2019 was a year of great change at the EDPS. It marked the last year of an incredibly successful and productive mandate, which saw public awareness of the issues surrounding data protection and privacy increase tenfold.
At the beginning of what is not only a new year, but a new mandate for the EDPS, January 2020’s Newsletter provides you with a retrospective look over the past twelve months, as well as an overview of some important EDPS events taking place this month. Read on for ten things you might have missed from 2019:
In this issue
Managing contact lists: a guide
It is essential that EU institutions interact directly with the wider world. Through a range of channels, the EU institutions engage with EU citizens, relevant stakeholders, EU staff members and more.
Nonetheless, contact lists contain a lot of personal data and so they have to be in line with data protection rules. Even if an EU institution stores contact details collected for different purposes in one single database, this does not mean that the data can be used for any purpose.
In fact, one of the most important guiding principles in personal data protection is that of purpose limitation. Purpose limitation protects individuals by setting limits on how data controllers are able to use their data.
The concept has two building blocks: first, personal data must be collected for a specified, explicit and legitimate purpose, and secondly it should not be processed again later in a way incompatible with the original purpose. This principle is also linked to fairness: purposes must be clearly defined so that those affected know what to expect.
For example, taking the contact details of a colleague working in a different EU institution with the purpose of following up on a specific matter does not amount to permission to add this person to the mailing list of your own EU institution’s Newsletter. The original purpose for collecting personal data defines the scope of how this personal data can be used. As an example, if you were sent this newsletter by email, it is only because you gave explicit consent by signing up to receive it!
Not every additional processing action is incompatible, but changes in purpose have to be assessed on a case-by-case basis. This should take into account:
- the relationship between the purposes of the previous data collections and the purposes of further processing
- the context in which the data was collected and the reasonable expectations of the concerned individuals as to their further use
- the nature of the data and the future impact on the individuals concerned
- the safeguards applied to ensure fair processing and to prevent any undue impact on the individuals concerned
More information on this four-factor test can be found in the Article 29 Working Party (WP29) Opinion on purpose limitation.
Measuring risk under the new data protection rules
Before the data protection reform, data controllers tended to focus on the risks to their organisation, like financial or social penalties. The data protection reform adopted a different approach, angled towards the concept of risk assessment. The General Data Protection Regulation (GDPR) and the equivalent rules for data protection in the EU institutions (GDPR for EUI) ask data controllers to focus on risks to the rights and freedoms of individuals. The aim is to better protect individuals and make data controllers, including the EU institutions, more accountable. Through measuring the risks to individuals, the controller can assess the proportionality and necessity of their data processing operation and identify any required safeguards and security measures.
This assessment is not always easy. Risks to the rights and freedoms of individuals regarding personal data can be difficult to measure. Measurement requires accurate information on potential impact and likelihood, and can be a complex exercise due to the number of variables to be taken into account. This is why the new rules highlight certain data processing operations and related vulnerable groups that are more likely to be put at risk.
Under the new rules, specific risk assessments are also now required, such as the Data Protection Impact Assessment (DPIA), or in relation to the aftermath of a personal data breach. While the DPIA is an abstract analysis of possible scenarios, risk assessments after data breaches deal with concrete situations. The existence of a previous DPIA, therefore, even when not mandated by law, helps to frame the risk to individuals in the context of a specific personal data breach.
Contexts change and technologies evolve, and so do risks. That is why it is a good idea to perform data protection risk assessments periodically. Given that even the best-prepared organisations can face an unexpected data breach, we owe it to our institutions and to the individuals concerned to take every step to prepare for issues before they occur.
For more information about this topic, make sure to listen to our podcast on risk assessment after the data protection reform, which is available on our website.
How to work out when a Data Protection Impact Assessment is necessary
In July 2019, the EDPS published its list of what types of processing operations require a Data Protection Impact Assessment (DPIA) under the new data protection rules for the EU institutions (GDPR for EUI). We also published a list of processing operations that do not require a DPIA. Adopted after consultation with the European Data Protection Board (EDPB), these lists aim to provide additional guidance to controllers working in the EU institutions on how to implement the new rules. They complement the advice provided in our accountability on the ground toolkit.
DPIAs are a new concept introduced under both the GDPR and the GDPR for EUI. They help to ensure that controllers adequately address privacy and data protection risks in certain high-risk processing operations. This is particularly helpful in ensuring compliance with the concept of data protection by design, which involves building data protection into new processes and technologies, as it provides a structured way of thinking about the risks to individuals and how to mitigate them.
The list identifies some common cases in which a DPIA is needed. These include:
- exclusion databases;
- the large-scale processing of special categories of personal data, such as disease monitoring, pharmacovigilance and central databases for law-enforcement cooperation;
- internet traffic analysis breaking encryption;
- e-recruitment tools that automatically pre-select or exclude candidates without human intervention.
However, the speed of technological development means that it is impossible to produce an exhaustive list of all high-risk processing operations. The list therefore also provides a set of criteria that can be used by controllers to assess whether a DPIA is required.
Publication of the EDPS list, which applies specifically to data processing operations carried out by the EU institutions, follows the publication by many other EU data protection authorities (DPAs) of their own lists on DPIAs, aimed at the organisations and businesses operating in their respective countries.
Rethinking non-performing loans
On 24 January 2018, we issued formal comments on the Commission’s Proposal for a Directive regulating certain aspects of non-performing loans (NPLs). NPLs are loans that are more than 90 days overdue and consequently assessed as unlikely to be repaid by the borrower.
The goal of the Proposal is to reduce the stock of NPLs held by banks in two ways:
- Through the availability of an accelerated extrajudicial enforcement procedure;
- Through increasing the information to be provided when selling and collecting NPLs, thus increasing the transparency of the financial product.
The second approach is especially relevant to data protection, as it involves the processing of personal data, in particular that of borrowers and credit purchasers.
A high number of actors are potentially involved in the processing of a borrower’s personal data, including credit institutions, credit purchasers, credit servicers and credit service providers. Our comments therefore state that the Proposal should not only refer to the principles of necessity, proportionality and purpose limitation, but also to the principle of transparency. The individual concerned should be informed about the processing of their personal data at each stage of the process.
Furthermore, in accordance with the principle of data minimisation, we recommend reducing the obligation on credit servicers to keep and maintain correspondence with the creditor, as well as reducing their obligation to maintain instructions regarding each credit agreement they manage and enforce on the creditor’s behalf. Similarly, we suggest that it would be sufficient for credit institutions to transmit aggregated information to the competent authorities of the Member States. It is worth noting here that this would also reduce administrative costs on economic operators.
Preventing the dissemination of terrorist content online
On 13 February 2019, we issued formal Comments on the European Commission proposal on the fight against dissemination of terrorist content online. The proposal outlines the responsibilities of service providers and the actions that they are required to take. Our Comments specify that these must be aligned with the fundamental rights to privacy and data protection, enshrined in the Charter of Fundamental Rights of the EU.
To ensure compliance with the Charter, the actions that service providers have to take need to be clearly described, taking into account the principles of quality of law and legal certainty. This will also help to limit discretion and provide adequate oversight of their activities in targeting terrorist content online.
Requirements for service providers to act against terrorist content should be highly specific, taking into account how much exposure the platform has to terrorist content and the reasons behind this exposure. Importantly, these actions must not lead to the creation of a systematic or broad monitoring system.
The removal of online terrorist content based on automated tools should always be subject to human oversight, and service providers should give those affected a meaningful explanation of all measures that are used. Service providers should also give competent authorities all necessary information, so that they are able to thoroughly analyse the automated tools used and ensure that they do not produce discriminatory, untargeted, unspecific or unjustified results.
Furthermore, in line with the judgements of the Court of Justice of the European Union, we called on the Commission to reconsider the proposed obligation for service providers to retain online terrorist content and related data for at least six months for the purpose of prevention, detection, investigation or prosecution of terrorist offences.
Efforts to counter terrorist content online are a necessary part of common security policy; the EDPS encourages further discussion to ensure that these efforts are balanced alongside the fundamental rights and freedoms of the EU.
Protecting the principle of purpose limitation: the ETIAS case
The Commission issued two further Proposals on 7 January 2019 to improve interoperability between the ETIAS and the other EU databases. Interoperability enables large-scale EU databases to communicate and exchange information. The Commission presented these Proposals as limited technical changes, mirroring existing provisions in the ETIAS Regulation.
However, in our formal Comments we stressed that the Proposals are far from being “limited technical adjustments”. This is because they also include the use of data stored in the European Criminal Record Information System for third country nationals (ECRIS-TCN).
The ECRIS-TCN contains very sensitive information. It is a tool designed to support judicial cooperation. Using it for border management purposes constitutes a major change to the ECRIS-TCN, and suggests that personal data would be used for a purpose different from the one that it was originally collected for. We therefore stress the need for a proper data protection assessment of the Commission’s Proposals, to be conducted in full transparency.
Presenting TechDispatch: reports from the front line of technological development
The EDPS TechDispatch reports aim to explain emerging developments in technology and inspire wider discussion on their data protection implications. Each TechDispatch provides factual descriptions of a new technology and briefly assesses the possible impact of these technologies on privacy and the protection of personal data, as we understand them now. For those who wish to delve deeper, we include plenty of links to further reading in each issue.
To receive future issues of the TechDispatch directly in your mailbox, please sign up to our mailing list on the EDPS website.
If you want to take part in the discussion and have suggestions or comments, you can send us an email.
Data retention under scrutiny: EDPS makes case at EU Court of Justice
Confidentiality of communications is essential for the functioning of a modern, democratic society. On 9 - 10 September 2019, the EDPS was invited to appear before the EU Court of Justice (CJEU) in a joint hearing in a number of cases primarily relating to the retention of telecommunications data and to regimes governing access to electronic communications data by State authorities.
All parties invited to the hearing were asked to answer several questions, aimed in particular at clarifying the scope of EU law in relation to data retention practices. In addition, the EDPS was invited to answer specific questions with a strong technical component.
Our oral pleading is available on the EDPS website.
Top of the class: the EDPS goes back to school
Top of the agenda were the upcoming EU elections, in which some of the students were able to vote for the very first time, as well as data protection issues, the role of the EDPS and, of course, what Europe can offer to young people. EU programmes aimed at young people, as well as possible careers and internships at European institutions, were other popular topics.
Not only did students and teachers hugely appreciate having a visiting speaker talking about Europe and their experience abroad, it also represented an enriching exchange for EDPS team members. The talks gave pupils food for thought, but also confidence in their options and enthusiasm for their future beyond school.
Feedback from our EDPS colleagues was hugely positive and many said they would happily have taken even more time with pupils to discuss the ideas raised. We look forward to continuing this programme in the future, providing yet another channel to better communicate with the wider community.
EDPS looks back on a pivotal five years for data protection
The past five years have witnessed significant changes in European and international approaches to data protection. However, while considerable progress has been made towards ensuring that individuals are able to exercise and maintain control over their digital lives, many significant challenges still remain and must be overcome, the Assistant EDPS said today, as he presented a report on EDPS actions and achievements over the course of the last EDPS mandate, which came to an end at the beginning of December. His presentation was followed by remarks from EU Commissioner Věra Jourová.
Wojciech Wiewiórowski, Assistant EDPS, said: “The late EDPS Giovanni Buttarelli and I issued an ambitious Strategy for our mandate within 100 days of taking up our posts, reflecting our vision for privacy in the digital age. Five years on, people and policymakers are now increasingly aware of the reality and potential of digital technology and many regions in the world, not only the EU, are now examining how they can give people more control over their data and digital lives. Leading by Example: EDPS 2015-2019 reflects on how far we have come in implementing this vision, while also recognising that this is only the beginning of a much longer process, aimed at ensuring that personal data works for society in general, and not only for a handful of powerful private interests.”
In connection with the 13th international conference on Computers, Privacy and Data Protection (CPDP), the EDPS is organising and co-organising a variety of side events on Tuesday 21 January 2020. These include:
- A World Café on Artificial Intelligence (AI) Governance, which will also take place in the Giovanni Buttarelli room on EDPS premises.
More detailed information on each of the events and how to register for them can be found by clicking on the relevant links above. We hope to see you there!