In this edition of the EDPS Newsletter we cover the EDPS investigation into IT contracts, the Berlin Group meeting in Brussels and the second edition of our TechDispatch, among many other topics.
The EDPS has received the Global Privacy and Data Protection Award for innovation. The award recognises EDPS efforts to develop a Website Evidence Collector and was presented at the annual International Conference of Data Protection and Privacy Commissioners (ICDPPC), taking place this year in Tirana, Albania.
Originally developed by the EDPS Information Technology (IT) Policy Unit to support EDPS inspections of EU websites, the EDPS Website Evidence Collector (WEC) consists of open source software tools that can be used to gather evidence on personal data processing operations on websites. Data protection authorities (DPAs), privacy professionals, data controllers and web developers can use the WEC to carry out their own website inspections. Among other things, it allows them to collect evidence relating to cookies, the secure transfer of data and requests to third-party components, employing a method that is reproducible, reliable and fast.
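To make the three kinds of evidence concrete, here is an added illustration (not code from the EDPS Website Evidence Collector, which drives a real browser to record live traffic): a classification pass over a constructed capture of one page load. The page URL, the request list and the Set-Cookie headers are constructed sample data, and the registrable-domain heuristic is a deliberate simplification labelled in the code.

```javascript
// Added example, not the EDPS Website Evidence Collector itself: classify a
// constructed capture of one page load into the three evidence categories a
// website inspection cares about: third-party requests, plaintext (non-HTTPS)
// transfers, and cookies with their attributes.

const FIRST_PARTY_PAGE = 'https://www.example.eu/news/'; // constructed

// Constructed sample: URLs requested while loading the page above.
const REQUESTS = [
  'https://www.example.eu/news/',
  'https://static.example.eu/app.js',
  'http://www.example.eu/legacy/banner.png',      // same site, but plaintext
  'https://cdn.analytics-vendor.com/tag.js',       // third party
  'https://fonts.fontsprovider.net/css?family=X',  // third party
];

// Constructed sample: Set-Cookie headers observed in responses, paired with the
// URL of the response that set them.
const SET_COOKIE = [
  ['https://www.example.eu/news/',
   'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['https://cdn.analytics-vendor.com/tag.js',
   'uid=7f3a; Domain=.analytics-vendor.com; Max-Age=31536000'],
];

// Simplified registrable-domain heuristic (last two labels). A production tool
// must use the Public Suffix List so that e.g. "example.co.uk" is handled.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header into the attributes relevant for the report.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false, httpOnly: false, sameSite: null, domain: null, maxAge: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const k = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : attr.slice(i + 1);
    if (k === 'secure') cookie.secure = true;
    else if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'samesite') cookie.sameSite = v;
    else if (k === 'domain') cookie.domain = v.replace(/^\./, '');
    else if (k === 'max-age') cookie.maxAge = Number(v);
    // Path, Expires and other attributes are not needed for this report.
  }
  return cookie;
}

// Build the evidence report for one page load.
function collectEvidence(page, requests, setCookies) {
  const site = siteOf(new URL(page).hostname);
  const report = { thirdPartyHosts: new Set(), insecureRequests: [], cookies: [] };

  for (const u of requests) {
    const url = new URL(u);
    if (url.protocol !== 'https:') report.insecureRequests.push(u);
    if (siteOf(url.hostname) !== site) report.thirdPartyHosts.add(url.hostname);
  }

  for (const [u, header] of setCookies) {
    const c = parseSetCookie(header);
    const host = new URL(u).hostname;
    c.thirdParty = siteOf(c.domain || host) !== site;
    // A cookie outliving the browsing session is worth flagging for review.
    c.persistent = c.maxAge !== null && c.maxAge > 0;
    report.cookies.push(c);
  }
  report.thirdPartyHosts = [...report.thirdPartyHosts].sort();
  return report;
}

console.log(JSON.stringify(collectEvidence(FIRST_PARTY_PAGE, REQUESTS, SET_COOKIE), null, 2));
```

On the constructed capture the report lists two third-party hosts, one plaintext request, one first-party session cookie with Secure, HttpOnly and SameSite set, and one persistent third-party cookie with none of those attributes; the report is the reproducible artefact an inspector attaches to a finding rather than a screenshot.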
Wojciech Wiewiórowski, Assistant EDPS, said: "The Global Privacy and Data Protection Award for innovation emphasises that data protection authorities can approach their enforcement tasks in a modern and technically sophisticated way to address new and evolving challenges to data protection and privacy. We are also proud to share the software with other DPAs, civil society and individual privacy experts, making it freely accessible open source software."
Thomas Zerdick, Head of the EDPS IT Policy Unit, and Robert Riemann, EDPS Technology and Security Officer and author of the WEC added: “Through the publication of the EDPS Website Evidence Collector, we hope to inspire increased cooperation between technology experts in our fellow data protection authorities, in academia and in the private sector. We strongly encourage other supervisory authorities to develop and exchange their own tools.”
Cooperation between public authorities in the Member States, EU institutions and other international organisations is essential to ensure that contractual arrangements and measures with Microsoft provide the same level of protection for individual rights throughout the European Economic Area (EEA). The amended contractual terms, technical safeguards and settings agreed between the Dutch Ministry of Justice and Security and Microsoft to better protect the rights of individuals show that there is significant scope for improvement in the contracts concluded between public administrations and the most powerful software developers and online service providers. The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation, but also to individuals, the Assistant EDPS said on 21 October 2019.
In April 2019, the EDPS launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between Microsoft and the EU institutions are fully compliant with data protection rules. The EDPS also considered whether there were appropriate measures in place to mitigate risks to the data protection rights of individuals when EU institutions use Microsoft products and services.
Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and over the role of Microsoft as a processor for EU institutions using its products and services. Similar risk assessments carried out by the Dutch Ministry of Justice and Security confirmed that public authorities in the Member States face the same issues.
Does a pre-ticked "I agree" box constitute valid consent for data processing? The answer from the EU Court of Justice, published on 1 October 2019, was a resounding no.
The company involved in the case, Planet49, had used a pre-ticked box in order to obtain consent to the placing of cookies on the devices of participants in a promotional lottery. In its ruling in Case C-673/17, the Court noted that even under the General Data Protection Regulation's (GDPR) predecessor, Directive 95/46/EC, a pre-ticked box did not constitute valid consent.
The definition of consent in the GDPR and Regulation 2018/1725, which applies to the EU institutions, is even clearer. Under these new rules, consent must be provided in the form of a statement or by a clear affirmative action.
The Court also referred to the need for valid consent to be unambiguous. A pre-ticked box cannot meet this requirement, as it is easy for an individual to miss the box and so never make a choice at all. Additionally, consent must be specific. Controllers must therefore seek consent for different purposes separately, and not bundle together consent sought for separate purposes.
As the Court confirmed, affirmative, unambiguous and specific consent is required independently of whether the information stored or accessed via the cookie qualifies as personal data. This is because Article 5(3) of the EU's ePrivacy Directive requires consent for storing information on, or gaining access to information already stored in, a user's terminal equipment, whether by cookies or similar tools; in this case the cookies were used for advertising purposes.
The Court’s ruling helps to clarify how, and in what cases, consent is required under the EU’s data protection rules. It should act as a reminder to all controllers to ensure that their consent procedures are fully compliant with these rules.
In our Opinion of 13 September 2019, we assessed two Commission Proposals aimed at improving the functioning of cross-border judicial cooperation in civil or commercial matters within the EU. The proposals focused in particular on the transmission of documents and taking of evidence requests through a decentralised IT system. They would amend the Regulations already in place in this area.
The EDPS welcomed the overall objectives of the proposals, yet insisted on the need to provide a clear legal basis for the IT system to be used for the transmission of documents, requests and communications for the purposes of these Regulations.
In addition, we advised the Commission that the legislative acts themselves should include a high-level description of the aspects relating to the proposed IT system. In particular, we brought attention to the fact that, as the Commission or another EU institution, body, agency or office would be implicated in the operation of the new system, the legal act should ideally define its responsibilities as a (joint) controller or a processor.
We also stressed the need to conduct an impact assessment on data protection when preparing the implementing acts.
We will remain at the disposal of the institutions for further advice during the legislative and implementing phase of the Regulations.
Confidentiality of communications is essential for the functioning of a modern, democratic society. On 9 - 10 September 2019, the EDPS was invited to appear before the EU Court of Justice (CJEU) in a joint hearing in a number of cases primarily relating to the retention of telecommunications data and to regimes governing access to electronic communications data by State authorities.
All parties invited to the hearing were asked to answer several questions, aimed in particular at clarifying the scope of EU law in relation to data retention practices. In addition, the EDPS was invited to answer specific questions with a strong technical component.
Our oral pleading is available on the EDPS website.
Smart Meters are an effective everyday tool to combat climate change, but are they really used exclusively as a force for good? Who is keeping tabs on our energy data? How vulnerable is it to interception and what implications does this have for us as consumers?
The EDPS TechDispatch reports aim to explain emerging developments in technology and inspire wider discussion on their data protection implications. In this issue, we explore the subject of Smart Meters. These have become increasingly common across the EU since 2012, following the European Commission’s efforts to facilitate reduced energy consumption across the EU. The Commission’s aim is for 80% of EU consumers to be using smart meters by 2020.
To receive future issues of the TechDispatch directly in your mailbox, please sign up to our mailing list on the EDPS website.
If you want to take part in the discussion or have suggestions or comments, you can send us an email.
On 10 - 11 October 2019, the EDPS hosted the meeting of the International Working Group on Data Protection in Telecommunications (IWGDPT) for the first time. The group was established in 1983 and is chaired by the Berlin Data Protection Authority. It is therefore informally called the Berlin Group.
During the meeting, the group decided to change its name, replacing Telecommunications with Technology to reflect the much broader focus of the group over the past few years. In its recent meetings, for example, the group has adopted working papers on Artificial Intelligence, Smart Devices and Online Services for Children.
As one of its next initiatives, the group wants to look into payment systems based on cryptocurrencies. Some organisations plan for large-scale rollouts of such technology, which may place even more detailed and precise personal data into the hands of the most data-hungry organisations. As the Berlin Group includes representatives from civil society organisations and other experts from around the world, it is an excellent forum in which to facilitate discussions between data protection authorities and other concerned parties on the data protection and privacy risks of such initiatives.
The EDPS also updated the Berlin Group on its most recent activities. Our IT Policy Unit presented its TechDispatch, which provides an introduction to new technologies and their potential data protection issues, as well as the Website Evidence Collector. This new piece of software, developed by the EDPS, helps web developers and data protection experts to improve their data protection compliance. Both initiatives were very well received.
The Israeli Data Protection Authority will host the next meeting of the Berlin Group in Tel Aviv, on 4 - 5 March 2020.