Newsletter (85)

The EDPS and EDPB trainees have launched a new podcast entitled Democratic Societies in the Digital Age. The three-part series brings together experts from wide-ranging professional backgrounds and nationalities to answer the following question: Do all roads lead to datocracy? Along the way, our guest speakers will share their thoughts on a number of pertinent topics, such as mass surveillance and facial recognition technologies, online manipulation and dark patterns, emerging technologies and future challenges.

In the first episode, published on 8 February 2021, Ella Jakubowska, Policy and Campaigns Officer at European Digital Rights, tackles the issue of mass surveillance and facial recognition. Ella Jakubowska shares information on the role of the data protection framework and the correlation between private and public surveillance actors. She also touches on the “mission creep” phenomenon and gives some advice on what individuals can do to “reclaim their face”.

For the second episode, published on 15 February 2021, the EDPS and EDPB trainees invited Finn Mystrad, Director of Digital Policy at the Norwegian Consumer Council, and Harry Brignull, expert witness in deceptive design practices, to tackle the issues of online manipulation and dark patterns. They cover the level of deceptiveness used online to trick users, for example, into purchasing items. Both guest speakers share their advice on how individuals can counteract online deception and manipulation.

Concluding this podcast series, the episode published on 22 February 2021 focuses on emerging technologies and future challenges that may have an impact on data protection. Jared Brown, Senior Advisor for Government Affairs at the Future of Life Institute, and Dr Gabriela Zanfir-Fortuna, Senior Counsel for Global Privacy at the Future of Privacy Forum, discuss, among a variety of topics, the influence of Artificial Intelligence on our societies.  

All podcast episodes are available on the EDPS website.

Listen to Episode 1: Mass Surveillance and Facial Recognition
Listen to Episode 2: Dark Patters and Online Manipulation
Listen to Episode 3: Emerging Technologies and Future Challenges

On 2 February 2021, the EDPS issued Orientations on the use of manual contact tracing by EU institutions, bodies and agencies (EUIs) in the context of the COVID-19 crisis. While manual contact tracing can help to limit the spread of the virus and ensure that EUIs remain a safe working environment, it also involves collecting, sharing and storing highly sensitive personal information, such as medical and health data.

In his Orientations, the EDPS distinguishes between the processing of health data of EUIs’ staff members and non-staff members who are visiting the EUIs’ premises. Concerning staff members, EUIs should only collect the health data of those who have a confirmed diagnosis of COVID-19 and who may come to the office, as they are more susceptible of passing on the virus to other colleagues. EUIs should not collect the health data of their staff that are exclusively teleworking or did not come to the office when they were contagious. As for non-staff members, the EDPS highlights that EUIs do not have the same authority to process their health data but considers that informing a non-staff member that they may have been in contact with an infected individual is a matter of public interest.

The EDPS recommends that medical professionals, such as an EUI’s medical officer, should be in charge of processing health data. When communicating to individuals that they have been in contact with a person that has a confirmed diagnosis of COVID-19, the EDPS advises the following:

• to not reveal the identity of the individual that has a confirmed diagnosis of COVID-19;  
• to avoid informing simultaneously those who have been in contact with a person who has a confirmed diagnosis of COVID-19, as this would not respect the privacy of the individuals involved;
• refrain from including other, non-necessary, information about the infected person, such as information on their health condition or additional contact details that could identify the infected individual.

To find out more, read the EDPS Orientations on manual contact tracing by EU Institutions

On 29 January 2021, EDPS staff gave an online talk to staff from EASME - the executive agency for small and medium-sized enterprises - and other EU executive agencies about data protection in the fields of social media, remote communication and work tools.

As employees of EU institutions and agencies (EUIs), we are entitled to the protection of our privacy and personal data and we are obliged to protect others’ privacy when processing their data in our day-to-day work.

With most of their staff now teleworking because of the COVID-19 pandemic, EUIs are carrying out almost all of their operations remotely. While some EUIs already had the necessary tools in place for remote working, others had to adapt. As a result, we now use a variety of communication tools to work together at different times and places outside of our offices. This increased use of online services brought new challenges, in particular with regard to privacy and data protection.

The EDPS staff explained the relevant data protection obligations when EUIs select and use tools to support their processing operations. Based on its Orientations on reactions of EU institutions as employers to the COVID-19 crisis, the EDPS also gave executive agencies some tips on the most common issues and pitfalls to avoid when using social media and remote communication tools.

The EDPS emphasised that EUIs should not be too hasty in looking for new tools to support their work that they ignore data protection and security requirements.

EUIs should choose the communication and remote working tools that match a clearly defined use case. A use case is a technique to identify and describe:

• the scenarios in which the tool will be used;
• the goal of this tool;
• what the tool should and should not do;
• the behaviour of this tool, its scope and conditions for interacting with users;
• as well as the general requirements for the tool, including privacy, data protection and security requirements.

In addition to the use case, more detailed requirements should be identified and described separately.

In line with the principles of data protection by design and by default, EUIs must consider the most data protection and privacy-friendly solutions. During the talk, the EDPS presented possible alternatives to some of the most used tools.

The EDPS remains available to assist EUIs on how to select tools for remote working and will continue to monitor developments in this area.

On 19 January 2021, the EDPS’ Policy & Consultation Unit (P&C) held its annual meeting with the planning coordinators and data protection coordinators from across the European Commission services, including the Directorate-General for Justice and Consumers (DG JUST), the Legal Service and the DPO to discuss the Commission Work Programme for 2021.

EDPS’ P&C colleagues took stock of legislative consultations planned for this year under Article 42 of Regulation (EU) 2018/1725 as it is one of the European Commission’s responsibilities to consult the EDPS when proposed legislative acts, recommendations, delegated acts or implementing acts have an impact on the protection of individuals’ personal data. Once consulted, the EDPS gives its advice in the form of Opinions or Formal Comments.

At the meeting, colleagues from the Secretariat-General presented the updated internal Commission procedures to be applied by Commission services in case of formal and informal consultations of the EDPS.

On 12 January 2021, the EDPS released its Website Evidence Collector (WEC) version 1.0, available on our website here.

Originally launched in 2019 by the EDPS’ Technology and Privacy Unit, the WEC is a tool that collects evidence of personal data processing, such as cookies, or requests to third parties on websites. Data protection authorities, privacy professionals, data controllers and web developers can use the WEC to carry out their own website inspections and to better understand which information is stored during a website visit, such as the consecutive loading of a number of web pages without giving consent or logging in. The tool therefore helps to ensure that websites are compliant with the EU’s data protection regulations, namely the General Data Protection Regulation and Regulation (EU) 2018/1725.

After over a year of testing, the EDPS decided to call their latest version "1.0" to express the readiness for production use. The tool received a number of new configuration options to allow for example:

• virtualisation;
• browsing with the Do Not Track activated;
• custom browser profiles or pre-installed cookies.

In addition, the documentation was improved with, in particular, some proposals on how to carry out data evaluation.

The EDPS’ WEC is published as open source software under the European Union Public License (EUPL-1.2); the software is available for download via the EDPS’ website, on the European Commission’s collaborative platform Joinup and on the popular development platform GitHub.

The EDPS welcomes all contributions to the Website Evidence Collector in the form of ideas, bug reports or code. Feedback and suggestions for improvements can be sent to: tech-privacy@edps.europa.eu

Download the EDPS’ Website Evidence Collector now!

On 4 January 2021, the EDPS published a blogpost on the use of privacy engineering methods and tools in the conception and development of COVID-19 contact tracing apps. The blogpost was written as a follow-up to the Internet Privacy Engineering Network (IPEN) webinar, organised on 21 October 2020, that took stock of privacy experts’ and engineers’ recent and ongoing experiences with contact tracing apps.

The webinar focused on the technological issues of developing contact tracing apps, as well as the wider use of information technology for public health. Participants engaged in intense discussions on the challenges of developing apps that are both an effective tool to help control the spread of the virus and that ensure the protection of individuals’ privacy and personal data.

App developers explained that one of the risks they were aiming to address is related to traffic analysis: if only mobile apps registering a positive test for COVID-19 were transmitted to a country’s central database, such updates might reveal the identity of individuals that were infected. Data protection authorities (DPAs) shared that they were not always satisfied with the risk assessment and mitigation approaches chosen by app developers and were advocating for stronger and more effective measures.

As the EDPS continues to monitor these technological developments in cooperation with other DPAs and researchers, it appears that, mainly, what prevents a wide use of contact tracing apps is individuals’ lack of trust in their confidentiality. As such, improving the privacy features and increasing the transparency on the risks and benefits of these apps may encourage their use and therefore enhance their effectiveness to fight COVID-19.

Read Blogpost
View speakers’ presentations held at the IPEN webinar

At the outbreak of the COVID-19 pandemic, a number of EU Member States declared a state of emergency to put in place exceptional measures to protect their citizens which, in certain cases, included restrictions of individuals’ right to data protection. It is in this context that the European Data Protection Board (EDPB) adopted on 2 June 2020 a Statement on restrictions on data subject rights in connection to the state of emergency in Member States.

In addition, the EDPB issued more general Guidelines on the restrictions of individuals’ right to data protection under Article 23 of the General Data Protection Regulation (GDPR) on 15 December 2020. The EDPS acted as lead rapporteur for the drafting of these guidelines based on its experience of producing similar guidelines on Article 25 of Regulation (EU) 2018/1725, which is the data protection regulation for EU institutions, bodies and agencies.

In its Guidelines, the EDPB highlights that any restrictions put in place by an EU Member State must respect the essence of the fundamental rights and freedoms of individuals. Restrictions should be necessary, proportionate and serve a legitimate purpose, such as national and public security, as well as other objectives of general public interest listed under Article 23 of the GDPR.

Furthermore, restrictions that are extensive and intrusive to such a degree that they void a fundamental right of its basic content cannot be justified. As such, in any case, the following examples would not respect the essence of the fundamental right to data protection as enshrined in the EU Charter of Fundamental Rights:

• a general exclusion of all individuals’ right to data protection in relation to all data processing operations;
• a general limitation of the rights mentioned in Article 23 of the GDPR of all individuals in relation to specific data processing operations.

The EDPB also emphasises the importance of the foreseeability criterion that EU Member States should apply before putting in place a restriction on individuals’ right to data protection. In some cases, the legislative measure laying down the restriction may not be limited in time if the reason for the restriction is to safeguard a continuing objective in a democratic society which is not in itself limited in time, such as the protection of judicial independence and judicial proceedings.

The EDPB Guidelines were open for public consultation until 12 February 2021. The final version of these Guidelines is yet to be adopted and may include some amendments.

Read the EDPB Guidelines on restrictions under Article 23 of the GDPR