In the March 2020 edition of the Newsletter we cover the EDPS Annual Report, EDPS traning sessions and Artificial Intelligence, among other topics.
In this issue
The moment you realise the world has changed: re-thinking the EDPS Strategy
The EDPS planned to publish a Strategy for 2020-2024 on 19 March 2020. Who would have thought that the streets of so many European capitals would be empty by then? Who would have thought that the external borders of the European Union would be closed, that the Schengen area would literally stop operating, that xenophobia would be on the rise?
We could not imagine that reasonable people would start asking internet and telecom operators to possibly track each and every person in Europe using his or her mobile location data in real time, and to create a diagram representing all physical interactions between people. COVID-19, however, is a game changer.
Recognising that we are facing a new stage in the discussion about fundamental rights, EDPS Wojciech Wiewiórowski decided to pause and reflect on what this means for the EDPS. A strengthened EDPS Strategy for 2020-2024 is therefore planned for the beginning of May 2020.
As COVID-19 is raising a debate worldwide and in the EU that has implication with fundamental rights to data protection and privacy, the European Data Protection Board (EDPB) has published two statements on 16 March and on 20 March.
EDPS Annual Report 2019: new EU data protection rules must produce promised result
With new legislation on data protection in the EU now in place, our greatest challenge moving into 2020 and beyond is to ensure that this legislation produces the promised results, the EDPS said on 18 March, as he published his 2019 Annual Report.
Wojciech Wiewiórowski, EDPS, said: “Awareness of the issues surrounding data protection and privacy, and the importance of protecting these fundamental rights, is at an all-time high and we cannot allow this momentum to decline. With a new European Parliament and Commission now in place, developing an effective response to the challenges of the digital era is a top priority, and must include ensuring that new rules on ePrivacy remain firmly on the agenda. The EDPS intends to contribute fully to these efforts, while also ensuring that the EU institutions themselves maintain the highest standards of data protection practice.”
The Annual Report provides an insight into all EDPS activities in 2019, which was the last year of a five-year EDPS mandate. EDPS activities therefore focused on consolidating the achievements of previous years, assessing the progress made and starting to define priorities for the future. Of particular note were EDPS efforts to ensure that new EU rules on data protection are put into practice.
EDPS closes investigation into European Parliament’s 2019 election activities
The EDPS has closed its investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary elections. The contract between the European Parliament and NationBuilder came to a natural end in July 2019 and all data collected has been transferred to the European Parliament’s servers, the EDPS announced.
Wojciech Wiewiórowski, EDPS, said: “Data protection plays a fundamental role in ensuring electoral integrity and must therefore be treated as a priority in the planning of any election campaign. With this in mind, the EDPS will continue to monitor the Parliament’s activities closely, in particular those relating to the 2024 EU parliamentary elections. Nevertheless, I am confident that the improved cooperation and understanding that now exists between the EDPS and the Parliament will help the Parliament to learn from its mistakes and make more informed decisions on data protection in the future, ensuring that the interests of all those living in the EU are adequately protected when their personal data is processed.”
Targeted data protection training for EU staff
Regulation 2018/1725, which sets out the rules for data protection in the EU institutions, has now been in place for just over a year. During this time, we have been able to identify several areas in which the EU institutions require further guidance or clarity in order to ensure that they are acting in compliance with the new rules.
One of these areas is joint controllership. Though the roles and concepts of controller, processor and joint controllership are not new, Regulation 2018/1725 introduced some changes, which have led to some questions about these concepts, and the respective roles and responsibilities assigned to each in particular. The European School of Administration (EUSA) therefore invited the EDPS to organise training sessions on the subject for EU staff.
Sessions took place in Brussels on 18 February and 10 March 2020, and in Luxembourg on 4 March 2020. Our focus was on joint controllership, and on the arrangements between controllers in particular. We also invited participants to take part in practical case studies, helping them to put theory into practice and to explore in more detail the different roles involved in processing operations.
Another issue of concern for EU institutions is how to ensure respect for data protection rules in the organisation and management of events. EUSA therefore also invited us to organise a training session on this topic, which took place on 26 February 2020. The session focused on a case study, covering how to collect the consent of participants, keep them informed and deal with requests for access to data, among other considerations.
Alongside these more targeted sessions, we continue to provide individual training sessions aimed at specific EU services. At the request of the Data Protection Officer (DPO) at the EU’s Research Executive Agency (REA), we met with REA’s Director and top managers to discuss the main requirements of the new rules. In particular, we stressed the importance of consulting the DPO before launching a project. We followed this up with a session for over seventy members of REA’s staff, focused on clarifying all current and new obligations under the Regulation, as well as an analysis of different scenarios relating to personal data breaches and individual rights.
Picture perfect: the data protection guide to using photo booths
However, photo booths take images that identify individuals, and therefore involve the processing of personal data. They are also used publicly, with the aim of generating a positive customer experience, making it counterproductive to use them in a way that could violate anyone’s fundamental right to data protection.
Based on the results of our 2019 investigation on the topic, the EDPS has therefore developed some guidance on the use of photo booths by the EU institutions. This guidance helps controllers to identify the rules they need to comply with and, in line with the accountability principle, demonstrate this compliance. It can be found on the EDPS website.
AI and Facial Recognition: Challenges and Opportunities
We know that a substantial amount of data is processed to fuel and improve the machine learning algorithms at the heart of Artificial Intelligence (AI) and we are aware of the rapidly increasing precision and capabilities of ubiquitous surveillance equipment, but what is the EU’s approach to AI and Facial Recognition?
On 13 February 2020, the EDPS organised a workshop to discuss this and debate the challenges and opportunities of AI and Facial Recognition applications. The event gathered together more than 50 world-leading researchers, experts and practitioners from academia, regulators, business and civil society together, to share their insights and experiences and deepen our understanding of the challenges ahead and the possible policy responses.
The ideas and insights gathered at the workshop will help us to better plan and focus our future activities on the various technological, legal and regulatory issues related to Artificial Intelligence and Facial Recognition. This includes our contribution to the EU public consultation on the White Paper on AI and the other strategic documents unveiled by the European Commission on 19 February 2020.
The high-level discussions at the workshop will also contribute to the EDPS Strategy 2020-2024 and our long-term view of global trends, such as the need to ensure the sustainable development of new technologies and the assessment of their potential impact on fundamental rights.
EDPS Opinion on the opening of negotiations for a new partnership with the UK
On 24 February 2020, the EDPS issued an Opinion on the Commission Recommendation for the opening of negotiations for a new partnership with the UK (the negotiating mandate was adopted by the Council the next day).
The EDPS supports a comprehensive partnership with the UK, affirming the Parties’ commitment to ensuring a high level of personal data protection and fully respecting the EU’s personal data protection rules.
Given the aim of continued close cooperation between the EU and the UK at the end of the transition period, the EDPS welcomes the Commission’s commitment to work towards the adoption of adequacy decisions, provided that the relevant conditions are met.
The Opinion outlines 3 main recommendations in relation to the envisaged partnership:
- ensuring that the security and the economic partnerships are underpinned by similar commitments to respect fundamental rights including adequate protection of personal data;
- defining priorities where arrangements for international cooperation should be concluded in matters other than law enforcement, in particular for the cooperation between public authorities, including Union institutions, bodies, offices and agencies;
- assessing the issue of onward transfers of personal data, in light of the Opinion 1/15 of the CJEU both for the economic and the security partnerships.
With regard to the assessment of adequacy, the EDPS draws attention to
- the importance of such assessment under the Law Enforcement Directive and under the GDPR for cooperation between public authorities and its impact on transfers by Union institutions, bodies, offices and agencies to the UK;
- the importance of defining the scope of the envisaged adequacy decisions, in particular under the Law Enforcement Directive.
- the adoption of an adequacy decision is subject to specific conditions and requirements and, should the Commission present a draft adequacy decision, the EDPB should be involved as appropriate in due time;
- given the specific situation of the UK, any substantial deviation from the EU data protection acquis that would result in lowering the level of protection would constitute an important obstacle to the adequacy findings.
The EDPS finally recommends that the EU prepares for all eventualities, including where the adequacy decision(s) could not be adopted within the transition period, where no adequacy decision would be adopted at all, or where it would be adopted only in relation to some areas.