Commencing 2024 on a high: the EDPS has launched the celebrations for its 20th anniversary, with numerous initiatives and actions to take place throughout the year to fuel the future of privacy. January also marked Data Protection Day, a time to delve deeper into the data protection issues and approaches to take to protect individuals, and more. This issue is also part of our podcast series, the Newsletter Digest.
In this issue
EDPS Anniversary: celebrating 20 years of protecting personal data
This year, the EDPS is celebrating two decades of protecting privacy and personal data.
Join us as we build on our expertise, spanning four mandates, to fuel the future of data protection for the next 20 years.
Preparing for the data protection landscape of tomorrow requires an acute understanding of past, present and possible future dynamics between data protection, privacy, technology, policy and other fields.
To achieve this, the EDPS bases its anniversary on four key pillars, with a view to modernising and updating its approach to uphold the highest standards in privacy, to protect individuals. These include:
- A book and a timeline that analyse key data protection milestones and the EDPS’ influence and history in this remit over the last two decades, as well as an in-depth analysis of what is yet to come;
- 20 talks with leading voices from around the world who share their unique perspective on how data protection and privacy shape their respective fields.
- A European Data Protection Summit - Rethinking Data in a Democratic Society, taking place on 20 June 2024, in Brussels, Belgium. During this event, we aim to foster dynamic and open discussions on the role of privacy and data protection in modern democracies by examining, in particular, the role of a state at a time of an ever-growing collection of information about citizens.
- 20 initiatives to discover how the EDPS uses its Anniversary as an opportunity to keep improving its work. We have already published five initiatives and throughout the year we will unveil all 20 initiatives. These are commitments and actions illustrating the EDPS' continuous aspiration to lead as a modern data protection authority.
You can follow our progress on the dedicated EDPS 20th Anniversary website.
Three key figures for 2023: measuring the impact of our work
As the European Data Protection Supervisor of the EU institutions, bodies, offices and agencies (EUI), we carry out a number of tasks to protect your personal data.
We advise the EU’s co-legislators - the European Parliament, the Council and the European Commission - on draft Regulations and other initiatives related to the protection of personal data. In 2023, we submitted 116 legislative consultations, 6 more than in 2022. Our recommendations touched upon a plethora of different topics and measures impacting individuals’ privacy, such as taxation, finance, international agreements to fight crime, and technology, to name a few.
As part of our work, we monitor and assess technological developments impacting the protection of personal data, especially in the EUIs. In this context, we handle personal data breaches that occur within EUIs. In 2023, 77 admissible data breach notification cases submitted by EUIs were opened, and 4 notifications were considered inadmissible data breaches. With regard to the admissible cases, the top 3 root causes are: 1) human error, 2) technical bug, 3) external attack.
Our work does not stop there: as a data protection authority, we also address complaints made by individuals against EUIs. This year, we received a total of 420 complaints on various matters, of which 73 were admissible and 347 were inadmissible.
Preserving the confidentiality of communications is essential to fundamental rights
The Regulation would allow providers of certain independent interpersonal communication services to continue to apply specific technologies to private communications in order to detect child sexual abuse material for two more years, whilst negotiations for a long-term Regulation are ongoing.
In its Opinion, the EDPS expresses concern about the aims of this Regulation, which would, in effect, restrict individuals’ fundamental rights to privacy and personal data, including their right to the confidentiality of communications.
The EDPS underscores that, although the use of specific technologies to detect child sexual abuse material would remain voluntary, it is still the responsibility of the EU’s co-legislators to put in place measures to ensure that the Regulation complies with the EU’s Charter of Fundamental Rights.
In line with its previously issued recommendations, the EDPS reiterates that the proposed Regulation does not include sufficient and effective safeguards to prevent general and indiscriminate monitoring of private electronic communications.
Putting these safeguards in place is important, especially given the high error rates observed with certain technologies used for detecting child sexual abuse materials or child solicitation, such as grooming. The EDPS underscores the significant risk that technologies used to detect child sexual abuse material may flag consensually produced and shared imagery.
Computers, Privacy and Data Protection Conference: why does data protection matter?
To mark Data Protection Day 2024, the EDPS, together with the Privacy Salon, colleagues of CPDP Conferences and the Council of Europe, organised an exceptional Computers, Privacy and Data Protection Conference (CPDP) on 25 January.
Since its debut in 2007, CPDP has become a well-established platform gathering privacy experts, technology specialists, and other professionals from diverse backgrounds, to sculpt the data protection landscape. Over the years, the EDPS has supported and led many influential discussions on EU data protection law. Participating in this forum has also informed many of the EDPS’ decisions as the EU’s data protection authority for EU institutions, bodies, offices and agencies.
In this Data Protection Day edition of CPDP, topics brought to the table were diverse. These included:
- the regulation of global data flows
- the impact of data protection and privacy on human rights
- the international regulation of artificial intelligence
This one-day conference was punctuated by dynamic panel discussions on data-driven practices, the future of digital governance, and harmonising the procedural rules of the GDPR.
EDPS assesses privacy impact of Regulation to combat migrant smuggling and human trafficking
The EDPS published on 23 January 2024 an Opinion on a Regulation to enhance police cooperation to prevent, detect, and investigate the smuggling of migrants and the trafficking of human beings, and to reinforce the role of the EU Agency for Law Enforcement Cooperation (Europol) in preventing and combating these crimes.
The EDPS makes a series of recommendations on four key issues in the proposed Regulation that could have an important impact on individuals’ personal data and privacy, including:
- the increased processing of biometric data;
- the role of the European Border and Coast Guard Agency (Frontex) in its cooperation with Europol;
- transfers of personal data by Europol to countries outside the EU/European Economic Area (EEA);
- Europol’s support to the competent authorities of the EU Member States.
The EDPS’ Opinion also takes into account the findings and ongoing work of its supervisory activities regarding Europol and Frontex.
With this Opinion, the EDPS aims to strike a balance between helping the EU address illegal migration and keeping individuals and their personal data safe.
Data Protection Day: an exclusive chat with our data protection officer
All EU institutions, bodies, offices and agencies (EUIs), and most public and private entities in the EU/European Economic Area (EEA), have to have a data protection officer (DPO) to ensure that data processing activities comply with the EU’s data protection laws.
But, what is it like to be a data protection officer? And, more specifically, what is it like to be a DPO of the data protection authority in charge of supervising the way EUIs process personal data?
To find out, head over to our podcast, The Newsletter Digest - Bonus Episode #2, in which the EDPS’ data protection officer dives into their role and tasks, and discusses the future this profession holds, especially in light of Artificial Intelligence.
Working for an EUI or a public or private entity in the EU/EEA? Listen to this episode to find out more about the key ingredients needed for a robust data protection notice, how data protection breaches can be handled, and how to address individuals’ requests on data protection matters.
Interested in the DPO profession? In this episode, the EDPS’ DPO shares some of the essential skills and competences needed for this role.
How much time do children spend online? What are the consequences?
167 minutes is the average time that children spend online per day to do their homework, play video games, or browse social media. This number has dramatically increased over the last decade.
What are the consequences of this trend?
Our trainees from the European Data Protection Supervisor and the European Data Protection Board brought this issue to light in a panel discussion in which they invited key experts on the topic. This event was organised on the margins of the Computers, Privacy and Data Protection Conference, held on 25 January.
The Internet offers abundant entertainment and educational opportunities for children, but also risks and dangers. The virtual playground differs significantly from traditional ones. In these digital spaces, dangers are invisible at first sight. Employing measures that ensure the safety of children and protect their privacy in virtual playgrounds has become of paramount importance.
This stimulating discussion tackled some of the following big questions:
- What initiatives have data protection authorities taken to protect children’s privacy?
- What risks are children exposed to depending on their age group?
The objective of the panel was also to assess the effectiveness of the current applicable EU legislation, to understand the compliance difficulties that data controllers face when offering online services to children, and to seek solutions to ensure a cyber-safe and privacy-friendly virtual playground for children.
Can EU institutions send personal data to EU Member States’ intelligence authorities?
The EDPS has recently provided its advice to an EU institution, body, office or agency (EUI) on whether to send personal data to EU Member States’ intelligence authorities.
In its Opinion, the EDPS recommends that EUIs ask EU Member States’ intelligence authorities to justify their requests for personal data by providing the specific purpose for which they wish to receive this information and why this is necessary.
EUIs should also assess the reasons brought forward by the EU Member States’ intelligence authorities: whether access to certain data is proportional in light of the objectives pursued and the impact on individuals, for example. EUIs should also consider whether and how to limit the amount of data communicated to EU Member States’ intelligence authorities.
The EDPS bases its advice on the conditions for transmitting data to recipients other than EUIs established in the EU laid out under Article 9 of Regulation (EU) 2018/1725, the data protection regulation for EUIs, and on Protocol (No 7) on the privileges and immunities of the European Union, which governs some of the rules for EUIs.
EDPS publishes results of the Coordinated Enforcement Action on data protection officers
The EDPS published the results of its survey on the role, responsibilities and tasks of data protection officers in the EU institutions, bodies, offices and agencies (EUIs). The outcome of the survey demonstrates a high level of awareness and compliance of EUIs with data protection officers’ advice. Launched earlier in March 2023, the survey is part of the European Data Protection Board’s (EDPB) Coordinated Enforcement Action that the EDPS conducts alongside the other 26 data protection and privacy authorities of the European Union (EU) and the European Economic Area (EEA).
The Coordinated Enforcement Action focuses on the role, responsibilities and tasks of data protection officers in EUIs. To support this work, the EDPS sent a questionnaire to EUIs’ data protection officers to check their compliance with the applicable data protection law, Regulation (EU) 2018/1725. This involved, in particular, verifying data protection officers’ independence; how their advice is followed; and how they carry out their duties to ensure compliance with the applicable rules whenever EUIs are processing personal data.
The survey and accompanying report show that, in general, data protection officers have a tangible impact and influence on their respective EUIs. The EDPS takes positive note of this, acknowledging that the level of experience and expertise of data protection officers is high and clearly indicates that the role of data protection officers is becoming more professionalised. There is still room for improvement; the EDPS remarks that data protection officers lack time and resources to perform their duties optimally. In its report, the EDPS states that if data protection officers do not have sufficient time and resources to perform their duties, there is a risk that data protection is not perceived as a priority by their EUI, which may, even if not consciously, have a negative impact on the application of Regulation (EU) 2018/1725. Data protection culture must be further fostered, the EDPS writes in its report.