Our last newsletter of the year 2022 is out now! Read up on our latest conference on data protection in the field of criminal justice and on our Opinions, like the one on the EU Media Freedom Act. Learn more about which technologies should be monitored in 2023. And do not forget to follow us on EU Voice and EU Video, our two alternative social media platforms, which you can learn more about in this issue!
The Newsletter Digest
Are you following us on EU Voice and EU Video?
On EU Voice, you can find short posts about our work, such as our Opinions, latest Press Releases, and Consultations, which you can comment on to interact with us and other users, bookmark a publication, share with others, and more. On EU Video, you can find short informational videos on the EDPS’ activities, podcast episodes, as well as video recordings of some of our past events.
EU Voice and EU Video are two social media platforms that we launched in April 2022 as additional communication channels alongside our popular Twitter account, @EU_EDPS, and our LinkedIn account, EDPS - European Data Protection Supervisor. Both platforms are part of decentralised, free and open-source social media networks that connect users in a privacy-oriented environment, therefore prioritising their rights to privacy and data protection.
We cannot wait for you to engage with us on our new platforms. Register on Mastodon by subscribing to one of the available servers and follow us!
To find out more about the EDPS’ launch of the pilot phase of these two platforms and the strategy behind them, read our Press Release.
Supporting data protection officers
The EDPS-Data Protection Officers’ network meetings are crucial to enhance cooperation between the EDPS and DPOs, highlights EDPS Director Leonardo Cervera Navas in his blogpost, published on 6th December.
These meetings, held twice a year with the DPOs of the EU institutions, bodies, offices and agencies (EUIs), are an opportunity to acknowledge the hard and efficient work being done, and the challenges that may arise in the future in the field of data protection.
Amongst the multitude of topics discussed, the latest EDPS-DPO network meeting, held on 6 December 2022, focused on personal data breaches, handling individuals’ requests to access their personal data, and other practical guidance based on issues either encountered by data protection officers, or issues that have been subject to case law.
To maximise the interactivity of this meeting, workshops, activities and presentations were organised to facilitate discussions amongst DPOs and between DPOs and the EDPS. These exchanges provide helpful feedback from DPOs, which, in turn, contribute to informing the EDPS’ work when producing guidelines, organising training sessions and providing advice.
To find out more about the EDPS - DPO Network, read the blogpost written by EDPS Director Leonardo Cervera Navas.
IPEN Webinar: Central Bank Digital Currency
Should countries in the EU and beyond offer central bank digital currency in addition to traditional banknotes and coins?
Whilst 90 percent of central banks around the world have already explored a state-owned digital currency with different design choices, the European Central Bank has decided to start exploring this option by 2024.
Anticipating this, the EDPS organised an Internet Privacy Engineering Network (IPEN) webinar on Central Bank Digital Currency on 1st December 2022, during which our guest speakers - both data protection and technology experts - reflected on the privacy and technology challenges that this new mode of payment may pose.
Amongst the topics discussed, the IPEN webinar focused on the process of validating transactions. Namely, who would be involved in this process, what would be their role, and can this process ensure that the privacy of individuals making payments is protected?
Other topics explored during the workshop included the technology requirements necessary to develop a digital currency that is privacy compliant and effective; how to monitor and audit these technologies; and how to prevent the creation of “fake digital money”.
Missed the event? Curious to find out more? The video recordings of the event are now available in the agenda of the IPEN Webinar here.
Supervision Conference: data protection and criminal justice
On 29th November 2022, the EDPS co-organised with the European Union Agency for Criminal Justice Cooperation - Eurojust, and the European Public Prosecutor’s Office - EPPO, a conference on data protection in the field of criminal justice in the EU.
With approximately 200 participants attending the event, either remotely or in-person, guest speakers - composed of data protection experts, criminal law practitioners, and policymakers - shared their views on the following topics: the reform of Eurojust in the age of digitalisation; EPPO’s first year of operations; and how to supervise Eurojust and EPPO in a more effective way.
During the first session, distinguished guest speakers discussed how the amendments to the Eurojust Regulation, in addition to several legislative proposals, may impact Eurojust in its processing of personal data, including the possible implications these changes may have on personal data transfers to partners outside the EU and European Economic Area.
To keep momentum going, the second session zoomed in on EPPO’s first year of operations. EPPO is the first independent EU body mandated to investigate criminal offences against the financial interests of the EU. Whilst strategic decisions are centralised, investigative work is carried out by European Delegated Prosecutors according to national rules of criminal procedure. As such, exchanges focused on the coordinated approach that is required to effectively supervise EPPO’s data processing activities and the enforcement of individuals’ data protection rights.
The last session of the day explored how the EDPS, as the data protection authority of Eurojust and EPPO, together with competent supervisory authorities within the EU Member States, can ensure effective coordination and supervision of Eurojust and EPPO, in light of a complex and patchy enforcement landscape.
Catch up on the conference by streaming the video recording of the event available here.
EU-wide cybersecurity requirements to protect privacy and personal data
The EDPS published on 15th November 2022 its Opinion on a proposed Regulation laying down cybersecurity requirements for products with digital elements. Concretely, the proposed Regulation aims to set out EU-wide cybersecurity requirements for a broad range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters or routers.
Wojciech Wiewiórowski, EDPS, said: “The cybersecurity of products with digital elements is of utmost importance to protect effectively individuals’ fundamental rights in the digital age, including their rights to privacy and data protection. Harmonised cybersecurity requirements across the EU should reduce the risks for Europeans of being victims of cyber-attacks and of the vast consequences that these may entail, such as the theft and misuse of their personal data.”
EU Media Freedom Act: EDPS calls for better protection for all journalists and a ban on highly advanced military-grade spyware
In its Opinion published on 14th November 2022, the EDPS welcomes the objectives pursued in the proposed EU Media Freedom Act to protect media freedom, independence and pluralism across the EU. Media freedom is a precondition for the functioning of media services in the EU’s internal market and, more importantly, a key enabler for the rule of law and democratic accountability in the EU.
Nevertheless, the EDPS is concerned that the measures envisaged to protect journalists, their sources, and media service providers included in the proposed EU Media Freedom Act may not be effective in practice. In this respect, the EDPS’ recommendations are twofold. Firstly, to clarify that any journalist would benefit from the protection offered by the proposed Media Freedom Act. Secondly, to further define and restrict the possibility to waive the protection of journalistic sources and communications, particularly the exceptions related to the prohibition of intercepting communications using spyware or other forms of surveillance of media service providers.
2023: Which technologies are worth monitoring?
The 2022-2023 TechSonar report is now available!
Published on 10 November 2022, the TechSonar report delves into five technologies worth monitoring this upcoming year. These are: central bank digital currency; metaverse; synthetic data; federated learning; and fake news detection systems.
In a few pages, the EDPS’ technology champions provide you with a summary of each technology, its positive aspects, how this technology is used, but also its data protection challenges. The report also provides you with some further reading and links to further research, amongst other information.
Initiated in 2021, TechSonar was created to anticipate emerging technology trends. Its main purpose is to better understand future developments in the technology sector from a data protection perspective. This way, the EDPS can help guide the evolution of these technologies in a way that not only respects, but also protects individuals’ privacy and data protection rights.
The selection of technologies worth monitoring in the following year is achieved by using a methodology that the EDPS has adopted. This includes numerous phases: initial scouting of trends; collective brainstorming; collective review; publishing and advocacy; and continuous monitoring. A number of factors are also considered to select technology trends, for example: which technologies are the most studied, prototyped and used in countries around the globe; the relationship between different organisations that are using specific technologies; and which technologies are the most commercialised.
To find out more about the technologies worth monitoring in 2023 and some behind-the-scenes facts about TechSonar, read the TechSonar Report, available here.
EDPS Conference 2022: the report is out!
Missed the EDPS Conference, The future of data protection: effective enforcement in the digital world, held last June 2022? Our post-conference report is out now for you to re-live or discover this memorable event.
The report, available on the EDPS website since 10 November 2022, summarises key conversations, speeches, workshops, and breakout sessions. Topics covered include:
- whether effective enforcement is important for the General Data Protection Regulation to be successful;
- how enforcement works in practice;
- a discussion on structural limitations of current governance models;
- potential solutions to challenges related to enforcement.
With this report, the EDPS hopes to have captured the essence of a conversation on the future of data protection and effective enforcement, which has only just begun to unfold.
Donating organs and data protection
On 7 September 2022, the EDPS issued an Opinion on a proposal to regulate the quality and safety standards of substances of human origin for human application.
With this Proposal, the EU legislators aim to regulate the quality and safety standards of substances of human origin (SOHO) by harmonising oversight practices across the EU and EU Member States to facilitate the development of safe, effective and innovative SOHO therapies, procedures and treatment, including, for example, the donation of sperm, tissues, cells, embryos, and excluding solid organs.
The Proposal also aims to positively impact individuals’ fundamental rights, namely the right to health protection, privacy, non-discrimination and informed consent, based on the values of solidarity and altruism between donors and recipients.
The donation of substances of human origin involves the processing of both donors’ and recipients’ personal data, including their identity and health data. It is on this matter that the EDPS delivered its Opinion.
Whilst welcoming most measures linked to the processing of personal data that are included in the Proposal, the EDPS recommends that, amongst others, the EU legislators define the maximum duration for which personal data may be used.
The Proposal is founded upon voluntary and unpaid donations, and would require that individuals’ consent to donate substances of human origin is both informed and freely given. This means that individuals who wish to give their human substances should be able to do so freely, with the knowledge and understanding of how these will be used. Whilst the EDPS understands this ethical and legal requirement, he highlights in his Opinion that individuals’ consent to process their personal data and individuals’ consent to donate organs, or other human substances, are two different, separate types of consent. The EDPS recommended that this specific distinction be made clear in the Proposal.
Concluding its Opinion, the EDPS recommends that the Proposal clearly identifies the specific purpose for which data may be reused, if this became applicable.
Speeches & Publications
Speech by Wojciech Wiewiórowski at LIBE Committee in hearing on exchange of personal data between Frontex and Europol - Processing of Personal Data for Risk Analysis (PeDRA) project.
Speech by Wojciech Wiewiórowski in panel 'Vulnerable People, Marginalization and Data Protection', at Brussels Privacy Symposium organised by Brussels Privacy Hub (VUB) and Future of Privacy Forum (FPF)
Opening remarks by Wojciech Wiewiórowski at EDPS Conference on Supervision in the criminal justice area