In the February 2019 edition of the EDPS Newsletter we cover the upcoming European elections, privacy-friendly workplaces, and the circumstances under which EU institutions are permitted to restrict an individual's data protection rights.
2018 was a year of significant change in EU data protection. The latest addition to the new legislative framework is Regulation 2018/1725, the new data protection regulation for EU institutions (EUI), also known as the GDPR for EUI.
This Regulation, which came into force on 11 December 2018, aligns data protection requirements for EU institutions with the General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive, both applicable since May 2018.
Also in late 2018, the Council of the European Union adopted the Eurojust Regulation (EJR), after five years of legislative negotiations. The EJR will apply from 12 December 2019. It will set Eurojust apart from other EU law enforcement agencies, as the first of these not to be governed by an autonomous, standalone data protection regime.
On 1 February 2019, Assistant Supervisor Wojciech Wiewiorowski chaired a panel at the annual Computers, Privacy and Data Protection Conference (CPDP). The panel aimed to highlight the significance of these changes in data protection law, the purpose of a separate Regulation for EU institutions and the differences and similarities between the GDPR and the GDPR for EUI.
If the GDPR for EUI provides the same level of protection as the GDPR, why do we need two separate Regulations? The simple answer is that the EU institutions have a specific ecosystem, with certain idiosyncrasies, that cannot be addressed by the GDPR. For a more detailed explanation, take a look at the video recording of the CPDP panel, available online.
On 17 December 2018, we published an Opinion on the European Commission’s legislative package on free and fair European elections. The package consisted of four parts:
In our Opinion, we recognised the fact that the package underlined the role of social media platforms in the election process, as well as the consistency of the package with the Commission’s Code of Practice on online disinformation.
With European Parliament elections set for May 2019 and numerous other national elections scheduled throughout the year, we acknowledged the need to set up national election networks and a European coordination network, as outlined in the Commission’s Recommendation. Given our work in this area, we also expressed our interest in participating in the European network.
Our Opinion reinforced the urgency of the Commission’s call for Member States to assess the risks associated with the European Parliament elections, particularly potential cyber incidents that could affect the integrity of the electoral process.
Moreover, we felt that, for further clarity, a reference could have been included to the fact that personal data processed by the European Parliament, the Authority for European political parties and European political foundations and the Committee of independent persons will be done within the scope of the new Regulation for the EU institutions and bodies.
We also provided several specific recommendations on the proposed Regulation, including the need to clarify the scope of the new measures and their aims and the need to ensure confidentiality in the exchange of information between DPAs and the Committee of independent persons. In addition, we advised including references to EDPS decisions and the current data protection legal framework.
Employment numbers across the EU are on an upward trend. However, as more people enter the workforce, we need to make sure that they do so in a way that protects their data protection rights. This includes the more than 40,000 men and women employed by the different EU institutions.
The EU should lead by example in protecting fundamental rights, including data protection. As the supervisory authority responsible for overseeing how EU institutions process personal data, the EDPS has provided extensive guidance on many aspects of employment in the data-driven age.
The processing of personal data for the management of human resources is one of the main data processing activities carried out by the EU institutions. It is therefore important to ensure that, when carrying out these processing activities, this data and the rights of the individuals concerned are adequately protected. Several new principles introduced under the new rules for data protection in the EU institutions help to do this.
The Accountability principle: The new rules introduced under Regulation 2018/1725 represent an evolution in data protection culture. Employers are responsible for upholding data protection rules when handling the personal data entrusted to them by their employees. Now, however, they must go further than mere compliance with these rules. They need to be able to demonstrate compliance. This requires organisations to evolve from an approach of data protection in theory to one of data protection in practice.
Risk-based approach: Closely linked to the principle of accountability is the idea that organisations should gauge the risks posed by a processing activity to the individuals concerned before settling on a line of action. Deciding on whether or not to install an intelligent CCTV system will require more scrutiny than the decision to send out a newsletter such as the one you are reading now, for instance. Each action an employer takes has a potential impact on the fundamental rights of their employees, their contractors and others.
Data Protection Impact Assessments (DPIAs): DPIAs help employers to identify the risks to the data protection rights and freedoms of their employees. They are necessary in cases where a new data processing activity might pose a particularly high level of risk to the individuals whose data is concerned. This might include the introduction of new technologies, such as a new software to process payrolls or intelligent CCTV cameras.
Data breach notifications: European data protection laws stipulate that if an employer suffers a data breach which is likely to result in a risk to an employee’s rights and freedoms, the latter must be informed about the breach. Data breach notifications allow employees to immediately adopt specific safeguards to protect themselves against the impact of the breach.
Privacy by design and by default: Privacy must be built in to all new data processing activities and tools. This means that employers must ensure that the necessary safeguards set out in the new rules are integrated into all of the processes and technologies used to process personal data. The role of Data Protection Officers and Coordinators is crucial here. They need to be involved in any new developments from an early stage and will ensure that you receive any necessary information and training.
If you are a data controller (EU institution), a data processor of an EU institution, or an EU employee, keep the new rules in mind! Data protection is a fundamental right and something that concerns us all.
On 10 January 2019, we kicked off the New Year with a speech from the EDPS Director to the European Parliament’s Directorate-General for Personnel. Focusing on the new Regulation for data protection in the EU institutions, the Director told the audience that compliance with the rules must be continually pursued and demonstrated. Data protection is not only about fulfilling legal obligations - it is also a means of protecting citizens’ fundamental rights.
A week later, on 17 and 18 January 2019, colleagues from the EDPS Supervision and Enforcement team were invited by the Academy of European Law (ERA) to provide training for more than 70 participants. The event was made up of two sessions. The first considered the data protection obligations of the EU institutions, bodies, offices and agencies towards data subjects, whilst the second focused on the possible remedies, liabilities and penalties that may result from non-compliance with the new Regulation.
On 23 January, one month after the entry into force of the new Regulation, we staged a training event at the European School of Administration for EU managers. The session sparked a lively debate on event organisation, joint controllership and - in light of the recent Nowak case - access to candidates’ written answers in professional examinations.
On 20 December 2018, the EDPS published Guidance on Article 25 of the Regulation 2018/1725 and internal rules.
The aim of this guidance paper is to help EU institutions, bodies and agencies understand the circumstances in which they are permitted to restrict an individual’s rights. Likewise, the paper seeks to inform the individuals concerned about the reasons behind, and limits to, a possible restriction of their rights, including the rights to access, rectification, erasure and others.
Our guidance states that any restrictions to data protection rights should be exceptional and time-limited. As soon as the restriction is no longer necessary, it should be lifted. In addition, restrictions should always be based on the conditions specified in Regulation 2018/1725. For instance, a restriction may be permitted in the prevention or investigation of criminal offences or to protect the individual concerned or the rights and freedoms of others.
Internal rules should be drafted by the relevant EU institution and then published in the Official Journal of the European Union (OJ). These internal rules must be in place before any restrictions can be imposed. Moreover, data protection notices including information about potential restrictions should be available to those individuals who require information on processing and restrictions.
As it stands, most EU institutions and bodies are in the process of drafting their internal rules on rights restrictions. Others have already published their rules in the OJ. Once an advanced draft has been formulated, the EU institution should submit this draft to the EDPS for consultation.
On 24 January 2018, we issued formal comments on the Commission’s Proposal for a Directive regulating certain aspects of non-performing loans (NPLs). NPLs are loans that are more than 90 days overdue and consequently assessed as unlikely to be repaid by the borrower.
The goal of the Proposal is to reduce the stock of NPLs held by banks in two ways:
The second approach is especially relevant to data protection, as it involves the processing of personal data, in particular that of borrowers and credit purchasers.
A high number of actors are potentially involved in the processing of a borrower’s personal data, including credit institutions, credit purchasers, credit servicers and credit service providers. Our comments therefore state that the Proposal should not only refer to the principles of necessity, proportionality and purpose limitation, but also to the principle of transparency. The individual concerned should be informed about the processing of their personal data at each stage of the process.
Furthermore, in accordance with the principle of data minimisation, we recommend reducing the obligation on credit servicers to keep and maintain correspondence with the creditor, as well as reducing their obligation to maintain instructions regarding each credit agreement they manage and enforce on the creditor’s behalf. Similarly, we suggest that it would be sufficient for credit institutions to transmit aggregated information to the competent authorities of the Member States. It is worth noting here that this would also reduce administrative costs on economic operators.
The phoney war is coming to an end. The new data protection framework has applied since May last year, but most people have probably not noticed much change to the way they are treated online, apart from a proliferation of pushy demands for consent to accept business as usual. We have seen, as predicted, the first sanctions, important but hardly to be expected to remedy systemic abuses of personal data. Nevertheless, evidence is emerging that thoughtful moves away from behavioural targeting may have had a positive effect on advertising revenues.
In 2019 the GDPR will get real, as regulators reach conclusions on the now over 250 cross border cases from the One Stop Shop of possible violations. The biggest challenge for data protection authorities is going to be resources, and that means not just sufficient budget allocations and highly competent personnel, but a firm understanding of the technologies behind data processing and communications service provision. The EU legislator has now written this task into the job description of every independent supervisor: both the GDPR (for national authorities) and the new GDPR for EU institutions (for the EDPS) require us to monitor relevant developments insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices.
Technological expertise is undisputedly a component of the regulator’s DNA - along with oversight, auditor, mediation and dispute resolution. The EDPS has invested a lot of time and energy in these questions, especially Artificial Intelligence which, following our discussion paper of 2016, is now a mainstream concern for data protection commissioners across the world. We are pleased to publish the first in a new series of Technology Monitoring briefs, on smart glasses. These are devices on the cusp between science fiction/dystopias (Black Mirror) and eerie reality (see its deployment in the Chinese police forces, for instance). We hope it is useful and would be interested in your feedback on this and suggestions for future editions.
We closed the public session of the International Conference of Data Protection and Privacy Commissioners in October 2018 with a promise to continue the discussion on digital ethics. With the launch of our new #DebatingEthics Conversations, a series of six interactive webinars that will then be released as podcasts, we aim to provide an open platform for this urgent debate.
Each webinar will revolve around a specific theme and bring together different perspectives. Our provisional programme is as follows:
28 February 2019: #DebatingEthics 1 - Digital ethics and the law
30 April 2019: #DebatingEthics 2 - Digitalisation and the future of work
19 June 2019: #DebatingEthics 3 - The environmental impact of new technologies
4 September 2019: #DebatingEthics 4 - Growing up in the digital age
20 November 2019: #DebatingEthics 5 - Digital platforms and their impact on relationships
5 December 2019: #DebatingEthics 6 - Why #DebatingEthics? Revisited
Each webinar will be open for anyone to listen in and comment or ask questions at the end of the discussion. How can moral reasoning help us shape responsible technological development? Follow our updates on the EDPS website and on Twitter and join us in #DebatingEthics.
On 28 January 2019, the IPEN community celebrated Data Protection Day with a special workshop in Brussels. The workshop, which featured as a side event of the 2019 CPDP conference, brought together over 70 privacy experts and engineers from public authorities, industry, academia and civil society to discuss the developments and challenges facing the effective implementation of privacy and data protection.
The workshop was devised as a follow-up to the Preliminary Opinion on Privacy by Design, published on 31 May 2018. This Opinion launched a debate on privacy by design and on the role of technology and privacy engineering for successful application of the General Data Protection Regulation (GDPR)’s new, enforceable legal obligations of data protection by design and by default.
One of the workshop’s objectives was to understand where we are with existing privacy engineering methodologies and best practices, and to figure out what is missing for them to become shareable, useable tools that can support organisations and developers in integrating data protection requirements. Given the global dimension of data flows and the cross-border nature of digital services and products, it is crucial to find common approaches that can stretch across continents in order to overcome legal differences.
Participants stressed how future work should focus on a common operational language, understandable for IT engineers and developers. They also emphasised that we should take into account the new ways in which software and technology are being designed, recognise how adapted educational curriculums and collaborative spaces can be harnessed, and that we acknowledge the decisive role of standardisation. What’s more, they indicated that public administrations should lead by example by offering services that protect individuals’ privacy and personal data.
The workshop was also an opportunity to discuss the relationship between state-of-the-art technologies and privacy and data protection. Through assessing existing technologies and sharing the results, we can help both users and developers. One participant showcased a project for compliant online advertising which keeps publishers in control, while another proposed ethical web guidelines. A presentation on the rationale behind World Wide Web founder Sir Tim Berners-Lee’s groundbreaking proposal to separate data from applications was also given, raising great interest.
A number of the participants did highlight, however, that the monopolistic or oligopolistic nature of certain digital services whose core business model lies in exploiting personal data remains a significant obstacle to the development of privacy by design solutions.
We are looking forward to continuing the discussion at the annual IPEN workshop on 12th June 2019 in Rome, the day before the 2019 ENISA Annual Privacy Forum 2019. Make sure you save the date!
Slowly but surely, Europe is embracing a cashless way of life. Last year, the European Central Bank reported that the use of cash as a percentage of total transactions had fallen across all nations in which surveys were conducted. Done correctly, the full digitalisation of our monetary system can benefit us all. However, without due care, complications are likely to arise - not least with regard to data protection. With this in mind, the EDPS and EDPB trainees organised a lunchtime conference, entitled Big Banking is Watching You: Privacy in a Cashless World.
The two-hour conference took place on Data Protection Day, 28th January 2018. Held at the European Parliament in Brussels, it explored the questions surrounding the protection of privacy and personal data in online transactions and payments. Trainees and officials from the EU institutions and beyond were invited to attend. Encouragingly, there were a number of youthful faces in the audience, eager to find solutions to the privacy concerns emerging today, which will undoubtedly have in impact in the future.
Assistant Supervisor Wojciech Wiewiorowski kicked off proceedings at the conference, offering opening remarks on the topic before the expert discussion began. Already, the partial digitalisation of the financial system has raised important questions: how is financial data used by those who collect it? Who has access to this data? And how can the prospect of increased surveillance be mitigated? As we move closer to cashlessness, concerns surrounding social and financial exclusion, profiling and automated decision making will only intensify. EDPS Giovanni Buttarelli was on hand to wrap up discussions stressing that it is important to find a compromise between the advantages gained from the full digitalisation of payments and the privacy risks that such an upheaval entails.
We would like to thank Els Kindt for moderating the conference, and Carl-Christian Buhr, Jérémie Dubois-Lacoste, Farid Aliyev and Philippe de Koster for taking part in our lively panel discussion.
Within the EU institutions, Data Protection Officers (DPOs) are the first port of call for all things data protection. This includes employment data and administrative functioning, but also anything connected to the core business of their institution.
When it comes to ensuring compliance in practice, DPOs are our main point of contact with the EU institutions, each of which has its own DPO. Becoming a DPO is a career option for any member of EU staff interested in data protection. To give you an idea of what it is like to work as a DPO in an EU institution, we spoke to Barbara Eggl, Data Protection Officer at the European Central Bank (ECB).