principles of necessity and proportionality. The EDPS welcomes the Commission’s commitment not to weaken or undermine the strength of encryption. Trustworthy encryption capabilities are critical for digital markets and societies. We cannot risk undermining the confidence in our services and cybersecurity tools.
The Commission announced several legislative initiatives. The EDPS will provide recommendations on these proposals in order to ensure that they are not only effective, but that they guarantee the protection of fundamental rights, including the rights to privacy and data protection.
When we develop cyber-attack tools, we may risk becoming victims ourselves if our own tools fall into the wrong hands. We have seen this in past events, and we repeat this warning in the context of the Cybersecurity Package.
We have recently issued formal comments on the proposed policy package, and plan to issue further advice in the near future.