In this month’s newsletter, the EDPS calls for Digital Solidarity in times of COVID-19 and for working closely with EU Data Protection Supervisory authorities, in particular with regard to contact tracing apps. The EDPS also continued its investigative work into EU institutions’ activities, issuing further recommendations. The IPEN 2020 Online Workshop will take place on 3 June, covering the topics of encryption, cryptography and algorithms.
The EDPS calls for a pan-European approach against COVID-19
The global public health crisis we are facing requires extraordinary preventative measures to be put in place, such as lockdowns and social distancing; compliance with such measures requires supervision and oversight by enforcement authorities. In recent weeks, discussions about the use of contact tracing apps and of telecoms data have emerged both at EU and Member State level, raising questions about how containment measures can be reconciled with the EU data protection legal framework.
The EDPS addressed this dilemma in a video message released on 6 April. He stressed the need for the urgent, limited and temporary adaptation of the General Data Protection Regulation (GDPR) to tackle the unprecedented health crisis facing the EU; the GDPR should not be an obstacle to the processing of personal data, which may be necessary to combat the pandemic.
Wojciech Wiewiórowski, EDPS, said: “The European Data Protection Supervisor calls for a pan-European model ‘COVID-19 mobile application’, coordinated at EU level. Ideally coordination with the World Health Organisation should also take place, to ensure data protection by design globally from the start.”
The EDPS emphasised the importance of data protection principles by design and said that the EDPS and the data protection community stand ready to assist technology developers in this collective endeavour.
The EDPS called for Digital Solidarity to find a common solution to the crisis and, to this end, pointed out that the EDPS is already working closely with the European Data Protection Board and other EU Data Protection Supervisory authorities. This also includes the authorities of the Member States of the European Economic Area, which also have valuable input for the use of big data tools.
Carrying the torch in times of darkness
The outbreak of COVID-19 is affecting our lives at an unprecedented pace. It is testing the resilience of our societies as we respond to this global crisis and try to contain its consequences, both in the short and in the long run.
Personal data have played and will continue to play an important role in the fight against the pandemic.
However, we need to mind the endemic in times of pandemic.
Some trends in the digital economy will be amplified during and in the aftermath of the crisis: imbalance of power and information between a handful of powerful players and the people; insufficient transparency and accountability; growing inequality in the distribution of value; and the role of platforms as gatekeepers for solutions, choice, and innovation. Not to mention cybersecurity incidents and disinformation campaigns.
Continue reading blogpost by Wojciech Wiewiórowski
EDPS investigation into EU institutions’ use of Microsoft products and services
The EDPS has completed an investigation into EU institutions’ use of Microsoft products and services. On 24 March, we issued our findings and recommendations to all EU institutions.
Our focus in the report is on the risks posed by the Inter-Institutional Licensing Agreement (‘ILA’) signed with Microsoft in 2018.
Our recommendations principally target the following key objectives:
- EU institutions should retain all controllership rights under the ILA. At present, Microsoft retains broad discretionary rights over what data it processes, where and how: we do not think this appropriate given the public-interest context in which EU institutions use its software.
- The controller-processor agreement should be brought into compliance with Regulation 2018/1725. In particular, it should include effective audit rights and controls over Microsoft’s use of sub-processors.
- EU institutions should regain contractual control over where data is located, over international transfers and over requests for disclosure under third-country laws. The current ILA offers them few guarantees.
- EU institutions should work together to put in place technical measures to stem the flow of personal data generated and sent to Microsoft by its software.
EDPS remote investigation on EU institutions’ records
Under Article 31(5) of Regulation 2018/1725, “Union institutions and bodies shall keep their records of processing activities in a central register. They shall make the register publicly available.” The EDPS has previously issued guidance that making the register “publicly available” means publication on the internet. In early 2020, the EDPS decided to screen how EUIs comply with this obligation.
The first phase of this monitoring exercise was conducted remotely and unannounced to simulate availability to the general public. The inspection looked into whether:
- Any form of listing of processing operations was indeed available on the EUI’s website;
- The register contained records following the template published in EDPS guidance or comparable formats – as opposed to only providing links to data protection statements (format);
- The number of records listed is plausible (coverage).
At the end of the second phase of the inspection (11 March 2020), only 15 out of a total of 67 EUIs examined were considered fully compliant (according to the limited scope of the inspection).
The EDPS will continue to monitor EUIs’ progress towards fulfilling commitments they have made, welcomes several initiatives taken by DPOs since 11 March 2020 and invites all DPOs to make all records publicly available as soon as possible under the circumstances.
IPEN 2020 Online Workshop on data protection and encryption
What is the state of the art on cryptographic measures? On 3 June, the 2020 edition of the IPEN Workshop will explore algorithms, parameters and protocols of cryptography as well as new concepts of encryption. The aim is to help all parties involved to make the best use of encryption technologies, by promoting the understanding of available technologies and encouraging their development and usage in the context of the processing of personal data.
We welcome participation from all those who can contribute to the discussion based on their experience as privacy experts in an organisation or in a regulatory body, as developers and designers of solutions or as managers of technology-driven businesses.
Due to the current COVID-19 outbreak, the Workshop will be hosted online.
More information can be found on the IPEN 2020 Online Workshop webpage.