In the February 2018 edition of the EDPS Newsletter we cover the state of play of the revised Regulation for the EU institutions, EDPS supervision of Europol and the 11th edition of the Computers, Privacy and Data Protection (CPDP) conference.
In this issue
Time running out to ensure effective data protection in the EU institutions
Through the General Data Protection Regulation (GDPR), the EU has led the way in safeguarding fundamental rights in the digital age. It reinforces the rights of individuals, strengthens legal guarantees and will allow for better and more consistent enforcement of data protection rules through the new European Data Protection Board (EDPB), for which the EDPS will provide the secretariat.
This major shift is certainly a reason to celebrate, but we must not forget that the EU’s work is not yet finished. The data protection reform package remains incomplete, as discussions on the rules applying to electronic communications (the new ePrivacy Regulation) and the EU institutions and bodies are still ongoing.
More than a year has passed since the Commission issued its proposal for the new Regulation for EU institutions and bodies. Its adoption should have been quick, especially since, when the GDPR was adopted, the co-legislators agreed that the new data protection rules for EU institutions and bodies should become applicable at the same time as the GDPR.
The importance of the new Regulation for all EU institutions and bodies cannot be overstated. It is a statement of the EU’s commitment to subject itself to the same rules that will apply to others under the GDPR and the law enforcement directive. There can be no special treatment for the EU bubble. The strongest way to send this signal is to adopt these updated rules in time for them to be fully applicable alongside the GDPR on 25 May 2018.
Assistant EDPS visits EU institutions in Luxembourg
Our efforts to ensure that the EU institutions are prepared for the revised data protection rules are not limited to training courses in Brussels. On 30 and 31 January 2018, Assistant Supervisor Wojciech Wiewiórowski and EDPS staff from the Supervision and Enforcement Unit visited Luxembourg for a series of meetings with management representatives from the European Parliament, the European Investment Bank (EIB), the European Investment Fund (EIF) and the Consumers, Health, Agriculture and Food Executive Agency (CHAFEA).
These meetings were an opportunity for us to explain the main changes expected under the revised data protection rules for the EU institutions and provide recommendations on how to prepare for them. We targeted high-level management, with the idea that, as with any compliance effort, those at the top set the tone for the rest of the organisation.
However, it is crucial that colleagues at all levels are aware of the new rules. Therefore, with the help of the European Court of Auditors, we organised two training sessions aimed at staff members working at all EU institutions based in Luxembourg. In total, more than 200 people attended the sessions, in which we provided an overview of both the current rules and the expected changes to these rules. We also explained their individual obligations when processing personal data in the workplace and their rights as individuals when their data is processed by EU institutions. Each session included a lively question and answer period, one of which was recorded and webstreamed.
Europol demonstrates commitment to effective data protection
As the supervisory authority for Europol, the EDPS is responsible for providing Europol with advice on all matters concerning the processing of personal data. This includes proposals for internal rules or administrative measures relating to the protection of the fundamental rights of individuals or the transfer and exchange of personal data. On 6 July 2017, we published our first Europol Opinion, which concerned Europol’s Integrated Data Management Concept (IDMC) Guidelines.
The IDMC Guidelines were provisionally adopted by Europol on 1 May 2017, pending EDPS approval. They specify:
- the conditions under which personal data might be temporarily processed in order to determine whether it is relevant to Europol’s tasks;
- the procedures for processing personal information;
- the requirements for processing personal information for cross-checking, strategic or thematic analysis, operational analysis or for facilitating the exchange of information.
The guidelines therefore provide the procedures according to which Europol must carry out all future processing of personal data under the Europol Regulation.
In our Opinion, we made 16 recommendations. Our main concern was the need to further clarify the different purposes for which Europol can process personal data. This issue is important because different data protection safeguards apply depending on the purpose for which data is processed, as this purpose determines the different types of intelligence services that Europol is able to provide to the national law enforcement authorities.
Europol promptly implemented the recommendations made by the EDPS and adopted a revised version of the IDMC Guidelines on 13 December 2017. Europol has expressed a commitment to continuing its work to clearly define and streamline its procedures together with their respective data protection safeguards, such as the implementation of data retention periods for each type of analysis product or service it produces. The objective of this exercise is to implement more efficient rules for data processing and reviewing, leading to better data quality, the deletion of unnecessary data (noise reduction) and improved intelligence products.
Training the EU institutions to lead by example
With new data protection rules for the EU institutions and bodies currently being discussed by the European Commission, Parliament and Council, the EDPS has stepped up its efforts to ensure that the EU institutions are ready to lead by example in implementing these rules. As part of these efforts, we have organised a series of training courses addressing the new obligations foreseen under the revised rules.
Our awareness-raising campaign began in earnest in June 2017, with a lunch conference in French which took place at the EU School of Administration (EUSA), in Brussels. Aimed at EU staff working in middle management, the conference sought to raise awareness about current and new obligations relating to the processing of personal data by the EU institutions. Two further conferences took place in English in October and November 2017, the second of which was recorded and shared with all EU institutions and bodies, to be used as an internal training tool. These lunchtime conferences will continue into 2018, with two more planned for 16 February and 16 March 2018.
In addition to this, we have been working with individual institutions to help them prepare. On 31 January 2018, for example, EDPS staff from the Supervision and Enforcement Unit organised a training course for the European Ombudsman. The course, which took place in Brussels and via videoconference in Strasbourg, was attended by Heads of Units and Sectors, as well as other relevant staff members. Participants were encouraged to ask questions and participate fully in the discussion, with the objective of providing them with relevant and practical advice on the application of the new rules at the European Ombudsman.
As the revised rules will soon become fully applicable, the EU institutions need to ensure that they are ready to comply with them at short notice. Our aim, therefore, is to target all professional levels of the EU institutions that will be directly affected by the anticipated changes and help them to prepare appropriately.
EU trade unions and the EDPS
On 29 January 2018, we responded to a consultation from a trade union for EU staff, relating to the conditions for sharing data within the same trade union. Our Opinion found that these trade unions are not classified as EU institutions or bodies under the relevant provision of the current rules for the EU institutions and bodies. Nevertheless, as a general rule, any internal transfer of data should be governed by the need-to-know principle and therefore the trade union should carry out an analysis to determine whether or not internal data transfers are necessary in this case.
Don’t just press record...
On 21 December 2017, the EDPS issued a confidential decision relating to a complaint submitted by a staff member from an EU body. The complaint concerned the recording of an intervention made during an internal meeting and its potential impact on the appraisal of the staff member.
In our Decision, we stated that the recording of internal meetings is more intrusive than simply taking notes. It should therefore only be done in cases where the goal sought cannot be adequately achieved by taking written minutes. If an EU institution wants to record meetings, it should demonstrate the need to do so on a case-by-case basis, and within the framework of internal rules.
Digital ethics high on the agenda at CPDP 2018
The 11th edition of the Computers, Privacy and Data Protection (CPDP) conference took place in Brussels from 24 to 26 January 2018. The theme of the conference was the Internet of Bodies (IoB), a concept derived from the Internet of Things (IoT). EDPS staff participated in panels addressing potential privacy concerns with the IoB, including automated decision-making in commercial health, the use of multimodal biometrics at border crossings, the internet of (vulnerable) bodies, and the fundamental rights implications of European large-scale IT systems and the use of biometrics.
Ethical questions relating to the pervasive processing of personal data in the digital age were also high on the agenda. Notably, the Ethics Advisory Group, which was launched by the EDPS at CPDP 2016, returned to the conference as part of a panel organised by the EDPS, to discuss the questions raised in their recently published report. Their ideas were echoed in a separate panel, on the privatisation of privacy, which stressed that without appropriate measures to preserve the dignity of the person, we risk weakening the democratic process.
With the General Data Protection Regulation (GDPR) fully applicable from 25 May this year, there was growing interest in how data protection authorities can maximise their effectiveness in enforcing the new rules, with panels debating the use of legitimate interest, administrative fines and the right of access in practice. Other notable themes included the transatlantic dimension of international transfers of personal data and the importance of privacy engineering for addressing privacy concerns through privacy by design.
EDPS Giovanni Buttarelli had the honour of both moderating the last panel, on the encryption of communications and electronic evidence, and of closing the conference. In his concluding remarks, he urged European privacy professionals to make 2018 the year of increased accountability and transparency, and invited them to continue discussions at the 40th International Conference of Data Protection and Privacy Commissioners, which takes place in Brussels from 22 to 26 October 2018.
EDPS celebrates Data Protection Day 2018
On 28 January each year, EU institutions, agencies and bodies, as well as the member states of the Council of Europe, celebrate Data Protection Day. This day marks the anniversary of the Council of Europe’s data protection convention, known as Convention 108. This was the first binding international law concerning individuals’ rights to the protection of their personal data.
This year, to mark the occasion, the EDPS trainees held a lunchtime conference on 12 February 2018, focused on data protection issues relating to modern-day dating apps. The EDPS and Assistant Supervisor provided the opening and closing remarks at the conference, which included presentations by Maryant Fernández Pérez and Diego Naranjo, Senior Policy Advisors at European Digital Rights (EDRi), Jerome Groetenbriel, co-founder of PersonalData.IO, Raegan MacDonald, Senior EU Policy Manager at Mozilla, and Marijn Sax, PhD candidate at the Institute for Information Law, University of Amsterdam. The panels discussed topics such as:
- what personal data dating apps can process and how they use this data;
- the rights of individuals to request access to the data held on them;
- digital ethics in the context of dating apps;
- privacy by design;
- algorithms used to ‘match’ app users.
Taking place just two days before Valentine’s Day, the conference theme proved successful in raising awareness about the risks and rights associated with widely-used apps, as well as in encouraging young people to engage in the data protection and privacy debate. The conference was webstreamed and can still be viewed online.
Data Protection Officers
Ms. Kalliroi GRAMMENOU, Chafea
Mr. Tobias KOHLHOF (Deputy DPO), Chafea
Speeches and Publications
Closing remarks by Giovanni Buttarelli at the 11th International Computers, Privacy & Data Protection (CPDP) conference, Brussels (26 January 2018)
Speech by Giovanni Buttarelli on privacy by design and privacy engineering given at the 11th International Computers, Privacy and Data Protection Conference (CPDP), Brussels, Belgium (25 January 2018)
Speech by Giovanni Buttarelli on digital ethics given at the 11th International Computers, Privacy and Data Protection Conference (CPDP), Brussels, Belgium (25 January 2018)
Surveillance for public security purposes: Four pillars of acceptable interference with the fundamental right to privacy, chapter by Wojciech Wiewiórowski published in Data Protection and Privacy under Pressure: Transatlantic tensions, EU surveillance and big data, edited by Gert Vermeulen and Eva Lievens (18 December 2017)