In the October 2018 edition of the EDPS Newsletter we cover the latest developments relating to the upcoming GDPR for EUI, the security of identity cards and copyright in the Digital Single Market.
The much-anticipated Regulation aligning data protection rules for the EU institutions with the General Data Protection Regulation (GDPR) is now just around the corner and the EDPS is getting ready for its adoption.
Evolutionary rather than revolutionary, the new Regulation will repeal and replace Regulation 45/2001. Though not anticipated to come into force before 11 December 2018, it has already earned its own special moniker: the GDPR for EUI - the General Data Protection Regulation for European Union Institutions. The GDPR for EUI not only requires an amendment to the legal basis, but also the implementation of new legal procedures.
As the supervisory authority for the EU institutions, it is our job to help facilitate the transition to the new Regulation, by providing training on the new rules and raising awareness about the changes. It is also essential that we review all public information and other relevant documents, including Guidelines, and update them to reflect the developments enacted by the GDPR for EUI.
We have already published Guidelines on risk assessments and data protection impact assessments (DPIAs), as well as on how to deal with any new obligations concerning transparency and information. Additionally, we are updating and drafting new documents on accountability, the role of Data Protection Officers (DPOs), administrative fines, restrictions on data subject rights and data breaches. Keep an eye out for updates on the EDPS website!
The EDPS will also run a special communications campaign on the GDPR for EUI in December, aimed at all EU staff members. We would like to reassure each and every EU institution that they will receive all necessary support and assistance from the EDPS in their transition to the new Regulation.
Consumer law and data protection can no longer afford to work in silos. The EU needs a big-picture approach to addressing systemic harms to individuals in digital markets, involving closer cooperation between enforcers in order to avoid legal uncertainty, the EDPS said, as he published his Opinion on the legislative package A New Deal for Consumers.
The package is composed of the Proposal for a Directive as regards better enforcement and modernisation of EU consumer protection rules and the Proposal for a Directive on representative actions for the protection of the collective interests of consumers. The Opinion follows consistent calls from the EDPS for coherent enforcement by authorities responsible for the digital economy and society, including consumer, data protection and competition authorities.
Giovanni Buttarelli, EDPS, said: “I support the aim of the Proposal to extend benefits to consumers who receive services without paying a monetary price. With ‘free’ the preferred price for many digital markets, the consumer should be protected irrespective of whether a contract under which a trade supplies or undertakes to supply digital content or services requires payment. Consumer law, like data protection law, needs to be effective in tackling any harm arising from the digitisation of people’s lives. Increasing the concentration and complexity of digital markets has diminished people’s ability, whether as consumers or as data subjects, to control their digital lives, including what happens to data about them. However, the solution is not to pretend that personal data is a mere economic asset. This means ensuring that there is no such reference to personal data in contract definitions for the supply of digital content or a digital service. Therefore, the safeguards under the Charter of Fundamental Rights and the GDPR must be upheld. Closer alignment between consumer and data protection will require policymakers, as well as regulators, to deepen their dialogue and mutual understanding.”
The EDPS has not let up on its pledge to train EU managers and staff members on the GDPR for EUI, the new data protection Regulation for EU institutions set to apply from 11 December 2018. First on the list was a visit to Stockholm for the annual meeting of the network of web managers from the EU agencies and bodies. This meeting provided us with an excellent opportunity to interact directly with the EU’s communication officers, providing advice on the data protection reform, as well as on new obligations concerning data protection practices on the web and social media.
Next up was Turin. At the request of the European Training Foundation’s (ETF) Data Protection Officer (DPO), two members of the EDPS Supervision and Enforcement Unit provided training for management and staff on the new Regulation. Attendees were not limited to the ETF - colleagues from other EU agencies in Italy also took part, including participants from the European Food Safety Authority (EFSA), the Joint Research Centre (JRC), and the European University Institute (EUI).
Concrete case studies and thought-provoking questions were central to the success of the two-day training in Turin. This motivated the participants to work together to solve tricky privacy problems, share their ideas and reflect on how to manage any new obligations required by the Regulation.
Just over a week later, on 1-2 October 2018, the same two EDPS representatives travelled to Luxemburg at the invitation of the Court of Justice of the European Union’s (CJEU) DPO. Over 400 guests attended the training session on the fast-approaching GDPR for EUI, with participants hailing from the CJEU, the Court of Auditors and the European Investment Bank, as well as from the European Council, Parliament and Commission. The session was web streamed and will be available to watch soon on the videos section of the EDPS website.
On 4 October 2018, we provided another two-hour training session to EU managers at the European Union School of Administration (EUSA). Once again, the session proved a success. Enthusiastic EUSA attendees asked a number of practical questions and are now in a stronger position to negotiate the new Regulation once it comes into effect.
We invite anyone working for the EU institutions and bodies to consider taking part in any future training events offered by the EDPS. We have already assisted hundreds of EU controllers and staff members - and we only want this number to increase over the coming weeks and months.
The EDPS has adopted an Opinion on whether Europol should serve as an accrediting body for law enforcement agencies (LEAs) looking to access personal data in the WHOIS database, the Internet’s Domain Name System.
Before the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, anyone registering a new domain name would have their personal data publicly displayed on the internet, through the WHOIS service. This included names, email addresses, phone numbers, and other forms of identifying information.
However, in order to adhere to the requirements of the GDPR, the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for the WHOIS service, has since called for registries and registrars to redact all personal data from publicly accessible WHOIS databases. This has caused problems for LEAs, who no longer have the easy access to the personal data of domain name registrants that they once had. Agencies looking to access WHOIS datasets now need to conclude formal legal procedures to get their hands on the relevant information.
In the search for a solution to the administrative burdens and long delays now facing LEAs, ICANN and the Article 29 Working Party (now the European Data Protection Board) have opened up a debate on how to improve LEA access to the WHOIS database. The possibility was raised that Europol, the EU’s law enforcement agency, might play a role here, by acting as a law enforcement accreditor. This would involve providing assurances to registries and registrars that the EU LEAs looking to access WHOIS records are indeed legitimate authorities.
In our Opinion, we recommended that Europol could act as a law enforcement accreditor, so long as the activity falls within Europol’s mandate, as a support authority for the Member States. On the grounds that acting as an accrediting body would not actually involve the processing of any personal data - Europol would merely provide confirmation that an LEA is legitimate - we saw no reason as to why it should not act as such a facilitator.
In April 2018, the European Commission published a Proposal for a Directive on rules facilitating the use of financial information for law enforcement purposes, building on the work started in the 2015 Anti-Money Laundering Directive. Among other things, the Proposal aims to provide competent authorities with direct access to information held in centralised bank registries or data retrieval systems. It also aims to facilitate cooperation between Financial Information Units (FIUs). The goal is to prevent and combat serious crime, specifically money laundering and terrorist financing, more effectively.
On 10 September 2018, the EDPS published formal Comments on the Proposal, which took note of the concerns expressed by the Commission’s Regulatory Scrutiny Board relating to the scope of the initiative. Since the Proposal seeks to extend the exchange of information to include serious crimes, law enforcement agencies (LEAs) would have increased access to individuals’ financial information. We therefore identified a need for the Commission to better clarify the scope of the initiative. This would include providing clear definitions on the authorities mentioned within the text, including designated competent authorities, tax authorities, and anti-corruption agencies. A thorough examination of how EU data protection rules apply to the Proposal is also needed.
We also noted that the collection and processing of some sensitive personal data does not appear necessary for the anti-money laundering purposes outlined in the Proposal, while welcoming the requirement that the processing of this data can only be carried out under the instruction of a Data Protection Officer (DPO).
Lastly, we raised concerns relating to the right to information. The Proposal contains no provisions ensuring the right of individuals to be informed about the processing of their personal data in centralised bank account registers, nor about exchanges of their data. Whilst recognising that rights may be limited in the context of criminal investigations, they should not be denied entirely. At some point, they should be informed.
What happens next? The Proposal is currently awaiting the decision of the European Parliament’s LIBE Committee. The EDPS will continue to keep a keen eye on any future developments.
Back in August, we issued an Opinion on the Commission’s Proposal for a Regulation seeking to strengthen the security of identity cards and other documents issued to EU citizens and their families who exercise their right to free movement within the EU. The goal is to improve the security features of EU citizens’ identity cards and non-EU family members’ residence cards.
Our Opinion states that the Proposal does not sufficiently justify the need to process two separate types of biometric data (facial images and fingerprints), as the stated purposes could be achieved using a less intrusive approach.
The Proposal would have an impact on up to 370 million EU citizens, potentially subjecting 85% of the EU population to mandatory fingerprinting requirements. Taking into account this wide scope and the sensitive nature of the data involved, the necessity of the measures proposed must be clearly demonstrated. Moreover, explicit safeguards must be established to ensure that implementing the Proposal at national level does not lead to the setting up of national fingerprint databases.
While the storage of fingerprint images does enhance the way in which EU databases communicate and exchange information - known as interoperability - it also increases the amount of biometric data that is processed, which inflates the risk of impersonation in the case of a personal data breach. Accordingly, the EDPS recommends limiting the fingerprint data stored in the chip of residence documents significantly, to include only a subset of the characteristics extracted from the fingerprint image.
Finally, the EDPS advocates setting the minimum age limit for collecting children’s fingerprints under the Proposal to 14 years old. This is in line with the approach taken in other instruments of EU law.
On 10 July 2018, the EDPS issued an Opinion on the European Commission’s Proposal for a new Directive on the re-use of Public Sector Information (PSI). In proposing to amend the current Directive, the Commission is looking to facilitate the re-use of PSI throughout the EU - including legal, traffic, meteorological, economic and financial data - by harmonising the basic conditions for re-use.
Our Opinion provides specific recommendations on how to clarify the relationship between the PSI Directive and the exceptions outlined in the GDPR. It also addresses the issue of how to deal with the cost of data anonymisation and the use of data protection impact assessments (DPIAs) for sensitive sectors, such as healthcare.
In particular, we specified that specific wording be used to better clarify the coherence between the PSI Directive and the GDPR. Furthermore, due to the high costs associated with anonymising personal data, we suggested that every organisation falling within the scope of the PSI Directive should be able to charge for anonymisation expenses.
The EDPS also stressed the importance of protecting the rights of individuals. Whilst it may be true that more data than ever is generated and processed by machines, much of it still falls within the definition of personal data. As such, we specifically highlighted the various challenges that arise in trying to differentiate between personal and non-personal data.
On 3 July 2018, the EDPS issued formal Comments on Article 13 of the Proposal for a Directive of the European Parliament and of the Council regarding copyright in the Digital Single Market.
After careful examination, the EDPS welcomed the efforts made in Article 13 of the Proposal to restrict any interference with fundamental rights - including the rights to privacy and data protection - while at the same time safeguarding copyright. Likewise, the EDPS welcomed the inclusion of a personal data minimisation requirement, as well as references to the EU Charter of Fundamental Rights and to the GDPR.
However, whilst recognising that the provisions of the Proposal do not mandate a general surveillance of internet activity, it could present a risk if the measures taken are not appropriate and proportionate. As such, we advised that strict scrutiny of Member States’ transposition of the Directive and the measures taken by service providers and the right holders be considered. The GDPR would also be applicable, as the Proposal would almost certainly involve the processing of personal data, specifically in relation to the measures required from content sharing service providers.
As a final point, the EDPS recommended that the co-legislator reflect on the practical consequences of the obligations created in Article 13 of the Proposal. This includes the risk of interference with fundamental rights and the potential for distorting competition in ways that would harm these rights. EU law should ensure a vigilant implementation of the Directive and the implementation of relevant safeguards, such as data protection by design.
The European Parliament adopted its negotiating position on 12 September 2018. Negotiations have now begun with the Council and an agreement in expected in early 2019.
Though they may be exempt from national laws, including those relating to data protection, international organisations are influential advocates for the development of a privacy culture. Their position means that they are able to spread knowledge about data protection and privacy in parts of the world where, for various reasons, it has not necessarily been high on the agenda.
The EDPS supports international organisations in their efforts to develop their own data protection frameworks and to share knowledge and experience with one another. An important part of this work takes place as part of a series of workshops; an initiative launched by the EDPS in 2005.
In July 2018, Assistant Supervisor Wojciech Wiewiórowski participated in the seventh edition of this workshop, which the EDPS had the pleasure of co-organising in Copenhagen alongside our hosts, the Office of the United Nations High Commissioner for Refugees.
The workshop focused on a range of topics. These included privacy standards and oversight mechanisms for international organisations, how to put the principle of accountability into practice, international transfers and the legal grounds for processing personal data in the international organisations context.
Throughout our discussions there was a common determination to make data protection part of the working culture of international organisations and to ensure that these organisations are held accountable. I have no doubt that the fruitful dialogues initiated at this workshop will lead to further collaboration between international organisations as they continue to develop their approaches to data protection. The EDPS will continue to lend our full support to this effort.
On 8 October 2018, the EU Agency for Network and Information Security (ENISA) teamed up with the European Digital SME Alliance and the Hellenic Data Protection Authority to co-host a workshop on data security. The Security of Personal Data Protection workshop, held in Athens, was a follow up to another workshop on the security of personal data processing that took place earlier in the year in Rome, also aimed at SMEs.
The EDPS, represented by Dina Kampouraki from the IT Policy team, was invited to chair a panel entitled Personal Data Breaches: What an SME Should Do/Know. The panel discussed obligations regarding the notification of personal data breaches both to supervisory authorities and to data subjects (Articles 33 and 34 of the GDPR).
The discussion pinpointed a number of privacy-related challenges that SMEs are facing after the introduction of the GDPR. For instance, the panel considered the need to observe the timeframes in reporting data breaches, the complexity of the legislation for small businesses, and the costs of training to make sure that all employees are familiar with the new rules.