In this edition of the EDPS Newsletter we cover Data Protection Impact Assessments (DPIAs), the first EDPS-EDPB Joint Opinion and the new EDPS website inspection software, among many other topics.
In this issue
Giovanni Buttarelli, 1957-2019
All at the EDPS are profoundly saddened by this tragic loss of such a kind and brilliant individual. Throughout his life, Giovanni dedicated himself completely to his family, to the service of the judiciary and the European Union and its values. His passion and intelligence will ensure an enduring and unique legacy for the EDPS as an institution and for all people whose lives were touched by him. He will be sorely missed.
Two, among many, to pay tribute to Mr. Buttarelli were the Assistant Supervisor at the EDPS, Wojciech Wiewiórowski and EDPS Director Leonardo Cervera Navas (in Spanish). Their tributes can be found on the EDPS website.
In accordance with Regulation 2018/1725, Mr. Wiewiórowski will take over the duties of the European Data Protection Supervisor until the end of the current mandate.
How to work out when a Data Protection Impact Assessment is necessary
In July 2019, the EDPS published its list of what types of processing operations require a Data Protection Impact Assessment (DPIA) under the new data protection rules for the EU institutions (GDPR for EUI). We also published a list of processing operations that do not require a DPIA. Adopted after consultation with the European Data Protection Board (EDPB), these lists aim to provide additional guidance to controllers working in the EU institutions on how to implement the new rules. It complements the advice provided in our accountability on the ground toolkit.
DPIAs are a new concept introduced under both the GDPR and the GDPR for EUI. They help to ensure that controllers adequately address privacy and data protection risks in certain high-risk processing operations. This is particularly helpful in ensuring compliance with the concept of data protection by design, which involves building data protection into new processes and technologies, as it provides a structured way of thinking about the risks to individuals and how to mitigate them.
The list identifies some common cases in which a DPIA is needed. These include:
- exclusion databases;
- the large-scale processing of special categories of personal data, such as disease monitoring, pharmacovigilance and central databases for law-enforcement cooperation;
- internet traffic analysis breaking encryption;
- e-recruitment tools that automatically pre-select or exclude candidates without human intervention.
However, the speed of technological development means that it is impossible to produce an exhaustive list of all high-risk processing operations. The list therefore also provides a set of criteria that can be used by controllers to assess whether a DPIA is required.
Publication of the EDPS list, which applies specifically to data processing operations carried out by the EU institutions, follows the publication by many other EU data protection authorities (DPAs) of their own lists on DPIAs, aimed at the organisations and businesses operating in their respective countries.
The EDPS took over responsibility for supervising the processing of personal data for Europol’s operational activities on 1 May 2017. Since then, we have been cooperating continuously with Europol and closely monitoring their operational activities in order to develop a sound and effective supervision scheme. One of the supervisory tools granted to the EDPS under the Europol Regulation is regular on-site inspections.
In June 2019, we carried out our third annual inspection at Europol. This year, we decided to focus on the processing of data in the areas of terrorist financing, the fight against money laundering and illegal activities on the dark web. We also checked Europol’s use of derogations to transfer personal data to third countries. Subject to strict requirements, these transfers are only permitted in exceptional circumstances, such as to support investigations in the aftermath of a terrorist attack or to prevent an immediate and serious threat to public security.
Another point for inspection was a new practice by Member States that involves sending a larger volume of data to Europol. This new trend results from the larger amount of personal data available to law enforcement authorities at national level relating to criminal investigations and criminal intelligence operations. We also verified Europol’s encryption methodologies, and followed up on the implementation of selected recommendations from our previous inspection reports.
As for previous inspections, we benefited from the expertise of national data protection authorities (DPAs). This time, three experts from the DPAs of Germany, Greece and Italy joined the inspection as part of the EDPS team. The Member States are Europol’s main information providers so the participation of national experts in the inspection process helps to raise awareness of any problems arising at Europol level that might have originated at national level. This could include problems with data quality or insufficient justification for the processing of sensitive data or data on special categories of persons, such as minors. Back home, national experts can consider how to tackle these problems in their supervisory activities, helping to increase coordination between EU and national supervisory activities.
Having assessed the results of the inspection, we will outline a number of recommendations for improvement in our inspection report. Our close cooperation with Europol will continue, in order to ensure they put EDPS recommendations into practice.
Making technology user (and data protection) friendly
New technologies are often a source of wonder, but they can also be a source of concern. There are many reasons for this, one being the lack of transparency in certain modern processing operations, which could provoke confusion, and even suspicion, among data protection and cybersecurity experts and non-experts alike.
It is for this reason that it is so important to clarify from the very start of a new technology’s lifecycle the terms and conditions of any data processing, especially those that involve innovative technologies that many people might not be familiar with or easily understand. It is up to the controller - those who are responsible for determining how the data is processed and for what purpose - to determine that the proposed data processing operations are fair and transparent and to clearly explain them to users.
Not only do controllers have a legal obligation under both the General Data Protection Regulation (GDPR) and the equivalent rules for the EU institutions, to provide this information, but it is in their interest to do so, in order to maintain and build consumer trust. If controllers do not explain how technologies work, as well as their personal data processing operations, they may lose this trust. The information that controllers are legally obliged to provide includes the name of the controller in the data processing, for which purposes data is processed, to whom personal data may be transmitted and for how long data will be stored. Individuals must also be informed about their rights in relation to the data processed.
All of this information needs to be communicated in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This becomes even more important when communicating with minors. The information should be provided in writing, usually in the form of a data protection notice, available either online or on paper. If requested by an individual, it can also be provided orally.
Processing patients’ data: EDPS and EDPB issue first Joint Opinion
Under the new rules on data protection for EU institutions and bodies, the European Commission may, in certain cases, request a Joint Opinion on a legislative proposal or a draft implementing measure from the EDPS and the European Data Protection Board (EDPB).
The first request for such an Opinion came on 13 May 2019, and concerned the data protection aspects of the draft Implementing Decision providing for the establishment, management and functioning of the eHealth network, and repealing Commission Implementing Decision 2011/890/EU.
The eHealth Network is a voluntary network of authorities responsible for eHealth, representing each Member State. It was established under European Commission Implementing Decision 2011/890/EU, which also sets out the rules for the management and functioning of the network.
One of the main objectives of the eHealth network is to improve the interoperability of national digital health systems, making it easier to exchange patient data found in ePrescriptions, Patient Summaries and electronic health records. To facilitate this interoperability, the eHealth network and the Commission developed the eHealth Digital Service Infrastructure (eHDSI), an IT tool that enables the exchange of health data under the Commission’s Connecting Europe Facility programme.
Our Joint Opinion addressed the processing of patient data in the eHealth Digital Service Infrastructure and, in particular, the Commission’s role in this. The EDPS and the EDPB considered that, in the situation covered by the Implementing Decision, and specifically for the processing of patients’ data within the eHDSI, the European Commission’s assessment of its role as a processor within the eHDSI was correct, while the Member States should indeed be considered joint controllers. We also reminded the Commission of the need to clearly set out all of its duties as a processor in this processing operation in the proposed Implementing Act, as required by the data protection rules for EU institutions.
EDPS and EDPB advise European Parliament on US CLOUD Act
The US CLOUD Act gives US law enforcement authorities the power to request the disclosure of data by US service providers, regardless of where in the world this data is stored. Mindful of the possible implications of the Act for EU citizens, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) wrote to both the EDPS and the EDPB requesting a legal assessment. Specifically, LIBE asked us to assess the impact of the US CLOUD Act on the EU’s legal framework for data protection and the mandate for negotiating an EU-US agreement on cross-border access to electronic evidence for judicial cooperation in criminal matters.
On 10 July 2019, the EDPB and the EDPS issued a joint response. This response outlined the opinion of both the EDPS and the EDPB that a comprehensive EU-US agreement on cross-border access to electronic evidence, with strong procedural and substantial safeguards for fundamental rights, would be the most appropriate way of ensuring the necessary level of protection for individuals living in the EU, as well as to provide legal certainty for businesses.
EDPS releases website inspection software
In a first for the EDPS, we recently published a software tool to support the work of data protection professionals, such as data controllers, data protection officers, data protection authorities or researchers.
The tool, known as the Website Evidence Collector, aids in the audit of websites. It is a result of our work on the inspection of EU institutions’ websites and is available for Linux, MacOS X and Windows. Once set up, and after following a brief introduction, it allows technical amateurs to collect automated evidence of personal data processing, such as cookies or requests to third parties. The collected evidence is documented in a format that is both human- and machine-readable.
We published the tool as free software under the EU public license (EUPL) on the EDPS website and on the code collaboration platform GitHub. Further information and tutorial videos are also available on these platforms.
We would appreciate all feedback in the form of questions, ideas and code. You can send us an email or contact us directly through GitHub.
Presenting TechDispatch: reports from the front line of technological development
The EDPS TechDispatch reports aim to explain emerging developments in technology and inspire wider discussion on their data protection implications. Each TechDispatch provides factual descriptions of a new technology and briefly assesses the possible impact of these technologies on privacy and the protection of personal data, as we understand them now. For those who wish to delve deeper, we include plenty of links to further reading in each issue.
To receive future issues of the TechDispatch directly in your mailbox, please sign up to our mailing list on the EDPS website.
If you want to take part in the discussion and have suggestions or comments, you can send us an email.
Can we trust our artificial eyes?
Every group of trainees that comes to work at the EDPS organises their own conference on a topic of interest. These events are a platform for the younger generation to share fresh – and sometimes provocative! – ideas. The most recent edition of this conference took place on 11 July 2019, and focused on a timely and exciting subject: the potential consequences of technological enhancements to our bodies for human rights and privacy.
Human enhancement is quickly moving into the centre of public debate, both due to academic discussion and technological developments reaching the popular consciousness, and through pop culture, which confronts us with visions of potential future paths for our society – both inspiring and disturbing.
A world in which human bodies are enhanced with digital technologies is likely to lead to a new range of challenges for data protection and privacy, with legal questions that could be difficult to resolve decisively using existing frameworks. Our best hope to manage this coming revolution certainly requires technological and legislative solutions. These solutions, however, require a moral backbone – based in digital ethics.
One of the tasks of the EDPS is to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing operations. With this mission in mind, we have recorded several podcasts over the past months. In July, we recorded two podcasts, both of which are now available to listen to on the EDPS website.
The second in our series of podcasts addressing data protection in practice featured an interview with researcher Raphäel Gellert. The conversation addressed the risk-based approach in the EU’s data protection reform, comparing it to the rights-based approach and touching on new ethical issues emerging from this. The notion of risk, the challenges of risk assessment and the need to protect vulnerable groups of individuals at particular risk were all addressed. Listen to the podcast to find out more!
Our latest #DebatingEthics Conversation focused on the environmental footprint of data-intensive technologies. While we think of digital as being virtual and non-physical, behind the life cycle of our digital tools lies a very material chain of natural exploitation, continuous energy consumption and pollution. To explore this further, we spoke to Ruben Dekker, a specialist in the Circular Economy at the European Commission’s Directorate General for Environment, Andrew Brennan, Professor of Environmental Ethics at La Trobe University, and Heather Iqbal, Senior Advisor at Global Witness. Check out the podcast to hear what they had to say!
Data Protection Officers
Speeches and Publications
Presentation of EDPS Tasks and Activities, by Wojciech Wiewiórowski before the Committee on Civil Liberties, Justice and Home Affairs (LIBE) at the European Parliament, Brussels (5 September 2019).