In the February 2020 edition of the EDPS newsletter we cover the EDPS Proportionality Guidelines, the EDPS preliminary Opinion on scientific research and our recent contributions to the debate on Artificial Intelligence, among other topics.
New EDPS Guidelines on assessing proportionality aim to provide policymakers with practical tools to help assess the compliance of proposed EU measures that would impact the fundamental rights to privacy and the protection of personal data with the Charter of Fundamental Rights.
Wojciech Wiewiórowski, EDPS, said: “Any proposed limitation of the right to the protection of personal data must comply with EU law. This means ensuring that this limitation is both necessary and proportional. Our Proportionality Guidelines, combined with the Necessity Toolkit we published in 2017, aim to make the assessment of necessity and proportionality quicker and easier for policymakers, helping them to ensure that all new EU proposals respect the fundamental right to personal data protection.”
One of the tasks of the EDPS is to provide advice on new legislative instruments and policy proposals to the European Commission, the European Parliament and to the Council. As new EU proposals now routinely imply the processing of personal data, it is vitally important to ensure that policymakers are well equipped to adequately assess the necessity and proportionality of a proposed measure. Building on relevant case law and recent EDPS legislative Opinions and formal Comments, the EDPS Proportionality Guidelines provide practical guidance to help address these key dimensions from the start of the legislative process, therefore facilitating responsible and informed EU policymaking.
Additionally, to complement our Guidelines and Toolkit, we recently published a Quick-Guide to necessity and proportionality to help in assessing the compatibility of measures which impact the fundamental rights to privacy and the protection of personal data with the EU Charter of Fundamental Rights.
A new supervisory framework for the processing of personal data at the EU Agency for Criminal Justice Cooperation (Eurojust) came into force on 12 December 2019. Under the new rules, the EDPS takes over responsibility for monitoring Eurojust’s compliance with the applicable EU rules on data protection.
Eurojust is responsible for supporting and improving coordination and cooperation between the competent judicial authorities in the EU Member States on matters relating to serious organised crime. With public security certain to remain an important policy concern for the EU over the coming years, newly-appointed EDPS Wojciech Wiewiórowski is determined to ensure that the EU is able to achieve increased security without applying any undue restriction to individual data protection rights.
Wojciech Wiewiórowski, EDPS, said: “Ensuring a secure and open Europe requires increased operational effectiveness, but it also requires a commitment to protecting the fundamental rights and freedoms of individuals, including the rights to data protection and privacy. Under the new rules, it will be the job of the EDPS to ensure that Eurojust is able to perform its role as a law enforcement body as efficiently as possible, while demonstrating full respect for EU data protection law. After a year of intense preparation, including close cooperation with our colleagues at Eurojust, I am confident that the EDPS is prepared to perform this role.”
The Forum was established in The Hague on 29 August 2019, at the first EU software and cloud suppliers’ customer council, which included representatives from the EU institutions, EU Member State public authorities and international organisations. Its aim is to discuss both how to take back control over IT services and products offered by big IT service providers and how the process involved in agreeing contracts can be modified to meet this need.
This meeting is a proactive and practical response to the results of EDPS and other investigations into the contractual agreements offered by big IT service providers. It also represents a further step towards a joint European procurement approach to software and cloud suppliers operating in the EU. Topics that we would like to discuss include the privacy and security of cloud services, as well as contractual standardisation and strategic procurement. We look forward to getting to work!
There has been an explosion of meetings, conferences and discussions in the EU and beyond on fairness, non-discriminatory treatment, explainability, due process and the cumulative negative effects of the inherent characteristics of Artificial Intelligence (AI) technologies, all with the aim of trying to solve the AI puzzle. What is not being discussed as much, however, is how to supervise AI and the role of data protection authorities (DPAs) in this.
To address this question, the EDPS organised a side event at this year’s Computers, Privacy and Data Protection (CPDP) conference, on 23 January 2020. We invited four speakers, each of whom presented and discussed their own innovative approaches on how to regulate or supervise AI.
The side event served as a great follow-up to the EDPS World Café on AI, which took place two days earlier. The World Café brought together forty representatives from DPAs, NGOs, academia, EU institutions and the private sector for an interactive meeting, in order to gather a variety of perspectives and ideas on how to prepare for the challenges of AI supervision. The overwhelming conclusion? That DPAs are integral to ensuring that individuals receive fair treatment.
The EDPS also participated in several insightful and constructive panel discussions at this year’s CPDP conference, with Supervisor Wojciech Wiewiórowski providing the closing remarks of the conference on 24 January 2020. Video recordings of all panels are available online.
Following up on the ideas and concerns raised at the CPDP conference and the World Café, we delved further into the challenges posed by AI at an Expert Workshop hosted by the EDPS on 13 February 2020, more information on which will be available in the March 2020 Newsletter. We will also launch a survey to map the use of AI by EU institutions and intensify our efforts to collaborate with other supervisory authorities and stakeholders.
On 23 January 2020, ESMA's Director celebrated the first anniversary of Regulation 2018/1725, which sets out the rules for data protection in the EU institutions. As part of these celebrations, the EDPS was invited to kick off the New Year with another thematic training session.
We started the session with a presentation to top management, on the philosophy behind the Regulation. We also highlighted some recent developments in data protection and EDPS work. These related to dealing with software providers, the use of cloud computing services and the relationship between archiving and data protection.
Our focus then shifted to specific case studies on events management, personal data breaches and data subject rights, during which participants were able to practice tackling some of the data protection issues they might encounter in their everyday work.
Ensuring that the EU institutions are well equipped to put data protection rules into practice is a key priority for the EDPS. We therefore organise thematic training sessions for EU institution employees at the European School of Administration (EUSA) on a regular basis. Information on these sessions and when they will take place can be found on the EDPS website.
In addition, the EDPS is able to organise specific training sessions for EU institutions and bodies upon request. Just get in touch!
On 31 January 2020, the EDPS adopted an Opinion on the negotiating mandate to conclude an international agreement on the exchange of personal data between Europol, the EU body responsible for supporting Member State law enforcement authorities in the fight against serious international crime and terrorism, and New Zealand’s law enforcement authorities.
The envisaged agreement aims to provide the legal basis for the transfer of personal data between Europol and the competent authorities in New Zealand. This would support and strengthen their cooperation in preventing and combatting serious transnational crime and terrorism while ensuring the protection of privacy and personal data, along with other fundamental rights and freedoms.
New Zealand has a well-established national data protection system in place, including a national data protection authority (DPA) that is competent to supervise the work of law enforcement authorities. In addition, the negotiating mandate with New Zealand proposed by the European Commission incorporates a number of specific recommendations from our 2018 Opinion on international agreements permitting the exchange of data between Europol and non-EU countries. The recommendations in our Opinion therefore focused on clarifying, and further developing where necessary, the safeguards and controls in place to protect personal data within the specific context of New Zealand.
These recommendations focused on purpose and storage limitation, which involves ensuring that the criminal offences about which data can be exchanged are clearly specified and that the need for storage of transferred personal data is periodically reviewed. They also highlighted the need for clear and detailed rules on the right to information and the need to include further information relating to the legal basis for the transfer of information.
Scientific research depends on the exchange of ideas, knowledge and information. In instances where it involves the processing of data concerning people in the EU, scientific research is subject to the applicable rules, including those in the General Data Protection Regulation (GDPR) and Regulation 2018/1725 for the EU institutions.
On 6 January 2020, we issued a Preliminary Opinion on how data protection rules should be understood in the context of scientific research. The rules of the GDPR contain a special regime affording a degree of flexibility for genuine research projects that operate within an ethical framework and aim to increase society’s collective knowledge and wellbeing. This regime applies the usual principles of lawfulness, purpose limitation and data subject rights, but permits certain derogations from controller obligations; flexibility is afforded on the assumption that research occurring within a framework of ethical oversight serves, in principle, the public interest.
At the same time, our Preliminary Opinion acknowledges that the boundary between private sector research and traditional academic research is blurrier than ever, and it is becoming increasingly difficult to distinguish research with tangible benefits for society from research that primarily serves private interests. Scientific research serves a valuable function in a democratic society to hold powerful players to account, and this has grown in importance with the concentration of control over information flows in the hands of a few private global companies. Data protection obligations should not be misappropriated and employed as a means for powerful players to escape transparency and accountability.
We recommend intensifying dialogue between data protection authorities and ethical review boards to establish a common understanding of what qualifies as genuine research through the standardisation of EU codes of conduct for scientific research. We also encourage closer alignment between EU research framework programmes and data protection standards, and the launch of a debate on the circumstances in which access by researchers to data held by private companies can be based on public interest.
On 27 February, we celebrated the 14th annual Data Protection Day (DPD). This extremely important day in the EDPS calendar marks the anniversary of the Council of Europe's Convention 108, the first legally binding international framework for data protection. This year’s DPD was all the more special, as Europe also celebrated its Data Protection Golden Anniversary; it is now 50 years since the first European data protection law was passed in the German Federal State of Hesse.
As has become the tradition, the EDPS and the EDPB decided to mark this year’s DPD not only through participating in and organising a number of the panels at this year’s CPDP conference, but also through the organisation of a data protection conference for trainees working at the EU institutions in Brussels. With data protection issues becoming increasingly important to the public psyche, garnering an ever-higher level of media attention, the EDPS and EDPB trainees organised an engaging and informative exploration of how individuals can develop a transparent and fully-functioning relationship with their data. The conference revolved around the concept of data doubles: the digital imprints we actively or passively create online, consequently used to categorise and target us, lingering throughout our human lifetime and beyond.
Guest speakers included experts from BEUC, Facebook and the Future for Privacy Forum, who participated in an interview-style panel moderated by Christian D’Cunha, Head of the EDPS Private Office. Presentations were also made by EDPS Wojciech Wiewiórowski and Head of the EDPB secretariat, Isabelle Vereecken.