In this edition of the EDPS Newsletter we cover the side event organised by the EDPS at the 2019 ICDPPC, the latest on the EU-Japan PNR agreement and facial recognition technology, among many other topics.
In a world transformed by new technologies, it is vital to ensure that law enforcement and judicial authorities have access to the necessary information and tools that are effective in the fight against terrorism and other crimes. However, any initiative in this field must fully respect the EU Charter of Fundamental Rights and the EU data protection framework, the Assistant EDPS said, as he published his Opinion on a new EU legal framework for gathering electronic evidence (e-evidence) in cross-border cases.
Wojciech Wiewiórowski, Assistant EDPS, said: “New technologies have opened up new avenues for cross-border criminal activity across national borders. Evidence of criminal activity is now, in many cases, electronic, and not always easy for the competent authorities to access, due to limitations based on the traditional concepts of geographical jurisdictions. Ensuring EU authorities have effective and efficient means to access information stored in another State is essential to the security of the European Union. However, it cannot come at the expense of the rights and freedoms we enjoy as EU citizens. A balance must be found which provides for greater EU security without compromising fundamental rights and data protection principles.”
Law enforcement authorities are increasingly faced with cross-border situations, where the information they need is stored electronically in another State. The Commission’s Proposals on e-evidence, published in April 2018, would introduce two new types of binding orders for criminal proceedings, allowing for access to data stored by service providers that may serve as evidence (Production Orders), or for the preservation of this data by service providers in anticipation of subsequent requests for access (Preservation Orders). It would streamline procedures within the EU, facilitating and accelerating access to cross-border data.
Facial recognition, the biometric application used to identify or verify a person’s identity, has become increasingly present in many aspects of daily life. It is used for an ever-increasing list of tasks, including tagging people on social media platforms and unlocking smart phones.
In the general absence of specific regulation so far, private companies and public bodies in both democracies and authoritarian states have been adopting this technology for a variety of uses. There is no consensus in society about the ethics of facial recognition, and doubts are growing as to its compliance with the law as well as its ethical sustainability over the long term.
The privacy and data protection issues with facial recognition, like all forms of data mining and surveillance, are quite straightforward. These include the lack of accountability and transparency in the current deployment of the technology, particularly regarding how images are collected and for what purposes they will be used.
However, the surveillance problem is not only one of privacy, but of democracy and freedom of expression. Fundamentally, it is an ethical question for a democratic society.
Where better to discuss the important issue of archiving and data protection than the Historical Archives of the European Union in Florence! This was the location of the 46th meeting of Data Protection Officers (DPOs) within the EU institutions and bodies, which took place from 6-7 November 2019.
While the essence of data protection is about protecting the rights and freedoms of individuals, this does not mean that data protection and archiving in the public interest have to be at odds. Archives keep public administrations, governments and society at large accountable and efficient data protection safeguards support effective records and archives management.
During the meeting, we presented an online, annotated version of the data protection rules for the EU institutions, which DPOs can use to look up the EDPS’ interpretation of the Regulation, article-by-article. This was followed by a case study on consent and cookies, based on the recent landmark Planet49 case. Best practices for data protection in mobile apps, archiving and outsourcing were other topics for discussion.
The next EDPS-EU DPO Meeting will take place during the first half of 2020.
On 25 October 2019, the EDPS adopted an Opinion on the negotiating mandate of an Agreement between the EU and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crimes. PNR data is the information provided by passengers to airlines in order to make reservations and check in for a flight. It includes the dates of travel, the payment method used and passenger contact details, among other information.
The purpose of the envisaged Agreement is to lay down the legal basis and the conditions under which air carriers will be authorised to transfer to Japan the PNR data of passengers flying between the EU and Japan. This must be done in compliance with EU law, including the Charter of Fundamental Rights of the EU. If an Agreement is reached before the Olympics takes place in Japan in summer 2020, for example, it will apply to all individuals from the EU travelling to Japan to watch and take part in the Games.
The Commission has strived to align the proposed negotiating mandate as much as possible with the EU Court of Justice 2017 Opinion on the EU-Canada PNR Agreement, in which several of the proposed provisions were found not to be compatible with EU fundamental rights. Nevertheless, given the impact of the envisaged agreement on the fundamental rights of a very large number of individuals not implicated in a criminal activity, the EDPS made a number of recommendations. These are aimed at ensuring the proportionality of the PNR system and limiting any interference with the rights of individuals to what is strictly necessary and justified by the general interest of the Union.
Some of our specific recommendations concerned the risk of indirectly revealing special categories of data about air passengers and the risk of re-identification of individuals after the anonymisation of the PNR data relating to them. We also recommended adding clauses allowing for suspension of the Agreement if its rules are breached, as well as for its termination if non-compliance is serious and persistent.
To avoid possible confusion, our Opinion clarifies that the Commission adequacy decision on Japan adopted in January this year is not applicable in the case of PNR transfers.
We expect to be further consulted on the draft Agreement once it is finalised.
A hash function is used to transform any random dataset into a fixed length character series. It can be used as a pseudonymisation or anonymisation technique, to provide additional protection when processing personal data.
The EDPS and the Spanish data protection authority, the AEPD, published a joint paper on this topic on 4 November 2019. Our aim was to provide helpful information for data controllers on how to use hash techniques.
The paper presents the basic aspects of hash functions, their properties and explores the likelihood that a message generated by the hash could be re-identified, while also establishing certain guidelines to analyse the suitability of hash function-based processing. This includes the need to carry out an objective analysis of the risk of re-identification in order to determine whether this pseudonymisation or anonymisation technique is appropriate.
Following the success of the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC), co-hosted by the EDPS in Brussels, the 2019 edition of the conference took place in Tirana, Albania on 21-24 October 2019.
In order to ensure that the international discussion on Digital Ethics - the theme of the 2018 conference - continues to move forward, the EDPS organised a side event at this year’s conference. The topic of discussion was one of the less well-known consequences of the digital revolution: the climate crisis and its impact on digital rights.
The event aimed to build on a discussion initiated in one of our #DebatingEthics Conversations podcasts recorded earlier this year, in which we addressed the relatively under-explored consequences of the digital revolution for climate change and human rights. It focused on whether universal rights to privacy will be able to withstand the consequences of climate change over the coming years, with regard to increasing migration flows.
Several experts in the field were invited to speak, and the discussion revolved around legal and humanistic approaches to technological tools, such as drones for aid, facial recognition systems, Smart Borders, biometrics and location tracking.
The Geneva Conventions do not consider climate change as grounds for asylum, despite the fact that the effects of climate change, including economic hardship, often lead to forced migration. The panellists explored how destination countries respond to this, and how the world is prepared to handle increasing migration flows while ensuring respect for the rights and freedoms of vulnerable people.
Another big talking point was the ethics surrounding government use of often-intrusive technologies to mediate migrant mobility, and the question of whether vulnerable groups should be entitled to special protection measures.
With the effects of climate change becoming increasingly evident, it is time that the data protection community comes together to address the implications for human rights, and for data protection and privacy in particular. A concerted effort is required from Data Protection Authorities (DPAs) both to ensure stronger enforcement, particularly when it comes to data protection and new technologies, and increased cooperation with organisations working in the areas of migration and human rights.
Assistant EDPS Wojciech Wiewiórowski announced that the EDPS and EDRi will be hosting the fifth edition of the EDPS - Civil Society Summit on 21 January 2020, as a part of the Privacy Camp, an annual conference organised the day before the beginning of the famous CPDP Conference.
The Summit has become a fond tradition which brings together representatives from Civil Society Organisations (CSOs) working on digital rights and experts from the EDPS to discuss existing and looming problems for human rights in the digital environment.
The issues discussed in last year’s summit, namely the draft Regulation on ePrivacy and the ‘upload filters’, are still affecting the privacy of individuals around EU and further afield. At the last conference, Civil Society expressed its concerns about the risks of lowering privacy protection, reflecting an increasing anxiety around the globe that the lack of such legislation may become a disadvantage in economic terms. These topical issues will almost certainly come up again in the next summit.
The EDPS is thrilled to be hosting this all-important event and will post more information soon.
The annual Computers, Privacy and Data Protection (CPDP) International Conference has been confirmed for 22-24 January 2020! The event will be held at Les Halles de Schaerbeek and Area42 in Brussels, focusing on the theme of Data Protection and Artificial Intelligence (AI).
CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. It gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world to exchange ideas and discuss the latest trends and emerging issues. Each year, CPDP offers a compelling and diverse line up of speakers and panels; its unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world.
CPDP2020 has adopted Data Protection and Artificial Intelligence as its overarching theme to pave the way for a thorough discussion on a broad range of ethical, legal and policy issues related to new technologies and data analytics. The Conference will offer more than 80 panels addressing current debates in the area of information technology, privacy and data protection.
Already lined-up for the programme are panels on AI and healthcare, autonomous vehicles, AI-based sentiment analysis, deepfakes, digital evidence, AI for crime prevention, GDPR compliance for SMEs, and many more. CPDP is also an extraordinary networking opportunity to mix and mingle with the privacy and data protection community.
The programme and registration information can be found at http://www.cpdpconferences.org/
For videos from past conferences, visit the YouTube Channel: www.youtube.com/user/CPDPConferences
For enquiries, contact: firstname.lastname@example.org