In our September newsletter, read our latest press releases: one on consumer credits, and one on Schengen; find out what synthetic data is; how the EDPS addresses complaints related to EU institutions; as well as our recent Formal Comments on a multitude of subjects!
In this issue
Fair access to credit through consumer protection and data protection
On 26 August, the EDPS published his Opinion on the European Commission’s proposed Directive on consumer credits. The proposal aims to modernise existing consumer credit rules to address changes brought about by digitalisation and other market trends, such as the increased use of online sales channels or new forms of consumer credits, for example short-term high-cost loans.
The EDPS considers that the Proposal has a clear impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data, in particular the provisions concerning creditworthiness assessment and personalised offers on the basis of automated processing.
Wojciech Wiewiórowski, EDPS, said: “The use of personal data has a decisive impact on one’s ability to obtain fair access to credit. Creditworthiness assessments are necessary in the interest of both creditors and consumers, and it is crucial that appropriate safeguards are in place to ensure that individuals’ personal data are effectively protected. In this sense, data protection also means consumer protection.”
The EDPS invites the legislator to pursue further harmonisation and consumer protection by further specifying the categories of data that may and may not be used to assess creditworthiness. In this regard, the EDPS supports the prohibition of processing social media data and health data for this purpose, as outlined in the Proposal.
Giovanni Buttarelli Award 2021
The Global Privacy Assembly 'Giovanni Buttarelli Award 2021' has been launched. The award, presented annually at the GPA Open Session, ensures that Giovanni's legacy and advocacy for international collaboration continue.
“Schengen evaluations”: individuals’ fundamental rights are a priority
On 27 July 2021, the EDPS published his Opinion on the European Commission’s proposed Regulation establishing an evaluation and monitoring mechanism to verify whether the rights and obligations related to Schengen are applied (Schengen evaluations). The Schengen area includes most EU Member States and several non-EU countries, and enhances the freedom of movement for millions of individuals. EU Member States are responsible for upholding the rights and obligations related to Schengen, which include measures on border management, the Schengen visa, police cooperation and data protection, for example.
The Commission’s proposal, repealing Regulation (EU) 1053/2013, has several objectives, such as streamlining the verification procedures of the Schengen evaluations to increase their effectiveness and efficiency. The EDPS welcomes that the proposal seeks to strengthen EU Member States’ involvement in the Schengen evaluation and monitoring mechanism (Schengen evaluations), as well as greater cooperation between the European institutions, bodies and agencies (EUIs) that are involved in the application of the rights and obligations related to Schengen.
In his Opinion, the EDPS supports, in particular, the reform’s goal to put in place measures ensuring that individuals’ fundamental rights are protected when verifications occur.
Nevertheless, the EDPS recommends that the proposed Regulation clearly defines the scope of the Schengen evaluations by drawing up a non-exhaustive list of relevant policy fields that would be subject to evaluation. The reformed evaluation and monitoring mechanism (Schengen evaluations) should also continue to provide for evaluations dedicated to data protection, carried out by data protection experts.
Exploring the concept of synthetic data
What is synthetic data? Synthetic data is artificial data generated from a set of real personal data, the original data, in such a way that it retains the original data’s statistical properties. Retaining those properties means that anyone analysing the synthetic data, a data analyst for example, should be able to draw the same statistical conclusions from it as if they had been given the original data.
What role can synthetic data have in the context of data protection? This was the chosen topic at the latest EDPS IPEN webinar workshop convening approximately 170 expert practitioners and professionals in data protection and privacy from Europe and beyond on 16 June 2021.
Head of the EDPS’ Technology and Privacy Unit, Thomas Zerdick, summarises the key discussions held between the workshop’s participants in a blogpost published on 14 July 2021.
During the event, discussions focused on the benefits and challenges of using synthetic data instead of original data as a way to protect individuals’ privacy.
As the guest speakers shared their views, they agreed on the two main challenges: first, whether synthetic data remains as useful for a given purpose, such as scientific or medical research, as the original data of individuals would be; and second, whether synthetic data is a sufficient safeguard against privacy attacks.
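The two challenges above, utility and resistance to privacy attacks, can be made concrete with a small added example. The code below is not from the EDPS, the IPEN workshop or any of its speakers; the dataset (two correlated columns, age and income), the synthesisers and the tolerances are constructed for illustration. It fits a bivariate normal model to the original data, samples fresh records from it, and then runs two checks a practitioner would want before calling the output a privacy measure: a fidelity check (do means, spreads and correlation survive?) and two disclosure checks (does any synthetic row reproduce an original record, and how far are synthetic rows from their nearest original?). A deliberately weak synthesiser that merely resamples real records is included to show that perfect fidelity says nothing about privacy.

```python
"""Added example: synthesise a two-column dataset while preserving its
statistics, then check both utility and disclosure. Data, column names and
thresholds are constructed for illustration, not taken from any real system."""
import math
import random
import statistics
from typing import List, Tuple

Record = Tuple[float, float]  # (age in years, annual income in EUR)


def make_original_data(n: int = 200, seed: int = 1) -> List[Record]:
    """Constructed 'original' data: income rises with age plus noise."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        age = rng.gauss(45.0, 12.0)
        income = 20000.0 + 600.0 * age + rng.gauss(0.0, 8000.0)
        rows.append((age, income))
    return rows


def column_stats(rows: List[Record]) -> dict:
    """Means, population standard deviations and Pearson correlation."""
    xs = [r[0] for r in rows]
    ys = [r[1] for r in rows]
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sx, sy = statistics.pstdev(xs), statistics.pstdev(ys)
    cov = sum((x - mx) * (y - my) for x, y in rows) / len(rows)
    return {"mean": (mx, my), "std": (sx, sy), "corr": cov / (sx * sy)}


def synthesise_gaussian(original: List[Record], n: int, seed: int = 2) -> List[Record]:
    """Fit a bivariate normal to the original data and sample n new records.
    The 2x2 Cholesky factor reproduces the correlation:
    y = rho*z1 + sqrt(1 - rho^2)*z2 for independent standard normals z1, z2."""
    st = column_stats(original)
    (mx, my), (sx, sy), rho = st["mean"], st["std"], st["corr"]
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        z1, z2 = rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)
        out.append((mx + sx * z1, my + sy * (rho * z1 + math.sqrt(1.0 - rho * rho) * z2)))
    return out


def synthesise_by_copying(original: List[Record], n: int, seed: int = 3) -> List[Record]:
    """Deliberately weak 'synthesiser': resamples real records. Its statistics
    are near-perfect, but every row is an actual individual's data."""
    rng = random.Random(seed)
    return [rng.choice(original) for _ in range(n)]


def fidelity_ok(original, synthetic, mean_tol=0.15, std_tol=0.15, corr_tol=0.10) -> bool:
    """Utility check: relative error of means and stds, absolute error of correlation."""
    a, b = column_stats(original), column_stats(synthetic)
    for i in range(2):
        if abs(a["mean"][i] - b["mean"][i]) > mean_tol * abs(a["mean"][i]):
            return False
        if abs(a["std"][i] - b["std"][i]) > std_tol * a["std"][i]:
            return False
    return abs(a["corr"] - b["corr"]) <= corr_tol


def exact_matches(synthetic, original) -> int:
    """Disclosure check 1: synthetic rows identical to some original record."""
    seen = set(original)
    return sum(1 for r in synthetic if r in seen)


def median_distance_to_closest(synthetic, original) -> float:
    """Disclosure check 2: median standardised distance from each synthetic
    row to its nearest original record. 0.0 means the rows are copies."""
    sx, sy = column_stats(original)["std"]

    def dist(a: Record, b: Record) -> float:
        return math.hypot((a[0] - b[0]) / sx, (a[1] - b[1]) / sy)

    return statistics.median(min(dist(s, o) for o in original) for s in synthetic)


if __name__ == "__main__":
    original = make_original_data()
    for name, fn in (("gaussian model", synthesise_gaussian), ("copied rows", synthesise_by_copying)):
        synthetic = fn(original, 1000)
        print(f"{name}: fidelity_ok={fidelity_ok(original, synthetic)} "
              f"exact_matches={exact_matches(synthetic, original)} "
              f"median_dcr={median_distance_to_closest(synthetic, original):.3f}")
```

Both synthesisers pass the fidelity check, so utility alone cannot distinguish them; only the disclosure checks reveal that the copying synthesiser leaks every record (exact matches equal to the sample size, distance to the closest original record of zero). Passing these two checks is necessary, not sufficient: a model can also memorise rare records without producing exact copies, which is why the workshop participants treated resistance to privacy attacks as an open question rather than a property synthetic data has by definition.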
An Orwellian Premonition: a discussion on the perils of biometric surveillance
Twice a year, the EDPS and EDPB offer five-month paid traineeships to young people from different professional or academic backgrounds. It has become a tradition that these trainees organise a data protection conference at the end of their traineeship; this year was no exception.
Following the EDPS and EDPB’s Joint Opinion on the European Commission’s recent proposal for an AI Regulation, the trainees planned a conference titled: “An Orwellian Premonition: a discussion on the perils of biometric surveillance”, held on 14 July 2021.
Distinguished speakers from wide-ranging areas of expertise - lawyers, university professors, civil liberty activists to name a few - were invited to share their views on the technical, legal and ethical elements of biometric surveillance. Concerns about the different ways biometric data could possibly be abused if biometric surveillance is legalised were highlighted. Panellists also widened the scope of the conference by including an international perspective to this issue.
You can find out more about the outcome of these fruitful presentations and discussions by reading the EDPS and EDPB trainees’ blogpost, which summarises the main takeaway points of this conference.
EU institutions’ competitions: what are the conditions for releasing candidates’ results?
In July 2021, the EDPS addressed two complaints against two institutions. Both complainants submitted that they were not granted access to their respective assessment results following their participation in an EPSO competition as part of the EU institutions, bodies and agencies’ (EUIs) recruitment procedure.
As a supervisory authority, the EDPS has received a number of complaints on this subject matter over the last year. The EDPS reiterates that it is crucial that the EUI organising the competition preserves the secrecy and independence of the panel assessing candidates. At the same time, the EUI should ensure that individuals participating in these competitions have access to their results. To achieve this, the EUI in question should provide candidates with their assessment results in a clear and intelligible form without disclosing the identities and comments of the members of the selection panel.
Following these two complaints, both candidates have received appropriate and transparent feedback on their performance during these competitions.
These steps, advised by the EDPS, allow EUIs involved in organising competitions to respect the privacy of those involved, while giving transparent and comprehensive information to the candidates being assessed.
Unauthorised access to employee's data
In July 2021, the EDPS received a complaint from an EU institution's employee claiming that the institution's coordinators had unauthorised access to their personal information regarding special leave.
Employees of EU institutions, bodies and agencies (EUIs) may request special leave on personal grounds, for example in the event of a serious illness affecting them or a member of their immediate family that prevents them from working. The reasons justifying special leave may include sensitive information about the staff member concerned. Access to this information may only be given to the direct manager of the staff member involved.
Following the complainant’s claim in which they submit that the EUI's coordinators had access to sensitive information on their mother’s and their child’s illnesses, the EDPS carried out an investigation.
Following this investigation, the EUI in question reviewed and corrected its policy to ensure that the personal data collected about employees is limited to what is necessary and relevant for a specific purpose. Likewise, access to employees’ personal data should be limited to the members of staff who need such data to perform their task, such as determining the grounds for an employee's special leave.
By amending their policy, the EUI in question focuses on protecting individuals’ personal data and avoids unnecessary intrusion into their employees’ privacy. It is the responsibility of the EUI's data controller to analyse the risks their decision(s) may have on their employees’ privacy rights.
Addressing complaints made by EUIs’ members of staff is part of the EDPS’ day-to-day work to make sure that their privacy rights are respected. In this present case, the EDPS did not issue an official Decision as the complaint was settled amicably as the EUI took the necessary steps - verified by the EDPS - to remediate the situation. Nevertheless, the EDPS recommends that the EUI involved apologises to the complainant as they suffered distress and discomfort due to the unauthorised access to their personal data.
The European Database on Medical Devices
On 9 July 2021, the EDPS issued Formal Comments on the European Commission’s proposed Implementing Regulation on the European Database on Medical Devices (Eudamed). The proposed Implementing Regulation sets out how Eudamed, established by the existing Regulation (EU) 2017/745 on medical devices, should be put in place, including how the database should function.
The Eudamed database can be accessed and used by relevant actors in the field, such as competent authorities and bodies, manufacturers and producers of medical devices. Such access to and use of the database must be regulated in order to ensure that individuals’ personal data encoded in the database is adequately protected; this may include additional security and authentication measures for example.
In its Formal Comments, the EDPS recommends that the Implementing Regulation should include the categories of personal data that may be processed in the Eudamed database. Given the possibility that health data - which is considered as a special category of data due to its particularly sensitive nature - may be processed, the Implementing Regulation must provide for robust protection measures according to the EU’s data protection laws, the General Data Protection Regulation for EU Member States and Regulation (EU) 2018/1725 for European institutions, bodies and agencies.
The EDPS further advises that individuals whose personal data is processed in the Eudamed database are duly informed in what capacity their personal data is processed; who has access to their personal data and who processes their personal data; and for what purpose(s) their personal data is processed. To facilitate this process, the EDPS also suggests that a specific contact point is appointed to answer individuals’ queries on how their personal data is processed.
Road transport and data protection
On 6 July 2021, the EDPS issued Formal Comments on the European Commission’s draft Implementing Regulation on the functionalities of the public interface connected to the Internal Market Information System (IMI) for posting drivers in road transport.
The IMI is an information system that facilitates access to, and the exchange and coordination of, information between the relevant authorities of the EU Member States. The IMI holds a variety of information related to the EU’s single market, such as information on EU businesses, as well as information on the posting of drivers in road transport. A posted driver is an employee sent by their employer to carry out their duties in another EU Member State on a temporary basis.
The multilingual public interface, as envisaged by the Commission in their draft Implementing Regulation, would facilitate the submission of and access to certificates, declarations and other documents about the posting of drivers in road transport by authorised users of the interface and other competent authorities. Such infrastructure would imply the processing of individuals’ personal data, such as details on the transport manager, drivers and transport operators.
In its Formal Comments, the EDPS recommends that individuals’ personal data in the public interface is stored for a limited period of time in light of the purpose for which this data is processed. This personal data should therefore be deleted when it is no longer necessary. The EDPS also recommends that the retention periods for the processing of additional personal data should be clarified and included in this proposed Implementing Regulation.
Given the number of authorised users and competent authorities that may have access to information on the posting of drivers in road transport via the public interface, the EDPS recommends that the draft Implementing Regulation includes the roles and responsibilities of those that will be processing individuals’ personal data.
EU - UK transfers of personal data in competition matters
On 5 July 2021, the EDPS issued its Formal Comments concerning the European Commission’s possible Agreement between the European Union (EU) and the United Kingdom (UK) on the cooperation and exchange of information in competition matters.
The EDPS found that the envisaged Agreement does not itself provide the legal basis for transfers of individuals’ personal data between the EU and the UK. That legal basis is provided by the UK Adequacy Decision adopted by the European Commission on 28 June 2021. With this Decision, the European Commission recognises that the UK ensures a level of protection of individuals’ personal data essentially equivalent to that offered in the EU, so that personal data can flow from the EU to the UK without further authorisation.
Adding a reference to the Adequacy Decision to the proposed Agreement would therefore clarify that individuals’ personal data transferred to the UK is sufficiently protected according to the EU’s data protection standards, as well as in the context of the EU-UK agreement on cooperation and exchange of information on competition law enforcement.
Regulating foreign subsidies for EU projects
On 29 June 2021, the EDPS issued Formal Comments on the proposed Regulation of the European Parliament and of the Council on foreign subsidies distorting the EU’s internal market. Foreign subsidies are funds provided by public authorities of non-EU countries to projects based in the EU, such as a project in a specific EU Member State.
The proposal aims to provide additional rules and requirements so that these foreign subsidies do not create unfair competition within the EU’s internal market. To meet this objective, the Proposal foresees a number of steps in which foreign subsidies would be assessed, including preliminary reviews and in-depth investigations by the European Commission.
In its Formal Comments, the EDPS notes that the proposed Regulation is likely to involve the processing of personal data. The review of foreign subsidies will imply the collection of personal data of the beneficiaries of the funds for example. Therefore, the EDPS recommends that the proposed Regulation explicitly refers to compliance with EU data protection legislation - the General Data Protection Regulation for EU Member States and Regulation (EU) 2018/1725 for European institutions, bodies and agencies - as competent authorities of EU Member States and the European Commission may review these foreign subsidies.
More specifically, when it comes to issuing a public decision after evaluating a foreign subsidy, the proposed Regulation should include the necessary steps to ensure that all confidential information, including personal data related to the subsidy, is adequately protected.
The EDPS makes additional comments concerning the processing of individuals’ personal data collected in the context of investigating foreign subsidies. The personal data collected in this context should be limited to what is necessary for a specific purpose and stored for a defined and limited period of time that is necessary for the specific purpose pursued by the proposed Regulation.
An electronic system to verify the flow of VAT-exempt goods
On 17 June 2021, the EDPS issued Formal Comments on the European Commission’s draft Implementing Regulation on the storage of and automated access to information on the imports of goods that are exempt from value-added tax (VAT).
Under this draft Implementing Regulation, storage and automated access to this information would be done via an electronic system. This would contribute to the administrative cooperation and fraud prevention in the field of value-added tax.
The EDPS made no recommendations, as the draft Implementing Regulation did not give rise to specific concerns for the protection of individuals’ personal data: the electronic system is a well-established tool already in use in EU Member States. However, he did not exclude that recording and exchanging information on VAT-exempt imports may result in the collection of personal data. Such processing, where it occurs, should comply with the EU’s data protection laws.
Protecting the marine environment
On 14 June 2021, the EDPS issued Formal Comments on the proposed Regulation of the European Parliament and of the Council on the conservation and management measures applicable in the Western and Central Pacific Fisheries Convention Area.
The aim of the proposed Regulation is to integrate into EU law the conservation and management measures adopted by the Western and Central Pacific Fisheries Commission (WCPFC). The WCPFC, of which the EU is a member, is the regional fisheries management organisation responsible for managing fisheries resources in the Western and Central Pacific Ocean.
The measures envisaged by the proposed Regulation aim to manage fish stocks and preserve the marine environment in this area by regulating, for example, the number of fishing vessels that may enter the area and the fishing opportunities available. Such measures may involve the processing of individuals’ personal data, such as recording the identity, address and nationality of vessel owners and of those who are authorised, or are requesting authorisation, to fish in the area.
In its Formal Comments, the EDPS recommends that this proposed Regulation should explicitly include that EU laws on data protection, the General Data Protection Regulation for EU Member States and Regulation (EU) 2018/1725 for European institutions, bodies and agencies, are applicable, as this is currently lacking.
It should also be made clear in the proposed Regulation who decides the purpose(s) for which individuals’ personal data may be processed, otherwise known as the data controller, and by whom this data will be processed. In this specific case, certain processing operations may involve relevant authorities from EU Member States and the European Commission as joint controllers of personal data for example.
The EDPS also advises that the proposed Regulation includes a retention period during which individuals’ personal data will be stored. The retention period must be limited to what is strictly necessary, depending on the purpose(s) for which this data is processed and the type of data that is being processed.