In Newsletter #84, we cover the EDPS end of year message, meeting data protection officers (DPOs) of the European institutions and bodies (EUIs), Opinions on eHealth and the New Pact on Migration and Asylum, and a fruitful exchange with the European Intellectual Property Office (EUIPO).
In this issue
Projecting our future: A privacy carol
In a blogpost published on 18 December 2020, European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski gives his personal outlook on this past year.
The Supervisor reflects on 2020’s challenges, notably the COVID-19 pandemic which, in his view, exacerbated inequalities. This unique year has tested civilisation’s unity, solidarity, hope and courage. But also confirms the importance of protecting people and their fundamental rights such as the right to data protection. With this in mind, he shares his perspective on the upcoming year:
Wojciech Wiewiórowski, EDPS, wrote: “More than digital sovereignty, I would like to refer to the EU’s digital values leadership in 2021. The digital values leadership is at the core of the EU’s ambition to not only be strategically autonomous in digital-driven choices, but also to inspire and promote the same values around the globe."
International data transfers top of the agenda for the 48th EDPS - DPO meeting
To mark the 48th meeting convening the EDPS and the network of data protection officers (DPOs) of the 68 EU institutions and bodies (EUIs) on Friday 11 December 2020, EDPS Director Leonardo Cervera Navas published a blogpost recounting this important event.
The online meeting was an opportunity for DPOs to voice their concerns on issues related to international transfers in light of the EDPS’ recently published Compliance Strategy and the EDPB’s Recommendations following the “Schrems II” Judgement. This session was particularly pertinent as the EDPS is acutely aware of the challenges that the Judgement’s implementation poses for EU institutions and bodies. Questions predominantly focused on technical details, such as the practical consequences for existing and new contracts, how to conduct Transfer Impact Assessments (TIAs), or the margin of manoeuvre with regard to the use of derogations or supplementary measures. As these complexities were discussed, European Data Protection Supervisor Wojciech Wiewiórowski reiterated that efforts to comply with “Schrems II” is a joint venture between the EDPS and data controllers in the EU institutions and bodies.
The second part of the meeting, entitled “Technology, Privacy in 2020 and beyond - a futuristic retrospective”, provided DPOs with a review of the tech challenges impacting the protection of personal data and privacy, as well as an overview of what 2021 may bring in this area.
As the event drew to a close, Leonardo Cervera Navas praised the continued cooperation between the EDPS and the data protection officers of the EU institutions and bodies.
Protecting the most vulnerable
In light of the amendments and proposals presented in the New Pact on Migration and Asylum by the European Commission, the EDPS published its Opinion on 30 November 2020.
One major change concerns the Regulation applicable to EURODAC, an EU database that identifies asylum seekers applying for international protection by collecting their fingerprint data.
While the EDPS understands the need for a more effective management of migration and asylum, he underlines that data protection is one of the last lines of defence for vulnerable individuals such as migrants and asylum seekers approaching the EU external borders. He therefore calls for an in depth fundamental rights and data protection impact assessment (DPIA), which was already recommended in his Opinion 07/2016 with regard to the proposed extension of the scope of Eurodac.
The change in the legislation would imply automatic linking of all data corresponding to the same third-country national in a “sequence” in the EURODAC database, potentially broadening EU Member States and Union authorities’ access to sensitive information that may not be relevant to assess applications for asylum. In this context, the EDPS recommends that the authorities of the Member States and the Union bodies should continue to only be able to see the data that is relevant for the performance of their tasks, even if the data sets are linked in a sequence.
Moreover, the EDPS recommends that the Commission
- clarifies the type of data stored in the database in line with the data protection principles of necessity and proportionality;
- updates the database’s security infrastructure with appropriate data protection safeguards;
- introduces the single model of coordinated supervision.
On the proposal for a Screening Regulation, which consists of collecting information on the identity, health and security checks of third-country nationals, the EDPS advises the Commission to evaluate their method of collecting and processing this data. In practical terms, this would mean taking into account the practices enforced at national level featuring different levels of efficacy, ensure that the information processed is accurate and uphold individuals’ right to rectify and/or supplement this data if needed.
The Schengen Information System: A tool for judicial cooperation
The EDPS was consulted on the European Commission’s amended Implementing Decision 2013/115/EU on the SIRENE Manual and other measures related to the Schengen Information System II (SIS II) on 20 November 2020.
Reformed in 2018, SIS II is also used in police and judicial cooperation in criminal matters, allowing the exchange of supplementary information with Europol - the EU Agency for Law Enforcement Cooperation - when an alert is issued. The rules and procedures that govern the exchange of this information are set out in the SIRENE Manual.
While the EDPS did not identify any major issues since the amendment relates to the technical nature of the Implementing Decision, it recommends that Europol keep statistics about the requests and replies related to the sharing of data from SIS II with third countries or bodies.
A European Health Data Space
On 17 November 2020, the EDPS published a Preliminary Opinion on the European Health Data Space (EHDS) as part of the Commission’s European strategy for data. The aim is to create a collaborative platform to exchange health data and foster medical and scientific research, therefore becoming an essential tool to prevent, detect and cure diseases. The goal of the EHDS is to enhance the effectiveness, accessibility and sustainability of healthcare systems.
This Preliminary Opinion aims to contribute to the Commission’s work on the future EHDS, in particular through the identifying of the essential elements that should be considered in the development of the EHDS from a data protection perspective, namely the legal basis, the governance and the right to data portability.
The EDPS supports the objectives of the EHDS, and says that protecting individuals’ personal data should be a priority in this initiative. Data protection laws - such as the GDPR- and appropriate safeguards should be embedded in the development of the EHDS, due to the sensitive nature of the information being processed. In the context of the COVID-19 pandemic, the European Union has seen more than ever the need for the GDPR data processing principles to be fully applied. In line with the recent European Council Conclusions, the EDPS recalls the fundamental rights to data protection and privacy, and calls for data protection principles to be integrated in future eHealth solutions that will soon be at the heart of all European eHealth systems.
Against this backdrop, the EDPS advises the Commission to clearly demarcate the nature, categories, and purpose of the data being processed; along with pinpointing the roles and responsibilities of each of the actors involved in making this data available on the EHDS sharing platform. Additionally, the technical requirements of the platform should be instrumental in ensuring the right to data portability.
The EDPS considers that solidarity between EU Member States, data protection authorities, EHDS users and healthcare professionals combined with an entrenched data governance mechanism embodying EU values will ensure that individuals’ personal data is managed in an ethical, responsible and safe way.
Combatting child sexual abuse online
On 11 November 2020, the EDPS issued Opinion 7/2020 in relation to the Commission's Proposal for a Regulation on a temporary derogation from certain provisions of the ePrivacy Directive (2002/58/EC). The Proposal relates to the voluntary use of technologies for the purpose of combatting child sexual abuse online by "number-independent interpersonal communications services".
The measures envisaged by the Proposal would constitute an interference with the fundamental rights to respect for private life and data protection of all users of very popular electronic communications services, such as instant messaging platforms and applications. Confidentiality of communications is a cornerstone of the fundamental rights to respect for private and family life and protection of personal data. Interference with confidentiality of communications is possible, but only under certain conditions.
The issues at stake are not specific to the fight against child abuse but to any initiative involving the collaboration of the private sector for law enforcement purposes. Child abuse is a particularly abhorrent crime and the objective of enabling effective action to combating child sexual abuse online clearly amounts to an objective of general interest recognised by the Union and seeks to protect the rights and freedoms of others.
Given the nature of the interference at hand, however, the EDPS considers that the measures to detect, remove and report child sexual abuse online must be accompanied by a comprehensive legal framework which meets the requirements of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards. Opinion 7/2020 provides an overview of the safeguards that are necessary to ensure that the persons whose personal data is affected have sufficient guarantees that their data will be effectively protected against the risk of abuse.
The Commission's Proposal will inevitably serve as a precedent for future legislation in this field. The EDPS therefore considers it essential that the Proposal is not adopted, even in the form of a temporary derogation, until all the necessary safeguards set out in its Opinion are integrated.
Schrems II & international transfers
As a member of the European Data Protection Board (EDPB), the EDPS actively contributed to the drafting of Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, and the Recommendations on the European Essential Guarantees for surveillance measures published on 10 November 2020.
These documents were adopted after the ‘Schrems II’ ruling, to ensure that ongoing and future international data transfers are carried out in accordance with EU data protection law.
EDPB Recommendations on supplementary measures
The Recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where such measures are needed to ensure an essentially equivalent level of protection when personal data is transferred to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the CJEU’s ruling across the EEA.
The Recommendations include a roadmap of the steps data exporters must take to determine if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and to help them identify those that could be effective. To assist data exporters, the Recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective. The supplementary measures may be of a technical, contractual and organisational nature and some specific examples are provided.
Data exporters remain responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable for the decisions they take on that basis. Data exporters will, in many cases, come to the conclusion that supplementary measures will not be sufficient to address the risks identified.
The Recommendations on supplementary measures are subject to public consultation until 21 December 2020.
EDPB Recommendations on European Essential Guarantees
The EDPB also adopted the Recommendations on the European Essential Guarantees (EEG) for surveillance measures. This document is an update of the previous WP29 Working document on the EEG to take into account the “Schrems II” Judgment and other CJEU judgments (in particular, Privacy International and La Quadrature du Net). EEG concern the guarantees to be taken into account when assessing the interference stemming from the surveillance measures by a third country’s public authorities, being national security or law enforcement authority, to the rights to privacy and to data protection, when transferring personal data. They are therefore not to be confused with the overall assessment made by the Commission of a third country's legal system when it decides on the adequacy of a third country, although they are part of this assessment.
The four EEG are the following:
- processing should be based on clear, precise and accessible rules;
- necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
- an independent oversight mechanism should exist;
- effective remedies need to be available to the individual.
Tax compliance and data privacy
Recognising the importance of tax compliance as a matter of public interest, the EDPS emphasises the need to strike a balance between protecting individuals’ personal information and enforcing an effective proposal to tackle tax evasion. To this end, the principles of data protection by design and by default, data minimisation and data accuracy in the context of automatic exchanges of information between national tax authorities should apply.
To manage the ‘secure central interface’ which allows administrative cooperation on taxation, the EDPS refers the Commission to the Guidelines on the protection of personal data in IT governance and management of EU institutions to ensure security of processing in compliance with Regulation (EU) 2018/1725. Technical and logistical support ought to be provided in collaboration with EU Member States via defined administrative arrangements under Directive 2011/16/EU.
As a supervisory authority, the EDPS may follow up on possible updates concerning the ‘secure central interface’ and, more broadly, the implications stemming from the Commission’s role within processing operations in the context of administrative cooperation on taxation.
Fruitful cooperation with EUIPO
On 19 October, European Data Protection Supervisor Wojciech Wiewiórowski (EDPS) and Executive Director of the European Union Intellectual Property Office Christian Archambeau (EUIPO) met remotely, at the request of their DPO, for a fruitful exchange focusing on how to extend their cooperation on data protection issues. Both colleagues expressed a mutual willingness to take part in further discussions to draw on each other’s experiences and knowledge.
In this spirit, colleagues from the Supervisory & Enforcement Unit (S&E) organised a two-day training session covering obligations under Regulation (EU) 2018/1725, a review of individuals’ rights and restrictions, and the application of data protection principles in the context of remote working, in-person events, procurement and outsourcing activities. EUIPO’s data controllers, data protection coordinators and their Heads of Units also received a training on the implementation of data protection safeguards in different circumstances, for example when processing health data in a post-pandemic society. The session concluded with an analysis on data sharing mechanisms with non-EEA international organisations, public authorities and private companies.
As a follow up, colleagues from the Technology & Privacy Unit (T&P) had a virtual visit of EUIPO’s Digital Transformation Department (DTD), which manages all of the agency’s IT infrastructure and applications. T&P learned more about EUIPO’s 44 projects planned for next year, including the use of blockchain technology, 3D printing and 21 distinct AI tools and services, all developed in-house. Productive discussions were held on a range of matters, such as incident management, software’s development lifecycle, video conference platforms, data protection breaches and cloud computing. The conversation ended with the data protection challenges of cutting-edge technologies.
The EDPS and EUIPO view these sessions as an ongoing effort to strengthen and promote a strong data protection culture in their organisations’ respective duties and daily activities.
EDPS Decision: The right to access personal data
On 22 September 2020, the EDPS issued a decision on a complaint made by a candidate who was refused access to their personal data by an EU institution (EUI) during a selection procedure. The candidate, who was excluded from the process because of a conflict of interest, wanted to receive the Selection Board’s sub-score suggestions and observation notes from their participation in the preliminary stage of the competition, as well as the log files and audit trails related to the submitted application.
The EUI justified their decision based on three arguments. Claiming that the candidate’s disqualification meant that they could not have access to this information, the scores were not finalised and that such disclosure would undermine the Selection Boards’ confidential proceedings.
The EDPS considers that the assessment of the candidate’s performance by way of observationa notes and sub-score suggestions amounts to personal data relating to an identified person, and must therefore be given to them as long as they do not directly or indirectly identify any individual member of the Selection Board. In addition, the EDPS highlights that the candidate’s elimination from the process was not an eligible ground to prevent them from accessing their results.
Applying the Staff Regulation Article 6 of Annex III, the EDPS notes the importance of protecting the anonymity of the Selection Board members, at the same time, this reason cannot be invoked at the expense of the individual’s fundamental right to access their personal data.
Consequently, the EDPS proposes that an overall evaluation summarising the candidate’s scores, as well as the log files and audit trail, should be shared with them, without giving away the identity of those who were authorised to handle the complainant’s personal data.
Data protection & customs declarations
On 31 August 2020, the EDPS issued Formal Comments on the Implementing Regulation, which harmonises customs declarations and notification requirements in the Union Custom Code (UCC), in order to simplify the procedure for the movement of goods in and outside the EU.
The EDPS welcomes the approach to unify and update the formats and codes of the data requirements for declarations, notifications and proof of the customs status of Union goods to customs authorities, as this would enhance the data quality and efficiency of the overall process.
The EDPS notes that the exchange and storage of information between customs authorities as well as between customs authorities and economic operators mainly involve information concerning legal persons. In this context, the EDPS reiterates that the judgement of the Court of Justice of European Union in Joint Cases C-92/09, Volker und Markus Schecke Gbr v. Land Hessen, and C-93/09, Eifert v. Land Hessen and Bundesanstalt für Landwirtschaft und Ernahrung, in which the Court ruled that the name of a legal person should be considered as personal data if the official title of the legal person identifies one or more natural person. Consequently, it cannot be excluded that the common data requirements would also concern the processing of personal data within the scope of the GDPR.
Furthermore, the EDPS notes that the draft Delegated Regulation entails the processing of limited categories of personal data for the performance of the customs declaration obligations pursuant to the UCC.
In the light of the above, the EDPS concludes that the draft Delegated Regulation does not raise data protection issues that would merit specific recommendations.
On 28 August 2020, the EDPS responded to the European Commission’s legislative consultation on an EU scheme rating the smart readiness of buildings. The scheme uses a specific indicator to assess how a building’s energy consumption fluctuates depending on the occupants’ needs, coupled with the use of built-in home appliances such as self-adapting thermometers. By weighing up these competing factors, the scheme could optimise a building’s overall energy performance.
In its Formal Comments, the EDPS indicates the initiative implies that some personal information about occupants’ daily activities would be processed, in addition to data from smart home devices.
A prior assessment of cybersecurity and privacy threats, in line with the principle of privacy by design and by default is recommended in order to identify, address and inform users about relevant data protection risks before using ‘smart-ready technology’ or ‘smart-ready services’.
The EDPS emphasises that the proposed regulation should ensure a high level of protection of personal data, delineating the purpose, type and nature of data being processed, particularly when incorporating home automation systems.
EU-Canada data transfers in the area of customs cooperation
In the context of the EU’s trade agreement with Canada, the Council drew up a proposal facilitating the mutual recognition of the EU and Canada’s economic partnership programmes to simplify trade activities and harmonise border controls by customs authorities. The Joint Customs Cooperation Committee (JCCC) will be in charge of overseeing its application, as this proposal would be a legally binding decision between customs authorities.
On 26 August 2020, the EDPS reaffirmed the requirements for international transfers of personal data, and gave some indications on monitoring the application of data protection rules.
Data transfers between EU Member States and Canada’s respective customs authorities are conditional on whether the third country of destination for the transfer is able to guarantee the same level of data protection enforced in the EU, apply appropriate safeguards and specific derogations to satisfy different types of data processing operations outlined in Chapter V of the GDPR. Such data protection safeguards are enforceable between public authorities.
The EDPS considers that the proposal should lay down all the conditions under which processing individuals’ personal data is permitted, and to clearly define data protection authorities’ role in monitoring the application of data protection rules.
Technical rules for the Schengen Information System
On 26 August 2020, the EDPS issued its Formal Comments on the European Commission’s draft Implementing Decisions on the technical rules surrounding the entering, updating, deleting and searching data in the Schengen Information System II (SIS II) and on the minimum data quality standards and technical specifications for biometric data.
The EDPS highlights that processing personal data - especially biometric data - of a large number of people is liable to have a significant impact on the individuals concerned. It is therefore essential that both the legal framework and the technical rules applicable to SIS II are fully compliant with the EU’s data protection laws.
In particular, the EDPS emphasises that powers delegated to eu-LISA - the EU agency responsible for the operational management of SIS II, among large-scale IT systems- to further define and develop a number of technical criteria should depend on a strong legal basis. These additional technical criteria should be either formally adopted - or at least reviewed - and officially approved by the Commission, especially as these would be legally binding between EU Member States, Europol, Eurojust and Frontex. The same approach should apply to any subsequent amendments.
Finally, the EDPS notes that the sub-delegation of powers by the Commission to a Union agency raises a number of questions such as legal competence and allocation of responsibilities, which are to be closely monitored.