In the June 2017 edition of the EDPS Newsletter we introduce you to our new-look Newsletter and cover the EDPS Opinion on ePrivacy, our continuing work on data ethics and the launch of our 2016 Annual Report, as well as many other EDPS activities.
In this issue
Welcome to the new-look EDPS Newsletter!
Following the launch of the new EDPS website in March 2017, the EDPS Newsletter has also undergone a makeover. By switching to a new online, mobile-friendly format, we hope to make our Newsletter more accessible and user-friendly, whether you are at home or on the move.
Readers should expect to receive the same content as before, but on a more frequent basis, as we endeavour to keep you better informed about our activities and other developments in data protection.
Data Driven Life
On 18 May 2017, the EDPS hosted a workshop on Data Driven Life. With the support of the Ethics Advisory Group (EAG), the workshop aimed to explore the positive and negative consequences of data-driven changes for society as a whole and how these changes might affect our ability to pursue our own life choices.
Attended by academics and practitioners from the scientific and research communities, the workshop focused on five areas in which data makes a big difference, with panels devoted to health and medical research, disaster response and risk management, the financial sector, democracy and smart cities.
This was the second workshop organised by the EDPS aimed at advancing the global debate on the ethical dimension of the digital revolution. Digital ethics will also be the core theme of the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC), to be hosted by the EDPS and the Bulgarian data protection authority.
The state of privacy 2017: EDPS provides mid-mandate report
As we reach the mid-point of the current EDPS mandate and continue the countdown to the General Data Protection Regulation (GDPR), the EU must build on current momentum to reinforce its position as the leading force in the global dialogue on data protection and privacy in the digital age, the EDPS said to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 4 May 2017, as he presented his 2016 Annual Report.
Giovanni Buttarelli, EDPS, said: “In March 2015 we launched the EDPS Strategy 2015-2019. It outlines three main goals for the current mandate and the actions required to achieve them. Though the publication of the GDPR on 4 May 2016 represented a big step towards achieving these goals, our work is far from complete. As we move into the second half of the current EDPS mandate, I intend to ensure that the aims outlined in our Strategy remain at the heart of all our efforts. This is particularly important in our work with the EU institutions and bodies, which must set an example that others can follow.”
EDPS calls for strong and smart new rules to protect confidentiality of communications
The General Data Protection Regulation (GDPR) represents one of the EU’s greatest achievements in recent years, but without a complementary and effective legal tool to protect the fundamental right to private life, of which the confidentiality of our communications is a vital component, the EU privacy and data protection framework remains incomplete, the EDPS said on 24 April 2017, as he published his Opinion on the ePrivacy Regulation.
Giovanni Buttarelli, EDPS, said: “I welcome and support the Commission’s ambitious attempt to provide for the comprehensive protection of electronic communications. The extension of confidentiality obligations to a broader range of providers and services is a particularly important step forward, which reflects recent technological developments and our changing relationship with technology. However, certain improvements are necessary if the Regulation is to deliver on the promise of a high level of protection for electronic communications.”
Preparing DPOs to lead by example: DPO-EDPS meeting in Tallinn
The 41st meeting of the EDPS and the DPOs from the EU institutions and bodies took place on 1 June 2017 at the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA), in Tallinn, Estonia.
With just under a year left until the new data protection framework becomes fully applicable, our focus in Tallinn was on ensuring that the EU institutions and bodies have the knowledge and resources needed to lead by example in their application of data protection law. Discussion therefore focused on the topics of individuals’ rights, Data Protection Impact Assessments (DPIAs) and accountability. These are important areas of change under the General Data Protection Regulation (GDPR), which it is safe to assume will also be reflected in the new Regulation for EU institutions and bodies.
The next meeting between the EDPS and the DPO network will be hosted by the European Medicines Agency (EMA) in London. In the meantime, we will continue to work closely with our DPO partners and provide them with guidance on transparency, rights and obligations, to make sure that they are ready when the new rules come into force.
On 19 April, EDPS Director Christopher Docksey and Head of the EDPS Supervision and Enforcement Unit María Verónica Pérez Asinari attended a ceremony to mark the beginning of a new era in the data protection supervision of Europol.
In accordance with the new Europol Regulation, on 1 May 2017 the EDPS took over responsibility for the data protection supervision of Europol. The new Regulation also provides for the establishment of a Cooperation Board, for which the EDPS will provide the secretariat. The Board will facilitate cooperation between the EDPS and national supervisory authorities on issues requiring national involvement.
In our new role, we will carry out a range of duties, including:
- inspections, which will be carried out in cooperation with national supervisory authorities;
- advising Europol on all matters concerning the processing of personal data;
- hearing and investigating complaints from individuals who consider their personal data to have been mishandled by Europol.
We are ready for this new responsibility and fully aware of the need to strike the right balance between security and privacy when dealing with data processing for the purpose of law enforcement.
The Digital Clearinghouse gets to work
The first meeting of the Digital Clearinghouse took place on 29 May 2017. The meeting provided regulatory bodies from different sectors and countries with an opportunity to exchange views on how to respond to the challenges of the digital era.
Regulatory bodies have the necessary tools to address questions relating to the concentration of market and informational power. Working together, enforcers of consumer and data protection law may be able to support antitrust authorities in their efforts by ensuring that mergers benefit the long-term interests of individuals and that dominant companies do not close down choice in the market or harm their customers, for example.
The meeting of the Digital Clearinghouse took place shortly after the European Commission hosted an exchange between existing networks of consumer enforcers (the CPC network) and the Article 29 Working Party (WP29). Building on the Commission’s initiative, our efforts aim to bring together the various strands of work already being carried out in this area and add value to existing projects.
Privacy-friendly policymaking made easier: EDPS issues the necessity toolkit
As part of our commitment to facilitating responsible and informed policymaking, the EDPS published a necessity toolkit on 12 April 2017. The toolkit is designed to help policymakers identify the impact of new laws on the fundamental right to data protection and determine the cases in which the limitation of this right is truly necessary.
Giovanni Buttarelli, EDPS, said: “The EU Charter of Fundamental Rights guarantees the right of every individual to data protection. Using an evidence-based approach, policymakers must be able to demonstrate that any planned limitation of this right, and any other rights that might be affected by the processing of personal data, including the right to privacy, is absolutely necessary, either to achieve an objective of general interest to all concerned or to protect the rights and freedoms of others. We believe the EDPS necessity toolkit will assist policymakers in doing this and therefore better ensure that the legislator remains accountable for its actions.”
In May 2017, a widely-publicised cyber-attack took place, gaining fame in the media under the hashtag #WannaCry. The attack caused damage in two steps: after infecting a computer system, the malware encrypted the data stored in that system and demanded a ransom payment in exchange for decryption (ransomware). To infect computer systems, the malware used code that had been stolen from an intelligence service.
While the high number of infected systems raised a lot of interest, a much larger number of systems were not actually affected by the malware. System owners who had applied a recent security update which closed the security loophole, or who had disabled the vulnerable functions, were not affected. System owners who had up-to-date secure backups of their data were able to restore their systems without paying any ransom.
In 2015, the EDPS warned that the use and collection of surveillance tools by state authorities should be subject to strict limitations. At ENISA’s Annual Privacy Forum, which took place in Vienna on 7 and 8 June 2017, Assistant Supervisor Wojciech Wiewiórowski reiterated this point: “The current attacks show that even state agencies cannot guarantee that their cyber weapons and their intrusive tools will not fall into the wrong hands and serve the criminals and attackers they were supposed to target. Many experts are expecting further attacks with other tools from the stolen collection, some of which may not yet be known to security experts.”
The attack should act as a wake-up call and highlight the importance of information security in ensuring that personal data is adequately protected. In March 2016, the EDPS issued guidance on the implementation of an Information Security Risk Management Process (ISRM). Though aimed specifically at the EU institutions, this guidance might also be applied to other organisations. As cybercrime becomes increasingly sophisticated, it is vital that those involved in collecting and processing personal data treat information security as an integral element of their data protection policy.
Engaging international organisations
International organisations must deal directly with the challenges and uncertainty of globalisation. They are therefore expected to play a leading role in improving international data protection standards. To help them do this, the EDPS, in collaboration with the International Office for Migration, organised our sixth workshop on data protection in international organisations, which took place in Geneva on 11 and 12 May 2017.
Discussion focused on the processing of health data, cloud computing, the role of data protection officers (DPOs) and international transfers under the GDPR. We also touched on the complex issue of the scope of application of the GDPR to international organisations, and the need for clarification on the provisions applicable in the case of data transfers.
The workshop highlighted the steps being taken by international organisations to encourage a culture of data protection in their organisations, as well as their desire to be held accountable. It was particularly encouraging to learn about new initiatives to provide for the independent supervision of data processing in their organisations. We look forward to following up on these discussions in future events.
EU Open Day a success for the EDPS
In celebration of Europe Day, the EU institutions opened their doors to the public once again on 6 May 2017. The annual EU Open Day provides the general public with an opportunity to learn more about the EU and its activities.
This year, the EDPS stand moved to the European Commission’s Berlaymont building. Throughout the day, EDPS staff were on hand to answer questions on privacy rights and the protection of personal information. Visitors were also able to test out our facial detection software, which determined their sex, age and mood.
The day was a great success, with a record number of people participating in the EDPS quiz and significant interest in both the activities on offer and the work of the EDPS. With the profile of data protection and privacy only set to increase over the coming years, the EDPS is already looking forward to welcoming people to our stand in 2018!
EDPS goes to Washington
A major priority in the Strategy for the current EDPS mandate has been to forge global partnerships on privacy and data protection and provide a stronger basis for consensus on data processing practices and technologies. With this in mind, EDPS Giovanni Buttarelli travelled to Washington DC in mid-April 2017 for a series of meetings relating to recent EU developments on migration, border management and security and the EDPS project on digital ethics.
In addition to meeting with representatives from NGOs, civil society and the Federal Trade Commission, the EDPS attended the Global Privacy Summit organised by the IAPP. While much discussion focused on the Privacy Shield, the EDPS was encouraged to note that businesses and legal practitioners also appeared fully engaged with the General Data Protection Regulation, which will apply from May 2018 to all organisations that target services at, or monitor, individuals in the EU.
This was the first EDPS visit to the United States since the inauguration of the new President and he faced many questions on how the strategic relationship between the EU and the US might develop in the coming years. Although the Administration is yet to confirm its position on privacy and several key privacy posts remain vacant, there are some encouraging signs, with billions of dollars being invested into research on privacy and privacy-enhancing technologies. The EDPS is determined to remain open-minded.
EDPS and FRA strengthen ties to improve data protection cooperation
On 30 March, EDPS Giovanni Buttarelli and Director of the European Union Agency for Fundamental Rights (FRA) Michael O’Flaherty signed a memorandum of understanding on increasing cooperation between the two organisations. The document not only reflects the close and constructive relationship the EDPS and the FRA already share, it also marks a common intention to better exploit synergies in our work and roles.
We are convinced that the rapport between data protection and privacy and other rights and freedoms under EU law is one of interdependence. Though the roles of our organisations are quite distinct, this memorandum of understanding should be seen as a statement of our determination to work in tandem to more effectively protect the rights and interests of the individual across all EU activities.
Speeches and Publications
Keynote speech, given by Giovanni Buttarelli at the FutureTech Congress, Warsaw, Poland (25 May 2017)
Speech, given by Giovanni Buttarelli at the 19th Meeting of the Central and Eastern European Data Protection Authorities (CEEDPA), Tbilisi, Georgia (17 May 2017)
Opening speech, given by Giovanni Buttarelli at the Data Protection within International Organisations Workshop, Geneva, Switzerland (11 May 2017)
“The state of privacy 2017: mid-mandate report”, speech given by Giovanni Buttarelli at the presentation of the 2016 EDPS Annual Report to the LIBE Committee of the European Parliament, Brussels (4 May 2017)