In the April 2019 edition of the EDPS Newsletter we look at the investigation into contractual agreements involving software in the EU institutions, examine newly released Opinions on cybercrime cooperation and electronic evidence and announce the next recording of our #DebatingEthics Conversations podcast.
In this issue
EDPS investigates contractual agreements concerning software used by EU institutions
As the supervisory authority for all EU institutions, the EDPS is responsible for monitoring and enforcing their compliance with data protection rules. In this capacity, the EDPS announced on 8 April 2019 that it is undertaking an investigation into the compliance of the contractual arrangements concluded between the EU institutions and Microsoft.
Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”
The EU institutions rely on Microsoft services and products to carry out their daily activities. This includes the processing of large amounts of personal data. Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new Regulation. The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.
Cross-border access to electronic evidence: negotiating an EU-US agreement
To make our justice system as effective as possible, EU law enforcement authorities need to be able to work and exchange information with partners outside the EU. Even as we do this, however, it is important to ensure that the fundamental rights of people within the EU remain protected. On this basis, on 2 April 2019 the EDPS issued an Opinion on a Recommendation for a Council Decision that would authorise negotiations on an EU-US agreement on cross-border access to electronic evidence as part of judicial cooperation in criminal matters.
The proposed agreement would establish common rules on direct cooperation between law enforcement authorities and service providers in the EU and the US, and would address conflicts between EU and US law on obtaining content and non-content data.
Our Opinion provided constructive and objective advice on the negotiating mandate of an EU-US agreement to lay down common rules on cross-border access to electronic evidence. We welcomed confirmation that the EU-US Umbrella Agreement would be referenced in the proposed agreement, and therefore fully applicable, in addition to other safeguards.
More specifically, we proposed that judicial authorities designated by the other Party to the agreement be involved as early as possible in the process of gathering electronic evidence. This would give these authorities the opportunity to review the compliance of any requests for evidence with fundamental rights, and to raise grounds for refusal if appropriate. We also recommended adding Article 16 of the Treaty on the Functioning of the EU, which establishes the fundamental right to the protection of personal data, as a substantive legal basis of the agreement.
The EDPS will remain available to provide further advice to the Commission during the negotiations, as needed. We look forward to being consulted on the final text of the draft agreement when it is ready.
Authorisation for data transfers under the GDPR for EUI
It is easy to forget that levels of personal data protection outside the European Economic Area (EEA) are not necessarily as high as within the bloc. Since the rules are not consistent, transferring personal data to countries outside the EEA and to international organisations can carry additional risks. Data protection rules in the recipient's jurisdiction may not be up to the European standards – or may not exist at all. This is why there are specific rules on these transfers in Chapter V of the new data protection rules for the EU institutions (GDPR for EUI).
The EDPS explained how to protect such transfers in a position paper on this topic. Though the paper refers to Regulation 45/2001, which has now been replaced by the GDPR for EUI, the general concepts remain the same.
The preferred option is to transfer data to recipients in jurisdictions recognised as providing adequate protection, for example Switzerland or Japan. The second-best option is to safeguard such transfers with standard contractual clauses or by basing them on an international agreement including the necessary safeguards. These types of transfers do not require a specific authorisation from the EDPS.
Two further options exist: 'ad hoc' contractual clauses between the EU institution in question and the recipient, and data protection provisions inserted into administrative arrangements between public authorities or bodies. Unlike the options above, both of these require prior authorisation from the EDPS before they can be used. Separately, Article 50 of the GDPR for EUI sets out derogations for some specific situations in which a transfer may take place without such safeguards. Our first decision on a data transfer under the new rules, in March 2019, concerned the use of an administrative arrangement.
To reinforce all these concepts, the EDPS has created a new section on our website, where these decisions will be published. We welcome you to use this area as a resource for ensuring that data transfer agreements involving each institution always fit within the rules for the EU institutions – even when data flows beyond our borders.
EU employees’ rights under the new GDPR for EUI
The very nature of the EU project involves the processing of personal data in many fields. Notably, EU institutions process data in their role as employers, in the same way as any number of other public bodies in the EU, and face the same challenges that this task poses.
As data controllers, public institutions are responsible for many data processing operations relating to the staff they employ. This can cover a wide range of areas, such as recruitment, payroll and the management of human resources. As it involves personal information, this processing is subject to a number of rules.
Under the new GDPR for EU institutions (EUI), EU employees now have more rights than ever before when it comes to the processing of their personal data by their employer.
First, there is the right to information, since employees can only exercise their rights if they are informed about them. All EU staff members need to be told who is responsible for keeping their personal data, why their data is being processed and all other information needed to ensure fair and transparent processing. All of this has to be clear, easily accessible and understandable by the employee. In all contacts relating to their personal data, EU staff members have the right to communication in a clear, concise and transparent way.
Employees also have the right of access; they can ask if their institution is processing their personal data. If this is the case, employees can request access to their personal data and additional information, like the purpose, the categories of data involved and any recipients of that data.
If their personal data is inaccurate, employees have the right to rectification; they can ask their institution to correct any incorrect information about them. This includes if their personal details have changed over time. For example, if the employee changes their home address, they can ask their institution to update that information.
Employees also have the right to the erasure of their personal data, under some circumstances. For example, if the data is no longer needed for the purpose it was collected, and there is no legal obligation for the institution to keep it, EU staff members can ask their institution to erase it from their personal file.
All of the rights above add up to an extensive set of data protection rights specific to EU employees. It is the role of the EDPS to make sure that these rights are clearly understood and work for everyone, so that the EU institutions lead by example, processing employee personal data fairly and lawfully.
An employer’s guide to data protection in practice
The EDPS has developed various Guidelines for the EU institutions that provide recommendations on best practice in the processing of an employee’s personal information. With the use of new technologies in the workplace becoming increasingly common, our Guidelines on web services and mobile devices are particularly helpful for employers.
The use of big data and the increasing reliance on technology in the workplace pose significant risks to employees’ personal data rights. Not only are these technologies susceptible to security breaches and misuse, but being constantly monitored also changes the way that we behave, as we try to conform to the expectations of those who are monitoring us.
As the Guidelines explain, the pervasive monitoring of workers through digital media is not acceptable. Employers need to be aware of the difference between supervising employees’ work and constant monitoring. They also need to protect their employees by taking into account any known internet-related threats and vulnerabilities relating to the specific web services and technologies they use. They need to identify whether these web services process personal data, and exactly what data is processed, and ensure that the user provides active, explicit and informed consent before any cookies are used. All records containing identifiers, notably IP addresses, are personal data and must be treated as such.
While the Bring-Your-Own-Device model offers greater work flexibility and is increasingly common, mobile devices pose specific risks to corporate and private data that employers need to assess. To guarantee an adequate level of protection, EU institutions must carry out a risk management process, assessing the security risks of using mobile devices for processing personal data. Employers must then implement measures to deal with the identified risks. These measures might be organisational, such as the adoption of information security policies, or technical, such as Mobile Device Management solutions and the implementation of the necessary software updates.
To properly manage the use of mobile devices, whether the property of the EU institutions or privately owned, institutions should adopt written procedures for managing the lifecycle of these tools. Such procedures should take into account all operations that need to be performed on the device.
By following our Guidelines and applying the new principles set out in the February edition of our Newsletter, including the principles of data protection by design and by default, we can ensure that data protection rules benefit both employers and employees.
This topic will be the subject of our upcoming podcast on digital innovation and privacy in the workplace so, for more information, make sure to check it out!
Managing contact lists: a guide
It is essential that EU institutions interact directly with the wider world. Through a range of channels, the EU institutions engage with EU citizens, relevant stakeholders, EU staff members and more.
Nonetheless, contact lists contain a lot of personal data and so they have to be in line with data protection rules. Even if an EU institution stores contact details collected for different purposes in one single database, this does not mean that the data can be used for any purpose.
In fact, one of the most important guiding principles in personal data protection is that of purpose limitation. Purpose limitation protects individuals by setting limits on how data controllers are able to use their data.
The concept has two building blocks: first, personal data must be collected for a specified, explicit and legitimate purpose, and secondly it should not be processed again later in a way incompatible with the original purpose. This principle is also linked to fairness: purposes must be clearly defined so that those affected know what to expect.
For example, taking the contact details of a colleague working in a different EU institution with the purpose of following up on a specific matter does not amount to permission to add this person to the mailing list of your own EU institution's Newsletter. The original purpose for collecting personal data defines the scope of how this personal data can be used. As an example, if you were sent this newsletter by email, it is only because you gave explicit consent by signing up to receive it!
Not every additional processing action is incompatible, but changes in purpose have to be assessed on a case-by-case basis. This should take into account:
1. the relationship between the purpose for which the data was originally collected and the purpose of the further processing
2. the context in which the data was collected and the reasonable expectations of the individuals concerned as to the further use of their data
3. the nature of the data and the impact of the further processing on the individuals concerned
4. the safeguards applied to ensure fair processing and to prevent any undue impact on the individuals concerned
More information on this four-factor test can be found in the Article 29 Working Party (WP29) Opinion on purpose limitation.
Podcast Announcement: Digital innovation and privacy in the workplace
Advances in digital technology are celebrated for delivering better security and greater efficiency in the workplace. At the same time, they have enabled more intrusive monitoring and control of workers through algorithmic decision-making.
In the spirit of identifying and preventing new dangers to fundamental rights and values in the digital age, on 30 April 2019 we host our next #DebatingEthics Conversation, dedicated to the digitalisation of work. With our expert speakers Ursula Huws, Barbara Prainsack and Aiha Nguyen we will discuss topics such as:
- Monitoring and ‘optimisation’: the ways in which workers are increasingly subject to intrusive surveillance, as well as techniques aimed at maximising the efficiency of their behaviour. This is reported, for example, among workers in e-commerce warehouses, drivers for ride-hailing services and even street cleaners.
- Criticism of the culture in the tech sector, including prejudice and secrecy in Silicon Valley and the excessive working hours demanded of employees in China’s tech hubs.
- The intense extraction of human labour, personal data and natural resources which underpins the gadgets, networks and software which make up the digital economy, and the impact of digital externalities on people and on the environment, from the working conditions of cobalt miners to human moderators required to sift through disturbing content as a full-time job.
How do trends like these relate to labour rights, privacy and data protection principles? What broader questions of social justice and human dignity do they raise? What role do we want work to play in our lives and in society? The constant evolution of technology requires us to continuously reassess the purposes for which we use it.
We look forward to addressing these essential questions in our next #DebatingEthics Conversation! You can follow the recording live on 30 April 2019 at 17:00 (CEST) and submit your questions to the speakers. Stay tuned for updates by following us on Twitter, LinkedIn or the EDPS website.
Supporting greater international cooperation on cybercrime
The adjustment of an international agreement with an impact on fundamental rights is always a delicate task and the EDPS takes its consultation role in these matters seriously. On this basis, and at the request of the European Commission, on 2 April 2019 the EDPS published an Opinion on the Commission’s Recommendation for a Council Decision that would authorise the Commission to participate in negotiations towards a Second Additional Protocol to the Budapest Cybercrime Convention.
Negotiations on the new Protocol aim to improve cooperation in the collection of electronic evidence in criminal matters. The planned additions also concern direct cross-border cooperation between law enforcement authorities and service providers, including direct cross-border access to data, which is a significant development.
The EDPS supports the Commission’s participation in negotiations to ensure the compatibility of the new Protocol with EU law. Besides several specific recommendations, we advocated ensuring the mandatory nature of the agreement, which should include detailed safeguards, especially in terms of purpose limitation. This principle is particularly important as not all parties to the Protocol operate under the same data protection frameworks.
The EDPS has consistently pushed for sustainable arrangements for personal data sharing with non-EU countries for law enforcement and we are encouraged to see movement in this direction. We will remain at the disposal of the Commission and the Council for further advice during the negotiations and expect to be consulted on the text of the draft agreement once ready.
Protecting the principle of purpose limitation: the ETIAS case
The European Travel Information and Authorisation System (ETIAS) is an in-progress project established by a new Regulation in late 2018 and intended to be operational in 2020. The system aims to identify in advance any security, illegal immigration or health risks among visa-exempt non-EU nationals travelling to the Schengen Area. Put simply, the system will enable more comprehensive oversight of, and information sharing about, non-EU nationals moving in and out of the Schengen Area.
Under the new system, all such travellers will have to file an online travel authorisation application before their date of departure. The data submitted in each application will be compared with data held in other EU and Interpol databases to determine whether there are grounds to refuse a travel authorisation.
The Commission issued two further Proposals on 7 January 2019 to improve interoperability between the ETIAS and the other EU databases. Interoperability enables large-scale EU databases to communicate and exchange information. The Commission presented these Proposals as limited technical changes, mirroring existing provisions in the ETIAS Regulation.
However, in our formal Comments we stressed that the Proposals are far from being “limited technical adjustments”. This is because they also include the use of data stored in the European Criminal Record Information System for third country nationals (ECRIS-TCN).
The ECRIS-TCN contains very sensitive information. It is a tool designed to support judicial cooperation. Using it for border management purposes constitutes a major change to the ECRIS-TCN, and suggests that personal data would be used for a purpose different from the one that it was originally collected for. We therefore stress the need for a proper data protection assessment of the Commission’s Proposals, to be conducted in full transparency.
Combatting VAT Fraud
The European Commission’s recent initiative aims to adapt VAT enforcement in the e-commerce environment and reduce fraud. However, continued respect for our fundamental rights must be ingrained in any new proposal.
In our Opinion of 14 March 2019, we assessed two Commission Proposals aimed at strengthening the fight against VAT fraud in the area of e-commerce. Our feedback aimed to minimise the impact of these Proposals on the fundamental rights to privacy and to the protection of personal data.
We stressed the need to strictly limit any data processing to the purpose of fighting tax fraud and to limit the collection and transfer of personal data, in particular by payment service providers, to what is necessary and proportionate to that goal. Moreover, we highlighted that any data processed should only relate to the company receiving the payment, not the consumer involved. This would ensure that any information collected could not be used for monitoring consumer purchase habits, for example. We recognised that the Commission has adopted this approach and we strongly recommend that it be maintained throughout the legislative negotiations.
Since the Proposals would set up a central electronic database (CESOP) hosted and managed by the Commission, we referred the Commission to past EDPS guidance on IT governance and management.
Finally, we gave guidance on the conditions and limitations on restricting the data protection rights of the person concerned, to bring them in line with the GDPR and the new data protection rules for the EU institutions. The EDPS believes that our recommendations will provide useful guidance for the next stage of the legislative process.
Defining the state of the art in data protection by design
The Internet Privacy Engineering Network (IPEN) is aiming to boost cross-disciplinary awareness of what constitutes the "state of the art" in privacy engineering. IPEN’s most recent workshop, in Brussels, on Data Protection Day, gave a broad outline of the issues at stake. Next up is our IPEN event in Rome on 12 June 2019, entitled Towards an operational definition of state of the art in data protection by design – Current state and future trends.
Legal obligations in the new EU data protection framework require controllers to consider the state of the art not only in data processing security, but also when ensuring data protection by design and by default.
While there are guidelines defining the state of the art in IT security, there is less operational guidance on what the state of the art is in data protection by design. Those involved in the technical and legal processes do not necessarily have a shared understanding of what data protection by design means in practice. Ideally, we believe that the groups involved should develop a common language to talk about these concepts, to allow them to meaningfully communicate about obligations, requirements, options and choices.
In the past, IPEN, which was established by the EDPS in 2014, has supported a general exploration of the concepts involved and provided a platform for showcasing privacy friendly solutions. The next step is to identify the state of the art in data protection by design in a concrete sense, including specific fields of application. The upcoming workshop will aim to produce first elements of tangible privacy-enhancing measures, covering current innovations as well as promising developments.
We are encouraging participation and input from all related experts, whether you have experience in privacy regulation, relevant solution development, or technology-driven business management. If you are interested in taking part, please refer to the workshop web page for registration and further details.
Assessing risk in personal data breaches
On 4 April 2019 the EDPS organised a conference in partnership with the European Union Agency for Network and Information Security (ENISA). The event, Towards assessing risk in personal data breaches, was very well received, with more than 200 participants coming together to share ideas and discuss key issues.
In line with the goals of the conference, we provided a technical overview of current practices, followed by discussions with controllers and supervisory authorities. The focus throughout was on risk assessment and the challenges surrounding it, examining the legal obligation of personal data breach notifications under the General Data Protection Regulation (GDPR) and the new data protection rules for the EU institutions.
Risk assessment is a core element in preventing and responding to personal data breaches, which inherently create a lot of uncertainty. Unlike traditional information security risk assessment, which evaluates risk to the organisation, risk assessment in a personal data breach evaluates the risk to the rights and freedoms of the individuals concerned. Many different methodologies are in use among stakeholders, supervisory authorities and private and public organisations. The recent Guidelines from the EDPS and from the European Data Protection Board (EDPB) provide practical examples to assist in this process, and the conference provided valuable input for further guidance and future work in this area.
Our speakers provided a range of viewpoints on the challenges of risk assessment and presented new relevant working methods. Important issues were raised, including the challenges of complying with the strict notification deadlines, the roles of controllers and processors, and the adoption of specific methodologies for risk assessment, including those using both quantitative and qualitative methods. To improve knowledge sharing, we have published the presentations of the speakers on the Conference website, and Conference notes will be available soon as well. We look forward to further collaboration with ENISA on these important areas of shared interest.