In our November newsletter, find out about our upcoming data protection conference in 2022; read up on our participation in the 43rd Global Privacy Assembly and other events relating to data protection; catch up on our latest Formal Comments and recent publications.
In this issue
EDPS announces data protection conference in 2022
In a video address, European Data Protection Supervisor Wojciech Wiewiórowski (EDPS) announced that his conference, titled “The future of data protection: effective enforcement in the digital world”, will be held between 16 and 17 June 2022 in Brussels, Belgium.
Explaining in more detail the aim of his conference in a leaflet published on 15 November 2021, the EDPS seeks to bring together stakeholders from the digital regulatory sphere to reflect on and discuss enforcement models pertaining to data protection, competition, digital markets and services, and artificial intelligence.
With his conference, the EDPS looks forward to encouraging, in particular, a constructive discussion on the different approaches to data protection enforcement. The conference also aims to facilitate the sharing of best practices in this area.
EDPS attends annual conference of German data protection officers
As part of its work, the EDPS regularly participates in debates, conferences and discussions with a variety of professionals working in the field of data protection. To this end, Head of the EDPS’ Technology and Privacy Unit, Thomas Zerdick, attended the annual congress of the Association of the Data Protection Officers of Germany, between 27 and 29 October 2021 in Munich.
Founded in 1989, the Association of Data Protection Officers of Germany or the Berufsverband der Datenschutzbeauftragten Deutschlands (BvD) represents the interests of around 1,800 data protection officers of companies, public agencies, and consultants from all over Germany.
On this occasion, Thomas Zerdick presented data protection developments in the EU, including the challenges and opportunities that data protection authorities may face now and in the coming years. He also presented the EDPS’ and the EDPB’s latest work and provided an overview of the EU’s latest legislative proposals, such as the proposal on Artificial Intelligence, as well as the European Court of Justice’s latest judgements and pending cases. Thomas Zerdick stressed that one of these interesting pending cases merited attention, namely the request for a preliminary ruling from the Fővárosi Törvényszék (Hungary) in case C-132/21, which seeks to clarify the relationship between a supervisory authority and a court when examining the existence of an infringement under the data protection rules.
Cybersecurity Month: Stop, Think and Look!
As part of the EU’s cybersecurity awareness month, the EDPS produced a short factsheet focusing on the different phishing methods that hackers may use to obtain your personal information.
Did you know that hackers might try to trick you into giving your personal data away through emails, text messages, messaging apps or phone calls? Hackers may use these methods of communication to impersonate a governmental organisation or other legitimate entity that you may use or be in contact with on a regular basis.
The EDPS’ short factsheet, titled Stop, Think and Look, published on 28 October 2021, provides you with some of the tips and tricks to help you recognise phishing attempts so that you can protect your personal information.
Take a look at our factsheet, available on the EDPS website, to stay safe online.
Biometric Identification Systems
Public concerns about biometric surveillance, artificial intelligence, facial, emotional and behavioural recognition are steadily increasing. A significant amount of research is being carried out across the EU on these topics, which, as part of its work, the EDPS monitors.
Among various research papers, an interesting report, titled “Biometric and behavioural mass surveillance in EU Member States”, was published on 25 October 2021. The report provides an overview of biometric identification systems that have been tested or deployed in various countries across the EU, some of them for law enforcement purposes. For each case examined, the report includes the possible legal justifications, challenges and effects that the use of biometric identification systems may have on individuals.
In response to the European Commission’s proposal for an Artificial Intelligence Act, the EDPS and the EDPB issued a Joint Opinion on 21 June 2021 calling for a general ban on any use of artificial intelligence for automated recognition of human features in publicly accessible spaces. The European Parliament adopted a resolution in the same vein on 13 July 2021.
The EDPS reiterates that given the lack of a full picture of the impact of these technologies on our society, a precautionary principle approach should be followed.
The 43rd Global Privacy Assembly
The EDPS took part in the 43rd Global Privacy Assembly, hosted by the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) in Mexico, between 18 and 21 October 2021.
The Global Privacy Assembly, previously named International Conference of Data Protection and Privacy Commissioners, is an international forum with more than 130 data protection and privacy authorities.
The Supervisor, Director and EDPS colleagues participated in various online panels. Discussions ranged from the future of privacy and technology to individuals’ digital and privacy rights in a hyper-connected society. The topic of artificial intelligence, its challenges and opportunities, was also on the menu of discussions.
As the Global Privacy Assembly ended, a number of resolutions were adopted concerning:
- the Assembly’s Strategic Direction;
- data sharing for the public good;
- children’s digital rights;
- governments’ access to data; and
- the future of the Global Privacy Assembly.
To find out more about the 43rd Global Privacy Assembly, its reports and resolutions, please consult the following webpage on the EDPS website.
First Giovanni Buttarelli Award
During the Global Privacy Assembly, an international conference held in October 2021, the first Giovanni Buttarelli Award was presented to Ms Zuboff, Professor Emerita at Harvard Business School, for her exceptional contribution to international data protection and privacy.
The Giovanni Buttarelli Award was launched in August 2021, by the Chair and Executive Committee of the Global Privacy Assembly, in memory of Giovanni Buttarelli, former European Data Protection Supervisor and Executive Committee member.
The award ensures that Giovanni’s legacy and advocacy for international cooperation continue.
COVID-19 booster shots and data protection
On 18 October 2021, the EDPS issued Formal Comments concerning Regulation (EU) 2021/953 on the Digital COVID Certificate and its technical specifications, in particular the introduction of a booster shot of the COVID-19 vaccine.
Many EU Member States have announced or have already started to administer COVID-19 vaccine doses in addition to the standard primary vaccination series, specifically to individuals who may not have responded adequately to the primary vaccination series. Additionally, EU Member States are considering ‘booster’ doses for individuals who responded adequately to the primary vaccination series. In this regard, special attention should be paid to the situation of vulnerable groups who may receive additional vaccination doses as a matter of priority.
The current Digital COVID Certificate Regulation provides for the number of vaccine doses received by an individual to be included on the Certificate itself. Therefore, conclusions may be drawn about an individual’s pre-existing health condition if the booster dose is indicated on their certificate, leading to an unnecessary or non-consensual disclosure of information related to an individual’s health.
The EDPS welcomes the European Commission’s proposed measures allowing EU Member States, if they decide to administer additional doses to specific groups of the population only, to consider issuing vaccination certificates indicating the administration of such additional dose only upon request and not automatically, since Regulation (EU) 2021/953 offers this flexibility.
By extension, the EDPS supports the fact that individuals concerned will not be required to produce a certificate indicating that they have received a booster dose when exercising their right to free movement within the EU. This condition will remain valid until EU Member States limit the acceptance of vaccination certificates issued following the completion of the primary vaccination series for the purposes of free movement, if scientific evidence proves that protection afforded by the primary vaccination series decreases below a certain level after a certain period.
Concluding his Formal Comments, the EDPS reiterates the importance of only processing individuals’ data, in this case health data, that is necessary for the purpose envisaged.
A new Sustainable Fisheries Partnership Agreement
This SFPA aims to establish a framework for legal, environmental, economic and social governance for fishing activities carried out by EU fishing vessels in Mauritanian fishing areas.
One of the objectives of this agreement is also to prevent and combat illegal fishing. Meeting this objective may involve administrative cooperation and the exchange of information, such as:
- identification and contact data;
- activities of a fishing vessel or relating to a fishing vessel, such as its location, journeys, fishing activities;
- personal data relating to the owners of fishing vessels, crew members, operators, for example.
In light of this processing of data, the EDPS welcomes that specific data protection measures are included in the SFPA.
Nevertheless, the EDPS recommends that further clarifications are made. The agreement should include precisely which categories of personal data may be processed, for what purposes, by whom and for how long. By extension, the roles and responsibilities that the European Commission may have in the context of data processing should be made clear in the provisions of the SFPA.
Importantly, the EDPS recommends that data protection measures and related provisions on transfers of personal data are put in place.
EDPS talks data protection and privacy with students
On 13 October 2021, Head of the EDPS’ Technology and Privacy Unit, Thomas Zerdick, contributed to a lecture held at the University of Maastricht in the context of the “Advanced Master in Privacy, Cybersecurity, Data Management and Leadership” course.
During this lecture, Thomas Zerdick exchanged views with students on the topic of synthetic data, a technology recently explored in an IPEN webinar. Subsequent discussions were also held on how to ensure that data protection is embedded throughout the different stages of a technology’s development to protect individuals’ privacy.
As a Head of Unit at the EDPS, Thomas Zerdick was able to give an insight into the challenges and opportunities that data protection authorities may face now and in the coming years. To this end, he also presented the EDPS’ technology monitoring and foresight efforts, such as its latest initiative, TechSonar.
As the lecture drew to a close, Thomas Zerdick reiterated that it is crucial to properly enforce data protection legislation as a fundamental building block of the EU’s digital sovereignty efforts.
The EDPS looks forward to continuing discussions with various actors in the field of data protection as part of its work.
Data Protection training with DG FISMA
The EDPS’ Supervision and Enforcement Unit (S&E) pursued their successful training sessions with an online training delivered to the Directorate‑General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA), on 12 October 2021.
With 65 participants attending the online training, S&E colleagues provided an overview of the data protection principles and rules that DG FISMA should apply in their day-to-day operations, such as sending out newsletters; organising events and conferences; selecting experts.
The training session also focused on the concept of consent, more precisely how DG FISMA should ensure that individuals’ consent to the processing of their personal data is specific, informed and freely given.
During the second part of the training session, S&E colleagues reiterated the importance of communicating to the EDPS if a data breach occurs and the steps to take to protect individuals’ personal data in this context.
The topic of Data Protection Impact Assessments (DPIA) was also touched on. S&E colleagues detailed the steps and purpose of a DPIA, which is to analyse and plan any measures to mitigate the risks that certain processing operations of individuals’ personal data may entail.
To keep the online training session interactive, S&E colleagues prepared online questionnaires and polls for attendees to participate in. This initiative received positive feedback.
A European Digital Identity Wallet
By having an EU Digital ID Wallet, EU citizens would be able to identify themselves online to administrative agencies, but also carry out private transactions, such as applying for a bank account, or renting a car. EU citizens using the EU Digital ID Wallet would also be able to store the electronic versions of other documents, their driving licence or medical certificates for example. The EU digital ID would be recognised across all EU Member States. EU citizens would have control over who can access their digital ID and what personal data is disclosed.
In his Formal Comments, the EDPS emphasises that the measures to be put in place to protect EU citizens’ personal data depend on the type of technology infrastructure used for the setup of the EU Digital Identity, which will be determined at a later stage. The EDPS welcomes the precautionary measures that are already included in the proposal concerning the use of the EU Digital Wallet. In addition, he emphasises that the potential use of blockchain technology, where appropriate, must be in line with the EU’s General Data Protection Regulation, applicable to EU countries, and any foreseen guidelines produced by the European Data Protection Board in this area.
The EU Digital ID Wallet will be issued by EU Member States’ authorities or entities on their behalf. As such, the EDPS included in his Formal Comments recommendations for better coordination between the EU’s data protection authorities and other relevant supervisory authorities, for a safe and reliable functioning of the infrastructure of the EU’s Digital Identity.
Furthermore, the EDPS supports the intention to avoid a mix-up of identities by introducing additional safeguards guaranteeing that EU citizens’ electronic documents, such as a citizen’s medical certificate stored in the EU Digital Wallet, are not incorrectly connected to another citizen’s EU Digital Wallet.
Nevertheless, the EDPS raises his concerns on whether a system of unique identifiers corresponding to each EU citizen using the EU Digital Identity is the right approach. Relying on a unique identifier in the form of a numeric or alphanumeric key instead of a name, birth place and date, or other personal data to identify a person, might violate human dignity, when applied to all aspects of social life.