In this issue, we cover the EDPS’ strategic document for EU institutions to comply with the “Schrems II” Ruling, celebrating European Cybersecurity Month and attending the Global Privacy Assembly.
The European Data Protection Supervisor (EDPS) issued on 29 October a strategic document aiming to monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the “Schrems II” Judgement in relation to transfers of personal data to third countries, and in particular, the United States. The goal is that ongoing and future international transfers are carried out in accordance with EU data protection law.
Wojciech Wiewiórowski, EDPS, said: “Transfers of personal data by EUIs to third countries should comply with the EU Charter of Fundamental Rights, as well as applicable EU data protection legislation, specifically Chapter V of Regulation (EU) 2018/1725. To this end, the Strategy builds on the cooperation and accountability of controllers to assess whether the essentially equivalent standard of protection, based on the Court’s ruling, is guaranteed when transfers of personal data are made towards third countries. Furthermore, the EDPS will continue to closely cooperate with other Data Protection Authorities (DPAs) within the European Data Protection Board (EDPB) so that individuals’ personal data is consistently protected throughout the EU/EEA, when data transfers to third countries occur”.
In this context, the EDPS has developed an action plan to streamline compliance and enforcement measures, distinguishing between short-term and medium-term compliance actions.
As the strategy continues to be implemented, the EDPS strongly encourages EUIs to avoid transfers of personal data towards the United States for new processing operations or new contracts with service providers
The use of COVID-19 contact tracing apps rolled out in most EU Member States proves to be a continuous challenge on how new technology can be a part of the solution to tackle the global pandemic crisis while protecting sensitive data. In this respect, the EDPS organised on Wednesday 21 October an IPEN webinar on Contact Tracing Apps as a large scale exercise in privacy engineering.
The event gathered contact tracing app developers, national data protection authorities, and colleagues working in the field of data protection, to share experiences, challenges and learn about the day-to-day application of the legal obligations regarding data protection by design and by default.
The first part of the webinar provided participants with an overview on how contact tracing apps work and underlined the challenges that stemmed from developing these apps under enormous time constraints while integrating technological and data protection requirements to make their use suitable and secure for individual users.
On the technical side, participants learned that a unified approach was taken recently with the creation of the European Federation Gateway Service (EFGS). Run by the EU Commission, this digital infrastructure ensures that the communication of information between national apps' backend servers for contact tracing apps works seamlessly across borders. Thus, users will only need to install one app and will still be able to report a positive infection test or receive an alert, even if they travel abroad.
In the second part of the webinar, data protection authorities highlighted some of the legal implications of the deployment of contact tracing apps, including the dynamics of the assessment of a non-compliant use case: the Norwegian supervisory authority temporarily suspended the Smittestop app due to data protection concerns. According to them, a discussion with developers and the public on whether contact tracing apps uphold the data protection by design obligation and to what extent data generated and shared by the apps can be considered as personal data would be beneficial.
Read our TechDispatch#1 on Contact Tracing with Mobile Applications published earlier this year.
To celebrate European Cybersecurity Month, a campaign that takes place every October to raise awareness on technologies’ risks and opportunities, the EDPS published a blogpost on 5G, its purpose and impact on privacy and security.
5G is the fifth generation of cellular network technology designed to offer faster connections, higher capacity and improve service quality for cellular communication. This technology facilitates the interconnectivity of billions of devices and the further development and use in our daily lives of Smart Workplaces, wireless internet for Smart Homes, virtual reality, autonomous driving and even remote medical care.
As the EU aims to deploy 5G infrastructure and services across the Digital Single Market by 2020, with its full implementation planned after 2021, what are the implications of this technology in terms of security and privacy?
Overall, 5G’s capacity and potential involves the rapid collection of high volumes of data. Notable examples include location-tracking data, and information generated by the myriads of connected devices, such as personal details on individuals’ health. This data represents high-value information for advertising and surveillance that can be particularly harmful to vulnerable individuals who may be targeted for political, religious or commercial reasons.
Further risks have been identified regarding individuals’ personal data, as major 5G network and device manufactures are located or process data in third countries which do not necessarily provide the same level of protection as guaranteed by EU data protection law.
While 5G is an essential and necessary tool for digital transformations, going forward, its implementation must be carried out with full respect for individuals’ fundamental rights and legal obligations set out by EU data protection law. Controllers and processors of data have the appropriate tools at their disposal to take technological and organisational measures to both protect individuals’ personal data and reap the benefits of 5G for our society.
Between 12- 15 October, the EDPS took part in the Global Privacy Assembly (GPA), the premier global forum for data protection and privacy authorities.
The GPA, previously known as the International Conference of Data Protection Commissioners (ICDPPC), continues to be an opportunity for more than 130 supervisory authorities from across the globe to connect and share their perspectives on the developments in the field of data protection.
More specifically, participants discussed key elements of their international cooperation during which the EDPS continued to promote a fair and sustainable digital economy and a common vision on digitisation and technology. The EDPS’ goal is to shape a safer digital future for all.
A number of resolutions were adopted during the assembly on the impact that technologies may have on data protection, such as Facial Recognition and Artificial Intelligence. Part of the sessions that were organised focused on the COVID-19 pandemic and ongoing data privacy challenges that this health crisis poses.
As the event drew to a close, the EDPS reaffirmed that data protection and privacy are the foundations for democracy in a time of digitisation. Technology should serve humankind and be re-engineered along the lines of fundamental rights and values as well as the principles of data protection by design and data protection by default.
The 2020 workshop of data protection within International Organisations was a markedly different event than in previous years.
The continuing global health crisis has prevented an in-person workshop this year and so the EDPS hosted a shorter, online workshop on the afternoons of 8 & 9 October 2020.
This workshop, initiated by the EDPS in 2005, aims to bring together international organisations to share experience and best practice in the field of data protection and analyse the impact as part of good governance within international organisations.
In light of the COVID-19 pandemic, the theme of this year’s meeting was Data Protection in International Organisations in Times of Crisis. There was a definite appetite for the workshop and the theme, with over 140 participants from international organisations engaging in the discussions.
To help facilitate an overview of the state of play of data protection within international organisations, distinguished speakers – experts and academics from Europe and beyond, as well as colleagues from the EDPS – gave presentations on a number of pertinent subjects.
Topics discussed over the two afternoons included the impact of the pandemic for the protection of personal health data in a humanitarian context, remote working, contact tracing apps, level of preparedness and lessons learned during the COVID-19 pandemic and new developments and best practice to facilitate transfers to international organisations.
On 1 October 2020, the EDPS issued Formal Comments on the draft Commission Implementing Decision related to specific conditions for the Entry/Exit System (EES) website.
The Entry/Exit System (EES) was established by Regulation (EU) 2017/2226 to register entry and exit data, including information on the refusal of entry of third country nationals who applied for a short stay in the Schengen area.
In its advice, the EDPS proposed that the European Commission set up a website that explains the EES’s purpose and informs third country nationals on how their personal data is handled and the rights they have in this respect. The website should enable third country nationals to access the EES’ web services in order to verify how long they are entitled to stay in the Schengen Area.
Core recommendations included:
The EDPS will continue to assist and advise on the data privacy and security implications that the development of the EES website entails.
On 31 July 2020, the EDPS issued Formal Comments on the draft Commission Delegated Regulation concerning the European Public Prosecutor’s Office’s (EPPO) processing and categorising of personal data using a case management system (CMS). This Regulation is due to amend the Council Regulation (EU) 2017/1939 of 12 October 2017.
The EDPS emphasised that the processing of personal data regarding criminal investigations will have a significant impact on the lives of individuals’ concerned. For this reason, the legal framework applicable to EPPO must ensure that the limitations to the rights to privacy and data protection in the fight against criminal offences are necessary and proportionate. In practice, this means that EPPO’s processing, categorising and indexing of personal data in their CMS should be done according to the principle of data minimisation.
The draft Commission Delegated Regulation enumerated four categories of individuals’ personal data which may be processed in the CMS index:
a) a suspected or accused person;
b) a convicted person;
c) a person who reported or is a victim of offences;
d) contacts or associates referred to in points (a) and (b).
While the EDPS welcomes this proposed classification in line with Article 51 of Council Regulation (EU) 2017/1939, he points out that the latter category referring to “contacts or associates” could be too broadly interpreted; consequently leading to a large and inappropriate processing of data. Data collected must be limited to serving a specific and justified purpose according to EPPO’s duties only.
On 3 July 2020, the EDPS issued Formal Comments on Frontex’s draft working arrangements with third countries. The EDPS highlighted the lack of clear and essential data protection safeguards to ensure compliance with EU data protection law, with regard to the processing of personal data.
A number of recommendations were made on the circumstances in which exchanges of personal data may occur, the exercise of individuals’ data privacy rights, transfers of personal data to third parties and on the security and confidentiality of data.
The EDPS noted that particularly sensitive data may be exchanged between Frontex and third countries which would require, where applicable, additional precautionary and security measures. In some instances, the processing of data will be subject to restrictions and its purpose carefully defined. Article 90 of the EBGC Regulation further clarifies that data processed by Frontex for the purpose of identifying suspects of cross-border crime can only be exchanged with Europol, Eurojust or Member States’ competent authorities.
Other issues were touched on, such as the redress mechanisms to apply in cases where judicial remedies are not available in a third country committing to Frontex’s working arrangements. The EDPS also elaborated on how independent oversight can guarantee that the relevant third country and Frontex comply with specific provisions incorporated in a working arrangement.
As a supervisory authority for EU institutions, the EDPS will continue to closely monitor the development of Frontex’s activities in this area.