In this edition of the EDPS Newsletter we cover the EDPS consultation on transfers of personal data, the virtual visit at the European Medicines Agency (EMA), the new TechDispatch on contact tracing and mobile apps, the 47th DPO virtual meeting among other topics.
On 9 May, also known as Europe Day, the EDPS published a blogpost on behalf of the EDPS and EDPB trainees about their hopes for the future, as a way to celebrate the 70th anniversary of Schuman Declaration.
The current crisis has disrupted our way of living and working. At the same time, it highlights that the European Values on which the EU was built - reconciliation, peace and solidarity - have never been more relevant.
Many, young and old alike, have taken for granted the rights and opportunities the EU offers, but these circumstances are making us re-evaluate and appreciate them.
European Data Protection Supervisor, Wojciech Wiewiórowski said, “… now more than ever, Europeans are ready to defend and further aliment the European project and its values”.
Cooperation in all aspects, including privacy, is the key for a prosperous future of the EU. Digital life has become a lifeline for manyin lockdown, and such cooperation means ensuring the right to data protection in the present and in the future.
Read the blogpost here.
Faced with a pandemic, such as the Coronavirus (COVID-19), it is essential that the number of new infection cases are lowered and eventually halted.
Contact tracing is the process of identifying all those that have had contact with an infected person, in order to isolate and prevent them infecting others.
In this context, Digital Proximity Tracing, involves radio wave sensors built into smartphones, which can be used to automatically detect close contacts. Smartphones can be equipped with new functionalities, such as dedicated smartphone applications and/or operating system software updates. Global Navigation Satellite Systems like GPS or Galileo, Bluetooth Low Energy (BLE) and Wi-Fi are among the technologies employed in this domain.
What about the implications for data protection?
This technology has privacy implications as it involves the processing of sensitive personal data and provides for preventive, contact recording of a very large number of the population in public and private spaces using radio wave signals invisible to human eyes. For this reason, contact tracing apps require a data protection assessment to be carried out before they are deployed. Data minimisation and privacy-enhancing technologies are also fundamental to prevent harm through the identification of contacts and infected cases.
To receive future issues of TechDispatch directly in your inbox, please sign up to our mailing list on the EDPS website.
The public health crisis around the world due to Covid-19, has disrupted our way of living and working. Adapting to the new normal, on 8 May 2020, the EDPS, organised the 47th meeting of the network of Data Protection Officers (DPOs) within the EU institutions (EUIs), the first remote DPO meeting using videoconference facilities.
The issues discussed at the meeting included:
The meeting was a lively and dynamic one with 117 participants, many putting forward questions and comments, and making it a successful virtual endeavour. You can read more in our blogpost here.
In April 2020, the EDPS addressed several questions from an EU institution (EUI) on transfers of personal data. Specifically, these questions related to the data protection provisions to be included in an agreement with a service provider concerning payroll services for its local employees located in a country outside of the EU with which there is no adequacy decision.
The EDPS explained why derogations for specific situations under Article 50 of Regulation (EU) 2018/1725 (or the EUIDPR), which applies to the processing of personal data by the EUIs, are not applicable in such cases.
The EDPS also referred to the application of Article 46 of the EUIDPR, which provides that any international transfers shall take place only if (subject to the other provisions of EUIDPR) the conditions of Chapter V are complied with by the controller and processor.
In particular, among the other provisions of the EUIDPR, Article 4 on the principles relating to processing of personal data, Article 5 on the lawfulness of processing and Article 29 on the processor are applicable. Article 29 obliges the EUI to have a contract or another legally binding arrangement with the service provider. The use of any grounds for transfers in Chapter V, including derogations, should never lead to the possible breach of fundamental rights. Moreover, the EUI’s personal data cannot be processed (solely) in accordance with guarantees provided by the law of the non-EU country.
The EDPS outlined that the proper legal basis for the international transfers of personal data to the service provider is Article 48(1) of the EUIDPR and that the EUI, as controller, must ensure that the service provider, as processor, is able to demonstrate appropriate guarantees and safeguards for the processing of the personal data it receives and processes on its behalf. The EUI should not engage any processor unwilling to provide such guarantees and safeguards to meet the requirements of the EUIDPR.
On 4 May 2020, European Data Protection Supervisor, Wojciech Wiewiórowski met (virtually) with the Executive Director of the European Medicines Agency (EMA), Professor Guido Rasi and other Senior colleagues. They discussed critical issues such as the secondary use of personal data in clinical research in a complex global environment.
He then gave the opening speech for a two and a half hour training session by the EDPS’ Supervision & Enforcement Unit for 322 participants from the EMA using videoconference facilities.
The training session covered how to determine who is a controller and processor, outsourcing requirements, joint controllership arrangements with reference to EMA's clinical trial's database and Eudravigilance database, personal data breaches, international transfers, use of real world health data for research purposes and safeguards under the Regulation (EU) 2018/1725.
The EDPS message during the training session was that the respect of personal data is wholly compatible with responsible research and that any technological, legal and organisational solutions should serve specified legitimate objectives.
Covid-19 outbreak is testing fundamental rights to data protection and privacy. EU Member States, EU institutions and Big Tech companies are trying to explore solutions to tackle the uncontrolled spread of the virus.
In the past weeks, contact tracing apps and data localisation have become a constant topic in the political agenda of the Union. Such technologies may have strong consequences on EU citizens’ lives and lead to growing inequalities.
The EDPS is cooperating with the EU institutions and the European Data Protection Board to ensure fundamental rights to be respected.
As a result, we established a Covid-19 task force to follow developments and to prepare for the future of data protection and privacy after Covid-19 crisis.
Follow the EDPS Covid-19 dedicated page if you wish to receive updates on the EDPS activites and action plan in the fight against the pandemic.