In this newsletter, we cover the EDPS Strategy 2020-2024, which focuses on Digital Solidarity. We also cover, in the context of The Hague Forum, a report on the use of Microsoft products and services by the EUIs. Finally, the EDPS published a report, accompanied by a factsheet and video, on Data Protection Impact Assessments, and the EDPS/EDPB trainees organised a conference on Data Protection in times of COVID-19.
In this issue
EDPS Strategy 2020-2024: Shaping a Safer Digital Future
On 30 June, the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, published his Strategy for 2020-2024, focusing on Digital Solidarity.
Wojciech Wiewiórowski, EDPS, said: “This is a new strategy for a new decade, to shape a safer, fairer and more sustainable digital Europe, particularly for the most vulnerable in our societies. My mandate will embody the spirit of collaboration and unity. We will continue to work with authorities and experts across different policy areas to address the digital asymmetries that have become more acute during the Covid-19 public health crisis”.
At his presentation of the EDPS strategy in an online event to which over 150 people registered, the Chair of the European Data Protection Board (EDPB) Andrea Jelinek and EU Commissioner for Justice, Didier Reynders contributed their remarks.
The three core pillars of the EDPS strategy outline the guiding actions and objectives for the organisation to the end of 2024.
The EDPS will continue to monitor legal, social and technological advances around the world and engage with experts, specialists and data protection authorities to inform its work.
To strengthen the EDPS’ supervision, enforcement and advisory roles, the EDPS will promote coherence in the activities of enforcement bodies in the EU and develop tools to assist the EU institutions, bodies and agencies to maintain the highest standards in data protection.
While promoting digital justice and privacy for all, the EDPS will also enforce responsible and sustainable data processing, to positively impact individuals and maximise societal benefits in a just and fair way.
EDPS Press Statement following the ruling of the European Court of Justice in Case C-311/18 (Schrems II)
The EDPS welcomes that the Court of Justice of the European Union, in its landmark Grand Chamber judgment of 16 July 2020, reaffirmed the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries. The EDPS will continue to strive, as a member of the European Data Protection Board (EDPB), to achieve the necessary coherent approach among the European supervisory authorities in the implementation of the EU framework for international transfers of personal data.
Read the statement.
The Hague Forum: Reinforcing cooperation for fair IT contracts in Europe
The Hague Forum, jointly organised with the Dutch Ministry of Justice and Security and the European Commission, met for the second time, on 2 July. The Hague Forum is a cooperation platform for public authorities in the EU, EU institutions (EUIs) and other international organisations to exchange information and strengthen their negotiation power with ICT service providers, including cloud service and communications providers.
On this occasion, the EDPS issued a Public Paper detailing its findings and recommendations on the use of Microsoft products and services by EU institutions. These findings may help public administrations when contracting ICT services, because of the similarities between the General Data Protection Regulation (GDPR) and Regulation (EU) 2018/1725, which applies to the EUIs.
Wojciech Wiewiórowski, EDPS, said: “Our expectation is that by sharing the results of our recent investigation, we will help public administrations to improve data protection compliance when negotiating contracts with their service providers. It is not appropriate that the data of people collected in the provision of services to public authorities is processed for their own purposes by these service providers. By sharing technical expertise and by reinforcing regulatory cooperation through this Forum, we can also contribute to ensuring the same level of data protection safeguards and measures for all consumers and public authorities living and operating in the EEA”.
The Public Paper emphasises that when public administrations enter into contractual relationships with ICT service providers, the terms of these contracts should reinforce the EUIs’ control over how and why personal data is processed.
EDPS Opinion: European Strategy for Data
On 16 June, the EDPS published its Opinion on the European Strategy for Data issued by the European Commission in February 2020. The aim of the Data Strategy, as set out in the Commission’s document, is to create a single European data space, making it easier for businesses and public authorities to access high-quality data to boost growth and create value.
This opinion, therefore, presents the EDPS view on the Data Strategy as a whole, and on certain specific aspects: the notion of “public good”, Open Data, use of data for scientific research, data intermediaries, data altruism, international data sharing and others.
While the EDPS understands the growing importance of data for the economy and society, such as for the development of a Digital Single Market and the EU’s digital sovereignty, it stresses that "big data comes with big responsibilities" and that appropriate data protection safeguards should be put in place. To this end, the EDPS supports the Commission’s commitment to develop the Data Strategy in a way that ensures European fundamental rights and values, including the right to the protection of personal data, are respected, and that is in full compliance with the GDPR.
Another point that the EDPS makes is that one of the objectives of the Data Strategy should be to prove the viability and sustainability of an alternative data economy model: open, fair and democratic.
The EDPS’ view is that the European data space should serve as an example of transparency, effective accountability and a proper balance between the interests of individuals and the shared interests of society as a whole.
Lastly, in the context of COVID-19, the EDPS reiterates its position that data protection is not part of the problem but part of the solution.
EDPS Guidelines: EUIs as employers in times of COVID-19
On 15 July 2020, the EDPS published a document entitled Orientations from the EDPS: Reactions of EU institutions as employers to the COVID-19 crisis, to guide the European institutions and bodies (EUIs), which have had to respond to the crisis not only within their policy roles but also as employers.
Building on the experience of the past months, the document compiles the issues that were raised to or encountered by the EDPS, and the advice given on questions related to teleworking tools, staff management, health data aspects and replying to data subject access requests. This is still relevant, as telework is likely to remain a big part of the ‘new normal’ for the foreseeable future.
Recommendations made by the EDPS relate to processing and minimising the collection of data, data retention and transfer, particularly when relying on external providers for certain products or services. In addition, the EDPS adds that keeping data secure requires the collaboration of IT departments, the Local Information Security Officer (LISO), the Data Protection Officers (DPOs) and all users. The EDPS also points out that the Covid-19 crisis does not suspend the rights that individuals have over their data.
The EDPS reiterated that data protection rules currently in force within the EUIs are flexible enough to allow various measures for the business continuity of EUIs operations. The EDPS is fully aware that some adaptations resulting from an emergency situation may require some time and stands ready to assist the EUIs.
The EDPS’ guidelines are addressed to controllers and DPOs in the EUIs. Controllers should consult their EUI’s DPO early in the process of developing organisational responses to this crisis. DPOs guide and advise controllers, but in the end, the EDPS reiterated, controllers are accountable for compliance with the Regulation.
Full EDPS guidelines here.
Reinventing the trainee conference in times of COVID-19
The data protection conference, organised for fellow EU trainees, is a long-established tradition marking the end of the cohort’s traineeship. This session could not have been more different, due to the current unprecedented circumstances, which the trainees had to overcome by finding innovative solutions to deliver this event. The webinar gathered experts in the field of data protection, all coming from different backgrounds (academia, business, regulatory and civil society), to address the following questions:
- Yesterday: Was the existing data protection framework robust and comprehensive enough to protect our rights before and during the global pandemic?
- Today: To what extent are the responses to the crisis in balance with the right to data protection?
- Tomorrow: Will the pandemic have a lasting effect on the perspective that society has on data protection?
Opening and closing remarks were made by European Data Protection Supervisor Wojciech Wiewiórowski and head of the Secretariat of the European Data Protection Board Isabelle Vereecken.
Christopher Kuner, Law Professor and Director of the Brussels Privacy Hub; Gary Davis, Global Director of Privacy Law and Enforcement Requests at Apple; and María Paz Canales, Executive Director of the NGO Derechos Digitales contributed to the discussion and exchanged with the trainees.
EU Institutions’ use of Data Protection Impact Assessments
On 6 July, the EDPS published a Report on how EU institutions, bodies and agencies (EUIs) carry out Data Protection Impact Assessments (DPIAs) when processing information that presents a high risk to the rights and freedoms of natural persons.
Wojciech Wiewiórowski, EDPS, said: “Data Protection Impact Assessments are one of the new and valuable accountability tools that EUIs use when they process sensitive personal data to measure the impact and risks to individuals. DPIAs also help to better understand how the data processing is changing in practice. Our Report, along with the replies received from our survey, allows the EDPS to provide further guidance on DPIAs in accordance with Article 39 of the Regulation applicable to EU institutions”.
The nature of processing operations for which DPIAs are carried out varies widely, with the main reasons for conducting a DPIA being the processing of sensitive or highly personal data, personal data processed on a large scale or the innovative use or application of new technology.
The EDPS will carry out targeted surveys such as this one more frequently in the future, as they are a useful way to monitor compliance with the Regulation.
European Commission’s GDPR Review: Stronger European solidarity for the enforcement of the GDPR
On 24 June, the EDPS welcomed the European Commission’s General Data Protection Regulation (GDPR) review, assessing the application of the Regulation after two years of experience with it.
The EDPS agrees with the Commission’s positive evaluation. The GDPR has strengthened the fundamental right to data protection, and contributed to raising awareness about the importance of data privacy, both within the EU and in other parts of the world.
As mentioned in the Commission’s report, the consistent and efficient enforcement of the GDPR remains a priority. Resources available to the national data protection authorities (DPAs) are sometimes insufficient, and there are some discrepancies caused by the different legal frameworks and national procedural laws.
Wojciech Wiewiórowski, EDPS, said: “We now need a stronger expression of genuine European solidarity, burden sharing and a common approach to ensure the enforcement of our data protection rules. The outstanding success of the GDPR is the combination of many factors but the European data protection authorities’ ability to enforce EU rules is key, in particular if we want to address some harmful data practices by powerful global players. The EDPS stands ready to share its resources and expertise”.
To accompany DPAs in their work, the EDPS shares the idea of setting up a Support Pool of Experts within the EDPB. This initiative could provide support to DPAs on complex and resource-demanding cases in a genuine expression of European solidarity and burden sharing.
EDPS-FRA: A renewed collaboration
On 22 June 2020, the European Data Protection Supervisor (EDPS) and the EU Agency for Fundamental Rights (FRA) renewed their cooperation agreement to further strengthen data protection across the EU.
As EU countries continue rolling out new coronavirus contact tracing apps and data localisation measures, data protection and privacy risks remain high on the agenda. Such technologies may have strong consequences for EU citizens’ lives and lead to growing inequalities.
Both FRA and EDPS argue that respect for fundamental rights, including privacy and data protection, has to be centre stage to make tracing apps, or any other technology, a success. They also highlight the importance of transparent, secure and voluntary use of technology to help curb the spread of the virus.
Wojciech Wiewiórowski, EDPS, said: "The outbreak of Covid-19 is affecting our lives at an unprecedented pace. It is testing the resilience of our societies as we respond to this global crisis and try to contain its consequences, both in the short and in the long run. Data protection is clearly not a problem, but part of the solution".
Michael O'Flaherty, Director of FRA, added: "Technology can play a vital role in our lives – be it in the transition to the ‘new normal’ or when used to safeguard public health. But it has to be used correctly, respecting people’s fundamental rights and data protection principles".
FRA and EDPS will continue working together in the future to put data protection issues in the spotlight.
EDPS online training sessions continue
The EDPS delivered two trainings in the course of June and July.
Both sessions included presentations, case studies and practical examples under Regulation (EU) 2018/1725.
On 2 June 2020, the EDPS’ Supervision & Enforcement Unit (S&E) hosted an online training session for 65 members of staff from the European Union Agency for Railways (ERA) in Valenciennes, focusing on the application of the data protection rules, principles and obligations under the Regulation with regard to event management, personal data breaches and the privacy rights of individuals in different contexts.
On 1 July, a training was held with 170 participants at the European School of Administration (EUSA) for staff from the European institutions and bodies (EUIs) representing controllers (Heads of Unit, Heads of Sector, case officers) and other members of staff dealing with personal data (procurement, legal and IT officers).
The session focused on data protection implications in procurement procedures, including how certain contractual clauses can undermine the protection of individuals.
The EDPS highlighted the following points:
- The importance for the EUIs to have a comprehensive data protection strategy to embed data protection in procurement.
- The EUIs should use privacy as a selection or award criterion when they procure products and services that will involve the processing of personal data.
- The contract is the final step of a procurement process and should clearly define its requirements, including those on data protection.
When outsourcing the processing of data, EUIs should request guarantees from prospective service providers and obtain the necessary safeguards in the contractual terms. The processing and sub-processing activities should be carried out in accordance with the Regulation and with the terms set out in the agreed contract.
On 14 September, the EDPS will deliver a training on the outsourcing of services and products by the EUIs. The training will have an extended focus on agreements, and the use of Standard Contractual Clauses between processors and the EUIs.
On 20 October, the EDPS will have a training session on transfers of data, in particular international transfers.
A detailed list of the EDPS’ upcoming trainings can be found here.
The EDPS stands ready to provide other trainings specifically tailored to the EUIs work. The EUIs should express their interest to their Data Protection Officer (DPO) or Data Protection Coordinators (DPC).
The right to information: transparent and intelligible
The EDPS issued a decision on a complaint submitted against the European Parliament, concerning a complainant’s access to their evaluation results in an intelligible form.
In the context of its inquiry, the EDPS obtained two versions of the evaluation results:
- the original version, with the assessment criteria and the complainant's respective scores;
- a heavily redacted version, without the assessment criteria and with only the complainant's scores visible.
The EDPS’ decision said that the complainant should also be given access to the specific assessment criteria, corresponding to the respective score obtained. Without them, the complainant would not be able to understand the results.
The European Parliament argued that disclosing the assessment criteria would jeopardise the objectivity and secrecy of future selection procedures. Indeed, the same assessment criteria are likely to be used in other selection procedures.
To eliminate this risk, the EDPS recommended that the Parliament invite the complainant to its premises for on-the-spot access to a slightly redacted version of the evaluation results, while presenting the information in an intelligible and transparent format.
EDPS decision on complaint against the European Commission
The EDPS issued a decision on a complaint against the European Commission regarding the request to access the assessment criteria and reason for which a complainant had not been pre-selected in a recruitment procedure.
The selection procedure and pre-selection process by the Commission are carried out via a database in the context of a Call for expression of interest launched by the European Parliament.
The EDPS initially found three breaches of Regulation (EU) 2018/1725.
Firstly, the Commission was in violation of Article 14(3), as it did not meet the one-month deadline to reply to the complainant. Secondly, the Commission was also in violation of Article 14(1) for not issuing a reply to the complainant in comprehensive, intelligible and clear language. Finally, the Commission was in breach of Article 17, as it did not give the complainant access to the assessment criteria and the reasons for not being pre-selected.
In its response, the Commission argued that the Call for expression of interest, the procedure and the database had been annulled following a judgment dated 26 March 2019. The Commission therefore did not hold any further personal data of the complainant. Furthermore, being registered in the database or passing tests is not a guarantee of recruitment.
Subsequently, the EDPS made three points:
- Regardless of whether the procedure was annulled, the complainant’s right of access is a continuous and permanent right. The processing of data had indeed occurred as the Commission had assessed the complainant’s application and information.
- For accountability purposes, the Commission should have kept a record of the documents and information on the complainant that had been processed during the pre-selection phase, including the reason for which they were not pre-selected. This should have been done by setting up a maximum retention period and the legitimate and necessary purposes for which the data was processed, such as complaints, access requests, audit/financial requirements.
- Although the Commission is not accountable for ensuring that all skilled candidates are registered in the database, it is, however, accountable for ensuring that the data protection rules and principles of the Regulation are duly applied throughout the whole selection procedure, including the obligation to ensure that the candidates’ right of access is respected.
ICRC publishes the 2nd Edition of the Data Protection Handbook in Humanitarian Action
On 3 June, the International Committee of the Red Cross (ICRC) published the 2nd edition of the Handbook on Data Protection in Humanitarian Action. This tool further expands the discussion launched by the 2015 International Conference of Data Protection and Privacy Commissioners’ Resolution on Privacy and International Humanitarian Action.
With the aim of stressing the importance of data protection in the realm of humanitarian organisations, the handbook builds on pre-existing laws and procedures applied during humanitarian emergencies. While some of them may have been put into practice before the development of data protection law, all of them are based on the principle of human dignity. The digitised and interconnected world we live in calls for new technologies to improve humanitarian action, while also respecting international data protection standards.
The handbook aims to help insiders navigate the complex world of data protection and privacy in order to find the most appropriate solutions. It includes up-to-date guidelines on the following topics: Digital Identity, Social Media, Blockchain, Connectivity As Aid, as well as Artificial Intelligence and Machine Learning.
In this sense, data protection and privacy should not be seen as an obstacle to humanitarian work, but as a tool to complement the work of humanitarians and ensure stronger protection of fundamental rights.
Speeches and Publications
Speech by Wojciech Wiewiórowski on the use of Microsoft products by European Union Institutions, on the occasion of the Hague Forum.
Speech by Wojciech Wiewiórowski delivered on the occasion of the presentation of the EDPS Strategy 2020-2024.
Video message by Wojciech Wiewiórowski delivered at the German Presidency of the European Council event 'Access to Justice in the Digital Age'.