In the April 2018 edition of the EDPS Newsletter we cover the EDPS Opinion on interoperability, data protection in conference organisation, social media monitoring and the EDPS-IPEN Privacy by Design contest.
In this issue
EDPS calls for wider debate on the future of information sharing in the EU
The EU needs a smarter approach to information sharing in order to address challenges relating to security and border management. Interoperability, the process of enabling large-scale EU databases to communicate and exchange information, might prove a useful tool, but it is also likely to have profound legal and societal consequences, the EDPS said on 16 April 2018, as he published his Opinion on the Proposals for two Regulations establishing a framework for interoperability between EU large-scale information systems. The Opinion follows a reflection paper published by the EDPS on interoperability on 17 November 2017.
Giovanni Buttarelli, EDPS, said: “Competent authorities across the EU must be able to share information in order to manage current migratory challenges and terrorist and crime-related issues. Interoperability, implemented in a well-considered manner and in full compliance with fundamental rights, could prove useful in facilitating this. However, in their current form, the Commission’s Proposals would alter the structure and operation of the EU’s existing IT databases and change the way in which fundamental legal principles in this area have traditionally been interpreted. As the precise implications of this for the rights and freedoms of individuals require more clarity, wider debate on the future of information exchange in the EU, the governance of interoperable databases and the safeguarding of fundamental rights is needed.”
Data protection for conference organisation
As part of the registration process for an international conference organised by one of the EU institutions, individuals were required to submit a scanned copy of their passport or identity card, in order to verify their identity. The EDPS received a complaint relating to this requirement, to which we responded on 10 April 2018.
In our investigation, we found that the EU institution could have used a less intrusive means of verifying the identity of participants, for example by checking passports or ID cards at the entrance to the conference and comparing them with the information submitted online. Moreover, in certain Member States, it is illegal to photocopy passports unless justified by the law. The EU institution also failed to formally notify its Data Protection Officer (DPO) of the collection of scanned copies of individuals’ ID, as is required under Regulation 45/2001, which sets out the data protection rules for the EU institutions. We therefore concluded that requesting scanned copies of participant ID in this case was disproportionate and not in compliance with the legal requirements laid out in Regulation 45/2001.
We also responded to concerns about the transfer of the personal data collected to the authorities of the host Member State, based on the premise that participants had consented to this. To qualify as a valid legal basis for the transfer of data, consent must be freely given. As participants were not able to register for this conference unless they gave their consent to share personal information with the host Member State authorities, their consent was not freely given and so consent cannot, in this case, be considered a valid legal basis for the transfer of data.
Data processing for social media monitoring
On 21 March 2018, we adopted an Opinion on the processing of personal data for social media monitoring at the European Central Bank (ECB). The ECB intends to use an external contractor to monitor and track discussions about ECB-related topics on different social media channels. Its aim is to gain a better understanding of how internet users perceive the ECB and to improve the ECB’s communication and reputation.
Specifically, the ECB intends to collect information on what is being said about them, topics related to their activities, the tone used and how far the information is spread. The external contractor will conduct the monitoring and analysis of the aggregated data on different groups of users, while the ECB will analyse this information and draft reports.
As some internet users who are not public figures may be indirectly identifiable by their quotes, their likes or their native language, we provided the ECB with some specific recommendations aimed at ensuring that the rights of individuals are respected. In particular, we focused on the need to ensure the quality of the data collected and processed, provided recommendations on the content of the contract with the external contractor and advised the ECB on individuals’ right of access to their own data. We also provided them with advice on the information they must provide to internet users and the security measures the contractor must adopt.
Assessing the implications of changing data protection rules
As part of our ongoing preparations for the revised Regulation 45/2001 on data protection in the EU institutions, on 15 March 2018 we organised a Working Group on Outsourcing.
When an EU institution or body is unable to perform or provide a service itself, it typically seeks to outsource this service to an external company. Model contract clauses, tendering procedures, on-going contracts and IT management, including the use of cloud services, are several ways in which it might do this. When the service provided by the external company involves the processing of personal data, this external company becomes a data processor.
Under the revised Regulation 45/2001, the rules on data processors are set to change. In particular, the new rules will impose direct obligations on data processors to ensure compliance with data protection rules. The focus of the Working Group’s discussion, therefore, was on determining the possible impact of these changing rules on the different ways in which the EU institutions outsource certain services.
The Working Group sought contributions from interested Data Protection Officers (DPOs) in the EU institutions and bodies, as well as from colleagues in the European Commission, with the aim of sharing problems and determining how best to prepare the EU institutions for these new rules. We will continue our work on this topic as part of our endeavours to ensure that the EU institutions are fully prepared when the new rules come into force.
Information exchange in the fight against terrorism and serious crime
In eight recommendations adopted on 20 December 2017, the European Commission advised the Council of the EU to authorise negotiations with Algeria, Egypt, Israel, Jordan, Lebanon, Morocco, Tunisia and Turkey to conclude international agreements on the exchange of data between Europol and these eight non-EU countries.
The Europol Regulation outlines the rules for the transfer of data from Europol to countries outside the EU. According to these rules, the conclusion of international agreements negotiated by the Commission would provide the required legal basis for the exchange of personal data between Europol and the authorities of these eight countries, in order to fight serious crime and terrorism.
On 14 March 2018, the EDPS issued an Opinion on the Commission’s recommendations. We stressed that any international agreements for the exchange of data between Europol and non-EU countries should strike a fair balance between the need to fight serious crime and terrorism and the need to protect personal data and other fundamental rights. Each agreement must also outline the specific conditions under which Europol can transfer personal data to the country concerned, recognising that these conditions will vary depending on the country.
In addition to some general recommendations aimed at ensuring that the negotiated agreements include the appropriate safeguards required by the Europol Regulation, our Opinion also focused on the Annexes to the Commission’s recommendations. These set out the mandates and directives the Council should give to the Commission in order to negotiate each agreement, including all data protection requirements with which the international agreements should comply. Our recommendations aimed to ensure that these requirements are comprehensive.
The EDPS stands ready to give further advice during the negotiations concerning these eight international agreements.
EDPS-IPEN to launch Privacy by Design contest for mHealth applications
On 28 March 2018 the EDPS, supported by the Internet Privacy Engineering Network (IPEN) and in partnership with the Data Protection Authorities of Austria, Ireland and Schleswig-Holstein, announced the forthcoming launch of the EDPS-IPEN Privacy by Design contest for mobile Health (mHealth) apps.
mHealth apps can provide beneficial services, helping to lower the cost of healthcare and empower patients, by giving them more control over their healthcare. They allow immediate access to medical care and information and, through the analysis of personal data, provide new insights for medical research.
However, processing sensitive personal data through connected devices can also reduce the control we have over our personal information, with the risk that it might be used in ways that compromise our interests and fundamental rights. The mobile app ecosystem, which does not currently guarantee effective protection for individuals and their personal data, only serves to increase this risk.
The EDPS-IPEN initiative aims to promote privacy engineering by recognising mHealth apps that implement the principles of privacy by design and by default, integrating privacy into new technology from the outset. We hope that the competition will help provide a reference for the privacy-friendly development of mobile apps and reinforce the importance of these principles in app development.
Prizes of € 20.000 and € 10.000 will be awarded respectively to the mHealth projects ranked in first and second place. Both winners will have the opportunity to present their projects at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC), which will take place in Brussels during the week of 22 October 2018.
More information about the competition is available on the EDPS website.
2018 IPEN Workshop to take place in Barcelona
The 2018 IPEN Workshop will take place in Barcelona on 15 June 2018, with the support of the Polytechnic University of Catalonia (UPC). It follows immediately after the ENISA Annual Privacy Forum 2018, which will take place on 13-14 June 2018, also in Barcelona.
The research and innovation laboratory of the Barcelona School of Informatics has kindly offered to host the 2018 Workshop on UPC premises, in Campus Diagonal Nord. Participation will be, as usual, free of charge.
For this edition of the IPEN Workshop, we are expecting contributions relating to privacy features of communications systems and devices and to industry processes related to ensuring data protection by design in systems development. We also welcome suggestions for other topics related to privacy engineering. Contributions may be in the form of a presentation of 15 to 30 minutes or a panel of up to 90 minutes. Breakout sessions may also be possible.
Potential contributors should send a short description of their topic to email@example.com by Monday 14 May 2018 at the latest.
You can follow the latest updates about the event on the Workshop webpage.
Data Protection Officers
Mr. Nikitas NIKITARAS (Deputy DPO), European GNSS Agency (GSA)
Mr. Ezio VILLA (Acting DPO), European GNSS Agency (GSA)
Speeches and Publications
Speech made by Giovanni Buttarelli at the Fifth World Congress for Freedom of Scientific Research on the General Data Protection Regulation (GDPR) in scientific research, Brussels, Belgium (12 April 2018).