Newsletter (102)


Newsletter (102)

With summer time bringing its plethora of data protection and privacy conferences, May has been busy for the EDPS. As per tradition, we attended CPDP, the Annual Privacy Forum, but also organised our own Conference for the 5th anniversary of the GDPR. In this newsletter, you can also read about our latest Opinions. This issue is also part of our podcast series, the Newsletter Digest.

Have a listen now!

Explainable Artificial Intelligence needs Human Intelligence

IPEN event logo with statue, lightbulb, AI, Open Brain

Modern Artificial Intelligence (AI) models often work as opaque decision-making engines (black boxes); reaching conclusions without much transparency or explanations on how a given result is obtained. In an era where AI has become an integral part of our lives, where recruiters, healthcare providers, and other fields, rely on this tool to make decisions impacting individuals, understanding the way AI works is essential.

Could Explainable Artificial Intelligence, or XAI, be a way forward, a potential solution? But, what is XAI, how does it work in practice? What are its benefits, but also its risks, its relationship with data protection? What impact may XAI have in the years to come?

These are some of the questions that our distinguished guest speakers and experts tackled during the EDPS’ Internet Privacy Engineering Network (IPEN) hybrid event, chaired by EDPS Director Leonardo Cervera Navas.

IPEN, established almost 10 years ago by the EDPS, brings together data protection and technology experts, as well as other pertinent actors, to discuss relevant challenges of embedding data protection and privacy requirements into the development of technologies.

To find out more about XAI, its benefits, but also risks, and relationship to data protection, check out the video recordings of the IPEN event. You can also read the EDPS Director’s blogpost summarising his reflections on XAI.

A special day: the GDPR’s Birthday


Did you know that the General Data Protection Regulation (GDPR) came into force 5 years ago, on 24th May 2016?

On this occasion, the EDPS together with the German Federal Commissioner for Data Protection and Freedom of Information and the Bavarian Data Protection Commissioner organised a special event: “5th Anniversary of the GDPR: Still a benchmark in the EU digital landscape?”

With more than 300 attendees, in addition to distinguished speakers, the event sustained much interest, during which many pertinent discussions flourished, including a panel discussion on assessing whether the GDPR has and is delivering on its aims, promises and expectations, and potential area of improvements.

At the event, speakers and participants focused on the GDPR’s practical functioning and enforcement, and discussed its place regarding the digital rulebook, a new regulatory framework, which includes the Digital Markets Act, the Digital Services Act, and the future Artificial Intelligence Act, for example.

Missed the event or want to re-watch some of the panels or keynote speeches? The video recording of the full event is now available on the EDPS website.

CPDP 2023: Ideas that drive our digital world

CPDP: Ideas that drive our digital world

“Ideas that drive our digital world” was the topic of this year’s 16th International Conference on Computers, Privacy and Data Protection (CPDP), which took place in Brussels, on 24-26 May 2023.

CPDP is one of the leading data protection and privacy conferences in Europe and around the world. It is a platform that triggers in depth discussions and innovative ideas to ensure data protection.

The conference, held each year, gathers academics, lawyers, practitioners, policy-makers, industry and civil society from all over the world to discuss and exchange ideas on the latest emerging issues and trends in the data protection and technology fields.

As per tradition, EDPS colleagues were also present; sharing their views and expertise by participating in key panel discussions held. This included a panel on enforcement of data protection by design and default, which explored the consequences for the uptake of privacy-enhancing technologies in the EU, panels on targeted and behavioural advertising, a workshop on the right of access to police databases to name a few examples.

Concluding this CPDP edition, the European Data Protection Supervisor, Wojciech Wiewiórowski, highlighted that when it comes to protecting individuals’ fundamental rights to privacy and data protection, context matters, because what is deemed to respect privacy in one situation can sometimes be deemed as its utter disrespect in another. The emerging ideas that drive our digital world are continuously changing the context, he stated as final remarks.

Read the Supervisor's concluding remarks made at CPDP, available here.

Time for a break? Grab an espresso with #teamEDPS

person sitting behind a computer

Curious to find out more about what it is like to work for a small and dynamic EU institution like the EDPS?

Meet Ute, Dina, Stefano and Julia from the EDPS! In a short series of videos, they will tell you more about their career path, their work and the tasks that they do to help protect your personal data, and what makes the EDPS so special.

Find out more about our German colleague, Ute, who conducts and coordinates data protection audits. She has been working for the EU institutions for over 20 years and never ceases to be amazed by the diverse people she comes into contact with in her day-to-day work.

Learn more about Dina, who is a Technology and Privacy Officer at the EDPS, from Greece. Her job is to analyse the privacy risks that new technologies may pose. During her time at the EDPS, she enjoys developing and learning new skills through the various training opportunities that the institution has to offer.

Stefano, our cat lover from Italy, started working at the EDPS as a trainee. After passing an EPSO competition, he joined the EDPS as a full-time employee. Since then, he has been able to come up and orchestrate new projects at the EDPS, like TechSonar, which studies upcoming technology trends.

And then there is Julia, who is an Information and Communication Officer at the EDPS, from France and the United Kingdom. What she enjoys the most about working at the EDPS is the ability to take on a variety of tasks. She also values the work-life balance the institution promotes; this has allowed her to learn a new language.

Contrary to what you might think, the EDPS is not just for lawyers. Our institution also employs Human Resources’ professionals, Technology Specialists, Communication Experts, and Policy Advisers who contribute to its functioning. Want to find out more about the people behind the EDPS? Read about colleagues’ experiences here.

How the EDPS and DPO network cooperate with each other


What is a data protection officer (DPO) and how do they help protect your personal data?

Most public and private organisations or entities in the EU have a DPO. According to the data protection rules applicable to EU institutions, bodies, offices and agencies (EUIs), all of them must have a DPO.

For the EDPS, DPOs are the true guardians of data protection in practice. With their work, DPOs build the bridge between organisations and citizens, by providing practical advice on how to ensure compliance with data protection law.

Part of the EDPS’ job, as a supervisory data protection authority of the EUIs, is to support DPOs in their work, which it does, by, for example, providing guidance and training sessions, discussing topics in roundtables and organising bi-annual meetings each year.

This year was no exception. After meeting earlier in December 2022, the EDPS and the network of EUIs’ DPOs met again this 12th May 2023 for its 52nd meeting to take stock of the work done, the progress made, as well as the challenges that lie ahead on diverse matters permeating to data protection. At the EDPS’ request, a small group of DPOs was actively involved in the preparation of the meeting.

Up high on the agenda was the complex issue of transfers of personal data outside the EU/European Economic Area, for which a dedicated session was planned. This was followed by a series of workshops; presentations the EDPS’ pilot projects Nextcloud and the use of Open Source Software; our alternative social media platforms, EU Voice, and EU Video, which were especially important because EUIs have the chance to play a unique role in paving the way to a more sustainable approach to the use of technology.

You can read more about the 52nd EDPS-DPO meeting and cooperation in a blogpost, written by EDPS Director, Leonardo Cervera Navas.

Introducing TechDispatch Talks!

techdispatch talks

Do you make contactless payments when you go to the grocery store, or pay for goods online?

The answer is most likely to be yes, because digital payments are increasingly growing and are even expected to rise by 11.8 percent by 2027. As a response to the fast-adoption of digital, contactless, cryptocurrency or e-commerce payments, central banks from around the world are exploring the possibility of launching their state-owned digital currency in addition a more traditional form of payment, bank notes and coins.

What lies ahead for digital currencies, and how will these influence individuals’ fundamental rights, such as privacy and data protection?

These are some of the questions that Stefano Leucci, Legal Officer at the EDPS, tackles in a new EDPS podcast series, titled TechDispatch Talks, available here.

TechDispatch Talks discusses new and emerging technologies and their impact on data protection.

Stay tuned for new episodes soon, and listen to Episode 1 now.

International Agreements to fight crime require strong data protection safeguards


The EDPS has issued five Opinions on the European Commission’s Recommendations to open negotiations for International Agreements on the exchange of personal data between Europol, the EU Agency for Law Enforcement, and the competent authorities of five Latin American countries: EcuadorBrazilPeruBolivia, and Mexico to fight serious crime and terrorism.

The EDPS Opinions aim to provide advice on further developing data protection safeguards in these future International Agreements so that individuals’ personal data is protected according to EU standards.

The EDPS recommends that the future International Agreements explicitly list the criminal offenses and purposes, for which individuals’ personal data may be exchanged. The International Agreements should also provide for a periodic review of the time during which transferred personal data is stored, and to put in place appropriate measures to ensure that these time periods are respected. The EDPS also notes that additional safeguards are put in place for special categories of data (such as personal data revealing ethnic origin or sexual orientation), as well as in the case of automated processing.

Taking into account the risks associated with transfers of personal data from a country outside the European Union/European Economic Area to Europol, especially in light of Europol’s extension of powers in its updated Regulation, the EDPS recommends that the future International Agreements explicitly exclude transfers of personal data that has been obtained in violation of human rights.

Read Press Release

Read Opinions: EcuadorBrazilPeruBolivia, and Mexico

Road Safety and Privacy

road safety

The EDPS issued on 25 April 2023 three Opinions on three Proposals of the European Commission that are part of the “Road Safety package”. This includes a Proposal on cross-border exchange of information concerning road-safety-related traffic offenses; one on driving licences; and one on a new proposed Directive on the EU-wide effect of certain driving disqualifications concerning major offenses related to road safety.

Wojciech Wiewiórowski, EDPS, said: “I welcome this set of Directives as a way to promote further road safety and facilitate the free movement of individuals across the EU. Handling personal information for these purposes must be done in compliance with EU data protection law, especially in the context of cross-border investigations of road-safety-related traffic offences. Access to driving licence data by public authorities should be properly defined and limited to what is strictly necessary and proportionate. The proposals need to be amended to ensure that this is the case.”

Read the EDPS Press Release

Read EDPS Opinions

Fame vs Privacy : data protection dilemna for Gen Z and Gen Alpha


Have you listened to our three-part podcast series Fame vs Privacy? It’s a podcast series that delves into what data protection means to Gen Z and Gen Alpha digital users.

In just a few episodes, the podcast series explores a wide range of topics: from the Digital Services Act and how it can influence the future of Big Tech companies, to how targeted advertising can affect Gen Z and Gen Alpha, and the risks that social media can have on young people.

You will also hear more about some of the potential solutions that the EDPS is promoting, such as alternative social media platforms, to help digital users stay safe online.

Have a listen now!

Listen to Episode 1: 15 seconds of fame for loss of personal data. What does data protection mean to GEN Z and GEN Alpha digital users?

Listen to Episode 2: How to combat emerging risks targeting vulnerable users of social media?

Listen to Episode 3: Alternative social media platforms vs future challenges for policymakers

Speeches & Articles


Keynote Speech by Wojciech Wiewiórowski at the ENISA Annual Privacy Forum 2023 in Lyon, France.

"Protecting Privacy on a continuous orbit" - Wojciech Wiewiórowski's Closing Remarks at CPDP 2023, Brussels, Belgium.

Keynote by Wojciech Wiewiórowski at the Datenschutzkongress 2023, Berlin, Germany.