In the March 2019 edition of the EDPS Newsletter we cover the launch of our 2018 Annual Report, share the first episode of our #DebatingEthics Conversations podcast, and discuss the balance between security and fundamental rights when it comes to addressing terrorist content online.
2018 was a busy year for the EDPS and a pivotal year for data protection in general. Under new data protection rules, the rights of every individual living in the EU are now better protected than ever.
Our 2018 Annual Report is available on the EDPS website in PDF and HTML formats and provides an insight into all EDPS activities in 2018. Chief among these were our efforts to prepare for the new legislation.
The General Data Protection Regulation (GDPR) became fully applicable across the EU on 25 May 2018. Working with the new European Data Protection Board (EDPB), the EDPS aims to ensure consistent protection of individuals’ rights, wherever they live in the EU.
New data protection rules for the EU institutions also came into force at the end of 2018. Our job, as their supervisory authority, was to ensure that the EU institutions were ready for the new challenges they faced. In addition to updating our guidance documents, we provided training sessions and carried out visits and meetings across the EU institutions and bodies. We are dedicated to ensuring that the EU institutions lead by example in applying the new rules and will continue our work with them throughout 2019.
In parallel, the EDPS has worked hard to instigate a debate on a digital ethics. These efforts reached a diverse and global audience during the 2018 International Conference of Data Protection and Privacy Commissioners, co-hosted by the EDPS. Meanwhile, through his Digital Clearinghouse initiative, the EDPS has succeeded in bringing together regulators from competition, data protection and consumer protection, in an attempt to develop more coherent and consistent responses to the challenges posed by the digital economy.
As we move into 2019, and the last year of the current EDPS mandate, we will continue to work with the EDPB, international organisations and others to promote a global alliance, dedicated to tackling the technological challenges of the future.
On 11 February 2019, the EDPS led a discussion between data protection authorities, electoral regulators, audio-visual regulators, and representatives from media and platforms as part of the fight against online manipulation of personal data in elections. The event was attended by over 100 participants and featured keynote speeches from Giovanni Buttarelli, Elizabeth Denham and Shoshana Zuboff. It was also streamed live.
In addition to elections to the European Parliament, 14 national polls are planned across the EU in 2019. Our highly concentrated digital ecosystem and the opaque, massive-scale data sharing facilitated by constant ad tech monitoring and targeting creates an easy target for those seeking to undermine the integrity of our elections.
Among the topics under discussion was the need for greater diversity of public digital spaces for political discourse. We also addressed the decline in independent journalism, which is essential for effective fact checking and whistleblowing.
The challenges encountered during elections in 2018 were another topic of discussion. We looked at ways in which online manipulation occurs and examined key roles and responsibilities in the election ecosystem. We called for a concerted response from key actors, through collaborative forums like the new European electoral cooperation network and the Digital Clearinghouse.
The EDPS issued an Opinion on Online Manipulation and Personal Data in 2018. A recording of Europe Votes 2019 is available online. The full programme, including the list of speakers, can be found on the EDPS website.
The EDPS assists EU institutions and bodies as an independent advisor in ensuring that any limitation of the right to the protection of personal data complies with EU primary law. Our aim is to simplify policymaking on issues involving the protection of personal data, helping policymakers to consider this key dimension from the early stages of the legislative process.
On 25 February 2019, we launched a consultation on new EDPS Guidelines on Proportionality. These Guidelines aim to help policymakers to assess the validity of measures that limit the fundamental rights to privacy and the protection of personal data.
In 2017, the EDPS published the Necessity Toolkit, a framework aimed at helping policymakers to assess the necessity of proposed measures that would limit the fundamental right to the protection of personal data. The Guidelines relating to Proportionality are intended to complement the existing Toolkit. Both aim to help policymakers ensure that new proposals are compatible with the fundamental right to the protection of personal data. They also take into account existing guidance from the Commission and the Council regarding the approach to verifying the compatibility of new laws with the EU Charter of Fundamental Rights.
Any limitation of the rights and freedoms in the Charter must be provided for by law, respect the essence of those rights and freedoms and be both necessary and proportionate, taking into account not just the aims of the measure itself, but also the need to protect rights and freedoms.
We propose the following test to evaluate any new measure against four criteria:
As part of the Guidelines, we gave examples showing the link between negative effects to the right to privacy and negative effects to other fundamental rights, demonstrating that measures affecting privacy and data protection can affect not only the person concerned but also society as a whole. Throughout, we highlighted both existing European case law and EDPS legislative Opinions and formal Comments from recent years.
It’s important to have a range of opinions in developing our guidelines, and we would greatly appreciate your feedback. You have until 4 April 2019 to send us your views on our Proportionality Guidelines, at POLICY-CONSULT@edps.europa.eu
On 13 February 2019, we issued formal Comments on the European Commission proposal on the fight against dissemination of terrorist content online. The proposal outlines the responsibilities of service providers and the actions that they are required to take. Our Comments specify that these must be aligned with the fundamental rights to privacy and data protection, enshrined in the Charter of Fundamental Rights of the EU.
To ensure compliance with the Charter, the actions that service providers have to take need to be clearly described, taking into account the principles of quality of law and economic certainty. This will also help to limit discretion and provide adequate oversight for their activities in targeting terrorism content online.
Requirements for service providers to act against terrorist content should be highly specific, taking into account how much exposure the platform has to terrorist content and the reasons behind this exposure. Importantly, these actions must not lead to the creation of a systematic or broad monitoring system.
The removal of online terrorist content based on automated tools should always be subject to human oversight, and service providers should give those affected a meaningful explanation of all measures that are used. Service providers should also give competent authorities all necessary information, so that they are able to thoroughly analyse the automated tools used and ensure that they do not produce discriminatory, untargeted, unspecific or unjustified results.
Furthermore, in line with the judgements of the Court of Justice of the European Union, we called on the Commission to reconsider the proposed obligation for service providers to retain online terrorist content and related data for at least six months for the purpose of prevention, detection, investigation or prosecution of terrorist offences.
Efforts to counter terrorist content online are a necessary part of common security policy; the EDPS encourages further discussion to ensure that these efforts are balanced alongside the fundamental rights and freedoms of the EU.
Given the complexity of applying blockchain technology in privacy-friendly ways, European data protection authorities have so far been cautious about expressing their opinion on blockchain and related technologies. This is likely to change in 2019, as the European Data Protection Board (EDPB) considers including blockchain as one of the topics to cover in its Work Program 2019/2020.
In parallel with this, international humanitarian organisations are aiming to improve their understanding of the opportunities and risks related to privacy when using blockchain to, for example, distribute goods and services to refugees. The International Committee of the Red Cross is organising a series of workshops in 2019 to update their Handbook on Data Protection in Humanitarian Action, with the aim of providing specific data protection guidance on blockchain.
The EDPS is participating in these debates in its role as a member of both the EDPB and the Advisory Board set up for the workshop series on Data Protection in Humanitarian Actions. A recent workshop on blockchain held in February 2019 in Geneva brought together humanitarian organisations such as the Red Cross, UNHCR, and Medecins Sans Frontières, alongside technology experts from academia and European data protection authorities. The results of this discussion will feed into the next edition of the Handbook, coming in 2020.
The EDPS and the EU Agency for Network Information and Security (ENISA) are teaming up to host a conference on Personal Data Breaches, taking place in Brussels on 4 April 2019. Towards assessing the risk in personal data breaches will analyse how to assess the risk of personal data breaches to the rights and freedoms of individuals under the General Data Protection Regulation (GDPR) and the new data protection rules for the EU institutions.
Other panels will discuss experience gained to date in assessing personal data breach notifications since both regulations came into force, with a focus on difficulties encountered and practical solutions.
The full agenda is available on the ENISA website.
Can ethics undermine the law? Or does the law result from ethics? Can ethics ever be universal, or conversely should they always be contested and redefined? This is what our expert panel explores in the first episode of #DebatingEthics Conversations, our new podcast series on digital ethics. Hear what Julia Powles, Sandra Wachter, Peter Schaar, Pernille Tranberg and Joan Antokol have to say on how to responsibly regulate technology – and create a future that we all want to live in.
From Sandra Wachter: "Ethics is not supposed to be easy. Ethics is not there to be convenient. Ethics is there to challenge your views and notions and convictions on a daily basis."
Our next recording is on 30 April – save the date! Next time we’ll be examining new ethical questions arising from the digitalisation of work and employment. You can follow our updates on the EDPS Ethics page.
An Expert Q&A with Giovanni Buttarelli, by Thomson Reuters (25 March 2019).
Ceci n'est pas un article sur la protection des données et le droit de la concurrence, article by Giovanni Buttarelli on CPI Antitrust Chronicle (11 March 2019)
Presentation of the EDPS Annual Report 2018 by Giovanni Buttarelli before the Committee on Civil Liberties, Justice and Home Affairs (LIBE), European Parliament, Brussels, Belgium (26 February 2019)
Reporting back by the EDPS on Europol Supervision by Giovanni Buttarelli, Bucharest, Romania (25 February 2019)
Opening speech at Europe Votes 2019 by Giovanni Buttarelli, Brussels, Belgium (1 February 2019)