In newsletter #85, read about the EDPS' recommendations on the proposed EU-UK agreements; the EDPS' Opinions on the Digital Services Act and the Digital Markets Act; the EDPS-EDPB Joint Opinions on two sets of Standard Contractual Clauses (SCCs). Discover or rediscover the EDPS- EDPB trainees' podcast series entitled: Democratic Societies in the Digital Age; and the EDPS' TechDispatch #3/2020 on Personal Information Management Systems (PIMS); as well as many other topics!
In this issue
Data protection is non-negotiable in international trade agreements
On 22 February 2021, the EDPS published its Opinion on two proposed agreements between the European Union (EU) and the United Kingdom (UK): the Trade and Cooperation Agreement (TCA) and an agreement on the security procedures for exchanging and protecting classified information.
Given the close cooperation that is expected to continue between the EU and the UK, the EDPS welcomes these two agreements. In particular, the EDPS notes that the TCA is based on respecting and safeguarding human rights and the parties’ commitment to ensure a high level of protection of personal data.
Nevertheless, the EDPS regrets that the TCA fails to faithfully take over the EU’s horizontal provisions for cross-border data flows and for personal data protection. Such provisions, which the European Commission has repeatedly stated as non-negotiable, allow the EU to include measures to facilitate cross-border data flows in trade agreements while preserving individuals’ fundamental rights to data protection and privacy. Thus, in amending these horizontal provisions, the TCA creates legal uncertainty about the EU’s position on the protection of personal data in the context of trade agreements and risks creating friction with the EU data protection legal framework.
Wojciech Wiewiórowski, EDPS, said: “The wording agreed with the UK on data protection and privacy must remain an exception. We strongly recommend that the European Commission reiterates its commitment to the horizontal provisions as the only basis for a future trade agreement with other non-EU countries and that personal data protection and privacy rights will not be up for negotiation.”
EDPS-EDPB Podcast: Do all roads lead to datocracy?
The EDPS and EDPB trainees have launched a new podcast entitled Democratic Societies in the Digital Age. The three-part series brings together experts from wide-ranging professional backgrounds and nationalities to answer the following question: Do all roads lead to datocracy? Along the way, our guest speakers will share their thoughts on a number of pertinent topics, such as mass surveillance and facial recognition technologies, online manipulation and dark patterns, emerging technologies and future challenges.
In the first episode, published on 8 February 2021, Ella Jakubowska, Policy and Campaigns Officer at European Digital Rights, tackles the issue of mass surveillance and facial recognition. Ella Jakubowska shares information on the role of the data protection framework and the correlation between private and public surveillance actors. She also touches on the “mission creep” phenomenon and gives some advice on what individuals can do to “reclaim their face”.
For the second episode, published on 15 February 2021, the EDPS and EDPB trainees invited Finn Mystrad, Director of Digital Policy at the Norwegian Consumer Council, and Harry Brignull, expert witness in deceptive design practices, to tackle the issues of online manipulation and dark patterns. They cover the level of deceptiveness used online to trick users, for example, into purchasing items. Both guest speakers share their advice on how individuals can counteract online deception and manipulation.
Concluding this podcast series, the episode published on 22 February 2021 focuses on emerging technologies and future challenges that may have an impact on data protection. Jared Brown, Senior Advisor for Government Affairs at the Future of Life Institute, and Dr Gabriela Zanfir-Fortuna, Senior Counsel for Global Privacy at the Future of Privacy Forum, discuss, among a variety of topics, the influence of Artificial Intelligence on our societies.
All podcast episodes are available on the EDPS website.
EDPS Opinions on the Digital Services Act and the Digital Markets Act
On 10 February 2021, the EDPS published Opinions on the European Commission’s proposals for a Digital Services Act and a Digital Markets Act. Both Opinions aim to assist the EU legislators to shape a digital future rooted in EU values, including the protection of individuals’ fundamental rights, such as the right to data protection.
The EDPS welcomes the proposal for a Digital Services Act that seeks to promote a transparent and safe online environment. In his Opinion, the EDPS recommends additional measures to better protect individuals when it comes to content moderation, online targeted advertising and recommender systems used by online platforms, such as social media and marketplaces.
In his Opinion on the Digital Markets Act, the EDPS welcomes the European Commission’s proposal that seeks to promote fair and open digital markets and the fair processing of personal data by regulating large online platforms acting as gatekeepers. The EDPS highlights the importance of fostering competitive digital markets so that individuals have a bigger choice of online platforms and services that they can use.
Wojciech Wiewiórowski, EDPS, said: “Competition, consumer protection and data protection law are three inextricably linked policy areas in the context of the online platform economy. Therefore, the relationship between these three areas should be one of complementarity, not friction.”
To guarantee the successful implementation of the European Commission’s Digital Services Act package, the EDPS calls for a clear legal basis and structure for closer cooperation between the relevant oversight authorities, including data protection authorities, consumer protection authorities and competition authorities.
COVID-19: Manual Contact Tracing by EUIs
On 2 February 2021, the EDPS issued Orientations on the use of manual contact tracing by EU institutions, bodies and agencies (EUIs) in the context of the COVID-19 crisis. While manual contact tracing can help to limit the spread of the virus and ensure that EUIs remain a safe working environment, it also involves collecting, sharing and storing highly sensitive personal information, such as medical and health data.
In his Orientations, the EDPS distinguishes between the processing of health data of EUIs’ staff members and non-staff members who are visiting the EUIs’ premises. Concerning staff members, EUIs should only collect the health data of those who have a confirmed diagnosis of COVID-19 and who may come to the office, as they are more susceptible of passing on the virus to other colleagues. EUIs should not collect the health data of their staff that are exclusively teleworking or did not come to the office when they were contagious. As for non-staff members, the EDPS highlights that EUIs do not have the same authority to process their health data but considers that informing a non-staff member that they may have been in contact with an infected individual is a matter of public interest.
The EDPS recommends that medical professionals, such as an EUI’s medical officer, should be in charge of processing health data. When communicating to individuals that they have been in contact with a person that has a confirmed diagnosis of COVID-19, the EDPS advises the following:
- to not reveal the identity of the individual that has a confirmed diagnosis of COVID-19;
- to avoid informing simultaneously those who have been in contact with a person who has a confirmed diagnosis of COVID-19, as this would not respect the privacy of the individuals involved;
- refrain from including other, non-necessary, information about the infected person, such as information on their health condition or additional contact details that could identify the infected individual.
To find out more, read the EDPS Orientations on manual contact tracing by EU Institutions
The international exchange of personal data in law enforcement and criminal justice
On 2 February 2021, the EDPB adopted Recommendations on the adequacy referential under the Law Enforcement Directive (LED). The aim of this document is to provide a list of elements to take into account when assessing the adequacy of the protection of personal data in non-EU countries in the field of law enforcement and criminal justice. A similar adequacy referential under the GDPR was already adopted by the EDPB in 2018.
Building on the legal provisions of the LED and the case law of the Court of Justice of the EU, the document lays down the EU data protection standards for transfers in police cooperation and judicial cooperation in criminal matters. The adoption of the LED adequacy referential is timely, as it will provide practical guidance for the Commission when assessing the adequacy of the UK.
The EDPS played an active role in the preparation and adoption of the document, especially because the Commission’s adequacy decisions under Article 36 of the LED on the international exchange of personal data also serve as a legal basis for transfers by EU agencies, such as Europol, the law enforcement agency; Eurojust, the agency for criminal justice cooperation and EPPO, the independent body competent to fight crimes against the EU’s budget.
EASME: Let’s talk privacy-friendly teleworking tools!
On 29 January 2021, EDPS staff gave an online talk to staff from EASME - the executive agency for small and medium-sized enterprises - and other EU executive agencies about data protection in the fields of social media, remote communication and work tools.
As employees of EU institutions and agencies (EUIs), we are entitled to the protection of our privacy and personal data and we are obliged to protect others’ privacy when processing their data in our day-to-day work.
With most of their staff now teleworking because of the COVID-19 pandemic, EUIs are carrying out almost all of their operations remotely. While some EUIs already had the necessary tools in place for remote working, others had to adapt. As a result, we now use a variety of communication tools to work together at different times and places outside of our offices. This increased use of online services brought new challenges, in particular with regard to privacy and data protection.
The EDPS staff explained the relevant data protection obligations when EUIs select and use tools to support their processing operations. Based on its Orientations on reactions of EU institutions as employers to the COVID-19 crisis, the EDPS also gave executive agencies some tips on the most common issues and pitfalls to avoid when using social media and remote communication tools.
The EDPS emphasised that EUIs should not be too hasty in looking for new tools to support their work that they ignore data protection and security requirements.
EUIs should choose the communication and remote working tools that match a clearly defined use case. A use case is a technique to identify and describe:
- the scenarios in which the tool will be used;
- the goal of this tool;
- what the tool should and should not do;
- the behaviour of this tool, its scope and conditions for interacting with users;
- as well as the general requirements for the tool, including privacy, data protection and security requirements.
In addition to the use case, more detailed requirements should be identified and described separately.
In line with the principles of data protection by design and by default, EUIs must consider the most data protection and privacy-friendly solutions. During the talk, the EDPS presented possible alternatives to some of the most used tools.
The EDPS remains available to assist EUIs on how to select tools for remote working and will continue to monitor developments in this area.
Data for the public good: Building a healthier digital future
On 25 January 2021, the EDPS organised an online side event at this year’s Computers, Privacy and Data Protection (CPDP) conference entitled Data for the public good: Building a healthier digital future. The aim was to assess the impact of measures taken in response to the COVID-19 pandemic and identify ways in which data can be used to be better prepared for the next one.
The EDPS invited experts from the EU public health community, international organisations, academia and civil society to consider the following two questions:
- When will the new normal stop being normal?
- How can we ensure a safer healthier digital future?
The speakers stressed the importance of striking the right balance between taking measures to control the spread of any virus, such as COVID-19, and mitigating the adverse effects that these measures may have on fundamental rights, including the right to the protection of personal data.
The interplay between European law, scientific research, the use of health data, technology and data protection resulted in dynamic and insightful discussions between our distinguished speakers and the participants attending the event.
The speakers’ presentations can be found here.
Annual meeting: the European Commission Work Programme for 2021
On 19 January 2021, the EDPS’ Policy & Consultation Unit (P&C) held its annual meeting with the planning coordinators and data protection coordinators from across the European Commission services, including the Directorate-General for Justice and Consumers (DG JUST), the Legal Service and the DPO to discuss the Commission Work Programme for 2021.
EDPS’ P&C colleagues took stock of legislative consultations planned for this year under Article 42 of Regulation (EU) 2018/1725 as it is one of the European Commission’s responsibilities to consult the EDPS when proposed legislative acts, recommendations, delegated acts or implementing acts have an impact on the protection of individuals’ personal data. Once consulted, the EDPS gives its advice in the form of Opinions or Formal Comments.
At the meeting, colleagues from the Secretariat-General presented the updated internal Commission procedures to be applied by Commission services in case of formal and informal consultations of the EDPS.
EDPS & EDPB adopt Joint Opinions on new sets of Standard Contractual Clauses (SCCs)
On 15 January 2021, the EDPS and the EDPB adopted Joint Opinions on two sets of contractual clauses (SCCs). One opinion on the SCCs for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries.
The Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and processors.
The EDPS and the EDPB welcome the controller - processor SCCs as a single, strong and EU-wide accountability tool that will facilitate the compliance of controllers and processors with their obligations under the General Data Protection Regulation (GDPR) and the similar legal framework for EU institutions and bodies (EUIs), Regulation (EU) 2018/1725.
Nevertheless, the EDPS and the EDPB request several amendments in order to bring more clarity to the text and to ensure its practical usefulness in the day-to-day operations of controllers and processors. For example, it should be made clear to the parties involved when, precisely, they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.
The draft SCCs for the transfer of personal data to third countries, under article 46 (2) (c) of the GDPR, will replace the existing SCCs for international transfers that were adopted under the previous Data Protection Directive, Directive 95/46/EC. These SCCs have been updated to take into account the GDPR’s requirements, the “Schrems II” Judgement and to better reflect the widespread use of new and more complex processing operations, which often involve multiple data importers and exports.
Overall, the EDPS and the EDPB note that the draft SCCs present a reinforced level of protection for individuals but are of the view that several provisions could be improved or clarified. The SCCs should ensure that the personal data of EU citizens is afforded an essentially equivalent level of protection when transfers to third countries take place. Furthermore, the conditions under which SCCs can be used must be clear for organisations and individuals should be provided with effective rights and remedies.
The Website Evidence Collector 1.0 is out now!
On 12 January 2021, the EDPS released its Website Evidence Collector (WEC) version 1.0, available on our website here.
Originally launched in 2019 by the EDPS’ Technology and Privacy Unit, the WEC is a tool that collects evidence of personal data processing, such as cookies, or requests to third parties on websites. Data protection authorities, privacy professionals, data controllers and web developers can use the WEC to carry out their own website inspections and to better understand which information is stored during a website visit, such as the consecutive loading of a number of web pages without giving consent or logging in. The tool therefore helps to ensure that websites are compliant with the EU’s data protection regulations, namely the General Data Protection Regulation and Regulation (EU) 2018/1725.
After over a year of testing, the EDPS decided to call their latest version "1.0" to express the readiness for production use. The tool received a number of new configuration options to allow for example:
- browsing with the Do Not Track activated;
- custom browser profiles or pre-installed cookies.
In addition, the documentation was improved with, in particular, some proposals on how to carry out data evaluation.
The EDPS’ WEC is published as open source software under the European Union Public License (EUPL-1.2); the software is available for download via the EDPS’ website, on the European Commission’s collaborative platform Joinup and on the popular development platform GitHub.
The EDPS welcomes all contributions to the Website Evidence Collector in the form of ideas, bug reports or code. Feedback and suggestions for improvements can be sent to: firstname.lastname@example.org
TechDispatch #3/2020: Personal Information Management Systems
There is a growing need for individuals to have more control over their personal data, to choose what data they share and with whom they share this data. A Eurobarometer survey from March 2019 revealed that half of the respondents (51%) felt only in partial control over the information they provided online, while 30% believed that they had no control at all. Only 14% of the respondents thought they were in complete control.
In light of this, are Personal Information Management Systems (PIMS) the solution that will help individuals control their online identity? The EDPS explores this topic in its most recent TechDispatch #3/2020 on Personal Information Management Systems, published on 4 January 2021.
PIMS concept encompasses new products and services that enable individuals to manage their personal data in secure, local or online storage systems, and to share this data when and with whom they choose. Individuals can decide which online services and possible third parties may have access to their personal data. Many PIMS include “access control and access trail” features, which enable individuals to keep track of who has had access to their digital behaviour. The PIMS concept prioritises a human centric approach to personal data and enables new business models. It is a concept that, if correctly designed, aims to protect individuals against unlawful tracking and profiling techniques that go against data protection principles and human dignity.
To find out more about the benefits, opportunities and data protection issues that PIMS pose, read the EDPS’ TechDispatch #3/2020 on Personal Information Management Systems.
To receive future issues of the EDPS TechDispatch directly in your inbox, please sign up to our mailing list on the EDPS website.
What does COVID-19 reveal about our privacy engineering capabilities?
On 4 January 2021, the EDPS published a blogpost on the use of privacy engineering methods and tools in the conception and development of COVID-19 contact tracing apps. The blogpost was written as a follow-up to the Internet Privacy Engineering Network (IPEN) webinar, organised on 21 October 2020, that took stock of privacy experts’ and engineers’ recent and ongoing experiences with contact tracing apps.
The webinar focused on the technological issues of developing contact tracing apps, as well as the wider use of information technology for public health. Participants engaged in intense discussions on the challenges of developing apps that are both an effective tool to help control the spread of the virus and that ensure the protection of individuals’ privacy and personal data.
App developers explained that one of the risks they were aiming to address is related to traffic analysis: if only mobile apps registering a positive test for COVID-19 were transmitted to a country’s central database, such updates might reveal the identity of individuals that were infected. Data protection authorities (DPAs) shared that they were not always satisfied with the risk assessment and mitigation approaches chosen by app developers and were advocating for stronger and more effective measures.
As the EDPS continues to monitor these technological developments in cooperation with other DPAs and researchers, it appears that, mainly, what prevents a wide use of contact tracing apps is individuals’ lack of trust in their confidentiality. As such, improving the privacy features and increasing the transparency on the risks and benefits of these apps may encourage their use and therefore enhance their effectiveness to fight COVID-19.
EDPB Plenary: adoption of a Support Pool of Experts
During its 43rd plenary meeting on 15 December 2020, the European Data Protection Board (EDPB) adopted Terms of Reference for the EDPB Support Pool of Experts (SPE).
The SPE aims to assist data protection authorities dealing with resource-heavy and complex cases by providing, for example, analytical support that is useful for investigations and enforcement activities of significant common interest (e.g. when preparing investigative reports).
This initiative comes after the EDPS proposed the establishment of the SPE in July 2020 following the European Commission’s first review of the General Data Protection Regulation (GDPR), which emphasises that the consistent and efficient enforcement of the GDPR remains a priority.
As outlined in the EDPB Strategy 2021-2023, the Terms of Reference were developed with a view to preparing a pilot project of the SPE in 2021 to enhance cooperation and solidarity between all the members of the EDPB by sharing, reinforcing and complementing strengths, as well as addressing operational needs.
EDPB Guidelines: restrictions of individuals’ right to data protection
At the outbreak of the COVID-19 pandemic, a number of EU Member States declared a state of emergency to put in place exceptional measures to protect their citizens which, in certain cases, included restrictions of individuals’ right to data protection. It is in this context that the European Data Protection Board (EDPB) adopted on 2 June 2020 a Statement on restrictions on data subject rights in connection to the state of emergency in Member States.
In addition, the EDPB issued more general Guidelines on the restrictions of individuals’ right to data protection under Article 23 of the General Data Protection Regulation (GDPR) on 15 December 2020. The EDPS acted as lead rapporteur for the drafting of these guidelines based on its experience of producing similar guidelines on Article 25 of Regulation (EU) 2018/1725, which is the data protection regulation for EU institutions, bodies and agencies.
In its Guidelines, the EDPB highlights that any restrictions put in place by an EU Member State must respect the essence of the fundamental rights and freedoms of individuals. Restrictions should be necessary, proportionate and serve a legitimate purpose, such as national and public security, as well as other objectives of general public interest listed under Article 23 of the GDPR.
Furthermore, restrictions that are extensive and intrusive to such a degree that they void a fundamental right of its basic content cannot be justified. As such, in any case, the following examples would not respect the essence of the fundamental right to data protection as enshrined in the EU Charter of Fundamental Rights:
- a general exclusion of all individuals’ right to data protection in relation to all data processing operations;
- a general limitation of the rights mentioned in Article 23 of the GDPR of all individuals in relation to specific data processing operations.
The EDPB also emphasises the importance of the foreseeability criterion that EU Member States should apply before putting in place a restriction on individuals’ right to data protection. In some cases, the legislative measure laying down the restriction may not be limited in time if the reason for the restriction is to safeguard a continuing objective in a democratic society which is not in itself limited in time, such as the protection of judicial independence and judicial proceedings.
The EDPB Guidelines were open for public consultation until 12 February 2021. The final version of these Guidelines is yet to be adopted and may include some amendments.