Newsletter (92)
For our first EDPS Newsletter of the year 2022, discover what we have been up to in January, but also learn more about, or rediscover, some of our important work of the year 2021!
In this issue
EDPS celebrates Data Protection Week 2022
Online targeting for political advertising: stricter rules are necessary
International cooperation to fight crime should comply with EU law
Looking for a 2022 resolution? Subscribe to our TechDispatch!
Passenger Locator Forms when traveling by air
EU-Interpol cooperation to fight crime
The EU’s Financial Sector and the digital world
EDPS celebrates Data Protection Week 2022
Ahead of Data Protection Day on 28 January 2022, the European Data Protection Supervisor, Wojciech Wiewiórowski, published a blogpost and a video summarising his reflections on what this day represents, on how far we have come in the field of data protection, and on the challenges that lie ahead for data protection in Europe’s digital future.
Amongst other topics, the EDPS takes the opportunity to reaffirm his commitment to protecting the fundamental right to data protection; he touches on the importance of advocating for technologies that are created according to the EU’s values and principles; and presents his plans for his upcoming conference, titled “The future of data protection: effective enforcement in the digital world”.
To discover or rediscover why we celebrate Data Protection Day, read the EDPS’ blogpost and watch his video.
Your Data, Your Rights
EU institutions, bodies, offices and agencies, as well as public and private entities within the EU’s Member States, may process your personal data in their day-to-day activities. As an individual, you are entitled to a certain number of rights when your data is being processed, under EU data protection law.
Are you aware of your rights? Need a quick refresher? To mark Data Protection Week 2022, the EDPS has prepared a factsheet for you to discover, or learn more about, ten of your most important data protection rights. From the right to access to the right to erasure, read our factsheet, published on 24 January 2022, to find out more.
Online targeting for political advertising: stricter rules are necessary
The EDPS published on 20 January 2022 his Opinion on the EU legislators’ proposed Regulation on transparency and targeting for political advertising.
In his Opinion, the EDPS welcomes the overarching aims of the proposed Regulation. By laying down rules and obligations for providers of political advertising and related services to be more transparent in their use of targeting techniques, this proposal seeks to promote free and fair elections in the EU, therefore strengthening the EU’s democratic process.
The EDPS recommends the EU legislators to consider stricter rules concerning online targeted advertising for political purposes, in addition to the proposed measures to make this type of advertising more transparent.
In particular, the EDPS recommends that the proposed Regulation includes a full ban on microtargeting for political purposes, which consists of targeting an individual or a small group of individuals with political messages according to some of their perceived preferences or interests that their online behaviour may reveal.
International cooperation to fight crime should comply with EU law
The EDPS published on 20 January 2022 his Opinion on two Proposals: one to authorise EU Member States to sign the second Protocol to the Budapest Convention on Cybercrime, and one to authorise EU Member States to ratify this same Protocol.
The Budapest Convention on Cybercrime aims to facilitate the investigating and prosecuting of crimes, in particular cybercrimes, through international cooperation. The second Protocol of this Convention aims to enhance cooperation between law enforcement authorities of different Parties for the collection of evidence for the purpose of specific criminal investigations or proceedings. In addition, the Protocol includes provisions for direct cooperation between the law enforcement authorities and service providers across borders.
Wojciech Wiewiórowski, EDPS, said: “Investigating and prosecuting crime is a legitimate aim, for which international cooperation, including the exchange of information, plays an important role. The EU needs sustainable agreements for sharing personal data with non-EU countries for law enforcement purposes. These agreements should be fully compatible with EU law, including the fundamental rights to privacy and data protection.”
New Regulation on European Union Agency for Asylum (EUAA) will strengthen personal data protection of asylum seekers
The 19 January 2022 marked the entry into force of Regulation 2021/2303, establishing a European Union Agency for Asylum (EUAA) to replace and succeed to the European Asylum Support Office (EASO), and transform it into a fully-fledged asylum agency.
Regulation 2021/2303, which forms part of the 2016 package to reform the Common European Asylum System (CEAS), grants the EUAA new powers to improve the implementation and functioning of the CEAS by strengthening practical cooperation and information exchange among Member States.
The EDPS welcomes the entry into force of Regulation 2021/2303, as it places a stronger emphasis on data protection in the field of asylum when compared to the previous Regulation 439/2010. Given the importance of protection of personal data when dealing with the most vulnerable in society, the new Regulation includes a dedicated chapter on data protection, outlining the purposes for which personal data can be processed and emphasising the principle of proportionality in data processing.
The EDPS expects the EUAA to fully apply and respect these rules as from the date of their application and will continue to monitor their implementation.
EDPS orders Europol to erase data concerning individuals with no established link to a criminal activity
On 3 January 2022, the EDPS notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). This Decision concludes the EDPS’ inquiry launched in 2019.
In the context of its inquiry, the EDPS admonished Europol in September 2020 for the continued storage of large volumes of data with no Data Subject Categorisation, which poses a risk to individuals’ fundamental rights. While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation. This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation.
The EDPS has decided to use its corrective powers and to impose a 6-month retention period (to filter and to extract the personal data). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.
Continue to Read the EDPS Press Release
Read the EDPS Decision
Read the EDPS’ Frequently Asked Questions’ paper on this topic.
Looking for a 2022 resolution? Subscribe to our TechDispatch!
As part of the EDPS Technology & Privacy unit’s task to monitor new technologies, we regularly publish TechDispatch reports to explain emerging developments in technology.
For these reports, initially launched in 2019, the EDPS won the Global Privacy and Data Protection 2021 Award in the category “Education and Public Awareness”, on the occasion of the 43rd Global Privacy Assembly 2021, in October last year.
The Global Privacy Assembly (GPA) is an international forum with more than 130 data protection and privacy authorities worldwide. The GPA's Global Privacy and Data Protection Awards celebrate the achievements of the GPA community, and rewards good practices in the field of data protection. As such, receiving this award confirms and underlines the EDPS’ commitment to ensuring that the public is informed about emerging developments in technology and their impact on privacy and data protection.
Our complete collection of TechDispatch reports is available on the EDPS website here. These reports feature a variety of topics, such as card-based payments; Facial Emotion Recognition; Personal Information Management System, quantum computing, and more.
We look forward to publishing more TechDispatch reports in 2022. To be the first one to receive our TechDispatch reports, why not subscribe here.
TechSonar 2021-2022: updates!
The EDPS has updated its TechSonar 2021-2022 Report, initially launched in September 2021.
The Report is the EDPS' first official publication on the topic of technology foresight. It features an updated version of the technology trends for this upcoming year, such as synthetic data; just walk out technology; digital therapeutics; and more.
The Report also presents the EDPS’ Data Protection Technology Sonar, a foresight methodology in the field of data protection. This foresight methodology consists of five steps: the initial scouting of potential new trends; a brainstorming session to select trends worth observing for the upcoming year; a peer review of these trends; the publication of a report summarising our findings; and a continuous monitoring of the trends included in the report.
With our TechSonar Reports and new methodology, we hope to anticipate the developments of technology trends to ensure that data protection and privacy features are embedded in these emerging technologies, from the earliest stages of their conception. We look forward to sharing our findings with the data protection community regularly.
To find out more on the trends and the underlying foresight methodology, read the TechSonar Report 2021-2022.
Passenger Locator Forms when traveling by air
On 14 December 2021, the EDPS published his Formal Comments on the EU legislators’ Proposal concerning the establishment of Passenger Locator Forms (PLF).
The Proposal aims to create an obligation for EU Member States to put in a place a national system of digital PLFs for the sole purpose of managing COVID-19 contact tracing when individuals are travelling by air travel to an EU Member State.
Using digital PLFs involves the processing of individuals’ personal data, such as an individual’s address, details of their journey, where they have stayed when travelling, and potentially their COVID-19 vaccination status, to be able to establish whether they have, or may have been, in contact with another individual that has COVID-19.
The EDPS welcomes that the Proposal seeks to limit the purpose and time for which PLFs may be used in the context of the COVID-19 pandemic.
The EDPS also considers that the requirement for EU Member States to have national digital PLF systems should be limited to what is absolutely necessary to ensure the performance of effective contact tracing measures, so as to miminise the impact on individuals’ freedom of movement.
Should EU Member States - based on their respective national laws - still seek to use individuals’ personal data, collected via the PLFs, for purposes outside the specific remit of the Proposal, these would need to respect the fundamental rights to privacy and data protection; and the criteria laid down in the GDPR concerning the processing of personal data for a purpose other than for which the data has been collected.
Read the EDPS’ Formal Comments, available in English, French and German.
EU-Interpol cooperation to fight crime
On 25 May 2021, the EDPS issued an Opinion on a proposed cooperation agreement between the EU and Interpol, the International Criminal Police Organisation.
The proposed cooperation agreement would be a binding legal instrument that touches on a diverse range of subject matters, of which some have an impact on the protection of personal data.
Given the heightened risks that come with the processing of individuals’ personal data related to crime, the EDPS highlights in his Opinion that the agreement should not weaken the protection of individuals’ fundamental rights, in particular the rights to privacy and data protection, currently ensured under EU primary law, such as Treaties and the Charter of Fundamental Rights, and secondary law, such as EU Regulations or EU Directives.
In his Opinion, the EDPS also makes recommendations concerning transfers of individuals’ personal data to an international organisation, in this case Interpol.
In principle, no additional requirements need to be met if the international organisation can prove that it can ensure an adequate level of protection for individuals’ personal data as guaranteed in the EU. If this is not the case, exceptions for certain transfers of individuals’ personal data may apply, if appropriate data protection safeguards are put in place.
In this regard, the EDPS’ recommendations aim to make sure that the proposed agreement provides for an adequate level of protection for individuals’ personal data, in compliance with the EU’s data protection laws, and the EU’s Charter of Fundamental Rights. The EDPS’ recommendations include technical and organisational measures as safeguards to protect individuals’ data.
Read the EDPS’ Opinion, available in English, French and German.
The EU’s Financial Sector and the digital world
With the aim of contributing to the stability of the EU’s financial markets, the EU legislators proposed a Regulation on the Digital Operational Resilience for EU financial entities on 24 September 2020. The Proposal provides measures for:
- the management of risks linked to the use of ICT tools in the EU’s financial sector;
- the management, classification and reporting of incidents when using digital tools;
- the testing of measures and procedures put in place to both prevent and manage risks that may occur when using digital tools;
- managing the risks that may occur when delegating certain ICT operations to third parties;
- the processes, which involve the sharing of financial information between relevant entities.
Since this Proposal may involve the processing of individuals’ financial data, the EDPS was consulted for its Opinion, which was published on 10 May 2021.
In its Opinion, the EDPS welcomes the overarching aim to foster a comprehensive and well-documented ICT risk management framework for the EU’s financial sector.
To strengthen this proposed framework, the EDPS recommends that the EU’s data protection principles are embedded throughout the design, process and use of the ICT infrastructure and other digital tools within the EU’s financial entities. In this context, the Proposal should also define clearly the roles and responsibilities of who will process individuals’ financial data, for what purposes, and for how long, writes the EDPS in his Opinion.
Read the EDPS Opinion, available in English, French and German.
Zoom in on the EDPS' Factsheets
The EDPS regularly publishes factsheets focusing on a specific aspect of its work, or to raise awareness of a particular area of data protection law and its impact on the way your personal data may be processed.
As an example, on 27 January 2021, the EDPS published a factsheet on its enforcement powers under Regulation (EU) 2018/1725 - the data protection regulation for EU institutions, bodies, offices and agencies.
With this factsheet, you can learn more about the EDPS’ corrective and investigative powers, and when these may be exercised by the EDPS.
Like every factsheet published on the EDPS Website, the factsheet on the EDPS’ enforcement powers includes further reading resources for you to be able to delve deeper into the topic at hand.
Read the EDPS’ Factsheet on the enforcement powers of the EDPS.
Speeches and Publications
Remarks by the European Data Protection Supervisor, Wojciech Wiewiórowski, at the Committee on Civil Liberties, Justice and Home Affairs (LIBE) meeting on Europol in Brussels, Belgium.
Speech: "La contribución de España en el desarrollo y garantía del derecho fundamental a la protección de datos personales en la Unión Europea" by the EDPS Director Leonardo Cervera Navas at University of Salamanca.