In the March 2018 edition of the EDPS Newsletter we cover EDPS preparations for the revised Regulation for EU institutions, the 2017 EDPS Annual Report, the future of passenger name record (PNR) data and blockchain. You can also check out the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC) website, which is now live!
In this issue
EDPS helping EU institutions to prepare for new chapter in EU data protection
Two months before the new data protection rules set out in the General Data Protection Regulation (GDPR) become applicable, the EDPS has published two new sets of Guidelines. The Guidelines provide advice to the EU institutions on how to adapt to this new chapter in EU data protection, which is notable for the emphasis it places on the principle of accountability.
The Guidelines address data protection requirements for the management and governance of IT infrastructure in general, and for cloud computing services specifically. They build on the principles enshrined in the GDPR, which will apply in the Member States from 25 May 2018.
Wojciech Wiewiórowski, Assistant EDPS, said: “When we published our Strategy for the current mandate in 2015, we made readiness for the GDPR one of our top priorities. We are contributing to this target through our work with the EU institutions, as well as through our preparation of the EDPB secretariat. I am glad to see that we are on track with our efforts, and look forward to the completion of discussions currently underway between the European Parliament and the Council to finalise the new rules for the EU institutions.”
Data Protection and Privacy in 2018: Going beyond the GDPR
2018 will be a landmark year for data protection. As co-host of the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC) and a key player in the reform and implementation of the new EU data protection framework, the EDPS will remain at the forefront of the global dialogue on data protection and privacy in the digital age, the EDPS said on 20 March 2018, as he presented his 2017 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).
Giovanni Buttarelli, EDPS, said: “In the EDPS Strategy 2015-2019, we set out three goals and an action plan to help the EU lead by example in the global dialogue on data protection and privacy in the digital age. As our 2017 Annual Report shows, we are well on the way to achieving our aim. In October this year, Brussels will play host to the 40th International Conference of Data Protection and Privacy Commissioners. This is a unique opportunity to showcase the leading role played by the EU in this area. Through focusing on the topic of Digital Ethics, we will explore effective, international and interdisciplinary responses to the challenges we face in the digital age. I am therefore proud to announce not only the publication of our 2017 Annual Report, but also the launch of our 2018 International Conference website.”
EDPS advocates an extension of the scope of protection afforded to individuals’ interests in the digital society
The ever-increasing pervasiveness of big data analytics and artificial intelligence in our daily lives has a varied impact on civic engagement in decision-making and on the barriers to public involvement in democratic processes, the EDPS said on 20 March 2018, as he published his Opinion on the topic. The ease of gathering and storing large volumes of data generates massive amounts of digital advertising revenue, the vast majority of which, and the resulting power, is vested in a small number of companies that dominate the digital field.
Giovanni Buttarelli, EDPS, said: “The solution is to be found beyond content management and transparency, though they may help where appropriate. What we also need is better enforcement of the rules on data processing, especially sensitive information like on health, political and religious views, and accountability. Antitrust and merger control – with the support of DPAs - has a central role in addressing structural issues of concentrated markets. But with the threat posed to social norms and democracy we now need to expand collaboration to include electoral regulators and audiovisual media regulators. We also have to change the incentives in the market. That is why new ePrivacy rules are essential.”
The EDPS training campaign continues
In our February Newsletter, we reported on our efforts to prepare the EU institutions and bodies we are responsible for supervising for the new data protection rules currently being discussed by the European Commission, Parliament and Council. As part of these efforts, on 1-2 March 2018 we organised a one and a half day training session in Athens, for staff working at the EU Agency for Network and Information Security (ENISA) and the European Centre for the Development of Vocational Training (CEDEFOP).
The training session was an opportunity for us to reaffirm current data protection obligations and introduce the new obligations, which will apply under the revised Regulation 45/2001. We gave a step by step demonstration on how to fill in a record and a privacy statement, using current ENISA and CEDEFOP notifications and privacy statements on events, experts and health as examples, and also explained the rights of individuals under the current legislation and the revised legislation, providing specific examples.
In addition, we prepared two specific case studies, on event organisation and the monitoring of experts' work, designed to encourage participants to exchange ideas on topics relevant to their everyday work. Our aim was to inspire those who are responsible for processing data to start taking action, particularly when it comes to putting in place relevant and effective data protection safeguards, in order to ensure that they are ready when the revised rules come into force.
Joint controllership: the case of the Online Linguistic Support tool
Erasmus+ is the European Commission’s programme for education, training, youth and sport. The Education, Audiovisual and Culture Executive Agency (EACEA) runs the programme for the European Commission's Directorate General for Education and Culture (DG EAC), alongside national agencies in the Member States.
As part of the Erasmus+ programme, EACEA runs an online tool known as Online Linguistic Support (OLS), used to check if an individual’s language skills have improved during their stay abroad. Language skills are tested both before leaving and upon return home, and the OLS also provides online language classes. The tests are mandatory for any individual receiving funding through Erasmus+, but any consequences relating to failing to take the test, such as a reduction in an individual’s mobility grant, are decided at national level.
Any processing of personal data proposed by an EU institution or body and considered to pose a specific risk to the rights and freedoms of the individuals concerned is subject to prior checking by the EDPS. However, while EACEA provides the online tool, it does not carry out an evaluation of the data collected by the tool, a task which is done at national level. We therefore informed EACEA that no prior check was necessary in this case.
The case raised an interesting question, relevant to many European systems, platforms and tools. The EDPS sees the distribution of tasks between EACEA and DG EAC on the one hand, and national agencies on the other, as a case of joint controllership, meaning that both EU and national authorities are responsible for determining the means and purposes of the processing of personal data. We therefore recommended clarifying the responsibilities of the different controllers involved, so that it is possible for individuals to address the right organisation immediately, depending on their needs. For example, in the case of the OLS, requests for access to personal data relating to test results should be addressed to the national agency of an individual’s home country, while the security of the OLS central system remains the responsibility of EACEA.
The EU-U.S. Privacy Shield two years on
Under EU law and its interpretation by the courts, where a third country requires access to personal data concerning people in the EU it must provide clarity as to the purposes for accessing the data and ensure real safeguards for the individuals affected.
The EU does not interfere and does not purport to interfere in the surveillance activities conducted by the United States or any other third country insofar as they are directed at their own citizens. However, if the secret services of a third country want to access data concerning people in the EU collected for commercial purposes, then clarity and specific safeguards are essential.
In September 2017, an EU delegation composed of representatives of the Commission and several European data protection authorities (including a representative of the EDPS) attended the first joint review of the implementation of the agreement in Washington, D.C., covering both its commercial and its law enforcement aspects.
Simplifying judicial cooperation on family matters
On 15 February 2018, the EDPS published an Opinion on a proposal for a recast of the Brussels IIa Regulation, which we presented at the Council on 1 March 2018. This Council Regulation on jurisdiction concerns the recognition and enforcement of decisions in matrimonial matters and matters of parental responsibility, including international child abduction. The Opinion was formally requested by the Council.
The recast of the Brussels IIa Regulation establishes uniform jurisdiction rules for divorce, legal separation and annulment of marriage, as well as for disputes about parental responsibility in cross-border situations. Its overall objective is to remove the remaining obstacles to the free movement of judicial decisions, in line with the principle of mutual recognition, and to better protect the interests of the child by simplifying the procedures involved and improving efficiency. The new rules also aim to avoid the creation of a new EU IT system, by improving cooperation between the central authorities involved in exchanging information within and across Member States.
Our Opinion outlines specific recommendations to ensure that any processing of personal data is done lawfully and that suitable and specific safeguards are put in place to protect the fundamental rights and interests of the individuals concerned. We also recommended that clauses explaining the specific purposes for which data can be processed, and the individuals this concerns, be inserted into the text, as well as explicit references to the need to respect the principles of data quality and minimisation.
In addition, we stressed the importance of specifying that any reference to the national law of a Member State should not lead to increased limitations on an individual’s right to information at national level. This is important in order to ensure that data is processed fairly and consistently across the EU. We also recommended establishing a principle in the Regulation providing individuals with the right of access to any information transmitted to the requesting authority of a Member State. To deal with cases where restrictions to an individual’s rights of access and rectification are considered necessary, a clear and specific provision laying down the scope of these restrictions must be included.
Debating the future of PNR
On 21 February 2018, Assistant Supervisor Wojciech Wiewiórowski and a member of the EDPS Policy and Consultation Unit attended a conference on the Future of Passenger Name Record (PNR) Data, organised by the Bulgarian Presidency of the EU.
To date, the EDPS has delivered a number of Opinions on proposals for an EU PNR system and on international agreements for the exchange of PNR data. Most recently, we intervened in the proceedings on the proposed EU-Canada PNR agreement, which the Court of Justice of the European Union (CJEU) found incompatible with EU fundamental rights, particularly those relating to respect for private life and the protection of personal data.
Mr. Wiewiórowski was the only speaker at the conference who addressed the data protection implications of the use of PNR data by competent authorities. In his presentation, he explained the relevance of data protection principles to the discussion on PNR and the importance of ensuring that any EU agreement or proposal on PNR respects EU fundamental rights, using the EU-Canada PNR agreement as an example. The EDPS will continue to follow developments relating to this agreement, which should be adapted to include the recommendations outlined in the CJEU Opinion of July 2017.
Around 50 people attended the conference, including officials in charge of setting up the Passenger Information Units (PIU) from the Member States and representatives from the State Agency for National Security of the Republic of Bulgaria, the Commission, the General Secretariat of the Council, Europol, the EU Agency for the operational management of large-scale IT systems (eu-LISA), Frontex, the Fundamental Rights Agency (FRA), and the EU Counter-Terrorism Coordinator. Representatives from agencies involved in the use of passenger information in Australia and the USA were also in attendance.
Fighting fraud while respecting data protection
On 30 November 2017, the European Commission tabled a Proposal for a Regulation aimed at strengthening administrative cooperation in the field of value added tax (VAT). The intention is to simplify the current system while making it more robust and resilient to fraud, by increasing trust and cooperation between tax administrations.
The Proposal amends the current rules, set out in Regulation 904/2010. It aims to put into practice the Commission's plan for a new, definitive single EU VAT area, presented in October 2017, as well as the provisions set out in its VAT Action Plan, presented in April 2016. It also complements the VAT e-commerce package, adopted in December 2016, by envisaging deeper cooperation among Member States. In our Formal Comments, published on 8 March 2018, we addressed some of the data protection implications of the Proposal.
Under the Proposal, the exchange and processing of information would take place both in order to help combat VAT fraud and to facilitate administrative cooperation. While this process mainly concerns information relating to registered companies, or legal persons, data relating to individuals, or natural persons, may also be involved. As the Commission will be responsible for processing this data, we advised them that the data protection rules applicable to the EU institutions and bodies, laid down in Regulation 45/2001, would therefore apply in this case, including supervision by the EDPS.
The Proposal also appears to impose an obligation on Member States to introduce far-reaching restrictions on the rights of individuals, as part of national law. We reminded the Commission that any plans to restrict the rights of individuals must comply with the standard established under Article 23 of the General Data Protection Regulation (GDPR). We therefore recommended including a dedicated provision in the new Regulation outlining the specific conditions, to be assessed on a case-by-case basis and in relation to the objective pursued, under which certain specific rights may be restricted, as well as the necessary safeguards that should be implemented in such cases.
We also highlighted the need to determine an appropriate data retention period, taking into account the period of time after which it is no longer possible to prosecute due to the legal limitation periods relating to VAT fraud offences. Moreover, we strongly recommended establishing a maximum data retention period for all personal data processed under the terms set out in the Proposal, with possible exceptions for exceptional and duly justified circumstances.
Our Comments also addressed data protection concerns relating to the joint processing and analysis of data within Eurofisc, a mechanism intended to improve administrative cooperation between the Member States.
Blockchain: assessing the implications for data protection
Blockchain has become a powerful buzzword in the world of technology and financial innovation. The technology is currently used as an enabler for Bitcoin and other so-called crypto-currencies, and sparked the development of Distributed Ledger Technology (DLT). Distributed ledgers such as blockchains are databases with many replicas under the shared control of distinct, often autonomous participants.
Blockchain was originally developed to secure online transactions through cryptography rather than trusted intermediaries. EU industries and legislators are now assessing the viability of using the technology in a range of areas, from finance to e-government, and even in personal healthcare. However, it is vital that these assessments consider the data protection implications of such distributed databases: once personal data is written to a ledger replicated among many participants, it can no longer be corrected or deleted by any single one of them.
Whenever blockchain technology is used to process personal data the relevant data protection law applies. The processing of personal data must respect the data protection principles outlined in the General Data Protection Regulation.
The EDPS has been following the evolution of blockchain for the past two years. So far, we have identified challenges to data protection principles in areas such as storage limitation, controllership and individuals' rights. Over the course of 2018, we plan to increase our efforts to monitor this fast evolving technology, in order to adequately advise the EU legislator on the possible risks and safeguards involved in its application.
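The storage limitation challenge mentioned above can be made concrete with a small hash chain. The following is an added illustration, not EDPS code and not a design the newsletter endorses: it shows why erasing a record written directly on-chain invalidates the chain on every replica, and then shows the commonly discussed mitigation of keeping only a salted commitment on-chain while the record and its salt stay off-chain under the controller's control, so that erasure means deleting the off-chain copy. The `Ledger`, `CommittedRecords` names and the enrolment records are constructed for this example.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: str  # replicated to every participant; no single party can remove it

    def block_hash(self) -> str:
        return sha256_hex(json.dumps([self.index, self.prev_hash, self.payload]).encode())


class Ledger:
    """Minimal hash chain: each block commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, payload: str) -> Block:
        prev = self.blocks[-1].block_hash() if self.blocks else GENESIS
        block = Block(len(self.blocks), prev, payload)
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            if block.index != i or block.prev_hash != prev:
                return False
            prev = block.block_hash()
        return True


# --- Naive design: personal data written directly on-chain -------------------
def naive_erasure_breaks_chain() -> bool:
    ledger = Ledger()
    ledger.append("enrolment: Alice Example, alice@example.org")  # constructed record
    ledger.append("enrolment: Bob Example, bob@example.org")      # constructed record
    assert ledger.verify()
    # Honouring an erasure request means rewriting block 0 on every replica...
    ledger.blocks[0].payload = "[erased]"
    # ...and every unmodified replica now rejects block 1's prev_hash.
    return not ledger.verify()


# --- Mitigation: salted commitment on-chain, data off-chain with the controller
class CommittedRecords:
    """On-chain: salted hash only. Off-chain: the record and its salt, held by the controller."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.off_chain: Dict[str, Tuple[bytes, str]] = {}  # commitment -> (salt, record)

    @staticmethod
    def commit(salt: bytes, record: str) -> str:
        return sha256_hex(salt + record.encode())

    def add(self, record: str) -> str:
        salt = secrets.token_bytes(32)  # 256-bit salt: the hash cannot be dictionary-attacked
        commitment = self.commit(salt, record)
        self.ledger.append(commitment)  # only the commitment is replicated
        self.off_chain[commitment] = (salt, record)
        return commitment

    def lookup(self, commitment: str) -> Optional[str]:
        entry = self.off_chain.get(commitment)
        return entry[1] if entry else None

    def prove(self, commitment: str) -> bool:
        """The controller can still show that a held record matches its on-chain commitment."""
        entry = self.off_chain.get(commitment)
        return entry is not None and self.commit(*entry) == commitment

    def erase(self, commitment: str) -> None:
        # Deleting salt and record leaves an opaque hash on-chain; chain integrity is untouched.
        self.off_chain.pop(commitment, None)


def off_chain_erasure_keeps_chain() -> bool:
    store = CommittedRecords(Ledger())
    c_alice = store.add("enrolment: Alice Example, alice@example.org")
    c_bob = store.add("enrolment: Bob Example, bob@example.org")
    assert store.prove(c_alice) and store.lookup(c_alice) is not None
    store.erase(c_alice)
    # Without the salt, a guessed record cannot be matched against the commitment.
    guess_matches = sha256_hex(b"enrolment: Alice Example, alice@example.org") == c_alice
    return (store.lookup(c_alice) is None and not guess_matches
            and store.prove(c_bob) and store.ledger.verify())


if __name__ == "__main__":
    print("naive design: erasure breaks chain integrity ->", naive_erasure_breaks_chain())
    print("off-chain design: erasure keeps chain valid   ->", off_chain_erasure_keeps_chain())
```

Two caveats a practitioner should keep in mind. First, the pattern only helps if the salt is high-entropy and is deleted together with the record; a hash of a low-entropy value such as a name or e-mail address without a salt can be confirmed by guessing. Second, whether an orphaned commitment still counts as personal data, and who the controller of a ledger replicated among many participants is, are the controllership and storage limitation questions the newsletter flags as open; the code resolves the integrity problem, not the legal one.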
Mobile data, global flows
Organised by the global associations of the mobile communications industry, the Mobile World Congress in Barcelona has become one of the world’s most important technology fairs. While companies demonstrate their newest technologies to potential customers as part of an exhibition, a conference provides the setting for discussions between business representatives, politicians and regulators on regulatory and political developments.
Assistant Supervisor Wojciech Wiewiórowski attended the conference in February of this year, participating in panels and round tables alongside other data protection commissioners from across the world. Privacy regulators explained how data protection principles can be applied to new technology and how these principles protect the fundamental rights of citizens, while outlining their expectations in relation to the measures taken by the industry to incorporate these principles into their products. Industry representatives, however, expressed their concerns that some legislative initiatives could lead to the unnecessary restriction of the cross-border data flows they consider necessary for some business activities.
5G, the expected next generation of mobile communications technology, which still faces technical and regulatory challenges, was a frequent topic of discussion in Barcelona, particularly in relation to the governance of spectrum (the regulation of radio frequencies). Artificial Intelligence (AI), Big Data and the Internet of Things (IoT) were also big talking points. The EDPS participated in a debate with industry and consumer representatives on transparency and control for individuals in the collection and processing of their data in IoT environments, stressing that the GDPR provides clear rules on this, specifically on the relevant principles and individuals' rights. The principles of data protection by design and by default should be adopted by the manufacturers and providers of IoT devices and services. To aid them in this process, we invited these manufacturers and providers to cooperate with privacy, technology and other professionals through the Internet Privacy Engineering Network (IPEN), which will hold a workshop in Barcelona on 15 June 2018.
Data protection and IT security: encouraging effective risk management
On 8 February 2018, the EU Agency for Network and Information Security (ENISA) and Garante (the Italian data protection authority) organised a workshop on security of personal data processing in Rome. The EDPS was invited to the workshop to present its provisional guidance for the EU institutions on documentation and obligations relating to Data Protection Impact Assessments (DPIAs), and the role played by IT security risk management in this.
Under the General Data Protection Regulation, organisations responsible for processing personal data must put in place effective risk management policies to protect the fundamental rights and freedoms of the individuals concerned. This includes the specific requirement to manage IT security risks when processing personal data. It may also require a Data Protection Impact Assessment (DPIA), which is mandatory where the processing of personal data is likely to result in a high risk for the individuals concerned.
A focus of the workshop discussion was on the need for organisations to better integrate personal data protection risk management into their working methods. Integrating the obligations relating to both DPIAs and IT security into a common risk management process, which addresses both IT security and data protection risks, is undoubtedly a challenge. However, it is worthwhile, proving more efficient than implementing separate processes, as it avoids duplication and allows for a more successful implementation of the obligations outlined in the GDPR.
Data Protection Officers
Mr. Martin KRÖGER (Acting DPO), European Commission (EC)
Speeches and Publications
Speech by Giovanni Buttarelli as he presents the EDPS Annual Report 2017 before the Committee on Civil Liberties, Justice and Home Affairs (LIBE), European Parliament, Brussels, Belgium (20 March, 2018).
Speech by Giovanni Buttarelli at the meeting of the Joint Parliamentary Scrutiny Group on the European Union Agency for Law Enforcement Cooperation (Europol), Brussels, Belgium (19 March, 2018).
Speech by Giovanni Buttarelli at the Commonwealth Data Forum 2018 via videomessage, Gibraltar (21 February, 2018).