2019 could be described as a year of transition, across Europe and the world.
It was the year the world finally woke up to the reality of the climate crisis and demanded action from governments and individuals. The EDPS contributed to the discussion, launching a debate on the role that emerging technologies can play in both exacerbating and alleviating the problem.
It was the year that Hong Kong rose up to protect itself against the dark side of technology, opening the world’s eyes to the dangers of complacency and technological determinism. Protestors’ masks have become a symbol of defiance across the world against the use of surveillance techniques and the debate has taken centre stage in Europe, with EU leaders and policymakers focused on evaluating the legality and morality of the use of facial recognition technologies.
It was also a year of great change for the EU. A new Parliament, a new Commission and even a new (though very familiar!) EDPS took office, bringing with them new priorities and perspectives. With a clear focus on developing an effective response to digital challenges at the top of the EU agenda, it is clear that the EDPS and our colleagues at the European Data Protection Board (EDPB) are in for a busy few years!
With new legislation on data protection in the EU now in place, our greatest challenge moving into 2020 is to ensure that this legislation produces the promised results. This includes ensuring that new rules on ePrivacy remain firmly on the EU agenda. Awareness of the issues surrounding data protection and privacy and the importance of protecting these fundamental rights is at an all time high and we cannot allow this momentum to decline.
For the EDPS, this includes a continued effort to maintain the highest standards of data protection practice across all EU institutions, bodies, offices and agencies. With an eye on the European Parliament elections in May 2019, the EDPS and other EU data protection authorities (DPAs) worked hard to raise awareness of the dangers of online manipulation, both within and outside the EU institutions, helping to ensure that the elections passed without incident. We followed this up with an investigation into the Parliament’s use of the company NationBuilder to manage its election website, ensuring that citizens’ data is adequately protected when in the hands of an EU institution.
Another EDPS investigation, into contractual agreements between the EU institutions and Microsoft, brought the issue of the EU’s digital sovereignty to the fore. This is undoubtedly an area that both the EDPS and the EU in general will continue to explore over the coming years, as Europe looks to develop its own unique and independent approach to the digital revolution.
Tragically, however, we will have to do this without the help of one of the data protection community’s greatest advocates for the protection and promotion of human dignity.
Giovanni Buttarelli was a visionary thinker in the field of data protection and beyond, who led the EDPS as both Supervisor and Assistant Supervisor for almost ten years. His actions and achievements over the course of his career have shaped data protection across the EU and globally. This Annual Report serves as a tribute from his staff to him and his vision; of an EU that leads by example in the debate on data protection and privacy in the digital age.
2019 - An Overview
In 2019 we reached the end of a five-year supervisory mandate at the EDPS, which began with the appointment of Giovanni Buttarelli and Wojciech Wiewiórowski as EDPS and Assistant Supervisor respectively in December 2014. At the start of this mandate, we published the EDPS Strategy 2015-2019, which has served as the inspiration for our work over the past five years.
Our work in 2019 therefore focused on consolidating the achievements of the preceding years, assessing the progress made and starting to define priorities for the future.
Sadly, in August 2019, EDPS Giovanni Buttarelli passed away. He leaves behind a legacy that will shape not only the future of the EDPS, but the future of data protection globally.
In December 2019, former Assistant Supervisor Wojciech Wiewiórowski was appointed by the Council and the European Parliament as the new EDPS and began work on defining a new EDPS Strategy for the 2019-2024 mandate. In accordance with the new rules on data protection in the EU institutions, the position of Assistant Supervisor was abolished.
The new EDPS Strategy will be published in March 2020 and will define our priorities and objectives for the years to come.
2.1 A new chapter for data protection
In 2019, the EU’s new data protection framework celebrated its first anniversary. One of the three objectives set out in our Strategy 2015-2019 was to open a new chapter for EU data protection. Our work in 2019 therefore focused on putting the new rules into practice.
In the case of the General Data Protection Regulation (GDPR), this meant continuing to provide and support the secretariat of the European Data Protection Board (EDPB), while also contributing fully as a member of the EDPB. Made up of the 28 EU Member State data protection authorities (DPAs) and the EDPS, the EDPB is responsible for ensuring the consistent implementation of the GDPR across the EU.
As a member of the EDPB, we contributed to several initiatives in 2019. This included working with the EDPB to produce the first joint EDPS and EDPB Opinion, on the processing of patient data through the EU’s eHealth network, as well as issuing joint advice to the European Parliament on the EU response to the US CLOUD Act, which gives US law enforcement authorities the power to request the disclosure of data by US service providers, regardless of where in the world this data is stored.
December 2019 marked a year since the new data protection rules for the EU institutions - set out in Regulation (EU) 2018/1725 - came into force. Our focus over the year was therefore on ensuring that the EU institutions were able to effectively implement these rules. This involved continuing to work closely with the Data Protection Officers (DPOs) in the EU institutions to assess the progress made and discuss how to overcome any of challenges encountered, as well as continuing our programme of data protection training activities for EU institution employees.
#EDPS training on new #dataprotection regulation for #EUinstitutions addressed to high-level management at @Europarl_EN - @W_Wiewiorowski stresses the importance of #transparency of operations and #accountability in the heart of #EU #democracy
In addition to this, we also stepped up our enforcement activities, making use of the powers granted to the EDPS under the new Regulation. In June 2019, for example, we announced the results of our first round of remote inspections of EU institution websites, highlighting several areas in which the EU institutions concerned needed to improve.
One area in which we were particularly active over the course of 2019 was in conducting investigations into the data processing activities of the EU institutions. The EDPS launched four investigations in 2019, addressing a variety of issues. Our aim is to ensure that these investigations leave a lasting, positive impact, strengthening cooperation between the EDPS and the institutions concerned, improving the data protection practices of the EU institutions and ensuring the highest levels of protection for all individuals.
#EDPS investigation into IT contracts: stronger cooperation to better protect #rights of all individuals - Read the press release: europa.eu/!uk73nK
Our investigation into the use of Microsoft products and services by EU institutions is a particularly good example of this, having resulted in the establishment of The Hague Forum. Set to meet for the second time in early 2020, the Forum provides a platform for discussion on both how to take back control over the IT services and products offered by the big IT service providers and the need to collectively create standard contracts instead of accepting the terms and conditions as they are written by these providers.
New legislation is also in place for two of the EU’s law enforcement agencies. The EDPS is now well established as the data protection supervisor for operational activities at Europol, the EU body responsible for supporting the law enforcement authorities of the Member States in the fight against serious international crime and terrorism. In late 2019 we also took over similar responsibilities at Eurojust, the EU agency responsible for supporting and improving coordination and cooperation between the competent judicial authorities in the EU Member States on matters relating to serious organised crime.
#EDPS takes on a new supervisory role at Eurojust - A new supervisory framework for the processing of personal data at the EU Agency for Criminal Justice Cooperation (Eurojust) comes into force today. Read press release europa.eu/!qG87gn
With public security certain to remain an important policy concern for the EU over the coming years, we are determined to ensure that the EU is able to achieve increased security without applying any undue restriction to individual data protection rights. Our roles at Europol and Eurojust therefore focus on ensuring increased operational effectiveness while ensuring that fundamental rights, including the rights to data protection and privacy, are adequately protected.
2.2 Providing guidance and advice
Improving the security of EU borders is a priority for the EU legislator and will remain so over the coming years. The EDPS therefore continues to provide advice and guidance to the European Commission, the European Parliament and the Council on new initiatives in this area, while also working with national DPAs and EU institutions to ensure the continued security of EU information systems.
While we recognise the need for greater EU security, this should not come at the expense of data protection and privacy. EDPS Opinions on proposals such as an EU-US agreement on cross-border access to electronic evidence and European Production and Preservation Orders for electronic evidence in criminal matters, all aim to ensure that both the personal data rights of the individuals concerned and EU borders are protected.
We also continued our close cooperation with DPAs to ensure effective and coordinated supervision of the EU’s large-scale IT databases, used to support EU policies on asylum, border management, police cooperation and migration.
In addition to this, we have endeavoured to provide policymakers with tools to help assess the compliance of proposed EU measures that would impact the fundamental rights to privacy and the protection of personal data with the Charter of Fundamental Rights. On 19 December 2019, we published our Guidelines on assessing proportionality. Combined with our Necessity Toolkit, these Guidelines provide practical guidance for policymakers helping to simplify the challenges they face in assessing the necessity and proportionality of certain policy proposals and therefore ensure that fundamental rights are adequately protected.
Our guidance is not limited to policymakers, however. In 2019 we also issued Guidelines on the roles and concepts of controller, processor and joint controllership, in an attempt to clarify these concepts and help those working in the EU institutions to better understand their roles and comply with data protection rules.
In addition to this, a significant focus of our work in 2019 was on developing and sharing technological expertise. With so much of our lives now reliant on the use of technology, this expertise is essential to ensuring effective data protection and the EDPS has consistently aimed to take the lead in sharing helpful analyses of new technological developments.
Through our TechDispatch publication, launched in July 2019, we contribute to the ongoing discussion on new technologies and data protection. Focusing on a different emerging technology each issue, we aim to provide information on the technology itself, an assessment of its possible impact on privacy and data protection and links to further reading on the topic.
#EDPS Website Evidence Collector receives Global #Privacy & #DataProtection Award for innovation at #ICDPPC2019! @W_Wiewiorowski The award emphasises that DPAs can approach enforcement tasks in technically sophisticated way to address new DP challenges europa.eu/!ph37BY
Following the first round of our remote inspections of EU institution websites, we also took the step of publicly sharing the Website Evidence Collector (WEC) tool developed by the EDPS. The tool is available on the EDPS website and on the code collaboration platform GitHub as free software and allows for the collection of automated evidence of personal data processing. By sharing the WEC, we hope to provide DPAs, privacy professionals, data controllers and web developers with the tools to carry out their own website inspections.
Lastly, we continued our work on developing the Internet Privacy Engineering Network (IPEN), which brings together experts from a range of different areas to encourage the development of engineering solutions to privacy problems. Five years on from when it was first established, IPEN is now in a position to move beyond more general discussion of the issues surrounding privacy engineering and towards a more targeted approach, focused on developing practical solutions to privacy engineering problems.
Looking back on 5 years #EDPS #IPEN - The Internet Privacy Engineering Network (IPEN) aims to encourage privacy-friendly technological development through the promotion of state of the art practices in #privacy engineering
2.3 An international approach to data protection
Over the past five years, the EDPS has dedicated significant time and energy to the development of greater data protection convergence globally. While data flows internationally, across borders, data protection rules are still decided on a largely national, and at best regional, basis.
Throughout 2019 we have therefore continued to work with our regional and international partners to mainstream data protection into international agreements and ensure consistent protection of personal data worldwide. In particular, we have worked closely with the EDPB on the topic of international data transfers, participating in the review of the Privacy Shield agreement for data transfers between the EU and the US, as well as the EDPB contribution to the hearing on the Schrems case at the EU Court of Justice, focused on the legality of standard contractual clauses for data transfers.
#ePrivacy & its future developments discussed by experts from #EU institutions and national authorities at Berlin Group meeting - #EDPS @W_Wiewiorowski, #LIBE @BirgitSippelMEP, #EU2019FI @kpieti, #EC Peter Eberl, Berlin #DataProtection Commissioner Maja Smoltczyk
We also persisted in the pursuit of our goal to foster global debate on digital ethics. Building on the success of the 2018 International Conference of Data Protection and Privacy Commissioners, co-hosted by the EDPS in Brussels, in 2019 we sought to ensure that the debate on ethics in the digital sphere continued to move forward. We therefore launched a series of webinars, which we published in the form of a podcast on our website. Each webinar focused on a specific area of concern identified during the conference, allowing us to explore the topic in more detail.
Discussion on digital ethics also continued at the 2019 International Conference, both through the working group on Artificial Intelligence, Ethics and Data Protection, and through the organisation of an EDPS side event, focused on the environmental impact of digital technologies.
2.4 Internal administration
The size and responsibilities of the EDPS continue to increase. A priority for the EDPS Human Resources, Budget and Administration (HRBA) unit in 2019 was therefore to ensure that the EDPS has the appropriate resources to carry out its tasks. This included the completion of a competition for experts in the area of data protection and the publication of a reserve list from which to draw new staff members, as well as stepping up efforts to maximise and acquire office space to accommodate our growing population.
We also endeavoured to improve learning and development opportunities for existing staff members, in particular through the launch of an internal coaching initiative. In addition, significant progress was made in the areas of finance and procurement, with the introduction of more efficient processes for financial operations; this will continue to be an area to work on in 2020.
As we begin the new mandate, our focus will be on continuing to improve the efficiency of administrative processes, in order to ensure that the EDPS is well equipped to respond to new challenges in data protection.
2.5 Communicating data protection
The reach and influence of EDPS communications is constantly expanding. Effective communication is vitally important in ensuring that information on EDPS activities reaches the relevant external audience.
With public interest and engagement with data protection increasing, our communication efforts in 2019 aimed to build on successes of previous years and reinforce our status as a respected, international leader in the data protection field. This involved sustained efforts in several areas, including online media, events and publications and external relations with press and stakeholders.
With a new mandate now underway, our focus for the coming year will be on continuing to develop our communications tools to support the successful implementation of the new Strategy, to be published in March 2020.
2.6 Key Performance Indicators 2019
We use a number of key performance indicators (KPIs) to help us monitor our performance. This ensures that we are able to adjust our activities, if required, to increase the impact of our work and the efficiency of our use of resources. Our KPIs reflect the strategic objectives and action plan defined in our Strategy 2015-2019.
The KPI scoreboard below contains a brief description of each KPI and the results on 31 December 2019. In most cases, these results are measured against initial targets.
In 2019, we met or surpassed - in some cases significantly - the targets set in six out of the eight KPIs, with KPI 2 just falling short of the set target.
These results reflect the positive outcome we have had in implementing relevant strategic objectives during the last year of the 2015-2019 Strategy.
Finally, KPI 7 cannot be measured in 2019, as the staff survey is conducted only once every two years.
|KEY PERFORMANCE INDICATORS
|RESULTS AT 31.12.2019
|Objective 1 - Data Protection goes digital
|Number of initiatives promoting technologies to enhance privacy and data protection organised or co-organised by EDPS
Internal & External Indicator
|Number of activities focused on cross-disciplinary policy solutions (internal & external)
|Objective 2 - Forging global partnerships
|Number of cases dealt with at international level (EDPB, CoE, OECD, GPEN, International Conferences) for which EDPS has provided a substantial written contribution
|Objective 3 – Opening a new chapter for EU Data Protection
|Number of opinions/comments issued in response to consultation requests (COM, EP, Council, DPAs...)
|Level of satisfaction of DPOs/DPCs/controllers on cooperation with EDPS and guidance, including satisfaction of data subjects as to training
|Enablers – Communication and management of resources
|Number of followers on the EDPS social media accounts (Twitter, LinkedIn, YouTube)
|40421 (L: 20357, T: 18424, Y: 1640)
|Number of followers of previous year + 10%
|Level of Staff satisfaction
GETTING IN TOUCH WITH THE EU
All over the European Union there are hundreds of Europe Direct information centres. You can find the address of the centre nearest you at: https://europa.eu/european-union/contact_en
On the phone or by email
Europe Direct is a service that answers your questions about the European Union. You can contact this service:
- by freephone: 00 800 6 7 8 9 10 11 (certain operators may charge for these calls),
- at the following standard number: +32 22999696 or
- by email via: https://europa.eu/european-union/contact_en
FINDING INFORMATION ABOUT THE EU
Information about the European Union in all the official languages of the EU is available on the Europa website at: https://europa.eu/european-union/index_en
You can download or order free and priced EU publications at: https://publications.europa.eu/en/publications. Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see https://europa.eu/european-union/contact_en).
EU law and related documents
For access to legal information from the EU, including all EU law since 1952 in all the official language versions, go to EUR-Lex at: http://eur-lex.europa.eu
Open data from the EU
The EU Open Data Portal (http://data.europa.eu/euodp/en) provides access to datasets from the EU. Data can be downloaded and reused for free, both for commercial and non-commercial purposes.
Further details about the EDPS can be found on our website at http://www.edps.europa.eu.
The website also details a subscription feature to our newsletter.
Luxembourg: Publications Office of the European Union, 2019
© Photos: iStockphoto/EDPS & European Union
© European Union, 2019
Reproduction is authorised provided the source is acknowledged.