In our October newsletter, discover our new initiative, TechSonar, and rediscover our award-winning TechDispatch reports! Read up on our latest Formal Comments, our Guidelines for EU institutions' return to the workplace, and more!
In this issue
Foresight: an essential element to analyse tech trends
To our great delight, the EDPS TechDispatch initiative has received the Global Privacy and Data Protection 2021 Award in the category of “Education and Public Awareness”, on the occasion of the 43rd Global Privacy Assembly 2021, hosted by INAI (Mexico) on 20 October 2021.
The Global Privacy Assembly is an international forum with more than 130 data protection and privacy authorities. The Global Privacy Assembly first met in 1979 under the name of International Conference of Data Protection and Privacy Commissioners (ICDPPC).
The GPA Global Privacy and Data Protection Awards celebrate the achievements of the GPA community and reward good practices adopted in the field of privacy and data protection. As such, the Supervisor and members of EDPS staff appreciate the recognition received for our commitment to explaining the impact of new technologies to the wider public.
Launched in 2019, the aim of the TechDispatch is to inform and raise awareness of the potential data protection issues surrounding new technologies.
The TechDispatch reports provide factual descriptions of a new technology, a preliminary assessment of its possible impacts on privacy and the protection of personal data, and links to further recommended reading.
EDPS launches TechSonar
On 28 September 2021, the EDPS launched a new initiative, TechSonar.
The EDPS’ TechSonar reports aim to anticipate emerging technology trends to better understand their future developments, especially their potential implications on data protection and individuals’ privacy.
In a blogpost explaining the philosophy of the TechSonar reports, European Data Protection Supervisor Wojciech Wiewiórowski emphasises the need to act in advance, to anticipate the developments of technology trends to ensure that data protection and privacy features are embedded in these emerging technologies, from the earliest stages of their conception.
In the first EDPS TechSonar 2021-2022 report, technology experts from the EDPS have chosen to explore the following six foreseen technology trends:
- smart vaccination certificates;
- synthetic data;
- central bank digital currency;
- just walk out technology;
- biometric continuous authentication;
- digital therapeutics.
For each technology trend, the TechSonar report includes information about what this technology may entail; its impact on our day-to-day lives; as well as its possible implications on individuals’ privacy, both the positive and negative aspects.
EDPS Data Protection Talk: “Strategic Foresight and Data Protection”
As part of its regular data protection talks, EDPS members of staff attended a virtual presentation on 28 September 2021 on “Strategic Foresight and Data Protection” by Mr Roberto Poli, Professor at the University of Trento, Italy, and UNESCO Chair in Anticipatory Systems.
This data protection talk is part of the wider EDPS TechSonar initiative launched on 28 September 2021, which focuses on foreseeing developments of technology trends and their impact on data protection. As such, the data protection talk focused on the importance and benefits of understanding and anticipating changes in technology trends and how to develop this skill.
Discussions with Professor Poli helped the EDPS to come up with various steps and a methodology to foster foresight, which is one of the EDPS’ aims set out in its 2020-2024 strategy published in June 2020. The proposed methodology includes the research, analysis, review, and monitoring of technology trends to prepare and, to a certain extent, predict their impact on individuals’ day-to-day lives and privacy.
As the data protection authority of the EU institutions, offices, bodies and agencies, the EDPS aims to use these skills and knowledge to contribute in particular to the ongoing and wider debate on foresight within these institutions, and to stimulate foresight and debates on technology trends among the EU’s data protection authorities.
EDPS welcomes AML package but suggests improvements to protect individuals’ personal data
On 22 September 2021, the EDPS published his Opinion on the European Commission’s proposed Anti-Money Laundering legislative package (AML).
The EDPS welcomes the AML package and supports the general interest to fight money laundering and the financing of terrorism effectively. He welcomes the envisaged harmonisation of the AML/CFT framework through the enactment of a Regulation, as this will result in a more consistent application of the main rules by EU Member States. Moreover, he sees the harmonisation of the supervisory activities at EU level under the same European authority as a positive step, but calls for a clear definition of the roles, from a data protection perspective, of all stakeholders involved in the supervision model.
The EDPS notes that the proposed AML package takes a risk-based approach to the screening of banks’ clients in order to assess whether they may represent a money-laundering risk. While the EDPS appreciates the value of the risk-based approach underpinning the proposed legislative package, he considers that further clarifications are needed to minimise intrusion into individuals’ privacy and to ensure full compliance with data protection rules.
Wojciech Wiewiórowski, EDPS, said: “I recognise the importance of combatting money laundering and the financing of terrorism. At the same time, it is also important that the measures envisaged to achieve this goal are fully in line with the EU’s data protection laws and principles. In particular, the processing of individuals’ personal data must remain limited to what is necessary and proportionate in light of the specific purpose(s) set out in the proposals.”
Connecting bank account registers
On 6 September 2021, the EDPS published his Formal Comments on the access of EU Member States’ law enforcement authorities to the platform connecting bank account registers across the European Union for the purpose of preventing, detecting, investigating or prosecuting a serious criminal offence, such as different types of fraud.
The EDPS welcomes that the data protection implications of such a decision have been considered and assessed. He reiterates in his Formal Comments that access by law enforcement authorities to individuals’ financial information - such as the IBAN or the name of the account holder - should be limited to what is strictly necessary in light of specific purposes.
To facilitate the cooperation between law enforcement authorities across the EU, the EU legislator foresees the setup of an EU-wide interconnection of bank account registers. The EDPS recommends that data protection principles are embedded throughout the infrastructure’s development.
Protecting the consumer and their personal data
On 18 August 2021, the EDPS issued its Formal Comments on a proposed Regulation concerning rules on the safety of products to enhance the protection of consumers.
The proposed Regulation includes measures to monitor the online sale of dangerous products.
In its Formal Comments, the EDPS states that the monitoring of such products should not involve the processing of individuals’ personal data - such as the identity of the purchaser or the identity of the provider of products - if possible. Should the processing of personal data concerning the purchase, circulation and other information linked to the dangerous product(s) be necessary, it should be limited to what is needed in light of specific purposes.
Consequently, the proposed Regulation should provide for specific clauses explaining in what circumstances individuals’ personal data may be processed; for how long; in what capacity; and for what reasons. Individuals should be informed in a transparent and clear way about how their personal data may be processed.
To successfully enhance the protection of consumers, as envisaged by the proposed Regulation, the EDPS emphasises the necessary cooperation between the EU’s consumer protection authorities and the EU’s data protection authorities. Protecting consumers goes hand in hand with protecting their personal data.
EDPS Guidelines for EUIs’ return to the workplace
As EU institutions, bodies and agencies (EUIs) develop their respective strategies for their employees’ return to the office, the EDPS published its guidelines on 9 August 2021, titled Return to the Workplace and EUIs’ screening of COVID immunity or infection status.
The EDPS’ guidelines include recommendations on EUIs’ possible use of COVID antigen test results; their use of employees’ vaccination status; and their use of EU COVID Certificates (COVID Certificates) to mitigate the risk of transmitting the virus in the workplace amongst colleagues.
Before putting in place these measures, the EDPS recommends that:
- EUIs carefully assess whether these measures would comply with the EU data protection law applicable to EUIs, Regulation (EU) 2018/1725, to minimise the intrusion into individuals’ privacy;
- the measures envisaged by EUIs are in line with the legislation of the EU Member State where the EUI in question is located, as well as that Member State’s latest public health guidance and recommendations made by their Data Protection Authority.
Specifically concerning information on employees’ vaccination status, the EDPS considers that there is no legal basis for EUIs to request this information. Nevertheless, EUIs may collect information on employees’ vaccination status in an anonymised way, for example through a survey, to support their risk assessments when planning their strategies to return to the workplace.
When it comes to the use of employees’ COVID antigen test results and COVID Certificates - which include employees’ personal data - the EDPS recommends that the following two distinctions are made to determine whether the processing of this personal data falls under the scope of Regulation (EU) 2018/1725.
- If the EUI carries out manual verification of the antigen test results and COVID Certificates without further storing or registering this information, this would not qualify as the processing of personal data under Regulation (EU) 2018/1725.
- If the EUI verifies the antigen test results and COVID Certificates by scanning QR codes or recording the results in a database, for example, this would be considered as processing employees’ health data. Health data is a special category of data for which extra precautions are to be taken when processing it under Regulation (EU) 2018/1725.
Overall, the EDPS emphasises in his Guidelines that when EUIs plan their employees’ return to the office they should do so without intruding on employees’ privacy, by selecting measures that demand the least amount of processing of employees’ personal data. EUIs should also assess whether such processing of individuals’ personal data is necessary and proportionate in light of the measures envisaged for a return to the workplace. The least intrusive measures should always be the preferred option to select.
EU-Japan Agreement in criminal matters
On 16 July 2021, the EDPS published its Formal Comments on the possible opening of negotiations to amend the EU’s current agreement with Japan on mutual legal assistance in criminal matters (EU-Japan Agreement).
The amendment of the current EU-Japan Agreement, which entered into force on 2 January 2011, would ensure that the purposes for and measures related to the processing of individuals’ personal data for criminal matters and other law enforcement issues are consistent with the EU’s Law Enforcement Directive (LED).
In its Formal Comments, the EDPS welcomes the aim to amend the EU-Japan Agreement so that it respects and follows the data protection principles included in the LED, therefore contributing to the Agreement’s robust data protection framework.
Nevertheless, the EDPS makes a number of recommendations, including those detailed below.
- The agreement should explicitly mention that individuals’ personal data transferred by an EU Member State to Japan should not be used for any form of cruel or inhuman treatment towards any individual concerned.
- The agreement should include measures that restrict the possibilities of subsequent transfers of individuals’ personal data to countries or authorities other than the ones mentioned in the EU-Japan Agreement. This recommendation would ensure that the protection of individuals’ personal data is essentially equivalent to the protection afforded in the EU and to the protection guaranteed by the EU-Japan Agreement.
The EDPS made other suggestions concerning the storage, correction, deletion and recording of individuals’ personal data, which should be clearly explained in the EU-Japan Agreement.
On 24 June 2021, the EDPS issued an Opinion on the European Commission’s Proposal to regulate the crypto-assets’ markets.
The proposed Regulation includes a series of obligations and requirements concerning the trading of electronic money tokens, rules on the authorisation and supervision of those issuing and/or providing electronic money tokens, and rules to protect individuals purchasing electronic money tokens. Overall, the Regulation seeks to prevent abuse in the crypto-assets’ markets.
The EDPS made a number of recommendations concerning this proposal, in particular on the responsibilities of those issuing crypto-assets.
As per the proposal, it is envisaged that issuers of crypto-assets may process the personal data of those purchasing crypto-assets by using various technologies and infrastructures, such as blockchain - a type of technology used in this case to record the purchasing and issuing of crypto-assets. Concerning the processing of individuals’ personal data, issuers of crypto-assets may be considered as data controllers, since they decide for which purposes individuals’ data may be processed and in what capacity, as well as the overall configuration of the crypto-asset project.
Given the type of personal data that may be processed and the infrastructure possibly used for this processing, the EDPS recommends that the issuers of crypto-assets - as possible data controllers - carry out a Data Protection Impact Assessment (DPIA). A DPIA would allow issuers of crypto-assets to evaluate the risks of all possible processing operations, and the measures to mitigate such risks, as per the obligation set out in the General Data Protection Regulation applicable to EU Member States.
In its concluding remarks, the EDPS suggests that issuers of crypto-assets explain in a transparent and simple way to individuals purchasing crypto-assets how their personal data may be processed.