In this newsletter, we cover Artificial Intelligence and the EU's digital future, body temperature checks in times of COVID-19, data protection requirements in the prevention of money laundering and our IPEN Webinar on encryption.
On 7 September, the EDPS published a blogpost reflecting on the European Commission’s public consultation on its Communication A European strategy for data and its White Paper on Artificial Intelligence - A European approach to excellence and trust.
Artificial Intelligence (AI) is now ubiquitous, being used in many of our products and services. For example, AI is used by public administrations in hospitals, utilities, transport services, financial supervisors and other areas of public interest.
The EDPS advises prudence; the risks associated with AI and the ethical implications must be taken into consideration. A proper assessment of what the impact will be on individuals, fundamental rights and society as a whole should be carried out.
The European Strategy for Data focuses on the role of data in matters of public interest, and how the processing of personal data should serve humankind. The power of persuasion, nudging individuals to ‘volunteer’ their data to contribute to the greater good, cannot be underestimated. To this end, the EDPS believes there is a need to better define and lay down the scope and purposes that determine the circumstances in which this would be beneficial, for example in the health sector or for scientific research.
Both of these strategies are long-term endeavours and the EDPS will closely monitor the developments.
On 1 September 2020, the EDPS issued orientations on the use of body temperature checks by EU institutions, bodies, offices and agencies (EUIs) in the context of the COVID-19 crisis, highlighting that a careful assessment and appropriate data protection safeguards are necessary.
Wojciech Wiewiórowski, EDPS, said: “Body temperature checks of employees and visitors, used as an additional measure in the fight against COVID-19, can be implemented through a variety of devices and processes that should be subject to careful assessment. Some of these processes are neutral while others may constitute an interference into individuals’ rights to private life and/or personal data protection.”
In its advice, the EDPS distinguishes between body temperature checks that are subject to Data Protection Regulation (EU) 2018/1725 and those that are not. Basic body temperature checks that are designed to measure body temperature only, are done manually, and do not register, document or involve any other processing of the individual’s personal data are not, in principle, subject to the Regulation. Other systems of temperature checks, operated manually or automatically and followed by the processing of individuals’ personal data, are subject to the Regulation.
Finally, the EDPS advises EUIs implementing temperature checks to regularly review the necessity and proportionality of such measures, in light of the evolution of the epidemic and its scientific understanding.
Do you have any questions about the EDPS’ role, or about our day-to-day work regarding data protection, that you have never asked?
Take a look at our Frequently Asked Questions page on our website, available in English, French and German. The FAQs aim to help you better understand what we do, what personal data is and for what reasons the EUIs might process your personal information.
Take a look at our FAQs here.
Earlier this year, the EDPS was informally consulted on whether the processing of individuals’ data was considered as “large scale” processing in the sense of Article 39(3)(b) of Regulation (EU) 2018/1725.
In its consultation, which can be found in full here, the EDPS noted the following.
The term “large scale” in the context of data processing is neither defined in the EUDPR nor in the GDPR.
Nevertheless, it is an important concept, which may require a Data Protection Impact Assessment (DPIA) to be carried out.
The EDPS considered two factors to determine whether processing is ‘large-scale’ and therefore whether a DPIA should be carried out: the proportion of the relevant population concerned, and the nature of the personal data being processed and the possible related risks.
1. The proportion of the relevant population
No hard and fast numeric guidance as to what should be considered as “large-scale” can be provided regarding the total number of individuals concerned by the data processing.
However, some guidance is given in the Guidelines on Data Protection Officers (‘DPOs’), adopted in December 2016, revised on 5 April 2017 and endorsed by the EDPB, in which the notion of large-scale processing refers to the number of data subjects concerned, either as a specific number or as a proportion of the relevant population.
2. The nature of the personal data processed and possible related risks
Article 35(3) of the GDPR enumerates a non-exhaustive list of data processing operations that may represent a “high risk”. Further information is also provided in recital 91 of the Regulation.
A concrete example of what is considered “high risk” processing is when the processing of an individual’s data involves the assessment of their skills or whether they have been subject to a disciplinary procedure. Processing this information would be considered “high risk”, as it involves special categories of personal data and an “extensive evaluation” of the individual, and therefore a DPIA would need to be carried out.
Thursday 20 August 2020 marked the first anniversary of the death of European Data Protection Supervisor, Giovanni Buttarelli. The EDPS paid tribute to Giovanni’s life by sharing a selection of memories in a dedicated blogpost:
Wojciech Wiewiórowski, EDPS, wrote: “August 20th marks the first anniversary of the saddest day in the history of our institution. It was a year ago when we learned that the European Data Protection Supervisor Giovanni Buttarelli died in hospital in Milan, losing a long fight against a horrible disease. Though a whole year has already passed, and the world in Covid-19 times looks different than it was in August 2019, it is still hard for me to find the words to describe my feelings that day and to summarize somehow our long friendship with Giovanni.
I have read again the blog post I wrote a year ago and I still subscribe to each word I wrote. So let me refer you again to this text”.
Continue reading the EDPS Blogpost in memory of Giovanni Buttarelli.
Quantum computing applies the physical laws of quantum mechanics, offering an alternative to the way today’s computers process information. Whereas traditional computers use bits (0 or 1) as their building block, quantum computers employ quantum bits, or qubits, which can at the same moment be a combination of |0⟩ and |1⟩. As a result, quantum computers can have a speed advantage over classical computers, performing types of computation not available to current classical computers.
What are the data protection issues?
The data protection implications of quantum computing are significant in terms of data security and confidentiality of communications.
One reason is that quantum computing can break many of today’s classical cryptographic algorithms and as such severely harm IT security. The risk extends to the core internet security protocols. Nearly all of today’s systems that demand security, privacy or trust would be affected.
In addition, quantum computers may also have an impact on public-key cryptography, in terms of both confidentiality and authenticity. On a day-to-day basis, this means that online banking, online shopping, digital signatures and essential internet protocols like HTTPS (TLS), required for secure browsing, could be jeopardised.
We encourage you to read our TechDispatch #2 on Quantum Computing and Cryptography to find out more about cryptography, encryption and their impact on data protection.
To receive future issues of TechDispatch directly in your inbox, please sign up to our mailing list on the EDPS website.
On 27 July 2020, the EDPS published an Opinion and a Press Release on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing.
The EDPS highlighted that the Commission should make data protection a gold standard in the context of Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) compliance processes.
Wojciech Wiewiórowski, EDPS, said: “We welcome the Commission’s commitment to rely on the risk-based approach to streamline the legislative framework for the prevention of money laundering and terrorism financing, in line with the principle of proportionality. The Commission should strike a balance between the necessary measures to take for the general interest and the goals of the AML/CFT and the respect of the fundamental rights of privacy and personal data protection. General compliance with the EU AML/CFT rules by Member States must go hand in hand with the GDPR and the data protection framework”.
The EDPS notes the importance that the new governance mechanisms place on establishing a clear legal basis for the processing of personal data, as well as specific rules for the access to and sharing of information, particularly when personal data being processed is particularly sensitive.
In the context of future legislation on AML/CFT measures, the EDPS also recommends that appropriate safeguards are in place to guarantee compliance with the principles of data minimisation, purpose limitation and data protection-by-design, as well as the right of individuals to be informed when their data is collected and the purpose(s) for which data will be processed.
The EDPS aims to contribute to the discussion on encryption based on an in-depth understanding of the many ways cryptography works, its technical capabilities and limits. On 3 June 2020, the EDPS organised the first virtual IPEN Workshop.
With the theme “State of the art in encryption and its role for protection of privacy and personal data”, the online event attracted nearly two hundred participants and gathered experts on encryption and data protection to share their thoughts and views on the topic. Panellists included Wojciech Wiewiórowski, the European Data Protection Supervisor; Professor Bart Preneel, director of the COSIC Institute at Leuven University and lead scientist for the Belgian Covid app; Stefano Leucci, data protection lawyer and DPO at FCA Bank; Iraklis Symeonidis, computer scientist; and Commissioner Marit Hansen of the Data Protection Commission Schleswig-Holstein (Germany).
Among the topics discussed were the use of cryptography in the economy and society, the role of digital communications and encryption in times of COVID-19, as well as the challenges of enforcing the GDPR provisions on encryption in practice.
As a follow-up to the workshop, IPEN organised a Webinar on the Use of Encryption for Privacy Enhancing Technologies (PETs) on 24 June, to deepen the discussion and further explore other aspects of encryption.
For more information about IPEN, visit the dedicated page on our website.