What's in store for newsletter #105? In this issue, CSAM: the point of no return? EDPS actions on Artificial Intelligence, the digital euro, how to be smarter than a hacker? And more diverse topics to read now. This issue is also part of our podcast series, the Newsletter Digest.
In this issue
CSAM proposal: the point of no return?
Following the EDPS - EDPB Joint Opinion and other past and recent developments on the EU legislators’ proposed Regulation on the topic of Child Sexual Abuse Material (CSAM), the EDPS organised an exclusive Seminar to discuss this topic.
The CSAM Proposal aims to prevent and combat child sexual abuse online by detecting the dissemination of child sexual abuse material and grooming. Whilst there is a consensus about the paramount importance of this task, many stakeholders question the effectiveness, necessity and proportionality of the proposed measures.
With more than 300 people attending in person or remotely, from academia to governmental organisations, the first part of the Seminar focused on the main issues at stake in the CSAM Proposal and analysed the substantial criticism it has received.
The second part of the Seminar aimed to tackle specific aspects of the Proposal, such as the use of detection orders as a proposed way of combatting the dissemination of child sexual abuse material online. Participants discussed, amongst other things, the accuracy and legality of these detection orders.
Taking stock of the main remarks made on the CSAM Regulation and its implications, the third part of the Seminar explored alternative ways forward, for example by looking at the approaches other countries have chosen to deal with this societal problem.
Looking for more detailed information? Read the EDPS’ Opinion on combatting child sexual abuse and the EDPS-EDPB Joint Opinion on Child Sexual Abuse Material.
EDPS in action: data protection and artificial intelligence
With Artificial Intelligence (AI), the digital landscape is evolving. As the data protection authority of the EU institutions, bodies, offices and agencies (EUIs), it is the EDPS’ aim to ensure that AI technology is developed in a human-centric and sustainable way, respecting the rights to privacy and data protection.
The EDPS’ commitment to making AI embody the EU’s values and principles, especially those related to privacy and personal data protection, has only accelerated in the last few years.
Most recently, in October 2023, the EDPS issued its Final Recommendations on the AI Act.
The AI Act aims to regulate the development and use of AI systems in the EU, including in the EUIs. With this Opinion, the EDPS provides specific suggestions focusing on the EDPS’ future tasks as the authority in charge of overseeing AI systems in the EUIs.
Also in October, the EDPS published its Opinion on two directives on AI liability rules. The EDPS’ remarks focus on making sure that individuals who suffer damages caused by AI systems used by EUIs are protected in the same way as individuals who suffer damages caused by AI systems used in the private sector.
Additionally, the EDPS has worked on other initiatives relating to AI, including with other data protection and privacy authorities on the topic of Generative AI.
This #CyberSecMonth, be smarter than a hacker
Whilst adopting habits and measures to keep personal data safe should not just happen during October but all year round, the EDPS has gathered some of its advice to raise your awareness this Cybersecurity Month, with a focus on social engineering techniques.
This October, meet Finley and Amari, the main characters of our brand new comic to learn more about the social engineering technique of pretexting.
Did you know that pretexting consists of creating a fake, yet plausible, scenario to gain someone’s trust and trick them into sharing sensitive information, downloading malware, sending money to criminals, or otherwise harming themselves or the organisation they work for? In our comic, you can find out what to do, and, importantly, what not to do to protect yourself from this type of technique.
Looking to learn how to recognise other types of social engineering techniques so that you do not give away personal data?
This month, we have also explored the topics of ransomware, phishing and, more generally, a hacker’s possible course of action, to help you spot suspicious behaviour or activity and protect yourself and the organisation you work for.
And the winner is... TechSonar
The EDPS’ TechSonar reports on emerging technologies won the Global Privacy Assembly Award 2023 of the Innovation Category.
Upon receiving the award at the annual Global Privacy Assembly’s conference in Bermuda on 16-20 October 2023, which brings together 130 data protection and privacy authorities from across the globe, the European Data Protection Supervisor expressed his gratitude and pride that TechSonar, initiated in 2021, is recognised as a forward-looking project. The creation of TechSonar stems from the important need to anticipate technologies, to act in advance, instead of reacting to new emerging technologies, to make Europe more resilient to the evolving digital landscape, he stated.
With each TechSonar report, EDPS experts in foresight and technologies seek to identify and understand the trajectory of key technology trends and developments, and their impact on individuals’ privacy and data protection rights. Its latest edition, available here, covers Fake News Detection, Central Bank Digital Currency, the Metaverse, Federated Learning, and Synthetic Data.
Digital euro: ensuring the highest data protection and privacy standards
On 18th October, the European Data Protection Supervisor and the European Data Protection Board (EDPB) issued a Joint Opinion on the proposed Regulation on the digital euro as a central bank digital currency. The digital euro aims to give individuals the possibility to make payments electronically, both online and offline, as an additional means of payment alongside cash.
The EDPB and the EDPS acknowledge that the proposed Regulation addresses many data protection aspects of the digital euro, notably by including an offline modality to minimise the processing of personal data. In particular, the EDPB and the EDPS strongly welcome that digital euro users will always have the choice to pay in digital euros or in cash. At the same time, the EDPB and the EDPS make several recommendations to better ensure the highest standards of personal data protection and privacy for the future digital euro.
EDPS Supervisor Wojciech Wiewiórowski said: “We welcome and support the commitment in the proposed Regulation to ensure high levels of data privacy for the use of the online digital euro, and an even higher level of protection for the use of the offline digital euro. In our Joint Opinion, we suggest further improvements to ensure that the rights to privacy and to the protection of personal data are effectively preserved. In particular, we make recommendations to ensure that only the necessary personal data of users of the digital euro is processed, and to avoid excessive centralisation of personal data by the European Central Bank (ECB) or national central banks.”
Preventing and fighting harassment
Our recommendations focus on the possible restriction of individuals’ privacy and data protection rights when their personal data is processed by the Chief Confidential Counsellor and confidential counsellors of the European Commission to prevent and fight against psychological and sexual harassment.
Restricting individuals’ privacy and data protection rights, such as their right to information, access, or rectification of personal data, is only permitted under exceptional circumstances.
In its Supervisory Opinion, the EDPS points out ways to ensure better compliance with Regulation (EU) 2018/1725, also known as the EUDPR, the data protection regulation for the EU institutions, bodies, offices, and agencies (EUIs). As a general rule, and in this specific context, the EDPS suggests that the data protection officers of EUIs be consulted prior to any decision to restrict individuals’ privacy and data protection rights, and that the individuals concerned be informed why such restrictions are put in place. In addition, individuals should also be informed when these restrictions no longer apply. We further recommend that the affected individuals be informed of their right to lodge a complaint with the EDPS if they consider that their privacy and data protection rights have been infringed upon.
You can read the full list of recommendations made by the EDPS in its Supervisory Opinion to the European Commission here.
Is your EUI planning to restrict individuals’ privacy and data protection rights in upcoming decisions? Read our advice here.
We have also written dedicated guidelines on the restriction of individuals’ privacy and data protection rights in the context of preventing and fighting harassment.
The GDPR, a moral compass for data spaces in the EU?
By 2025, the data economy will represent 6 percent of the EU’s gross domestic product, equating to 830 billion euros, predicts the European Commission. With such an impact, it is crucial to foster an environment allowing the data economy to thrive whilst ensuring that individuals’ fundamental rights, including their rights to privacy and personal data protection, are respected.
To reflect on this delicate dynamic, the EDPS was invited on 2nd October by ENISA, the European Cybersecurity Agency, and AEPD, the Agencia Española de Protección de Datos (the Spanish Data Protection Authority), to contribute to and moderate discussions on:
- the role of the General Data Protection Regulation (GDPR) in the context of data spaces;
- the intricacies of the European Health Data Space.
The outcome of the exchanges the EDPS held with experts, policymakers, industries and other stakeholders was clear: as we move to a data-centric future, the GDPR must serve as a compass to guide us on how to use data in a responsible way that benefits EU citizens first, in order to foster trust in these data spaces.
Cybersecurity in the EU institutions
Soon, a new Cybersecurity Regulation for EU institutions, bodies, offices and agencies (EU institutions) will come into force.
Here are some of the key points on which the EDPS has been raising EU institutions’ awareness, to ensure that they are prepared.
- EU institutions will have a limited timeframe to comply with certain obligations, for example to establish cybersecurity frameworks, conduct cybersecurity risk assessments, draw up cybersecurity plans, and conduct maturity assessments.
- In addition to naming a Data Protection Officer under the data protection regulation currently in force, Regulation (EU) 2018/1725, EU institutions will also have to appoint a Local Cybersecurity Officer to facilitate compliance with the Cybersecurity Regulation.
Likewise, the EDPS’ role, as data protection authority of the EU institutions, will evolve.
In response to the EDPS’ recommendations on the Cybersecurity Regulation, the EDPS will become a member of the Inter-Institutional Cybersecurity Board. Within this remit, the EDPS will promote the integration of data protection in the cybersecurity activities of the EU institutions. In addition, the EDPS will cooperate closely with CERT-EU, the Computer Emergency Response Team for EU institutions, to address major cybersecurity incidents that may result in personal data breaches.
EDPS investigations: what happens during a hearing?
The EDPS conducts investigations to establish whether an EU institution, body, office or agency (EUIs) has breached applicable data protection rules.
Before reaching an investigation’s final decision, the EDPS undertakes a number of steps, such as conducting an evidence-gathering meeting, conducting an inspection, and sending a preliminary assessment. A preliminary assessment contains the investigation’s findings of fact, an initial legal assessment of those findings, including any alleged infringements of the Regulation, and envisaged corrective measures.
A hearing may then be organised at the request of the involved parties to the investigation so that they can share their observations on the EDPS’ preliminary assessment before any enforcement action takes place. To this end, parties can exercise their right to be heard.
To clarify how this works, the EDPS adopted on 27 September 2023 “Rules on the Hearing in EDPS investigations”. These rules cover procedural aspects of the hearing, such as questions that may be submitted to the concerned parties, how the parties can submit their observations, how confidential information is handled, and other important details.
EDPS training session: how to apply the EUDPR?
On 27 September 2023, the EDPS’ Supervision & Enforcement Unit gave a 3-hour online training session to staff of the European Institute of Innovation & Technology (EIT) on the practical application of the Regulation (EU) 2018/1725, also known as the EUDPR, the data protection regulation for EU institutions, bodies, offices and agencies.
To ensure a comprehensive and effective training session, the EDPS integrated concrete examples of data protection issues encountered by the EUI concerned.
The EDPS dedicated part of its training session to some key data protection principles that must be put into practice before any data processing operation, namely the accountability principle, to ensure that compliance with the EUDPR is demonstrated, and the data protection by design and by default obligations.
During the training session, participants also had the opportunity to review the rules on transfers of personal data outside the EU and European Economic Area, as well as requirements in the context of outsourcing projects.
The final part of the training session focused on Data Protection Impact Assessments and personal data breaches.