In the EDPS July 2022 Newsletter, read our latest EDPS-EDPB Joint Opinions and Press Releases on the European Health Data Space and the EU's Data Act. Look back on the events we have organised, such as the EDPS Conference 2022, the 50th EDPS-DPO meeting, and the International Organisation workshop co-organised with the World Food Programme. In this issue, you can also find our latest Press Releases and Opinions on a number of diverse subjects, such as on geographical indications (GI) of products circulated in the EU, on recovering and confiscating assets obtained by criminals, and plenty more.
In this issue
Protecting the personal data of EU producers
While supporting the Proposal for a Regulation on geographical indications for wine, spirits, agricultural products, and quality schemes for agricultural products in its Opinion published on 22 July 2022, the EDPS recommends that a number of measures related to the processing of personal data are clarified and added.
The Proposal includes measures that aim to help manage more effectively the registration and certification processes for EU Member States’ producers of wine, spirits, and agricultural products when they apply for a geographical indication under the EU’s quality scheme, which allows them to protect and certify their product in the EU, to avoid, for example, the misuse or imitation of their products.
Wojciech Wiewiórowski, EDPS, said: “I welcome the measures envisaged in the Proposal to protect personal data. In particular, I welcome the clarification of the roles and responsibilities of the European Commission and Member States’ authorities with regard to the processing operations laid down in the Proposal. At the same time, further improvements are needed, for example, there is a need to explicitly specify instances of joint controllership in relation to the processing of personal data.”
Proposal on asset recovery and confiscation: EDPS welcomes commitment to data protection
In its Opinion published on 20 July about the European Commission’s Proposal for a Directive on recovery and confiscation of assets, the EDPS recognises that processing personal data in this context is liable to have a significant impact on the individuals concerned and constitutes an interference with individuals’ rights guaranteed by the EU Charter of Fundamental Rights, including the right to data protection. The EDPS therefore welcomes the fact that the Proposal explicitly underlines the particular importance that the protection of personal data, according to EU law, is ensured.
The Proposal aims to help EU Member States’ competent authorities to identify, freeze, manage, and confiscate assets obtained through criminal activities by organised crime groups. To achieve this, the Proposal aims to facilitate cooperation between relevant authorities involved in the seizing of these assets.
Wojciech Wiewiórowski, EDPS, said: “While I support the objectives of the Proposal, which will contribute to combatting organised crime across the EU, its potentially significant impact on the individuals concerned is undeniable. Therefore, the European Parliament and the Council must ensure that the limitations to the right to data protection apply only in so far as is strictly necessary, and that robust data protection safeguards are present”.
European Health Data Space must ensure strong protection for electronic health data
On 14 July 2022, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted their Joint Opinion on the European Commission’s Proposal for the European Health Data Space (EHDS). The Proposal aims to facilitate the creation of a European Health Union and to enable the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data.
The EDPB and the EDPS welcome the idea of strengthening the control of individuals over their personal health data. However, they draw the co-legislators’ attention to a number of overarching concerns and urge them to take decisive action. In particular, the EDPB and the EDPS acknowledge that Chapter IV of the Proposal, which aims to facilitate the secondary use of electronic health data, may generate benefits for the public good. At the same time, the EDPB and the EDPS consider that these further processing activities are not without risks for the rights and freedoms of individuals.
New EU funding rules: processing of personal data must be clarified
In its Opinion published on 12 July, the EDPS fully supports the goals of the proposed amendments to the financial rules on the general budget of the European Union, but strongly recommends specifying the types of personal data to be processed, from where this data is sourced, as well as the means and duration of the processing.
According to the European Commission’s proposal, the amendments of the financial rules aim to improve the way financial and personal data is processed to prevent, detect, investigate, and correct fraud or financial irregularities effectively when distributing EU funding. Concretely, the Proposal introduces an obligation, for the different bodies implementing the EU budget, to record data about the recipients of EU funding, and to use a single integrated IT system for data-mining and risk-scoring to analyse this data.
Wojciech Wiewiórowski, EDPS, said: “Whilst processing personal data to ensure the proper management of EU funds may be necessary, the new rules should also include further safeguards to protect individuals concerned against the risks of their data being misused. In addition to these clear and precise rules, the necessary technical and organisational measures should be put in place to protect this data, in compliance with EU data protection law, namely Regulation (EU) 2018/1725 and the General Data Protection Regulation”.
Amended Europol Regulation weakens data protection supervision
Following the publication of the amended Europol Regulation in the Official Journal of the EU today, the EDPS expresses its concerns that the amendments, which will enter into force on 28 June 2022, weaken the fundamental right to data protection and do not ensure an appropriate oversight of the European Union Agency for Law Enforcement Cooperation (Europol).
The amended Europol Regulation, Regulation (EU) 2022/991, expands considerably the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets.
Europol is now allowed, in specific cases, to process large datasets, leading to a substantial increase in the volume of individuals’ personal data processed and stored by the Agency. Consequently, data relating to individuals that have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity.
The EDPS regrets that the expansion of Europol’s mandate has not been compensated with strong data protection safeguards that would allow the effective supervision of the Agency’s new powers.
Putting in place strong safeguards is crucial since the impact of the amended Regulation on personal data protection is further aggravated by the fact that EU Member States have the possibility to retroactively authorise Europol to process large data sets already shared with Europol prior to the entry into force of the amended Regulation. The EDPS has strong doubts as to the legality of this retroactive authorisation.
EDPS Conference 2022: A pan-European approach is going to be necessary for effective enforcement
On 16 and 17 June 2022, European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski welcomed over 2000 participants, both in-person and remotely, at his conference titled, “The future of data protection: effective enforcement in the digital world”.
With a line-up of over 100 distinguished speakers sharing their different views and visions, a total of 16 breakout sessions, workshops, and more, the two-day conference of the EDPS fostered crucial conversations on the future of data protection.
In his keynote speech delivered today to conference participants, Wojciech Wiewiórowski stated that he strongly believes that a pan-European data protection enforcement model is going to be a necessary step to ensuring real and consistent high-level protection of the fundamental rights to data protection and privacy across the European Union (EU).
This statement comes after two days of important discussions on the need for effective enforcement, and collective consideration for building a culture of compliance, following reflections on what currently works under the General Data Protection Regulation’s (GDPR) governance model, and what could be improved.
Celebrating the 50th EDPS-DPO meeting!
On 14 June 2022, following two years of online meetings due to the COVID-19 pandemic, the network of 70 Data Protection Officers (DPOs) of the EU institutions, bodies and agencies (EUIs) met in person to celebrate its 50th meeting with the EDPS. As a follow-up to the meeting, EDPS Director Leonardo Cervera Navas summarised his reflections in a blogpost.
At the meeting, the EDPS and network of DPOs took stock of the good work done so far and launched a forward-looking reflection about the future of this network that has added so much value and pleasure to our work.
The role of the Data Protection Officers is key since the adoption of the GDPR and the EUDPR. Often, the principle of accountability only becomes a reality when there is a good DPO working hard, hand in hand with the data controller. This is because Data Protection Officers know the core needs of their organisations very well. They are therefore in an ideal position to advise on how best to strike a good balance between the needs of the organisation they serve and the rights of the data subjects concerned.
Data protection is sometimes mistaken as the piece of legislation that “makes it difficult” for private and public organisations to process personal data. In fact, in our highly digitised societies, the processing of personal data is often not only necessary but also beneficial for the data subjects themselves. Therefore, the real issue is not that the processing of personal data becomes more difficult but rather that data controllers become more accountable. This is the ultimate goal of the DPOs in our system and I am proud to say that they do it very well.
Concluding his blogpost, EDPS Director Leonardo Cervera Navas thanked the DPO community for their hard work, stating that he looked forward to continuing this cooperation in the years to come because safeguarding fundamental rights should no longer be a radical dream, but an obvious reality.
A new United Nations convention on cybercrime: fundamental rights come first
The EDPS published on 18 May 2022 its Opinion concerning the EU’s participation in the United Nations’ negotiations for a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (the future UN convention on cybercrime).
While reiterating support, in principle, to international cooperation in combatting cybercrime, the EDPS includes in its Opinion recommendations to ensure that the future UN convention upholds individuals’ data protection and privacy rights according to EU law.
The EDPS is concerned that, if not specifically addressed, the future UN convention risks weakening the protection of individuals’ fundamental rights, including the rights to data protection and privacy guaranteed under EU law, given the large number of countries, which each have their own legal system, that are partaking in its negotiations. As such, the EDPS advises the EU not to become party to the future UN convention on cybercrime, if its final draft does not guarantee these fundamental rights.
Wojciech Wiewiórowski, EDPS, said: “Exchanging personal data between EU countries and non-EU countries to combat cybercrime comes with great responsibility. Strong safeguards must be put in place to ensure that the protection of individuals’ personal data in a non-EU country is not undermined, especially when sharing sensitive data related to alleged criminal activities”.
EDPS welcomes much-needed harmonised rules on cybersecurity and information security for all EUIs
On 17 May 2022, the EDPS published two Opinions, one on the Proposal for a Regulation laying down measures for a high common level of cybersecurity in the EU institutions, bodies, offices and agencies (EUIs) (‘Cybersecurity Proposal’) and one on information security in the EUIs (‘Information Security Proposal’).
The EDPS welcomes the aim of the Proposals to improve the cybersecurity and information security of EUIs, by establishing common rules and minimum security requirements that are aligned with relevant objectives of the EU’s Cybersecurity Strategy. Both Proposals are interlinked with the NIS 2.0 Proposal, which aims to harmonise and strengthen cybersecurity practices across the European Union, and for which the EDPS had issued an Opinion.
Wojciech Wiewiórowski, EDPS, said: “With the NIS 2.0 Directive just agreed by the co-legislators last week, the European Commission has gone one step further by proposing corresponding rules for EUIs in a timely manner. These will be the first legal acts devoted exclusively to regulating data security in the EUIs, including at the EDPS. There is no protection of personal data without effective security risk management and measures. At the same time, it is essential to protect personal data processed in the information security and cybersecurity contexts. I believe the texts provide a good basis, but can be improved with more assurances for the rights and freedoms of individuals when their data is processed in security operations.”
Solidarity & Digital Solidarity: 2022 International Organisations Data Protection Workshop
On 12-13 May, the EDPS co-organised with the World Food Programme the 2022 edition of the International Organisations workshop, in Rome, Italy. As a follow-up, Supervisor Wojciech Wiewiórowski published a blogpost summarising his key thoughts and reflections about the workshop.
Initiated in 2005, these workshops have always aimed to provide a platform to bring together international organisations to share experience, practice and analysis of common challenges. This rationale appears to be more relevant than ever in 2022, with over 100 participants and more than 50 organisations represented at the workshop.
The first panel session of the workshop was an opportunity to hear from various stakeholders and from international organisations about significant legal, policy or technological updates related to privacy & data protection from the perspective of their work.
Moving on to the second panel session of the workshop, participants considered Data Subjects’ Rights, specifically the challenges and opportunities for International Organisations. The aim was to get an overview of current best practices and the challenges of enforcing data subjects’ rights and discussions included governance, response time and technology used.
The workshop concluded with a session focusing on “Digital Transformation and Data Protection an Oxymoron?”, during which participants looked at the tension between innovation and data protection and considered the challenges including anonymisation, role determination, security, data sharing, for instance in AI, cloud computing or Blockchain.
The discussions on both days of the workshop demonstrated the commitment of the international organisations’ data protection community. The EDPS will continue to support their efforts and continue to contribute to increasing global cooperation.
The EU’s Data Act: data protection must prevail to empower data subjects
On 5 May 2022, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published their Joint Opinion on the proposed Data Act.
The EDPS and EDPB welcome the efforts made to ensure that the Data Act does not affect the current data protection framework. At the same time, since the Data Act would also apply to highly sensitive personal data, the EDPS and EDPB urge the co-legislators to ensure that data subjects’ rights are duly protected. The access, use and sharing of personal data by entities other than data subjects should occur in full compliance with all data protection principles and rules. Moreover, products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy intrusive way possible.
The Data Act aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (‘Internet of Things’), medical or health devices and virtual assistants. The Data Act also aims to enhance data subjects’ right to data portability under Art. 20 of the General Data Protection Regulation.
Speeches and Publications
- Privacy in the resilient state of human condition - Wojciech Wiewiórowski, Closing remarks by Wojciech Wiewiórowski at the Computers, Privacy and Data Protection conference 2022, Brussels, Belgium.