Last year, the EDPS worked on a huge variety of topics. Among other high-profile activities, we contributed to debates on EU border policy, including proposals on the interoperability of large-scale IT systems, ECRIS and ETIAS, and provided guidance to policymakers through the publication of a necessity toolkit. A look back at our monthly Newsletter, however, provides an insight into some of our less high-profile activities.
In the January 2018 edition of the EDPS Newsletter, we look back at 2017 and recap ten things you might have missed.
In this issue
Improving the treatment of rare and complex diseases
On 6 November 2017, the EDPS published an Opinion on the Clinical Patient Management System (CPMS), a web-based clinical software application developed to support European Reference Networks (ERN) when dealing with rare and complex diseases. ERNs are virtual networks of healthcare providers working within the EU, across national borders.
The CPMS is the first multi-country clinical system able to play a critical role in patient care, diagnosis and treatment of rare diseases. It also supports clinical research. It contains information on rare diseases and provides tools for collaboration and virtual consultations between doctors on patient files. It therefore has significant potential for improving the health and treatment of patients affected by rare diseases. Any processing of personal data is based entirely on the consent of the patient, which may be withdrawn at any time.
In order to ensure that the CPMS remains compliant with Regulation 45/2001, we made several recommendations. These included reducing the retention period for personal data and improving the quality of the data stored in the system. In addition, we recommended that more detailed information be provided to individuals about how their personal data is processed in the CPMS.
Health and data protection in the EU institutions
In 2017 the EDPS addressed several complaints concerning the processing of medical data. The rules that EU institutions and bodies must follow when dealing with such data are set out in Article 10 of Regulation 45/2001. The EDPS also issued Guidelines on the topic in September 2009, designed to help the EU institutions comply with their obligations under the Regulation.
One such complaint concerned the processing of medical data to facilitate disciplinary proceedings relating to suspected fraud. It involved analysing whether, under Regulation 45/2001, the EU body concerned had the right to access medical data linked to the reimbursement of medical expenses, stored by a third party, and transfer it to the State Prosecutor.
We concluded that, under the right to information, the EU body should have informed the relevant staff members of both actions and could not claim that doing so would have involved a disproportionate level of effort. We stressed that, for fraud investigations involving medical data, only the relevant medical advisers should have access to this data. Data protection officers (DPOs) should also be involved in internal disciplinary procedures, especially when they involve the special categories of personal data outlined in Article 10 of the Regulation.
Another case concerned a breach of confidentiality. The EU body concerned disclosed medical data to a third party in order to check the validity of a medical certificate. Though the EU Staff Regulations may justify this action, they also specify that the individuals concerned must be informed of the relevant legal basis under which this data will be processed and that the validity of a medical certificate might be checked. Changing the purpose for which medical data is processed, as occurred in this case, also constitutes a breach of Article 6 of the Regulation, which specifies that this is only possible if expressly provided for in the internal rules of the relevant EU body.
When the professional becomes personal
Information relating to a registered company or legal person, especially when connected with additional data, can make it possible to identify the individual or natural person associated with the company. For this reason, information about a registered company can, in certain cases, be considered personal data. In 2017 the EDPS dealt with several complaints relating to company data stored in EU databases.
One complaint concerned the email address used to register a company in an EU database. The complainant alleged that it had been accessed unlawfully by, or made available to, third parties and was then used for unsolicited commercial communication (spam).
We found that the data had been processed according to the rules set out in Article 5(a) of Regulation 45/2001, and judged that the EU institution responsible for the database had taken appropriate measures to address the complaint. However, we also recommended that the EU institution move forward with implementing anonymisation techniques to better protect the data stored in the database and advised it to amend the relevant data protection notices to ensure that they provide information on the limited availability of data and on any anonymisation techniques used.
Another complaint concerned an individual whose company is registered in the VAT Information Exchange System (VIES on-the-web). VIES is a search interface which facilitates cross-border economic transactions by making it possible to check the validity of the VAT identification numbers of companies registered in the EU. Our investigation found that the EU institution responsible for VIES had put in place adequate measures to prevent, detect, and stop illicit use of the database.
Though VIES is operated by an EU institution, its content is taken from the national VAT registries in the Member States. These are maintained by the respective national tax administrations, and the information recorded by each depends on national law. Only the tax administration that issued the VAT number is able to delete or alter the personal data held in its national registry, which is the data that then appears in VIES; personal information can only be accessed in VIES by searching for a VAT number. Supervision of data processing in this case is therefore the responsibility of the national data protection authority (DPA) of the country in which the company is registered.
In accordance with the new Europol Regulation, on 1 May 2017 the EDPS took over responsibility for the data protection supervision of Europol. The new Regulation also provides for the establishment of a Cooperation Board, for which the EDPS provides the secretariat. The Board will facilitate cooperation between the EDPS and national supervisory authorities on issues requiring national involvement.
In our new role, we carry out a range of duties, including:
- inspections, which will be carried out in cooperation with national supervisory authorities;
- advising Europol on all matters concerning the processing of personal data;
- hearing and investigating complaints from individuals who consider their personal data to have been mishandled by Europol.
We have confidently taken on this new responsibility and are fully aware of the need to strike the right balance between security and privacy when dealing with data processing for the purpose of law enforcement.
High quality data protection for high quality decision making
The European Union Intellectual Property Office (EUIPO) uses what are known as ex-ante product quality audits to ensure the quality of its output. This means checking the quality of its decisions on trademarks and designs before they are issued. EUIPO records the error rate and trends in the type and category of errors detected and uses a database to record the monitoring process.
As staff members remain identifiable throughout the process and are given individual feedback dependent on the outcome, the process could have an impact on their performance evaluation. We therefore undertook to assess the procedure.
In our Opinion of 16 February 2017, we recommended that EUIPO ensure that all involved in the procedure are comprehensively informed of the processes used. They should also be allowed to consult their own data, stored in the database, and to exercise their data protection rights wherever and whenever relevant.
Investigating infringements: the privacy-friendly approach
The European Parliament employs the accredited parliamentary assistants (APAs) of all 751 Members of the European Parliament. Whilst the vast majority of these are employed legally and in accordance with the relevant contractual obligations, there have been cases in which these contractual obligations have allegedly been breached, the most serious of which have led to lawsuits at national level.
The Parliament has therefore launched an information exchange system, named Confluence. The system aims to increase the efficiency with which the Parliament is able to investigate APAs suspected of infringements, such as non-residence in Brussels or the failure to declare professional activities undertaken outside their work at the Parliament.
In our Opinion on the use of Confluence, we examined the implications of the system for data protection. We advised the Parliament to revise its provisions on administrative investigations and disciplinary proceedings to ensure that they provide for the use of an administrative pre-enquiry tool such as Confluence. We also stressed the need to adequately inform APAs involved in such a procedure. In this way, the Parliament will be able to adequately investigate suspected infringements whilst ensuring that its own actions do not infringe upon data protection rules.
Data protection and farm statistics
In December 2016, the Commission published a proposal for a Regulation on integrated farm statistics. The amendments proposed during recent discussions on the proposal in the Council, however, raised new issues regarding data protection which were not present in the Commission’s initial proposal. If these amendments are included in the final text, the draft Regulation would become the first EU legislative instrument to provide for derogations from the rights of access and rectification, the right of restriction and the right to object to the processing of personal data for statistical purposes, in accordance with Article 89 of the General Data Protection Regulation (GDPR).
The Council therefore invited the EDPS to issue a formal opinion on the proposed amendments. In our Opinion, published on 20 November 2017, we stressed that the rights of access and rectification are set out in the Charter and are considered essential components of the right to the protection of personal data. We therefore recommended that the Council re-assess the necessity of the proposed derogations. The fact that putting in place technical and organisational measures to provide access and other rights to individuals may require financial and human resources is, by itself, not a valid reason to derogate from the rights of individuals under the GDPR.
Unless the EU legislator can provide further justification of the need for these derogations, and tailor the scope of the provisions more narrowly, we recommended that they consider to what extent Article 11 of the GDPR (processing which does not require identification) may help address the legitimate concerns of national statistical institutes.
Data protection and the fight against tax evasion
On 5 July 2016, the Commission proposed amendments to the Anti-Money Laundering (AML) Directive. The amendments would extend the scope of the Directive to tackle tax evasion and advocate a stricter approach to countering money laundering and terrorism financing. However, they could also have serious implications for data protection and privacy. In our Opinion of 2 February 2017, we highlighted the areas in which the amendments constitute a cause for concern.
The proposed amendments suggest that personal data collected and processed under the current AML Directive, for the purpose of countering money-laundering and terrorism financing, might also be processed for other purposes, which are not clearly defined. This would contravene the principle of purpose limitation, which requires that personal data must only be collected and processed for a specific and pre-defined purpose.
It also raises questions about the proportionality of the proposal, as it implies that the invasive personal data processing considered acceptable in the fight against money laundering and terrorism could be used to achieve other, undefined aims, for which the use of such methods might not be appropriate.
The amendments depart from the risk-based approach to data protection adopted in the current AML Directive and remove safeguards that help to establish proportionality, such as the setting of access conditions for information on financial transactions by Financial Intelligence Units. They also significantly broaden access to beneficial ownership information, so that both competent authorities and the public are able to use this information as a policy tool in the enforcement of tax obligations.
If implemented, the amendments would pose significant and unnecessary risks to individual privacy and data protection. For this reason we urged the Commission to re-think their position.
Ensuring privacy-friendly protection from cyber-attacks
Cybersecurity is no longer just a concern for experts. A large majority of EU citizens recognise its importance. In a recent Eurobarometer survey, 87 percent of respondents considered cybercrime to be an important challenge to the internal security of the EU, while the misuse of personal data continues to be the most significant concern for internet users.
On 13 September 2017 the European Commission and the EU’s High Representative for Foreign Affairs and Security Policy proposed a set of measures aimed at increasing EU resilience to cyber-attacks. Referred to as the Cybersecurity Package, they specifically mentioned the need to establish a system of EU cyber deterrence and criminal law that would better protect people, businesses and public institutions within the EU. On 18 October, the Commission adopted a report on the Security Union, elaborating on some of these initiatives.
The proposed measures include:
- reinforcing the role of the European Network and Information Security Agency (ENISA);
- establishing a European cybersecurity certification framework to create a level playing field within the EU;
- introducing more effective deterrence focusing on detection, traceability and prosecution of cyber criminals.
The EDPS recognises that adequate cybersecurity is necessary to protect privacy and personal data, and in particular emphasises the importance of prevention. While effective prosecution is needed, it is even better to avoid becoming the victim of a cyber-attack in the first place. Where the same instruments are used for cybersecurity as for data protection, for example certification and incident notification, organisations will be subject to both sets of rules. This must not lead to confusion or contradiction.
Enhanced measures against cyber criminals must be developed and applied in full respect of the principles of necessity and proportionality. The EDPS welcomes the Commission’s commitment not to weaken or undermine the strength of encryption. Trustworthy encryption capabilities are critical for digital markets and societies. We cannot risk undermining the confidence in our services and cybersecurity tools.
The Commission announced several legislative initiatives. The EDPS will provide recommendations on these proposals in order to ensure that they are not only effective, but that they guarantee the protection of fundamental rights, including the rights to privacy and data protection.
When we develop cyber-attack tools, we may risk becoming victims ourselves if our own tools fall into the wrong hands. We have seen this in past events, and we repeat this warning in the context of the Cybersecurity Package.
In December 2017 we issued formal comments on the proposed policy package, and we plan to issue further advice in the near future.
In May 2017, a widely-publicised cyber-attack took place, gaining fame in the media under the hashtag #WannaCry. The attack caused damage in two steps: after infecting a computer system, the malware encrypted the data stored on that system and then demanded a ransom payment in exchange for decryption (ransomware). To infect computer systems, the malware used code that had been stolen from an intelligence service.
While the high number of infected systems raised a lot of interest, a much larger number of systems were not actually affected by the malware. System owners who had applied a recent security update which closed the security loophole, or who had disabled the vulnerable functions, were not affected. System owners who had up-to-date secure backups of their data were able to restore their systems without paying any ransom.
In 2015, the EDPS warned that the use and collection of surveillance tools by state authorities should be subject to strict limitations. At ENISA’s Annual Privacy Forum, which took place in Vienna on 7 and 8 June 2017, Assistant Supervisor Wojciech Wiewiórowski reiterated this point: “The current attacks show that even state agencies cannot guarantee that their cyber weapons and their intrusive tools will not fall into the wrong hands and serve the criminals and attackers they were supposed to target. Many experts are expecting further attacks with other tools from the stolen collection, some of which may not yet be known to security experts.”
The attack should act as a wake-up call and highlight the importance of information security in ensuring that personal data is adequately protected. In March 2016, the EDPS issued guidance on the implementation of an Information Security Risk Management Process (ISRM). Though aimed specifically at the EU institutions, this guidance might also be applied to other organisations. As cybercrime becomes increasingly sophisticated, it is vital that those involved in collecting and processing personal data treat information security as an integral element of their data protection policy.