In newsletter #97, learn about and sign up to our upcoming Supervision Conference. Read up on our latest audit on three of the EU's large IT systems, our Formal Comments on Smart Meters, our latest Supervisory Opinion, and more!
In this issue
Supervision Conference: mark your calendars for 29 November 2022!
Join us on 29 November 2022, from 8:45 to 18:00 CET, at the Borschette Conference Centre in Brussels, Belgium, or online, for the first EDPS Supervision Conference, co-organised with Eurojust, the European Union Agency for Criminal Justice Cooperation, and the EPPO, the European Public Prosecutor’s Office.
This conference will focus on data protection in the field of criminal justice in the EU. We invite data protection experts, criminal law practitioners and policymakers to discuss the latest developments concerning the EPPO and Eurojust and their impact on the related data protection framework. We will also reflect on the EDPS’ role as supervisory authority for both bodies, and on ways to improve cooperation and compliance between the EDPS, Eurojust and the EPPO.
More details will follow. During the conference, we plan to focus on the following topics:
- the recent changes in Eurojust’s legislative framework and their impact on the way the agency processes personal data;
- a review of the first year of the EPPO’s operations, in particular the challenges and opportunities arising from its heterogeneous structure;
- the potential improvements in the governance model to make supervision more effective and better coordinated at European and national level.
Registration to attend the Supervision Conference, both in person and remotely, is now open! Register here.
More information can be found on the Supervision Conference webpage.
How are you protecting your personal data from phishing and ransomware attacks?
This October marks the 10th anniversary of European Cybersecurity Month! Held each year in October, this EU campaign is dedicated to promoting cybersecurity amongst EU citizens and organisations. On this occasion, the EDPS has produced two factsheets, one on phishing and one on ransomware, with tips on how to protect your personal data.
The number of phishing and ransomware attacks is growing, and these attacks are becoming more sophisticated, threatening both the functioning of and trust in the digital economy.
Introducing the cybersecurity campaign and EDPS factsheets in a short video, European Data Protection Supervisor Wojciech Wiewiórowski states that the General Data Protection Regulation has set the highest standards to safeguard individuals’ fundamental rights to privacy and data protection in the EU Member States. With this legislation, organisations operating in the EU must ensure an appropriate level of security of IT systems and embed data protection principles when developing and using technologies to process personal data. In fact, cyberattacks, such as phishing and ransomware, do not just concern big businesses and organisations, but can happen to anyone.
Phishing occurs when attackers trick you into handing over your personal data, for example by asking you to provide the usernames and passwords you use to access online platforms. Ransomware occurs when attackers take control of your IT systems, using malware or exploiting system vulnerabilities, and then demand a payment in exchange for restoring your access, or for not selling or publishing your personal data.
Both types of cyberattacks often start with a simple email, phone call or private message. Cybercriminals aim to impersonate a real organisation that you may be in contact with regularly, such as your bank or your energy provider.
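The impersonation described above leaves traces in the message itself: a display name that claims a trusted organisation while the sending domain does not match, a look-alike domain built from confusable characters, a Reply-To that diverts answers elsewhere, or link text that shows one host while the link points at another. The following script is an added example and is not part of the EDPS factsheets; the trusted-organisation list, the two sample messages and the character substitutions it checks are constructed assumptions for illustration.

```python
"""Flag impersonation indicators in an e-mail's headers and links.

Added example, not part of the EDPS factsheets. The trusted-domain list,
the confusable-character table and the sample messages are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: organisations the recipient deals with and their genuine domains.
TRUSTED = {"examplebank": "examplebank.eu", "energyco": "energyco.eu"}

# Characters attackers commonly swap in to build look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical(domain: str) -> str:
    """Collapse common substitutions so a look-alike compares equal to the real domain."""
    d = domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z0-9.]", "", d)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Display name claims a trusted organisation, but the sender domain is not its own.
    for brand, real in TRUSTED.items():
        if brand in from_name.lower().replace(" ", "") and from_dom != real:
            findings.append(f"display name claims {brand!r} but sender domain is {from_dom!r}")

    # 2. Sender domain is a look-alike of a trusted domain (equal after canonicalisation).
    for real in TRUSTED.values():
        if from_dom != real and canonical(from_dom) == canonical(real):
            findings.append(f"sender domain {from_dom!r} is a look-alike of {real!r}")

    # 3. Replies are diverted to a different domain than the one the mail claims to come from.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # 4. Link text shows one host while the href points at another.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown = re.search(r"https?://([^/\s]+)", text)
        target = urlparse(href).hostname
        if shown and shown.group(1).lower() != target:
            findings.append(f"link text shows {shown.group(1)!r} but points to {target!r}")
    return findings


# Constructed sample: a phishing mail impersonating the assumed bank.
PHISH = """\
From: ExampleBank Security <alerts@examp1ebank.eu>
Reply-To: support@mail-verify.example
To: customer@example.org
Subject: Urgent: confirm your account
Content-Type: text/html

<p>Log in at <a href="http://examp1ebank.eu/login">https://examplebank.eu</a></p>
"""

# Constructed sample: a genuine notification from the same bank.
LEGIT = """\
From: ExampleBank <notice@examplebank.eu>
To: customer@example.org
Subject: Your monthly statement
Content-Type: text/html

<p>See <a href="https://examplebank.eu/statements">https://examplebank.eu</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(sample) or "no indicators")
```

All four indicators fire on the constructed phishing sample and none on the genuine one. The checks are heuristics: a matching domain says nothing about whether the mail was actually sent by that domain, which is what SPF, DKIM and DMARC results on the receiving side answer, and a message can carry none of these indicators and still be malicious.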
With the EDPS’ factsheets, you can learn more about how these cyberattacks take place, as well as measures you can take before or after a cyberattack occurs to protect yourself and your data.
Time to inspect: EDPS audits three EU large IT systems
As part of its Annual Inspection Plan 2022, the EDPS audited, between 17 and 21 October, the data processing activities of the following three EU large-scale IT systems:
- Eurodac - an IT system holding fingerprint data that supports the processing of asylum applications;
- VIS - the Visa Information System, which supports the management of short-stay visas in the Schengen Area; and
- SIS II - the second-generation Schengen Information System, used to share information that supports the management of the EU’s borders.
These three large IT systems’ operations are managed by eu-LISA, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice.
Audits are one of the ways the EDPS verifies whether and how data protection law and principles are applied in practice within the EU institutions, bodies, offices and agencies (EUIs). When drawing up its Annual Inspection Plan, the EDPS selects the EUIs to inspect on the basis of various factors, such as a risk analysis of the EUI’s activities, the types and categories of personal data it processes, and whether complaints about it have been submitted to the EDPS. In addition, the EDPS is required to audit the EU’s large-scale IT systems at regular intervals.
During the audit, the EDPS checked, for each system, whether its recommendations from previous audits had been correctly followed and applied. This included reviewing measures related to IT security governance, security incidents and personal data breaches. The EDPS also reviewed the methodology and practices used to develop and test the systems, to verify that they are built in line with the principles of data protection by design and by default. Although these systems have been in production for a number of years, the audit team identified relevant improvements to be made in terms of data protection and security.
Concluding its audit, the EDPS audit team highlighted that they appreciated the fruitful collaboration with eu-LISA.
Have a look at our Audits’ page on the EDPS website to keep up to date with our latest audits!
To find out more about the EDPS Audit process, read our factsheet: “What to expect when we inspect?”
AI Convention: stronger protection of fundamental rights is necessary
In its Opinion published on 13 October 2022, the EDPS welcomes the opening of negotiations for a Council of Europe convention on artificial intelligence, human rights, democracy and the rule of law (Convention). The EDPS considers the Convention as an important opportunity to complement the European Commission’s proposed Artificial Intelligence Act by strengthening the protection of individuals’ fundamental rights, such as the rights to privacy and to the protection of personal data.
Wojciech Wiewiórowski, EDPS, said: “The Convention is an opportunity to develop the first legally binding international instrument on artificial intelligence according to EU standards and values on human rights, democracy and the rule of law. To achieve this, the Convention should include appropriate, strong and clear safeguards to protect individuals who may be affected by the use of AI systems”.
Historical archives: can an EUI derogate from upholding individuals' data protection rights?
The EDPS issued a Supervisory Opinion on the European Central Bank’s (ECB) processing of personal data for historical archives, on 5 October 2022.
The ECB supervises banks in the euro area and, where necessary, may process personal data in the course of that work, such as individuals’ financial information.
Under EU data protection law, EU institutions, bodies, offices and agencies (EUIs) are allowed to derogate from certain data protection rights of individuals, for example when personal data is processed for archiving purposes in the public interest, subject to certain conditions.
The EDPS’ main recommendations included in its Supervisory Opinion are the following:
- the ECB should ensure that it provides information to individuals about the subsequent transfer of their personal data to the historical archives at the same time as providing information about the processing of their personal data when it is initially collected;
- the ECB should clarify certain concepts, such as the concept of “sensitive personal data” envisaged for processing;
- contrary to what the ECB currently envisages, the right to data portability - the right of an individual to receive their personal data in a machine-readable format so that they can transmit it to another controller - should not be made subject to a derogation, since this right does not appear to apply in the archiving context at all;
- the ECB should seek the advice of its data protection officer before taking any decision to derogate from individuals’ data protection rights.
What misunderstandings do you have about Machine Learning?
Machine learning is a branch of artificial intelligence used to solve specific, narrowly defined problems, such as classification and prediction tasks. To do so, machine learning models are trained on relatively large volumes of data and then apply the patterns they have learned to produce their output. The performance of a model therefore depends heavily on the accuracy and representativeness of the data used to train it. In everyday life, machine learning models are found, for example, in social media, virtual personal assistants and self-driving cars.
The widespread deployment of machine learning in everyday devices may raise expectations, and possibly misconceptions, about what these models can do. For this reason, the EDPS, together with the Data Protection Authority of Spain, the Agencia Española de Protección de Datos (AEPD), has produced a short publication titled “10 Misunderstandings about Machine Learning”, published on 22 September 2022 and available for you to read here.
In just a few short pages, the EDPS and the AEPD aim to help you bust some of the myths linked to machine learning, such as:
- Are machine learning systems less subject to human biases?
- Can machine learning systems improve over time?
- How accurate and qualitative should the data used to train machine learning systems be?
This short publication is part of a long-standing collaboration between the EDPS and the AEPD, who jointly aim to dispel misunderstandings about technologies and their impact on data protection. Other publications in this series include “14 Misunderstandings with regard to Biometric Identification and Authentication” and “10 Misunderstandings related to Anonymisation”, which are also available on the EDPS website.
Read “10 misunderstandings about machine learning” to find out more.
EDPS orders Europol to erase data concerning individuals with no established link to a criminal activity
On 16 September 2022, the EDPS asked the Court of Justice of the European Union (CJEU) to annul two provisions of the newly amended Europol Regulation, which entered into force on 28 June 2022. The two provisions affect personal data operations carried out by Europol in the past. In doing so, they seriously undermine legal certainty for individuals’ personal data and threaten the independence of the EDPS, the data protection supervisory authority for the EU institutions, bodies, offices and agencies.
These new provisions, articles 74a and 74b, have the effect of legalising retroactively Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity. This type of personal data processing is something that the EDPS found to be in breach of the Europol Regulation, which it made clear in its Order issued on 3 January 2022 requesting Europol to delete concerned datasets within a predefined and clear time limit.
The EDPS notes that the co-legislators have decided to retroactively make this type of data processing legal, therefore overriding the EDPS Order.
EDPB & EDPS: “Lack of resources puts enforcement of individuals’ data protection rights at risk”
“We are deeply concerned that the 2023 budget, if not substantially increased, will be significantly too small to allow the EDPB and the EDPS to fulfil their tasks appropriately,” Andrea Jelinek, Chair of the European Data Protection Board (EDPB), and Wojciech Wiewiórowski, European Data Protection Supervisor (EDPS), write in an Open Letter, dated 12 September 2022, to the European Parliament and the European Council.
The EDPB budget forms part of the broader budget of the EDPS. The budget is proposed by the European Commission and approved by the European Parliament and the Council of the European Union (Article 314 TFEU). During the preparation of the general budget of the European Union for 2023, the EDPS made two consecutive budget proposals to the European Commission requesting an increase in staff and financial resources, to enable the EDPB and the EDPS to manage their expanding range of tasks and growing workload. The requested increase, which remained below the ceiling of the EU’s seven-year financial framework, was rejected by the European Commission.
Andrea Jelinek said: “The EDPB plays an essential role in the implementation of the General Data Protection Regulation (GDPR). There are high expectations regarding the GDPR’s success in reining in data protection abuses, especially by large tech companies. However, the EDPB Secretariat is currently understaffed and at risk of no longer being able to fulfil its legal duties at the service of the EDPB and of the GDPR. Should this happen, the enforcement of individuals’ data protection rights would be weakened and the credibility of the GDPR undermined.”
Wojciech Wiewiórowski said: “The public expects data protection authorities to deliver the promise of the GDPR. This also relies, however, on our ability to ensure effective cooperation and run robust cases, supported with high quality legal analysis. Current scarce resources create a serious obstacle - to the detriment of EU citizens. Our concerns have been echoed by civil society, academia and policymakers gathered at the EDPS Conference on The Future of Data Protection, which I take as a sign of acknowledgement of importance of adequate funding for the EDPB and the EDPS”.
Candidates' personal data in recruitment procedures
On 9 September 2022, the EDPS responded to a complaint from an individual claiming that they had not been granted access to their personal data in the context of a recruitment procedure organised by one of the EU institutions, bodies, offices and agencies (EUIs).
The complainant submitted that they were not granted access to a report including the reasons for which they were not selected for the pre-selection interview, and a report on their performance on exercises conducted during the assessment centre phase of the EUI’s recruitment procedure.
Whilst the EDPS considers that the information contained in these types of reports qualifies as the individual’s personal data, it concludes that the EUI in question did not violate the complainant’s right of access.
Explaining its reasoning, the EDPS notes that the EUI did not prepare reports setting out the evaluation criteria applied to select candidates for the pre-selection interview. There were therefore no such reports for any candidate to access at this stage, and the EUI had acted in line with its obligations.
Concerning the assessment centre phase of the recruitment procedure, the EDPS understands that, while the complainant did not receive access to a specific, separate report on their performance at that stage, they did receive a detailed report on their overall performance across the phases they took part in, including the assessment centre. The EDPS therefore considers that the complainant received sufficient information, and thus access to their data, about their performance during the phases of the recruitment procedure in which they participated.
EDPS services meet with the Secretariat of the European Parliament’s LIBE Committee
In its day-to-day work, the EDPS not only issues Opinions, Formal Comments, or Supervisory Opinions to EU institutions, bodies, offices and agencies (EUIs), but also collaborates with them by holding frequent meetings to take stock of data protection challenges and developments, as well as delivering training sessions and presentations.
As an example, representatives of the three data protection units of the EDPS met with the Secretariat of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 9 September 2022. The meeting was an opportunity to present our work as the data protection authority of the EUIs and independent authority providing legislative advice to the EU legislators.
We also provided updates to the LIBE Committee on our recent initiatives, including our Opinion on the proposal for the Artificial Intelligence Act jointly issued with the European Data Protection Board, as well as our latest initiative in technology monitoring, TechSonar.
The second part of the meeting focused on the supervisory activities of the EDPS, including the supervision of Europol’s data processing operations.
For the EDPS, such exchanges are always informative, and help strengthen its collaboration with our stakeholders.
EDPS attends roundtable of G7 Data Protection and Privacy Authorities
For the first time ever, the EDPS participated in a Roundtable of G7 Data Protection Authorities in Bonn, Germany, between 6 and 8 September 2022, at the invitation of the Federal Data Protection Authority of Germany.
This official event was organised by the Federal Data Protection Authority of Germany in the context of the German Presidency of the “Group of Seven”, an intergovernmental political forum consisting of Canada, France, Germany, Italy, Japan, the United Kingdom and the United States, as well as the European Union. The EU was represented by the EDPS, Wojciech Wiewiórowski, and the Chair of the European Data Protection Board (EDPB).
At the event, the G7 data protection authorities discussed a wide range of topics, including:
- the “data free flow with trust” concept;
- the intersection of privacy, competition and consumer protection;
- international data transfer tools;
- privacy-enhancing technologies and de-identified data;
- the use of principles of data minimisation and purpose limitation to meet the challenges of commercial surveillance;
- the role of privacy and data protection authorities in setting and promoting an ethical and cultural model for the governance of artificial intelligence.
Read the EDPS’s keynote speech, "Data Free Flow with Trust and international data spaces from an EU perspective", delivered during the event.
You can read more about the Roundtable of G7 Data Protection and Privacy Authorities on the website of the Federal Data Protection Authority of Germany, here.
Smart meters: who can access your metering and electricity consumption data?
Over the last few years, one of the aims of the EU and its Member States has been to find new ways to help EU citizens save energy, both to protect the climate and their wallets. To this end, the EU legislators adopted Directive (EU) 2019/944 in 2019, which requires Member States to implement certain electricity-saving measures, including the roll-out of smart metering systems.
A smart meter is an electronic device that measures energy consumption and exchanges the consumption data with energy suppliers and service providers, both to monitor the use of electricity and for billing purposes. Whilst a useful energy-saving tool, it presents risks for the protection of individuals’ personal data: fine-grained consumption data can reveal patterns and precise details of one’s private life, such as the periods during which an individual is on holiday or away from home, which show up as low or non-existent consumption over several days.
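The inference risk is easy to demonstrate on the readings themselves, and so is the minimisation measure that removes it. The script below is an added example, not part of the EDPS Formal Comments or TechDispatch: it constructs one week of half-hourly readings for a fictitious household, detects the multi-day stretch at standby-only consumption that betrays an empty home, and then shows the single per-period total that is all a supplier needs to issue an invoice. The reading interval, the consumption figures and the baseline threshold are constructed assumptions.

```python
"""Occupancy inference from fine-grained smart-meter readings, and the
data-minimised view that does not allow it.

Added example, not the EDPS' own material. The readings, the interval and
the thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=30)          # assumed meter reporting interval
START = datetime(2022, 8, 1, 0, 0)


def make_readings() -> list[tuple[datetime, float]]:
    """Constructed week of half-hourly kWh readings for one household:
    normal use on days 0-2 and 6, standby-only consumption on days 3-5 (away)."""
    readings = []
    for slot in range(7 * 48):
        day, half_hour = divmod(slot, 48)
        hour = half_hour // 2
        if day in (3, 4, 5):
            kwh = 0.05                    # fridge and standby devices only
        elif 7 <= hour < 9 or 18 <= hour < 23:
            kwh = 0.60                    # morning and evening activity
        else:
            kwh = 0.12                    # night-time and daytime base load while occupied
        readings.append((START + slot * INTERVAL, kwh))
    return readings


def absence_periods(readings, baseline_kwh=0.08, min_hours=24):
    """Return (start, end) spans in which every reading stays at or below the
    baseline for at least min_hours: the signature of a home with nobody in it."""
    spans, run_start = [], None
    for ts, kwh in readings:
        if kwh <= baseline_kwh:
            run_start = run_start or ts
            continue
        if run_start and ts - run_start >= timedelta(hours=min_hours):
            spans.append((run_start, ts))
        run_start = None
    end = readings[-1][0] + INTERVAL
    if run_start and end - run_start >= timedelta(hours=min_hours):
        spans.append((run_start, end))
    return spans


def billing_view(readings) -> float:
    """Data-minimised view: one total for the billing period. It is sufficient
    to invoice the customer and carries no information about when the home was empty."""
    return round(sum(kwh for _, kwh in readings), 2)


if __name__ == "__main__":
    data = make_readings()
    for start, end in absence_periods(data):
        print(f"home apparently empty from {start} to {end}")
    print(f"billing total for the week: {billing_view(data)} kWh")
```

On the constructed data the detector reports a single absence, from the start of day 3 to the start of day 6; the billing total cannot be inverted to recover it. Which granularity a given recipient may receive, and for how long the fine-grained series is retained, is precisely what the EDPS asks the Implementing Regulation to spell out.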
It is in this context that the EDPS issued on 24 August 2022 Formal Comments on the EU Commission’s Implementing Regulation on the access to metering and electricity consumption data by energy suppliers and related services, which is available on the EDPS website here. One of the aims of this Implementing Regulation is to allow participants of the electricity market, such as entities offering energy-related services to final customers, to have a mutual and clear understanding of the roles, responsibilities and procedures to access metering and electricity consumption data generated by smart meters.
The EDPS focuses its recommendations on the processing of individuals’ personal data by entities offering energy-related services to final customers. In its Formal Comments, the EDPS reiterates that, under the ePrivacy Directive, a smart meter can be considered “terminal equipment”, like a mobile device. As such, access to information stored in the terminal equipment requires, in principle, the consent of its user, unless such access is strictly necessary for the provider of an information society service to deliver a service explicitly requested by the user.
In addition, the EDPS sets out the following recommendations:
- it must be made clear in the Implementing Regulation for what purposes individuals’ metering and consumption data will be processed and for how long this data will be stored;
- the roles and responsibilities of the actors processing individuals’ metering and electricity consumption data must also be clarified in the Implementing Regulation.
Discover or re-discover the EDPS’ TechDispatch on Smart Meters, which explores in more depth the impact of this technology on data protection.
Speeches & Publications
- Speech of Wojciech Wiewiórowski at the Joint Parliamentary Scrutiny Group, European Parliament, Brussels, Belgium
- Speech by Wojciech Wiewiórowski at Forum for EU-US Legal Economic Affairs, the Mentor Group in Washington DC, US
- “Data Free Flow with Trust and international data spaces from an EU perspective”, Keynote Speech of Wojciech Wiewiórowski at the G7 DPA Roundtable 2022 in Bonn, Germany.