Data Protection Insider, Issue 43

EDPS Releases Opinion on the Draft Europol Regulation

On 8th March the EDPS issued an Opinion on the draft proposals for amending the Europol Regulation. We presented the main features of the proposals in DPI #38. The EDPS Opinion focuses on the following six main points:

(1) Cooperation with private parties, both within and outside the EU. The EDPS points out that in the course of such cooperation Europol might share data with these parties, as requested by the national authorities, and that the safeguard that such transfers should not be ‘systematic, massive or structural’ should apply also to data sharing in the EU, not just internationally. In addition, Europol’s responsibilities as a processor vis-à-vis the national authorities should be regulated by a binding agreement.

(2) Processing of Big Data for the purposes of ‘pre-analysis’, i.e. to determine whether the available data may fall within Europol’s scope. The EDPS recommends that such ‘pre-analysis’ should occur only where there exists ‘an objective necessity’ and that extending the maximum period for this analysis should be based on objective criteria, which are currently missing.

(3) Providing operational support, i.e. analysis of big data, to Member States in criminal investigations. The EDPS emphasizes that this change would be most impactful in terms of data protection as it will give Europol the power to process additional categories of personal data. To ensure that such processing remains the exception, ‘… the amended Regulation should lay down certain conditions and/or thresholds, such as scale, complexity, type or importance of the investigations.’

(4) Europol’s participation in R&D projects. The EDPS recommends that the scope of this participation should be restricted only to Europol’s tasks and welcomes the obligation to carry out a DPIA assessing the risks to all rights and freedoms. Furthermore, Europol, as a stakeholder in setting up the European Security Data Space, should take into account the EDPS’s comments on the European Strategy for Data and its AI Strategy.

(5) Transfers to third countries. The EDPS notes that the proposals seek to empower Europol’s Executive Director to authorise ‘categories of transfers’, which is an unclear term and should be specified.

(6) The upcoming applicability of Regulation 2018/1725 to Europol. The EDPS recommends that the current provisions in the Europol Regulation on supervision by the EDPS should be deleted, so that it is unambiguous that the ones in Regulation 2018/1725 are applicable, as they give the EDPS more supervisory and enforcement powers. He welcomes the upcoming applicability of the coordinated supervision provisions of Regulation 2018/1725. The EDPS, however, emphasizes that he needs more human and technical resources to live up to the proposed extended supervisory tasks, such as assessing the necessity and proportionality of data received by Europol from Third Countries.

 

EDPS Releases Opinion on the Cybersecurity Strategy and the NIS 2.0 Directive

On 11th March the EDPS issued an Opinion concerning (1) the Union’s Cybersecurity Strategy and (2) the proposal amending the NIS Directive. The EDPS in principle supports the proposed cybersecurity measures, as cybersecurity is also essential for personal data security, as provided for in the GDPR. In his Opinion he advocates for integrating the privacy and data protection aspect into the cybersecurity measures as this ‘will ensure a holistic approach and enable synergies to public and private organisations when managing cybersecurity and protecting the information they process without useless multiplication of efforts.’ At the same time he notes that some of the proposed cybersecurity measures could interfere with individual rights and freedoms. Thus, data protection by design and by default measures should be taken, ‘which will assist in integrating the appropriate safeguards such as pseudonymisation, encryption, data accuracy, data minimization, in the design and use of these technologies and systems.’ He then makes specific recommendations to the proposal, seeking to make the envisaged personal data processing more in line with the necessity and proportionality requirement, of which the following seven deserve special mention: (1) the need to clarify that the EU data protection framework (GDPR and ePrivacy Directive) applies to any personal data processing performed in the framework of the proposal; (2) the need to clarify whether the proposal focuses on ‘cybersecurity’ or ‘security of network and information systems’; (3) the need to clarify what data from the ‘WHOIS data’ might be disclosed and by what authorities data held in the TLD registers might be accessed, i.e. whether also by authorities outside the EEA, and what the criteria for granting access should be; (4) the need to clarify in more narrow terms what kind of proactive scanning CSIRTs may be requested to perform and which personal data this may involve; (5) he reminds that outsourcing cybersecurity should comply with the GDPR, especially with the provisions on data transfers when it is outsourced to a Third Country; (6) he criticizes the possibility for weakening end-to-end encryption through different solutions, including ‘backdoors’; and (7) recommends including measures to ensure the effective supervision by the data protection supervisory authorities as established by the GDPR.

 

EDPB-EDPS Issue Joint Opinion on the Data Governance Act

The EDPB and EDPS have now jointly published the ‘EDPB-EDPS Joint Opinion 03/2021 on the Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)’. In principle, the EDPB and EDPS recognise the legitimacy of the aim of the proposed Act: ‘The EDPB and the EDPS acknowledge the legitimate objective of fostering the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU’. In relation to the substance of the proposed Act, however, they offer the more negative comment that: ‘… the Proposal, also having regard to the Impact Assessment accompanying it, does not duly take into account the need to ensure and guarantee the level of protection of personal data provided under EU law. The EDPB and the EDPS consider that this policy trend toward a data-driven economy framework without a sufficient consideration of personal data protection aspects raises serious concerns from a fundamental rights viewpoint’.
In this regard, they offer critique in relation to numerous aspects of the proposed Act, amongst which the following five: (1) ‘the relationship of the Proposal with Union law in the field of personal data protection’ – including observations on the need to make definitions generally consistent between the Act and other relevant data protection law; (2) ‘Requirements applicable to data sharing service providers’ – including comments as to potential issues of transparency in relation to sharing provisions; (3) ‘Data altruism’ – including comments on the relationship between consent in the proposed Act and in the GDPR; (4) ‘International transfers of data’ – including comments on the scope of the Commission’s implementing powers regarding the conditions of international transfers; and (5) on ‘horizontal provisions on institutional settings[,] complaints[,] European Data Innovation Board (EDIB) expert group[,] delegated acts[,] penalties[,] evaluation and review[,] amendments to the single digital gateway regulation[,] transitional measures and entry into force’ – including comments concerning the role of DPAs as competent authorities in relation to the Act. This is a lengthy and detailed opinion and is worth reading for anyone interested in the development of the European data economy and data protection.

 

EDPB Adopts Documents During 42nd and 43rd Plenary Sessions

The EDPB held its 46th Plenary Session on 9th March. During the sessions the EDPB adopted the following documents:

  • ‘EDPB Work Programme 2021-2022’;
  • ‘EDPB-EDPS Joint Opinion on the Data Governance Act’;
  • ‘Statement on the ePrivacy Regulation’;
  • ‘Guidelines on Virtual Voice Assistants’;
  • ‘Guidelines on Connected Vehicles (following public consultation)’;
  • ‘Guidelines on relevant and reasoned objection (following public consultation)’;
  • ‘EDPB feedback on the candidate European Cybersecurity Certification Scheme for Cloud Services (EUCS)’;
  • ‘Response to MEP Andrzej Halicki on follow-up letter regarding data sharing in the Polish elections’.

The documents are already available for consultation on the EDPB website.

EU Parliament Civil Liberties Committee on GDPR Implementation and Enforcement

On 16th March, the EU Parliament’s Civil Liberties Committee adopted a draft resolution on the evaluation of the GDPR. In the resolution, which was adopted by 41 to 2, the Committee concluded that the GDPR: ‘has been an overall success and that it was not necessary at this stage to update or review the legislation.’ However, the MEPs also made a number of more critical observations. In the first instance, ‘MEPs are concerned that many supervisory authorities across the EU lack sufficient human, technical and financial resources to perform their tasks and exercise their powers effectively… [and that there is] uneven enforcement of the GDPR by national DPAs resulting in the burden of enforcement falling on individual citizens.’ In turn, the MEPs observe that ‘the application of the GDPR has been particularly challenging for small and medium sized enterprises (SMEs) and some other organisations [and in this regard] the MEPs wish to see more support, information and training to be made available by national authorities, the European Commission and the European Data Protection Board (EDPB) to help with the quality of implementation.’ Equally, ‘MEPs are…concerned over abuse of the GDPR by some Member States public authorities in order to curtail journalists and NGOs and underscore that data protection rules should not be used as a way to put pressure on journalists to disclose their sources.’ Further, the MEPs suggest that ‘clear guidance from the DPAs and the EDPB is necessary on the appropriate implementation of the GDPR in public health policies’. The Parliament as a whole will now vote on the non-legislative resolution in the next plenary session – scheduled for 24th-25th March. It will be interesting to see what happens with the resolution moving forward.

 

GDPR Fines Increasingly Appealed

On 15th March the WSJ reported that companies against which EU data protection authorities have issued sanctions have been increasingly appealing such decisions and some of the highest fines have been struck down or significantly reduced by the courts. The WSJ notes that this might signal that the data protection authorities and the courts might disagree about how to enforce the GDPR. This might motivate the companies to continue appealing the fines. In addition, as the WSJ points out, the appeals add an additional burden on what are deemed to be insufficient human and financial resources allocated to the data protection supervisory authorities. Some of the cited reasons for overturning the decisions are not following the legal procedure and other mistakes, especially as pointed out by the Belgian DPA. The article points out another issue from Germany and Austria. In Germany, in the framework of the appeal against the million-euro fine imposed on Deutsche Wohnen SE, a court effectively created the requirement that if the regulator cannot name a specific employee responsible for the infringement, then the fine cannot stand in court. In Austria recently a law came into force, pursuant to which a specific individual needs to be identified and it needs to be proven that he knew about the contested GDPR infringement and did not rectify it. This is reported to make investigations more difficult. Despite the reported difficulties, the WSJ reports that appealing fines might tarnish the reputation of the concerned company, especially if the fine is upheld. We note that it would be interesting to know also what financial costs the DPAs might incur in the course of such appeals and whether DPAs might therefore become less willing to appeal the decisions overturning the contested fines. 

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
