Newsletter (115)
30 days of preserving privacy and data protection, what does that look like? Read our newsletter to register to our upcoming event on young people and children's privacy; our work in protecting people at EU borders, how we support AI innovation whilst protecting people's privacy and more!
In this issue
From Cradle To Cloud: Surveillance and Digitalisation Around Childhood
How to ensure AI compliance in EU institutions? The EDPS AI-Act Correspondent Network
Coordinated Supervision Committee: working together to protect privacy across the EU
Competition, Innovation and Data Protection
Migration Management: data protection is one of the last lines of defence for vulnerable individuals
CPDP.ai 2025: The world is watching
Upholding the fundamental right to data protection: a guide for EU co-legislators
EU Entry-Exit System: a progressive start of operations and its impact on data protection
From Cradle To Cloud: Surveillance and Digitalisation Around Childhood
Privacy is no child’s play, and the EDPS and the EDPB trainees have decided to tackle this topic.
They invite you to join their upcoming conference discussing children’s fundamental rights to privacy in today’s digitalised world. From AI-powered toys and chatbots, to rising exposure on social media platforms, the latest technological developments are having an unprecedented impact on young people in the digital world. These tools are also transforming the educational landscape. Learning environments processing sensitive student datamay bring risks of profiling or automated decision-making
-
When:
4 July 2025, 14:00 - 16:30 (Brussels time)
-
Where:
European Parliament, Brussels, Belgium & online
This begs to discuss several questions:
- How do technological developments affect children’s fundamental right to privacy, from social media to AI agents?
- What are the privacy implications of personalised learning?
- How to foster privacy compliance and literacy in the classroom?
Join us on 4 July 2025; be part of important debates, with experts from tech, data protection and academia, to discuss the privacy and safety of children online.
How to ensure AI compliance in EU institutions? The EDPS AI-Act Correspondent Network
Since the entry into force of the AI Act in August 2024, the EDPS is deploying its resources to ensure that AI systems used by EU institutions (in addition to EU bodies, offices and agencies) comply with the AI Act’s rules to protect people’s fundamental rights in the EU.
How?
One of the ways the EDPS supports both compliance with the AI Act and AI innovation is by meeting regularly with the AI-Act Correspondent Network, an informal forum composed of representatives - known as AI Correspondents - from each one of the 78 participating EU institutions, bodies, offices and agencies.
Launched by the EDPS AI Unit in September 2024, the aim of the Network is to address EU institutions’ issues in the realm of the AI Act, and to foster cross-institutional collaboration. Its kick-off meeting took place in January 2025, setting the stage for collaborative exploration of AI governance issues.
The AI-Act Correspondent Network met for the second time in May 2025 for an online workshop on practical questions regarding the AI Act. Some of the topics addressed during the meeting related to the classification of high-risk AI systems, the distinction between deployer and provider, and the fundamental rights impact assessment of AI systems.
To facilitate the exchange of documents, guidance, and practical Q&As amongst AI network participants, a digital platform was launched to collaborate more actively and efficiently on key issues that AI systems raise.
Going forward
Looking ahead, the second meeting of the AI-Act Correspondent Network will take place in early October. This ongoing initiative highlights the EDPS' continuous commitment to fostering informed dialogue and cooperation amongst and with EU institutions (in addition to EU bodies, offices and agencies) on how to apply the AI Act.
Coordinated Supervision Committee: working together to protect privacy across the EU
In 2024, the EDPS took on the task of coordinating the Coordinated Supervision Committee (CSC), reinforcing its commitment for a strong, unified data protection oversight across the EU. The CSC mandate has evolved, becoming the default coordinating forum for supervising the EU’s large scale IT systems, and other forms of cooperation between the EU and EU Member States’ authorities.
Now in June 2025, it’s time to track the progress and actions made.
But first, what is the CSC?
Established under Article 62 of Regulation (EU) 2018/1725, the CSC brings together the EDPS and data protection and privacy authorities from the EU/EEA to ensure effective and consistent supervision of:
- large-scale IT systems, such as the Schengen Information System, and the Visa Information System;
- EU bodies, agencies and offices, such as Europol, in charge of law enforcement cooperation; Eurojust, in charge of criminal justice cooperation; and the European Public Prosecutor’s Office (EPPO), in charge of investigating, and prosecuting crimes against the EU’s financial interests.
As cross-border data exchanges grow, the CSC has become a vital mechanism for bridging the gap between EU Member States’ authorities and EU-level oversight, enhancing accountability, consistency, and the enforcement of EU data protection law.
The EDPS plays a central role in the CSC, operating within the framework of the European Data Protection Board (EDPB), the independent EU board in charge of collaborating and promoting a consistent application of the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).
Key achievements include:
- coordinating action on the supervision of data held and processed by Europol concerning minors; a targeted initiative to assess the processing of data of children under the age of 15 who are named as suspects, to be followed by a joint report;
- launching the ETIAS Working Group, with a focus on preparing the CSC for the supervision of the European Travel Information and Authorisation System (ETIAS), by flagging and mitigating data protection concerns, and working on guidance for data controllers;
- launching the Entry/Exit System Working Group to prepare the CSC for the supervision of the Entry/Exit System, a planned system of the European Union for the automatic electronic monitoring and recording of border crossings of third-country nationals (non-EU/EEA/Swiss citizens) at all border crossings of the Schengen Area. The Working Group focuses on data protection aspects and currently on the information and communication campaign promoting and explaining the Entry/Exit System’s launch and operation.
- agreeing on a method for handling Europol-related complaints;
The EDPS will continue to promote high standards of data protection and supervisory cooperation across the EU through its active participation in the CSC in the coming years.
For more information, check out the Coordinated Supervision Committee webpage here.
Competition, Innovation and Data Protection
On 3 June 2025, the High-level Debate on Competition, Innovation and Data Protection took place, an event organised jointly by the European Data Protection Supervisor (EDPS), the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), and the Bavarian Data Protection Commissioner (BayLfD).
The event brought together more than 280 stakeholders to discuss the need for a consistent and coherent application of the GDPR and the EU's Digital Rulebook. Legislation enacted in recent years - including the Digital Services Act, the Digital Markets Act, the Data Act and the Artificial Intelligence Act - underscore the importance of processing of personal data for today's digital economy. At the same time, the General Data Protection Regulation (GDPR) aims to ensure individuals' fundamental rights in the digital environment.
Interest in the event highlighted the need to strengthen cooperation with various competent digital regulators to ensure the effective protection of citizens’ rights, foster innovation, and enhance the EU’s competitiveness.
Video recordings
The video recording of the debate is now available:
Video Highlights on the EDPS Website and YouTube Channel
Full Recording on the EDPS Website and YouTube Channel
More on cooperation between digital regulators
If you would like to learn more about cooperation between different digital regulators, please see the EDPS’ Proposal to establish a ‘Digital Clearinghouse 2.0’.
A “Digital Clearinghouse 2.0 would provide digital regulators with a forum to exchange and coordinate on issues of common interest, to align at the level of priorities and legal interpretations.
Migration Management: data protection is one of the last lines of defence for vulnerable individuals
The EDPS published on 28 May 2025 an Opinion on the Proposal for a Regulation establishing a common system for the return of third-country nationals staying illegally in the EU.
The objective of the Proposal is to ensure the effective return and re-admission of third-country nationals (nationals from outside the EU/EEA) illegally staying in the EU by providing Member States with simplified and common rules.
In light of the impact of the proposal on concerned individuals’ fundamental rights, including on their rights to privacy and to the protection of personal data, the EDPS considers that an in-depth fundamental rights impact assessment should be carried out to better identify and mitigate potential risks.
The EDPS also makes several specific recommendations, related to:
- the right to information given to individuals regarding the reasons for return decisions;
- the alignment of the proposal with the applicable EU legislation on data protection and other legal acts linked to the Pact on Migration and Asylum;
- the safeguards in case of transfers to third countries (non EU/EEA countries) of personal data of concerned individuals.
CPDP.ai 2025: The world is watching
On 21 May 2025, the EDPS attended the Computers, Privacy and Data Protection Conference (CPDP.ai), focusing on Artificial Intelligence, neurotechnology and neuroscience, data protection and privacy.
The conference, organised yearly, gathered a number of experts in the fields of tech, law, data protection, academia and relevant industries participating in 90 panels and over 30 workshops.
The EDPS organised two panels: one on navigating regulatory complexities, focusing on enforcing data protection in the field of Artificial Intelligence, and one on the interface between the AI Act and the GDPR examining how to combine innovation and privacy in Europe.
With multiplied regulatory frameworks as a response to the development of new technologies, cooperation is key for their effective application and enforcement, stressed Supervisor Wojciech Wiewiórowski in his address at the CPDP.ai Conference.
The AI Act does not replace existing EU regulations and laws but represents additional safeguards stemming from data protection frameworks. The requirements and safeguards under data protection law must continue to be respected.
Read about CPDP.ai Conferences
Upholding the fundamental right to data protection: a guide for EU co-legislators
The EDPS published its Guidance for co-legislators, on key elements to consider when drafting legislative proposals and other acts that imply the processing of individuals’ personal data on 7 May 2025.
With this Guidance, the EDPS provides practical guidance for the EU co-legislators to uphold the highest standard of the fundamental rights to privacy and data protection. The EDPS will continue to provide its recommendations to EU co-legislators where there is an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data.
In its Guidance, the EDPS concentrates its advice to ensure that measures taken by the EU co-legislators are clear, precise and foreseeable, for the effective protection of individuals’ personal data against the risk of its misuse.
When drafting legislative proposals and other acts entailing the processing of personal data, the following should be taken into account:
- a clear specification of the objectives and purposes for which personal data is processed;
- clarity regarding the roles and responsibilities of those processing individuals’ personal data;
- a demonstration of the necessity and proportionality of the envisaged processing of personal data in light of the objectives of a draft legislative proposal;
- delineation of the categories of personal data that are to be processed and the individuals concerned;
- a clear indication of the length for which personal data may be processed;
- appropriate safeguards in cases where personal data is to be disclosed to public authorities or other third parties;
- whether any envisaged restrictions on individuals’ rights are legitimate and limited to what is strictly necessary in light of the objectives pursued.
Read Press Release and Opinion to find out more.
EU Entry-Exit System: a progressive start of operations and its impact on data protection
The EDPS gave its advice on the proposed temporary derogation from certain provisions of the Entry/Exit System Regulation and the Schengen Borders Code Regulation, which define the rules governing the movement of people across EU external borders.
The Entry/Exit System is an EU-wide automated system that records the entry and exit of non-EU citizens in the EU, currently in the final stages if its development.
Under the proposed regulation, the temporary derogations would allow EU Member States to roll out the Entry-Exit System in phases over 180 days, permitting them to progressively introduce various important elements of the system, such as the introduction of biometric border checks. This would enable national authorities, travellers and carriers to adjust to the new border management processes and technologies.
The proposed temporary derogations or, more simply put, exceptions from certain obligations, would require EU Member States, for example, to ignore certain automated alerts, like non-EU/EEA individuals’ overstaying warnings, which may not be accurate during the progressive start phase, or to suspend the Entry-Exit System at particularly busy border points to avoid potential long waiting times at external borders.
From a data protection perspective, the EDPS is concerned about the accuracy of the data collected during the progressive start of the Entry-Exit System and its consequences for individuals.
As personal data processed in the Entry-Exit System may likely be incomplete during its progressive rollout, appropriate safeguards are necessary to counter negative consequences to non-EU/EAA travellers.
To further protect them, the EDPS advocates for additional safeguards:
- a clarification that no decisions that could negatively affect individuals should be taken solely on the basis that the relevant data in the Entry-Exit System is missing;
- the operation of automated tools, such as the duration of stay calculator and the list of overstays, should be suspended until the end of the progressive start of operations of the Entry-Exit System.
Federated Learning: a privacy-preserving approach to AI?
Federated Learning presents a promising approach to machine learning that can improve privacy in some particular cases when correctly applied.
How does this approach differ? By allowing multiple sources to separately use their data to build AI models, which are then combined to create one single AI model. The training data used remains on the devices from where it comes from; therefore, this data is decentralised, making Federated Learning a more privacy-preserving approach.
Whilst Federated Learning offers many data protection advantages, such as data minimisation, purpose limitation, disadvantages and risks remain, such as potential data leakage when models are updated and data quality issues.
Want to find out more? The EDPS has just issued a new TechDispatch Report investigating Federated Learning and its approach to and impact on privacy and personal data.
On-Device AI explained
Have you started running faster than a cheetah?
Sleeping better than a koala?
Taking the best route home to avoid traffic slower than a sloth?
You may be using apps with “On-Device AI” features processing personal data directly on your device. Like a smart watch, or other types of wearables, monitoring your sleep patterns, home appliances to help monitor your electricity consumption.
Smart wearables can use on-device AI to analyse health metrics, like your heart rate, or activity levels; you may be using it to record your 5k runs for example.
Self-driving cars, like self-driving taxis that are appearing in different parts of the world, may include on-device AI to detect and respond to dynamic environments, such as pedestrians crossing the road, traffic signals, road conditions.
These on-device AI technologies - which often include voice assistants - use your personal data to offer you personalised services.
Whilst on-device AI means that personal data processed remains on your device, therefore adhering to three of the important data protection principles: confidentiality, data minimisation and storage limitation, these systems still have an impact on your privacy.
Want to know more about how to stay safe when using on-device AI apps or devices, check out our TechSonar Report dedicated to the topic.