In the last edition of the EDPS Newsletter for 2019, we report on the appointment of Wojciech Wiewiórowski as the new European Data Protection Supervisor, take a moment to reflect on the previous five-year EDPS mandate and cover the EDPS investigation into the European Parliament's election activities, among many other activities.
The appointment of Wojciech Wiewiórowski as the new European Data Protection Supervisor (EDPS) was confirmed on 5 December 2019. The Pole, who served as Assistant Supervisor under the late Giovanni Buttarelli during the 2014-2019 mandate, took up his position on 6 December.
Wojciech Wiewiórowski, newly appointed EDPS, said: “I am delighted to have been selected as the new EDPS and look forward to continuing my work with the dedicated and talented team of individuals that make up this small but incredibly important institution. While the EU currently holds considerable influence in the regulation of the digital economy, we cannot take this position for granted, nor allow our standards to slip. With new EU legislation on data protection now in place, our attention must turn to making sure that these rules are fairly enforced and that Europeans are in control of their own data.”
Mr. Wiewiórowski’s appointment as EDPS was confirmed by a joint decision of the European Parliament and the Council, following a rigorous selection process launched earlier this year. A well-respected figure in the field of data protection, he previously served as Inspector General of the Polish Data Protection Authority (GIODO) and as Vice Chair of the Article 29 Working Party, before taking up the position of Assistant EDPS in December 2014, under previous EDPS Giovanni Buttarelli.
The past five years have witnessed significant changes in European and international approaches to data protection. However, while considerable progress has been made towards ensuring that individuals are able to exercise and maintain control over their digital lives, many significant challenges still remain and must be overcome, the Assistant EDPS said today, as he presented a report on EDPS actions and achievements over the course of the last EDPS mandate, which came to an end at the beginning of December. His presentation was followed by remarks from EU Commissioner Vera Jourová.
Wojciech Wiewiórowski, Assistant EDPS, said: “The late EDPS Giovanni Buttarelli and I issued an ambitious Strategy for our mandate within 100 days of taking up our posts, reflecting our vision for privacy in the digital age. Five years on, people and policymakers are now increasingly aware of the reality and potential of digital technology and many regions in the world, not only the EU, are now examining how they can give people more control over their data and digital lives. Leading by Example: EDPS 2015-2019 reflects on how far we have come in implementing this vision, while also recognising that this is only the beginning of a much longer process, aimed at ensuring that personal data works for society in general, and not only for a handful of powerful private interests.”
The EDPS has finalised its investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary election.
Wojciech Wiewiórowski, Assistant EDPS, said: “The EU parliamentary elections came in the wake of a series of electoral controversies, both within the EU Member States and abroad, which centred on the threat posed by online manipulation. Strong data protection rules are essential for democracy, especially in the digital age. They help to foster trust in our institutions and the democratic process, through promoting the responsible use of personal data and respect for individual rights. With this in mind, starting in February 2019, the EDPS acted proactively and decisively in the interest of all individuals in the EU to ensure that the European Parliament upholds the highest of standards when collecting and using personal data. It has been encouraging to see a good level of cooperation developing between the EDPS and the European Parliament over the course of this investigation.”
Election campaigns are currently the subject of considerable scrutiny. The EDPS is actively engaged in seeking solutions to the challenges of online manipulation in elections while the European Parliament itself adopted a resolution to protect the European elections from data misuse in March 2019. Data protection plays a fundamental role in ensuring electoral integrity and must therefore be treated as a priority in the planning of any election campaign.
A new supervisory framework for the processing of personal data at the EU Agency for Criminal Justice Cooperation (Eurojust) has come into force. Under the new rules, the EDPS takes over responsibility for monitoring Eurojust’s compliance with the applicable EU rules on data protection.
Eurojust is responsible for supporting and improving coordination and cooperation between the competent judicial authorities in the EU Member States on matters relating to serious organised crime. With public security certain to remain an important policy concern for the EU over the coming years, newly-appointed EDPS Wojciech Wiewiórowski is determined to ensure that the EU is able to achieve increased security without applying any undue restriction to individual data protection rights.
Wojciech Wiewiórowski, European Data Protection Supervisor, said: “Ensuring a secure and open Europe requires increased operational effectiveness, but it also requires a commitment to protecting the fundamental rights and freedoms of individuals, including the rights to data protection and privacy. Under the new rules, it will be the job of the EDPS to ensure that Eurojust is able to perform its role as a law enforcement body as efficiently as possible, while demonstrating full respect for EU data protection law. After a year of intense preparation, including close cooperation with our colleagues at Eurojust, I am confident that the EDPS is prepared to perform this role.”
At the end of November, the EDPS had the privilege of hosting the 31st edition of the annual European Data Protection Case Handling Workshop, at which we welcomed colleagues from 28 EU and non-EU data protection authorities.
The unique set-up of the workshop provides an opportunity to meet a wide array of practitioners and to share our experiences of investigating complaints, providing guidance to controllers and enforcing data protection law. It is a platform for exchanging views with colleagues from our sister data protection authorities (DPAs) at the national level about our supervisory and enforcement tasks.
The workshop was opened by Assistant Supervisor Wojciech Wiewiórowski. A number of larger and smaller DPAs, including the EDPS, took to the stage during the workshop and kick-started discussions on various aspects of supervising and enforcing the General Data Protection Regulation (GDPR) and other pertinent (national) legislation, as well as presenting practical case studies that guided our conversations. Among the topics discussed were prior consultations, data brokers and credit reference systems, cross-border case handling, investigative practices and the determination of corrective measures.
With events such as this, the EDPS underlines its support for a strong regulatory framework and continues to push for the solid implementation of this framework in practice. As per tradition, we pass the organisational torch on to another authority for next year’s edition and look forward to a bright future for the workshop.
As part of our ongoing training programme to raise awareness about data protection rules in the EU institutions, on 28 November 2019 the EDPS gave a presentation at the Paymaster’s Office (PMO) Training Days. The presentation focused on data protection rules and principles, as well as on the data breach notifications we receive.
More than 300 participants from the HR departments of the EU institutions, bodies and agencies had the opportunity to put their questions to EDPS experts, in addition to working through case studies together and putting their knowledge into practice.
The session aimed to share best practices in the protection of personal data. In addition to providing information on general data protection principles and data subjects’ rights, we focused on explaining the roles of controller, joint-controller and processor, so that everyone had a clear idea of their tasks and responsibilities from the very beginning. We also used the session to reinforce the fact that EU institutions are not immune to personal data breaches, meaning that they need to be equipped to handle them.
Providing training for EU institutions will remain a priority in 2020, focusing not only on more general data protection issues, but also on specific topics, such as data breach notifications.
The Europol Regulation grants the EDPS several tools to help ensure Europol’s compliance with data protection rules. One of these is the right to carry out inspections.
Earlier this year, we ran a targeted inspection on Europol’s verification role under the Terrorist Finance Tracking Programme (TFTP) Agreement. The Agreement relates to the exchange of financial information between the EU and the US to put together financial intelligence, which is used to help tackle terrorism. Europol’s role in this is to assess whether the data on financial transfers stored in EU territory and requested by the US authorities is necessary for the fight against terrorism and the financing of terrorism. Europol also makes sure that each request is tailored as narrowly as possible, in order to minimise the amount of data transferred to the US.
Our inspection found that, in general, Europol does a good job of verifying US requests. However, we also made eight recommendations for Europol to consider when carrying out these activities. Most importantly, the EDPS recommended that Europol ask for additional information from the US authorities in order to be able to check that their requests actually meet necessity requirements in terms of countries and message types. Other recommendations concerned both the verification process and security measures, with the aim of ensuring that the methods used by Europol contribute to keeping the EU safe and secure without unduly compromising the fundamental rights to data protection and privacy.
The roles and concepts of controller, processor and joint controllership are not new. However, the General Data Protection Regulation (GDPR) and the equivalent rules for the EU institutions set out in Regulation 2018/1725 introduced some changes, which have led to many questions about these concepts, and the respective roles and responsibilities assigned to each in particular.
Recognising a need for guidance on this issue, on 7 November 2019 the EDPS published Guidelines on the concepts of controller, processor and joint controllership under the data protection rules for the EU institutions set out in Regulation 2018/1725.
Aimed primarily at those working in the EU institutions, but also useful for others, the Guidelines aim to provide practical advice and instructions on how to comply with Regulation 2018/1725 by clarifying the concepts of controller, processor and joint controllership, based on the definitions provided in the Regulation. The Guidelines also explain the distribution of obligations and responsibilities between these roles, in particular in cases where data subjects decide to exercise their rights.
To help put this into practice, the Guidelines include specific case studies, checklists and charts on controller-processor, separate controllership and joint controllership situations. We hope they prove a useful tool in ensuring the protection of personal data in the EU institutions and beyond.
Starting on 13 November 2019, the Ibero-American Data Protection Network (RIPD) and the Spanish Agency for International Development Cooperation (AECID) held a three-day conference in Montevideo, Uruguay, entitled One year of application of the General Data Protection Regulation (GDPR).
In addition to a representative from the EDPS, those attending included representatives from Ibero-American data protection authorities, the US Federal Trade Commission, the European Commission, big tech companies and civil rights NGOs, as well as data protection professionals and members of academia.
The event provided a comprehensive overview of data protection-related legal developments in Ibero-American countries. With the GDPR now in place, Ibero-American regulators have been using it as a comparative standard for their own legislation. Most countries without a specific data protection regulation are in the process of drafting one, while others are updating their current legislation based on the main principles of the GDPR, promoting concepts such as accountability and the right to data portability.
The Spanish Data Protection Authority (AEPD), which provides the Secretariat for the network, plans to follow up the successful conference with a seminar on Artificial Intelligence and Ethics in 2020. We will keep you updated!
In our role as the European Guardian of Data Protection, we are tasked with carrying out audits of the large-scale IT systems used by the EU. Most recently, we carried out an audit of Eurodac, a system used to compare the fingerprints of applicants for asylum and irregular immigrants in the EU, which is managed by the European Union Agency for the Operational Management of Large-Scale IT Systems (eu-LISA).
A team from the EDPS travelled to Strasbourg on 2 December 2019 to conduct the audit at the eu-LISA premises, in compliance with international auditing standards. The scope of the audit included following up on the recommendations of the previous audit report, as well as reviewing the security and operational management of the Eurodac system and the retention period of records and log files.
The team will prepare an audit report, which, after review by eu-LISA, will be sent to the European Parliament, the Council, the Commission, and the national supervisory authorities in the Member States.