In newsletter #87, catch up on the latest EDPB - EDPS Joint Opinion on Artificial Intelligence; find out how you can learn more about data protection with the EDPS' new online training programme; read the EDPS' curated Case Law Digest on international transfers of personal data; and much more!
In this issue
EDPB & EDPS call for ban on use of AI for automated recognition of human features in publicly accessible spaces, and some other uses of AI that can lead to unfair discrimination
The EDPB and the EDPS strongly welcome the aim of addressing the use of AI systems within the European Union, including the use of AI systems by EU institutions, bodies or agencies. At the same time, the EDPB and EDPS are concerned by the exclusion of international law enforcement cooperation from the scope of the Proposal.
The EDPB and EDPS also stress the need to explicitly clarify that existing EU data protection legislation (GDPR, the EUDPR and the LED) applies to any processing of personal data falling under the scope of the draft AI Regulation.
Taking into account the extremely high risks posed by remote biometric identification of individuals in publicly accessible spaces, the EDPB and the EDPS call for a general ban on any use of AI for automated recognition of human features in publicly accessible spaces, such as recognition of faces, gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, in any context.
Similarly, the EDPB and EDPS recommend a ban on AI systems using biometrics to categorise individuals into clusters based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights.
Furthermore, the EDPB and the EDPS consider that the use of AI to infer the emotions of a natural person is highly undesirable and should be prohibited, except in very specific cases, such as certain health purposes where recognising a patient's emotions is important, and that the use of AI for any type of social scoring should be prohibited.
New EDPS training on Regulation 2018/1725: sign up now!
Are you a staff member of a European institution, body, office or agency (EUI), such as a case officer, project manager, Head of Sector or Head of Unit? Do you process individuals’ personal data in your line of work? Do you need to learn about or deepen your knowledge of Regulation 2018/1725 (EUDPR)?
Look no further! The EDPS has launched an online course entitled: "EUDPR fast-track training course for practical application in your daily task", available on EU Learn.
The course provides you with an overview of Regulation 2018/1725 by explaining key concepts and your obligations under this Regulation, as well as giving you practical advice on how to ensure that the individuals’ personal data that you process is protected.
The course is divided into 5 comprehensive modules; the first four modules cover the basics as well as more complex notions, such as:
- the accountability principle;
- data protection by design and by default in practice;
- data protection impact assessments;
- what to do when transfers of personal data with other EUIs or entities outside the EU/EEA occur.
The fifth and final module gives you the opportunity to assess yourself with 38 questions on data protection. Detailed feedback and more information for each question is also available to enhance your learning experience.
Whether you are handling selection and recruitment procedures, staff appraisals, administrative inquiries, organising events, or dealing with contracts, grants and tenders, personal data is everywhere! As a member of staff, you have obligations and rights under Regulation 2018/1725 (or EUDPR); the EDPS therefore encourages you to sign up to this course via EU Learn here.
EDPS Case Law Digest: transfers of personal data outside the EU/EEA
On 10 June 2021, the EDPS published a Case Law Digest on transfers of personal data outside the EU/EEA.
The EDPS’ Case Law Digest aims to highlight the main concepts when it comes to transfers of personal data outside the EU/EEA, as interpreted by the case law of the Court of Justice of the European Union (CJEU). With this Case Law Digest, the EDPS reiterates the overarching principle of the ‘EU law of transfers’, according to which the continuity of protection of personal data, and therefore the protection of the fundamental rights and freedoms of the individual, must be ensured even when her or his personal data ‘travel’ outside of the EU/EEA.
To help the reader navigate this complex topic and the extensive judgements of the CJEU, from Lindqvist in 2003 to Schrems II of 16 July 2020, the EDPS has curated 9 questions addressing key issues concerning transfers of personal data, including:
- What does an adequate level of protection mean when transfers of personal data to non-EU countries occur?
- When, why and subject to which conditions are Standard Contractual Clauses (SCC) considered valid by the CJEU as a tool for transfers of personal data?
- What are the powers available to EU/EEA data protection authorities when transferring personal data to non-EU/EEA countries?
To find out more, read the EDPS Case Law Digest.
An interactive training session with the European Economic and Social Committee
On 8 June 2021, EDPS colleagues from the Supervision and Enforcement Unit (S&E) delivered a 3-hour online training session to the members of the European Economic and Social Committee (EESC). S&E colleagues demonstrated how Regulation 2018/1725 applies in the context of the EESC’s day-to-day work, highlighting the main obligations, principles and rules to be complied with under this Regulation.
Among the topics covered, S&E colleagues emphasised several data protection principles, such as:
- data protection by design and by default;
- data protection in the context of outsourcing;
- transfers of personal data within and outside the EU/EEA;
- processing of personal data when more than one data controller is involved in the processing of individuals’ data, otherwise known as joint controllership;
- personal data breaches;
- individuals’ data protection rights.
To ensure that this online session remained interactive, S&E colleagues prepared a series of exercises showcasing different circumstances involving the processing of individuals’ personal data in the context of the EESC’s work. For each circumstance, participants were invited to choose via an online poll the best action to take from those proposed to ensure that individuals’ personal data is protected.
Both the members of the EESC and S&E colleagues found this session productive. S&E colleagues regularly run similar training sessions throughout the year at the request of the data protection officers (DPO) or data protection coordinators (DPC) of European institutions, bodies or agencies (EUI). If you are a member of staff of an EUI processing individuals’ personal data in your day-to-day work, why not ask your DPO or DPC to organise a tailor-made training session with the EDPS’ S&E colleagues?
DPOs - EDPS 49th meeting: a menu of workshops and exchanges on current data protection issues
To mark the 49th meeting of the EDPS and the European institutions, bodies and agencies’ network of data protection officers (DPO) held on 4 June 2021, EDPS Director Leonardo Cervera Navas wrote a blogpost sharing the outcome of this important biannual event.
A series of online workshops and exchanges were held on current data protection issues, from data protection breaches to the use of software alternatives to large-scale providers, as well as international transfers and cloud services to name a few examples.
With these online workshops, the EDPS aims to recreate the interactive and dynamic environment akin to our traditional in-person meetings pre-COVID-19. It is also an opportunity for DPOs to share their concerns, queries and reflections with the EDPS about how to put data protection rules into practice in their day-to-day work when the processing of individuals’ personal data is involved.
These meetings are one of the ways to reinforce trust, improve communication and foster a close cooperation between the EDPS and the network of DPOs in order to be able to face many upcoming challenges in data protection efficiently and collectively.
To find out more, read the blogpost written by EDPS Director Leonardo Cervera Navas.
What to expect when we inspect: data protection audits explained
On 2 June 2021, the EDPS published a factsheet on how the EDPS carries out its data protection audits.
Audits are one of the tools that the EDPS uses to ensure that European institutions, bodies and agencies (EUIs) comply with the applicable data protection law, Regulation 2018/1725, and therefore protect individuals’ personal data.
If you are a member of staff of an EUI involved in the processing of individuals’ personal data, this factsheet will allow you to learn more about when, why and which EUIs are audited, and about the three stages of an EDPS data protection audit.
As a member of staff of an EUI, you might have to take part in an EDPS data protection audit. For example, the EDPS may ask you to provide evidence that you and your EUI are complying with data protection law. Assisting the EDPS in gathering such evidence is an obligation; we therefore encourage you to consult this factsheet to understand your role in this process.
EDPS statement on EPPO becoming operational
1 June 2021 marked another important date for Europe, as it is the day the European Public Prosecutor's Office (EPPO) became operational.
For the first time in EU history, an independent European body is given the power to investigate and prosecute criminal offences against the European Union's financial interests. This is undoubtedly an important and difficult task, which also brings new challenges for the EDPS’ supervision activities.
In the past months, the EDPS has been working closely and constructively with EPPO to safeguard the fundamental rights of individuals when processing their data. As a supervisory authority, the EDPS has done and continues to do its best to help EPPO integrate the data protection rules into its procedures and IT systems.
The EDPS is aware that the complexity of EPPO's legal landscape will represent continuous challenges. The body's multi-layered structure and the interplay between the EPPO Regulation and national provisions implementing the law enforcement directive will require coordination between the EDPS and the national data protection authorities.
The EDPS wishes EPPO all the best and will continue to support this new European body in fulfilling its data protection obligations.
The EDPS opens two investigations following the “Schrems II” Judgement
On 27 May 2021, the EDPS launched two investigations, one regarding the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies (EUIs) and one regarding the use of Microsoft Office 365 by the European Commission.
These investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement so that ongoing and future international transfers are carried out according to EU data protection law.
In line with this strategy, the EDPS ordered EUIs in October 2020 to report on their transfers of personal data to non-EU countries. The EDPS’ analysis shows that, because of diverse processing operations, in particular when using tools and services offered by large service providers, individuals’ personal data is transferred outside the EU, and to the United States (US) in particular.
The EDPS’ analysis also confirms that EUIs increasingly rely on cloud-based software and cloud infrastructure or platform services from large ICT providers, of which some are based in the US and are therefore subject to legislation that, according to the “Schrems II” Judgement, allows disproportionate surveillance activities by the US authorities.
The objective of the first investigation is to assess EUIs’ compliance with the “Schrems II” Judgement when using cloud services provided by Amazon Web Services and Microsoft under the so-called “Cloud II contracts” when data is transferred to non-EU countries, in particular to the US.
The objective of the second investigation into the use of Microsoft Office 365 is to verify the European Commission’s compliance with the Recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EUIs.
TechDispatch #1/2021: Facial Emotion Recognition
In this TechDispatch edition, published on 26 May 2021, the EDPS’ Technology and Privacy Unit explores the data protection implications of Facial Emotion Recognition (FER).
FER is a technology that analyses facial expressions from both static images and videos to reveal information on a person’s emotional state. The source of the images or videos can vary, from surveillance cameras, cameras placed close to advertising screens, or even social media, to name a few examples. FER comprises three steps: face detection, facial expression detection, and classifying an expression to an emotional state. This technology often builds on Artificial Intelligence to recognise and interpret human emotions.
Although FER can be used for a variety of purposes, from offering personalised services to healthcare or law enforcement, this technology comes with data protection implications and concerns, such as:
- whether processing data with FER is necessary and proportional for the purpose envisaged;
- whether the use of FER generates accurate data;
- whether FER discriminates on grounds of skin colour or ethnic origin.
To find out more on the data protection implications of this technology, read the TechDispatch #1/2021 on Facial Emotion Recognition.
GDPR: a three-year-old who must still learn to walk before it runs
In a blogpost published on 25 May 2021, European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski shares his thoughts and reflections on the General Data Protection Regulation (GDPR) which entered into force three years ago, on 25 May 2018.
In his blogpost, the EDPS takes note of the GDPR’s achievements for Europe and its citizens. Since its entry into force, the GDPR has served as an example to follow by other jurisdictions which are implementing similar laws to protect individuals’ privacy.
Nevertheless, the EDPS acknowledges that progress is yet to be made; he expresses his three wishes for the three-year-old GDPR: Courage, Growth and Resilience, which describe his vision for the GDPR both in the short and long term.
To find out more about the meaning behind the EDPS’ three wishes for the GDPR in the years to come, read the EDPS blogpost.
EDPS issues 5 Formal Comments related to large-scale IT systems
In May 2021, the EDPS issued 5 sets of Formal Comments on matters related to the functioning of large-scale IT systems in the field of Justice and Home Affairs. Large-scale IT systems are used to support EU policies on asylum, border management, police cooperation and migration.
The first Formal Comment, published on 10 May 2021, addresses the requirements to be able to use audio and video to conduct an interview - if necessary - when individuals from non-EU countries apply for travel authorisation to EU Member States. Such requirements aim to ensure that the individuals interviewed have their privacy and personal data protected.
The second Formal Comment, published on 17 May 2021, focuses on the cooperation procedure between the following large-scale IT systems in the event of a security incident:
- the future Entry-Exit System (EES);
- the Visa Information System (VIS);
- the Schengen Information System (SIS);
- the future European Travel Information and Authorisation System (ETIAS);
- the European Criminal Records Information System (ECRIS) for nationals from non-EU countries; and
- EURODAC, a database including fingerprint data from asylum seekers.
The third Formal Comment, published on 17 May 2021, is on the European Search Portal (ESP), a centralised single-search interface that allows individuals’ information to be searched across the following EU large-scale IT systems: SIS, VIS, EURODAC, EES, ETIAS and ECRIS for nationals from non-EU countries. For the ESP to become operable, the EDPS recommends that eu-LISA, the European Union Agency for the Operational Management of large-scale IT systems in the Area of Freedom, Security and Justice, in cooperation with the EU Member States, create a profile for each category of users that will need to have access to the search portal, based on the purpose of this access. These technical measures would ensure that individuals’ personal data is sufficiently protected.
The fourth Formal Comment, published on 17 May 2021, concerns the same ESP, which will also be used to search data related to individuals or their travel documents in the databases of Europol, an EU body which actively cooperates with EU Member States’ law enforcement authorities to combat serious international crime and terrorism, and Interpol, the international criminal police organisation. In its Formal Comments, the EDPS addresses in particular the technical measures of the interoperability between the ESP, Europol and Interpol to ensure that individuals’ personal data is sufficiently protected.
In its fifth Formal Comment, published on 17 May 2021, the EDPS makes recommendations regarding the Multiple-Identity Detector (MID), one of the components that contributes to the interoperability of the EU’s large-scale IT systems, thereby facilitating, for example, the search of individuals’ personal data and their travel documents. The MID aims to prevent identity fraud by creating links between individuals’ personal data located in the EU’s different databases, for example SIS or ETIAS. Linking identities with the MID means that there are new and additional data processing operations involved. As such, linking data between the different databases should be strictly limited to the data necessary to verify an individual’s identity.
The five Formal Comments are available on the EDPS website in English, French and German.
Transfers of data between the European Commission and the Turkish Medicines and Medical Devices Agency
On 12 May 2021, the EDPS issued its first Decision on the use of an administrative arrangement as a tool providing appropriate safeguards for the transfer of individuals’ personal data to non-EU/EEA countries. The administrative arrangement in question concerns transfers of individuals’ personal data between the European Commission and the Turkish Medicines and Medical Devices Agency (TMMDA) in the context of the Turkish participation in the EU regulatory system for medical devices, EUDAMED, a system for the coordination of information on medical devices available in the EU.
To issue its Decision, the EDPS assessed whether the administrative arrangement provides sufficient guarantees to ensure that individuals’ personal data transferred outside the EU/EEA benefits from an essentially equivalent level of protection as in the EU/EEA.
Given the similarities between the data protection regulation (Regulation 2018/1725) for European institutions, bodies and agencies, such as the Commission, and the data protection regulation (the General Data Protection Regulation) for other entities in the EU/EEA, the EDPS based its assessment on the European Data Protection Board’s Guidelines for transfers of personal data between EEA and non-EEA public authorities and bodies. These Guidelines explain the criteria of the minimum data protection safeguards to include in the administrative arrangement.
As examples, the EDPS considered the following factors, which it deems, in its Decision, as providing sufficient data protection safeguards to ensure an essentially equivalent level of protection as in the EU/EEA:
- the principle of purpose limitation, meaning whether the transfer of individuals’ data is limited to the purpose envisaged;
- the principle of data accuracy, i.e., to ensure that the data collected is accurate;
- the principle of data minimisation, meaning that the collection of an individual’s personal data should be limited to what is strictly relevant and necessary to accomplish a specified purpose;
- the principle of storage limitation, meaning that an individual’s data cannot be kept longer than it is needed.
As a result of its assessment, the EDPS nevertheless recommends in its Decision that the Commission amends the following clauses included in the administrative arrangement to ensure that individuals’ data is appropriately safeguarded:
- the purpose for which individuals’ data may be processed;
- transparent information on how, what, why and for how long individuals’ data may be processed;
- information for individuals on their data protection rights;
- security and confidentiality measures for when individuals’ data may be processed;
- redress, meaning what options are available for individuals in case their data is not adequately protected;
- oversight of the processing operations of individuals’ personal data.
Concerning the possible access to individuals’ personal data by national security or law enforcement authorities, the EDPS reiterates that the Commission - as data exporter - is responsible for seeking and assessing whether the authorities in Turkey - as data importer - provide sufficient data protection safeguards. The EDPS also advises the Commission to keep records of the laws in force in Turkey governing the sharing of personal data with other public bodies, including for surveillance purposes. These records should be communicated to the EDPS within six months after the date of the EDPS Decision.
The EDPS asks the Commission to report annually on the implementation of the Decision issued. The Commission should inform the EDPS without undue delay of any suspended transfers of data, or in the event of a revision or termination of the administrative arrangement with the TMMDA.
The EDPS and the EDPB celebrate Europe Day!
Europe Day, celebrated every year on 9 May, is a special day for many. For the EDPS, the independent data protection authority in charge of supervising the way European institutions, bodies and agencies process your personal data, it is a chance to celebrate the achievements made in the field of data protection and privacy.
On this occasion, with the European Data Protection Board (EDPB) - the independent European body contributing to the consistent application of data protection rules throughout the European Union - we created an interactive webpage to help you learn more about what both of our institutions do on a daily basis.
As you scroll down the EDPS - EDPB webpage, you will be able to consult both of our institutions’ videos and brochures to find out more about data protection; how your personal data is processed when using social media or search engines for example; and about your privacy rights.
New video and factsheet: personal data breaches in a nutshell
A personal data breach occurs when the security of a person or people’s personal data is breached; this can happen accidentally or deliberately and may affect the confidentiality, integrity or availability of personal data. This may be caused when an email containing a person’s personal data is sent to the wrong person who should not have access to such information; when an electronic device containing non-encrypted personal data is lost; or when using weak passwords for accounts, to name a few examples. In the event of a personal data breach, the implications for a person may be quite serious, such as possible identity theft or damage to their reputation.
Both the video and the factsheet aim to provide an overview to European institutions, bodies and agencies (EUIs) of the type of personal data breaches that may happen, how to prevent these breaches from happening, and what to do in the event that a breach still happens in a step-by-step guide, based on the obligations set out in Regulation (EU) 2018/1725.
Given the similarities between Regulation (EU) 2018/1725, applicable to EUIs, and the General Data Protection Regulation (Regulation (EU) 2016/679), applicable to other entities in the EU, this factsheet and video can provide an overview of personal data breaches to other entities processing personal data in the EU, such as public administrations, that have to follow similar procedures and notify their national data protection supervisory authorities.
The factsheet and video on personal data breaches are available in English, French and German on the EDPS Website.
The “once-only” technical system for the automated exchange of information
On 6 May 2021, the EDPS issued Formal Comments on the European Commission’s draft Implementing Regulation on the technical and operational specifications of the “once-only” technical system. The system seeks to enable automated cross-border exchange of evidence among competent authorities at the explicit request of citizens or businesses, according to the Single Digital Gateway Regulation which aims to streamline access to information for certain administrative procedures across the EU.
In its Formal Comments, the EDPS examines the different components of this technical system, as well as the roles and responsibilities of the European Commission and relevant authorities of the EU Member States.
The EDPS also provides additional recommendations to promote compliance with the principles of data minimisation, accuracy, data quality and transparency. The draft Implementing Regulation governing this system should guarantee that the processing of individuals’ personal data is limited to a specific purpose, that this data is accurate, and that all processing operations on this data are done in a transparent way. In this respect, the EDPS welcomes the fact that users of the technical system will be able to preview evidence and that the competent authorities will be obliged to permanently delete this evidence in case a user does not explicitly approve its use.
The EDPS also highlights the duties of the Commission and the competent authorities to implement appropriate technical and organisational security measures. In this context, the EDPS considers that a logging and auditing process may be particularly useful to help ensure that the system’s security measures are fit for purpose so that individuals’ personal data is protected.
How can carriers verify the travel authorisation of individuals from non-EU countries?
On 30 April 2021, the EDPS issued Formal Comments on the European Commission’s draft Implementing Regulation related to the obligations of carriers, such as air or sea carriers, to verify the travel authorisation of visa-exempt individuals from non-EU countries prior to their departure to the Schengen Area, as required by law, specifically Regulation 2018/1240.
To verify the travel authorisations of individuals from non-EU countries, air and sea carriers, as well as international carriers transporting individuals by coach, are to send a query to the European Travel Information and Authorisation System (ETIAS). This query is made via secure access to a digital gateway that is managed by the European Commission.
In its Formal Comments, the EDPS evaluates technical specifications of this digital gateway, and whether technical and organisational measures are envisaged to ensure that individuals’ personal data is sufficiently protected.
Specifically, the EDPS makes remarks on the registering and unregistering of carriers and, in the case of unregistering, on the retention period of the individuals’ data, which should be expressly referred to in the Commission’s Implementing Regulation.
In addition, the EDPS stresses that individuals’ personal data included in the read-only database, accessed via a digital gateway by carriers, has to be accurate and consistent with the personal data stored in ETIAS. The read-only database should be updated on a daily basis to ensure this accuracy.
When it comes to having access to individuals’ personal data, carriers will also have obligations to comply with. As per the Commission’s draft Implementing Regulation, only carriers’ authorised members of staff should have access to individuals’ personal data encoded in the read-only database. The read-only database should only be accessible to them via robust authentication methods.
Protecting individuals’ personal data in the EU’s information systems
On 30 April 2021, the EDPS issued Formal Comments on the European Commission’s Draft Implementing Regulations related to the interoperability of EU information systems in the field of police and judicial cooperation, asylum and migration. These information systems include ETIAS, the European Travel Information and Authorisation System; EES, the Entry-Exit System; VIS, the Visa Information System, to name a few examples.
Since these systems involve the processing of individuals’ personal data in the EU’s relevant databases, the Commission’s Draft Implementing Regulations aim to ensure that data quality control mechanisms are put in place and to govern the procedures for storing this data in these databases, so that individuals’ personal data is sufficiently protected. In practical terms, these envisaged measures should ensure that individuals’ personal data stored in the EU’s various databases is kept for a specific purpose, limited to what is necessary and stored for a limited period of time. The data must also be accurate and handled with confidentiality and integrity. Individuals should also be informed of how their data is processed and why.
In its Formal Comments, the EDPS did not identify any substantial issues with the draft which might affect individuals’ right to personal data protection.
Speeches and Articles
- Speech by Wojciech Wiewiórowski on the occasion of the Internet Privacy Engineering Network (IPEN) webinar: "Synthetic data: what use cases as a privacy enhancing technology?" in Brussels, Belgium (via video link)
- Remarks by the European Data Protection Supervisor, Wojciech Wiewiórowski, at the Committee on Civil Liberties, Justice and Home Affairs (LIBE) meeting on the follow-up to the EDPS admonishment of Europol in Brussels, Belgium.