With the presentation of its Annual Report 2021, the launch of two social media platforms and the preparation of upcoming events, the EDPS has been busier than ever this month. You can now read all about it in our April newsletter.
In this issue
Coming up: EU Open Day 2022!
Want to know more about how the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) protect your personal data and data protection rights?
Join us on EU Open Day to meet our team, participate in interactive activities, and learn more about data protection on Saturday 7 May 2022, from 10 am to 6 pm (CEST), at the Berlaymont Building, Ground Floor, Digital Village, in Brussels, Belgium.
EDPS launches pilot phase of two social media platforms
EU institutions, bodies, offices and agencies (EUIs) participating in the pilot phase of these platforms will be able to interact with the public by sharing short texts, images and videos on EU Voice, and by sharing, uploading and commenting on videos and podcasts on EU Video.
The two platforms are part of decentralised, free and open-source social media networks that connect users in a privacy-oriented environment, based on Mastodon and PeerTube software. By launching the pilot phase of EU Voice and EU Video, the EDPS aims to contribute to the European Union’s strategy for data and digital sovereignty to foster Europe’s independence in the digital world.
Wojciech Wiewiórowski, EDPS, said: “With the pilot launch of EU Voice and EU Video, we aim to offer alternative social media platforms that prioritise individuals and their rights to privacy and data protection. In concrete terms this means, for example, that EU Voice and EU Video do not rely on transfers of personal data to countries outside the European Union and the European Economic Area; there are no advertisements on the platforms; and there is no profiling of individuals that may use the platforms. These measures, amongst others, give individuals the choice on and control over how their personal data is used.”
The EDPS’ Conference is fast approaching!
On 16 and 17 June 2022, the European Data Protection Supervisor will host a conference in Brussels, Belgium, bringing together global stakeholders from the digital regulatory sphere to reflect on and discuss current approaches to enforcement models.
Titled “The future of data protection: effective enforcement in the digital world”, the conference aims to facilitate discussions on the world’s best practices when it comes to enforcement action and cooperation, while also exploring alternative models of enforcement for the digital future.
Interested in joining us and our guest speakers in Brussels for the EDPS Conference 2022?
You can now register to attend the conference in person here; a limited number of spaces are available.
Can’t join us in Brussels? You can also register here to attend parts of the conference online.
To find out more about the EDPS’ Conference, its programme and guest speakers, visit the EDPS’ dedicated Conference website here.
EDPS Annual Report 2021
Today, the EDPS published its Annual Report 2021. The report highlights the EDPS’ achievements regarding European Union institutions’ (EU institutions) compliance with the data protection framework. The Report also underscores the EDPS’ increasing role in advocating for the respect of privacy and data protection in EU legislation.
In 2021, the EDPS increased the use of its corrective powers. Amongst the enforcement actions taken by the EDPS this year, particular significance is attributed to the Decision to order Europol to delete datasets with no established links to criminal activity, which the EDPS sees in the context of respecting the rule of law and upholding a mature checks and balances system.
This year was also unprecedented in terms of EDPS advice given to the EU legislator. With 88 Opinions, including Formal Comments, issued in 2021, compared to 27 in 2020, the EDPS addressed a record number of legislative consultations. This increase demonstrates the recognised importance of embedding data protection in EU law. Looking beyond the landscape of the EU institutions, the EDPS has also actively maintained its cooperation with civil society, academia, and various other stakeholders.
In the spirit of joint responsibility for the success of the General Data Protection Regulation, the EDPS also continued its active participation in the European Data Protection Board’s work, by proposing or partaking in a variety of initiatives.
The executive summary of the Annual Report 2021 will be made available in all official languages of the EU in due course.
EDPB & EDPS adopt joint opinion on the extension of the EU Digital COVID Certificate Regulation
The EDPB and EDPS have adopted a joint opinion on the European Commission’s proposals to extend the current Regulations on the EU Digital COVID Certificate (EUDCC) by 12 months and to amend certain provisions, such as broadening the types of COVID tests accepted in the context of travel within the EU and clarifying that vaccination certificates should contain the number of doses administered to the holder, regardless of the Member State in which they have been administered.
The EDPB and the EDPS take note that the proposal does not substantially alter the existing provisions of the Regulations with regard to the processing of personal data. In line with the previous joint opinion on the initial COVID Certificate Regulations, the EDPB and the EDPS recall that compliance with data protection rules does not constitute an obstacle to fighting the COVID-19 pandemic. Given the unpredictability of the possible prolongation of the pandemic, the EDPB and the EDPS understand the need to extend the applicability of the EUDCC Regulation.
However, since this proposal aims to extend the duration of a measure to fight the COVID-19 pandemic, the relevant scientific evidence and the additional measures in place should be regularly assessed to ensure respect for the general principles of effectiveness, necessity and proportionality.
The EDPB and EDPS regret that no impact assessment was carried out by the Commission. In addition, the EUDCC Regulation imposes a duty on the EU Commission to submit a report to the European Parliament and the Council on the impact of the Regulation on the facilitation of free movement, fundamental rights and non-discrimination. The EDPB and EDPS strongly consider that the Commission should annex this report to the current proposal.
EDPS issues a reprimand to the European Border and Coast Guard Agency (Frontex) for moving to the cloud without proper data protection assessment
On 1 April 2022, the EDPS reprimanded the European Border and Coast Guard Agency (Frontex) for a breach of the Data Protection Regulation (EU) 2018/1725, applicable to Union institutions, offices, bodies and agencies.
The EDPS found that Frontex moved to the cloud without a timely, exhaustive assessment of the data protection risks and without identifying appropriate mitigating measures or relevant safeguards for the processing. Frontex also failed to demonstrate the necessity of the planned cloud services, as it had not shown that the chosen solution (“Microsoft 365”) was the outcome of a thorough process in which the existence of data protection compliant alternative products and services meeting Frontex’s specific needs was assessed. In addition, Frontex failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes. Frontex therefore breached the accountability principle as well as its obligations as a controller and the requirements of data protection by design and by default.
In addition to the reprimand, the EDPS ordered Frontex to review its Data Protection Impact Assessment and the Record of Processing activities relating to the processing of personal data in cloud services.
Anticipating new technologies and their impact on data protection
As part of the EU’s research and innovation programme, Horizon Europe, the EDPS co-organised with one of Brussels’ universities, Vrije Universiteit Brussel, the closing event of Panelfit, which took place on 30 and 31 March 2022.
Panelfit, or Participatory Approaches to a new Ethical and Legal Framework for ICT, focuses on “Anticipatory Compliance”, which translates to proactively anticipating practical ways of regulating new or emerging technologies to ensure their compliance with EU data protection law.
The Supervisor, Director and several EDPS colleagues were invited to share their views based on their experiences of developing TechSonar, the EDPS’ new foresight initiative that aims to anticipate upcoming technology trends to better understand future developments in the technology sector from a data protection perspective.
Speaking at the event, the Supervisor highlighted the importance of acting in advance, instead of reacting to new technologies once they are on the market ready for public consumption. By acting in advance, it is possible to foresee the risks that these technologies may present for individuals’ freedoms and fundamental rights, including their right to privacy and personal data. Having the knowledge of these risks sooner rather than later allows data protection authorities, like the EDPS, to have an impact on the development of these technologies so that they comply with data protection law to protect individuals. At the same time, it will also be possible to better support innovation and the value-creation that these technologies offer.
The EDPS looks forward to further discussing the topic of anticipatory compliance in the technology arena during its upcoming conference on 16 and 17 June 2022, titled “The Future of Data Protection: Effective enforcement in the digital world”.
Video recordings of the Panelfit event can be found here.
Granting and restricting data protection rights
One way of ensuring that EU institutions, bodies and offices (EUIs), their data protection officers and their members of staff comply with EU data protection law is to make sure that they understand their rights and obligations when it comes to processing personal data.
To this end, colleagues from the EDPS’ Supervision and Enforcement Unit (S&E) regularly organise training sessions at the European School of Administration to explain different data protection concepts of Regulation (EU) 2018/1725, as well as how to apply these concepts on a practical level.
S&E colleagues delivered a training session to more than 165 participants on 29 March 2022, which focused on data protection rights, especially the rights of access, rectification and erasure, as well as on the restrictions of these rights.
Participants were presented with different circumstances in which these rights may be exercised by individuals, such as EUIs’ selection procedures and administrative inquiries, and with how EUIs’ controllers should respond in these cases. S&E colleagues also provided some guidance on which legal grounds EUIs’ controllers may be able to rely on to justify the restriction of these rights.
The EDPS is currently planning upcoming training sessions on certain challenging aspects of Regulation (EU) 2018/1725. EDPS colleagues also deliver personalised training sessions to the staff of EUIs at the request of their respective data protection officers.
EDPS work on the use of ICT products and services by EUIs
Through various initiatives, the EDPS works closely with the EU institutions, bodies, offices and agencies (EUIs) to ensure that they comply with their obligations under the applicable data protection law, Regulation (EU) 2018/1725 (the Regulation), when contracting ICT products and services from external providers.
As an example, the EDPS has in recent years carried out investigations into the use of ICT products and services by EUIs, notably the use of Microsoft products and services, both to identify compliance issues and to help EUIs remediate them.
Given the complexity that stems from ensuring that EUIs comply with the Regulation when contracting ICT products and services, especially if contracting these services may involve the processing of individuals’ data outside the EU/EEA, the EDPS prepared in February 2022 a document on this topic.
The document collates the EDPS’ important work in this area, including its recommendations following previous and ongoing investigations into the use of Microsoft products and services by EUIs, the impact of the Schrems II ruling if EUIs had or have contracts for products and services with companies that process individuals’ data outside the EU/EEA, and more.
While this document is mainly targeted to EUIs’ data protection officers, who are responsible for ensuring that their respective EUIs comply with the Regulation when contracting ICT products and services, it may be of use to other entities within the EU Member States that may encounter similar challenges under the General Data Protection Regulation.
Frontex’s transfers of personal data in the context of return operations
In the absence of an adequacy decision recognising that a non-EU/EEA country affords the same level of data protection as the EU/EEA, EU institutions, bodies, offices and agencies may be able to transfer personal data to non-EU/EEA countries in certain specific contexts, using derogations provided in the applicable data protection law, Regulation (EU) 2018/1725 (the Regulation).
Against this background, Frontex, the European Border and Coast Guard Agency, consulted the EDPS on the use of derogations to transfer personal data when carrying out return operations. Undertaking return operations involves the processing of individuals’ personal data when individuals from non-EU/EEA countries are returned to their respective countries.
Most of the non-EU/EEA countries where return operations are carried out do not have an adequacy decision in place or another similar type of mechanism provided under Article 48 of the Regulation that ensures an essentially equivalent level of protection when transfers of personal data between the EU/EEA and a non-EU/EEA country occur. As such, Frontex consulted the EDPS on whether a derogation on the basis of public interest could be used to transfer personal data in this context.
In its Opinion, the EDPS highlighted that a derogation based on public interest to transfer personal data to non-EU/EEA countries should be used only as a last-resort measure. This is to avoid public interest becoming a way of justifying all types of transfers of personal data, especially if Frontex is to evolve into the “EU’s Return Agency”.
Instead, the EDPS advises Frontex on other measures and steps to take beforehand.
The EDPS suggests that Frontex base its transfers of personal data on readmission agreements, which regulate the conditions under which migrants are returned to their non-EU/EEA country, to ensure that appropriate safeguards are put in place for the protection of individuals’ personal data in accordance with Article 48 of the Regulation.
The EDPS also reiterated that transfers of personal data to a non-EU/EEA country should comply with the strict conditions laid down under Article 50 (1) (d) of the Regulation. In concrete terms, this means that Frontex needs to be able to justify and prove that the transfer of individuals’ personal data to non-EU/EEA countries is necessary for important reasons of public interest. To achieve this, an assessment must be made, taking into account the following criteria: the type and volume of personal data transferred; whether this type of personal data is recurrent or not; whether there is an existing data protection regime in the non-EU/EEA country to which this personal data is transferred that would limit the risks for individuals’ personal data.