In the June 2019 edition of the EDPS Newsletter we review the results of the EDPS inspection of EU institution websites, look at the successful events held with International Organisations and IPEN and take a closer look at risk in personal data processing.
In this issue
EDPS flags data protection issues on EU institutions’ websites
In June, the EDPS announced the results of its inspection of the websites of major EU bodies, which revealed data protection and data security issues in seven out of the ten websites inspected. Each of the institutions concerned received recommendations from the EDPS on how to comply with data protection rules and they have reacted swiftly to start rectifying the problems identified.
Giovanni Buttarelli, EDPS, said: “The responses to this remote inspection have been reassuring. The EU institutions responsible for the most important websites have informed us of technical measures that they have implemented to significantly reduce the risks to security and privacy that were detected in our inspection. We have already received positive feedback from the inspected institutions concerning our recommendations and we expect to be able to confirm that all remaining issues are resolved in a follow-up inspection.”
The EDPS inspection concerned the data protection compliance of public web services controlled by the EU institutions and bodies, assessing compliance with Regulation 2018/1725, the ePrivacy Directive 2002/58/EC and the recommendations provided in the 2016 Guidelines on web services. For this first wave of inspections, the EDPS selected ten public websites, including those of the European Parliament, the European Commission, the Court of Justice of the EU, Europol and the European Banking Authority, as well as the websites of the EDPS and the European Data Protection Board (EDPB).
The inspection revealed that several of the websites were not compliant with the Regulation or with the ePrivacy Directive and did not follow the Guidelines on web services, with one of the main issues being third-party tracking without prior consent. In response to our findings, all inspected EU institutions have now acted to rectify the problems identified: they provide secure HTTPS connections, addressing the data security findings, and have significantly reduced the number of third-party trackers they use.
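The two findings above, resources loaded from third parties before any consent is given and the lack of a secure HTTPS connection, are the kind of thing a remote inspection can detect from a single page fetch. The script below is an added illustration and is not the EDPS's inspection tooling: it parses a constructed HTML page and a constructed set of response headers, lists the third-party hosts a browser would contact on load, flags sub-resources still fetched over plain http://, and checks the transport-security basics (an HSTS header, the Secure attribute on cookies). The page URL, the HTML, the headers and the `registrable_domain` simplification are all assumptions made for the example; a real checker would take the page from a live fetch and use the Public Suffix List to decide what counts as the same site. Whether consent was actually obtained is not something a static check can decide; the list only shows what loads before any consent interaction.

```python
"""Added example (not EDPS code): offline check of a page for third-party
sub-resources and transport-security basics. All inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, standing in for a fetch of https://example.europa.eu/
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=UA-1"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="http://cdn.example.europa.eu/logo.png">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<script src="/static/app.js"></script>
</body></html>
"""

# Constructed sample response headers for the same fetch.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Set-Cookie": [
        "session=abc; Path=/; HttpOnly",
        "_ga=GA1.2.1; Path=/; Secure",
    ],
}


class ResourceCollector(HTMLParser):
    """Collects URLs of sub-resources a browser fetches automatically on load."""

    SRC_TAGS = {"script", "img", "iframe", "link"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.SRC_TAGS:
            return
        attrs = dict(attrs)
        url = attrs.get("src") or (attrs.get("href") if tag == "link" else None)
        if url:
            self.urls.append(url)


def registrable_domain(host):
    """Assumed simplification: the last two labels are the 'site'.
    A production checker would consult the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])


def collect_urls(html):
    parser = ResourceCollector()
    parser.feed(html)
    return parser.urls


def third_party_hosts(page_url, html):
    """Sorted hosts of sub-resources not under the page's own domain."""
    site = registrable_domain(urlparse(page_url).hostname)
    hosts = set()
    for url in collect_urls(html):
        host = urlparse(url).hostname  # None for relative URLs
        if host and registrable_domain(host) != site:
            hosts.add(host)
    return sorted(hosts)


def insecure_resources(html):
    """Sub-resources fetched over plain http://, which undermine an HTTPS page."""
    return [u for u in collect_urls(html) if urlparse(u).scheme == "http"]


def transport_findings(headers):
    """Missing HSTS and cookies set without the Secure attribute."""
    findings = []
    if "Strict-Transport-Security" not in headers:
        findings.append("no HSTS header")
    for cookie in headers.get("Set-Cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    return findings


if __name__ == "__main__":
    page = "https://example.europa.eu/"
    print("third-party hosts:", third_party_hosts(page, SAMPLE_HTML))
    print("plain-http resources:", insecure_resources(SAMPLE_HTML))
    print("transport findings:", transport_findings(SAMPLE_HEADERS))
```

On the constructed sample the checker reports two third-party hosts (the tag manager and the video embed), one logo still loaded over plain http://, and one session cookie set without the Secure attribute; the HSTS header is present. Each of those maps directly to one of the remedies named above: dropping or gating the third-party loads behind consent, and serving everything, cookies included, only over HTTPS.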
The EDPS will monitor the efforts of the EU institutions inspected while also continuing website inspections in the months to come. Our next wave of inspections will focus on the most visited websites of the EU institutions and bodies.
Internet Privacy Engineering Network discusses state of the art technology for privacy and data protection
The 2019 Internet Privacy Engineering Network (IPEN) workshop took place on 12 June in Rome, Italy. This year’s workshop focused on state of the art technology in data protection by design, in an effort to help establish a common understanding of this concept.
Under the EU’s General Data Protection Regulation (GDPR) and the new data protection rules for the EU institutions, it is now a legal obligation to consider personal data protection from the early project stages when designing technological solutions. This includes embedding measures into new technologies to ensure that the fundamental rights of individuals are adequately protected when their personal data is processed. Controllers and developers, regulators and legal experts all need to understand what they should – and should not – consider as state of the art technology to be able to design and implement measures to effectively protect individuals.
Wojciech Wiewiórowski, Assistant Supervisor, said: “The success of the EU’s new data protection rules relies largely on the implementation of the principles of data protection by design and by default by technology designers and controllers, and their enforcement by regulators. A common understanding of what is considered to be state of the art in this area is therefore essential. IPEN provides a forum for discussion for developers, legal experts and regulators to advance this common understanding, as a network through which pragmatic technological solutions can be evaluated, considered and developed in conjunction with scientists and IT experts.”
The workshop explored four key areas: the concept of state of the art in the relevant fields; business models that enable individuals to remain in control of their data; privacy engineering; and pseudonymisation and anonymisation. Presentations and recordings from the workshop will soon be available on the EDPS website. After another successful session, the EDPS looks forward to engaging with IPEN in future events to ensure a stronger, collaborative and effective approach to privacy engineering.
Measuring risk under the new data protection rules
Before the data protection reform, data controllers tended to focus on the risks to their own organisation, such as financial or reputational penalties. The data protection reform adopted a different approach, built around the concept of risk assessment. The General Data Protection Regulation (GDPR) and the equivalent rules for data protection in the EU institutions (GDPR for EUI) ask data controllers to focus on risks to the rights and freedoms of individuals. The aim is to better protect individuals and make data controllers, including the EU institutions, more accountable. By measuring the risks to individuals, the controller can assess the proportionality and necessity of their data processing operation and identify any required safeguards and security measures.
This assessment is not always easy. Risks to the rights and freedoms of individuals regarding personal data can be difficult to measure. Measurement requires accurate information on potential impact and likelihood, and can be a complex exercise due to the number of variables to be taken into account. This is why the new rules highlight certain data processing operations and related vulnerable groups that are more likely to be put at risk.
Under the new rules, specific risk assessments are also now required, such as the Data Protection Impact Assessment (DPIA), or in relation to the aftermath of a personal data breach. While the DPIA is an abstract analysis of possible scenarios, risk assessments after data breaches deal with concrete situations. The existence of a previous DPIA, therefore, even when not mandated by law, helps to frame the risk to individuals in the context of a specific personal data breach.
Contexts change and technologies evolve, and so do risks. That is why it is a good idea to perform data protection risk assessments periodically. Given that even the best-prepared organisations can face an unexpected data breach, we owe it to our institutions and to the individuals concerned to take every step to prepare for issues before they occur.
For more information about this topic, make sure to listen to our podcast on risk assessment after the data protection reform, which will be available soon on our website.
Defending individual rights: a focused approach to data processing
The risk-based approach is one of the requirements put into focus by both the General Data Protection Regulation (GDPR) and the equivalent rules for EU institutions (GDPR for EUI). This approach requires data controllers and processors to take into account the risks of each data processing operation they carry out – specifically the risks to individuals and their fundamental rights. Data protection impact assessments and personal data breach notifications are two examples of situations where a specific risk assessment is now required.
As well as identifying the risks associated with a data processing operation, controllers need to show that they have a risk management strategy in place to address the risks to individual rights that are identified. In this way, they ensure accountability, through being able to demonstrate their compliance with data protection rules. This risk mind-set strengthens protection for the individuals whose data is being processed by increasing the responsibility taken by the controller.
The risks posed to individual rights can depend on a range of factors: the processing operations, the controllers themselves, the safeguards in place, and more. Different organisations face different risks and need to assess and then mitigate those risks to people and their rights on an individual basis.
Risk management for personal data requires more than just expertise in information and IT security – these very human challenges require a human-centric response. Data Protection Officers (DPOs) play an essential role in ensuring that controllers are informed and aware of any relevant risk to individuals. DPOs should therefore support information and IT security experts in the development of effective risk management processes.
It is almost impossible to eliminate risk from personal data processing. Data controllers and processors therefore need to be able to assess what level of residual risk is acceptable and to demonstrate why. Technical security solutions alone cannot solve the challenge of information security and data protection. Managers must support the development and implementation of policies, and ensure there are resources available to counter any risks to individuals in their data processing activities.
There is a clear and simple message here: before beginning any data processing activity, make sure you are aware of the risks it poses to the individuals concerned – by adopting a risk mind-set!
Coffee and case studies: data protection training with the EU institutions
Our campaign to raise awareness about the new data protection rules for the EU institutions (GDPR for EUI) has been going for almost two years now, and engagement continues to grow.
Assistant Supervisor Wojciech Wiewiórowski gave a presentation on 14 March 2019 to management at the European Parliament’s Directorate General for Finance (DG FINS). Following this, we were asked by their Data Protection Coordinator to train DG FINS case officers on the new rules. A total of 80 people in Brussels and Luxembourg came together via videoconference and participated in a tailor-made case study on procurement, giving case officers an opportunity to reflect on the specific data protection requirements that should be put in place when they select an external contractor. The case study also covered different scenarios regarding contractual relationships and the content of contracts between joint controllers and controller–processors.
Next up was a visit to the European Commission’s Directorate General for Human Resources (DG HR), who invited us to join them at one of their regular “Knowledge Cafés”. We briefly presented the 2018 EDPS Annual Report before moving on to a presentation of the key points relating to the new rules.
Human Resources is one of the areas of work most heavily impacted by the new rules as it involves collecting and processing a significant amount of personal data. The event was therefore a great opportunity for DG HR staff members to ask questions on the subject, covering topics such as consent in the case of events and photography, the content of joint controllership arrangements, outsourcing and personal data breaches.
Both events served to demonstrate that interest and engagement with data protection issues within the institutions continues to grow. We look forward to continuing to engage constructively in similar discussions in the future, to build on the momentum gained through these presentations.
Working with international organisations to lead the way in data protection
Generating and fostering global partnerships in the field of data protection is one of the EDPS’ strategic objectives. That is why we co-organise a yearly workshop dedicated to data protection within international organisations. The workshop is a forum for the exchange of experiences and views on the most pressing issues in this field faced by international organisations all over the world; this year, we teamed up with the Organisation for Economic Co-operation and Development (OECD) to organise the workshop.
The size and the relevance of this event have grown consistently since the first edition in 2005. This confirms the need for a platform where international organisations can engage, share best practices and discuss unsolved dilemmas, and demonstrates the increasing awareness of the importance of ensuring strong safeguards for personal data. This year, we welcomed a record number of participants: more than 90, representing more than 40 different organisations.
Over the course of two days, participants discussed a range of challenges facing them when developing a data protection policy in their organisations. These included issues around web services and social media use, software contract negotiation and effective risk assessment. Throughout, the discussions were enriched with a wealth of advice and practical solutions.
Our colleagues in international organisations are working tirelessly on the development of strong safeguards for personal data within their organisations, and were keen to exchange views on present and future challenges. A key lesson from this workshop is that the development of robust data protection standards is and will continue to be a joint effort. This year’s workshop demonstrated the commitment and innovation in the data protection community within international organisations, and the EDPS will continue to support their efforts and offer our contribution to increasing global cooperation.
Top of the class: the EDPS goes back to school
Building a better understanding of the EU and of data protection issues among citizens starts right at the grassroots. This is why, in 2019, EDPS colleagues joined the EU’s Back to School initiative for the first time. The initiative offers employees at the EU institutions the opportunity to return to their former school to present their work and experiences in the EU institutions.
Five EDPS staff members went back to their hometowns in Belgium, Spain and Italy between March and May 2019, visiting classes of teenagers aged from 15 to 19.
The sessions were fun and interactive, giving students an insight into how the EU institutions work, while challenging them with a quiz designed to test their knowledge about Europe. By sharing and discussing their own experiences of Europe with the EDPS representatives, pupils gained a better understanding of how the EU affects their everyday life.
Top of the agenda were the upcoming EU elections, in which some of the students were able to vote for the very first time, as well as data protection issues, the role of the EDPS and, of course, what Europe can offer to young people. EU programmes aimed at young people, as well as possible careers and internships at European institutions, were other popular topics.
Not only did students and teachers hugely appreciate having a visiting speaker talking about Europe and their experience abroad, it also represented an enriching exchange for EDPS team members. The talks gave pupils food for thought, but also confidence in their options and enthusiasm for their future beyond school.
Feedback from our EDPS colleagues was hugely positive and many said they would happily have taken even more time with pupils to discuss the ideas raised. We look forward to continuing this programme in the future, providing yet another channel to better communicate with the wider community.
Data Protection Officers
Ms. Julia ANTONOVA, European Border and Coast Guard Agency (FRONTEX)
Mr. Marco DE SANTIS, Body of European Regulators for Electronic Communications (BEREC)
Mrs. Encarna GIMENEZ, European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA)
Ms. Christina KARAKOSTA, European Anti-Fraud Office (OLAF)