
Annual Report 2019 - Executive Summary


Introduction

2019 could be described as a year of transition, across Europe and the world.

It was the year the world finally woke up to the reality of the climate crisis and demanded action from governments and individuals. The EDPS contributed to the discussion, launching a debate on the role that emerging technologies can play in both exacerbating and alleviating the problem.

It was the year that Hong Kong rose up to protect itself against the dark side of technology, opening the world’s eyes to the dangers of complacency and technological determinism. Protestors’ masks have become a symbol of defiance across the world against the use of surveillance techniques and the debate has taken centre stage in Europe, with EU leaders and policymakers focused on evaluating the legality and morality of the use of facial recognition technologies.

It was also a year of great change for the EU. A new Parliament, a new Commission and even a new (though very familiar!) EDPS took office, bringing with them new priorities and perspectives. With a clear focus on developing an effective response to digital challenges at the top of the EU agenda, it is clear that the EDPS and our colleagues at the European Data Protection Board (EDPB) are in for a busy few years!

With new legislation on data protection in the EU now in place, our greatest challenge moving into 2020 is to ensure that this legislation produces the promised results. This includes ensuring that new rules on ePrivacy remain firmly on the EU agenda. Awareness of the issues surrounding data protection and privacy and the importance of protecting these fundamental rights is at an all-time high and we cannot allow this momentum to decline.

For the EDPS, this includes a continued effort to maintain the highest standards of data protection practice across all EU institutions, bodies, offices and agencies. With an eye on the European Parliament elections in May 2019, the EDPS and other EU data protection authorities (DPAs) worked hard to raise awareness of the dangers of online manipulation, both within and outside the EU institutions, helping to ensure that the elections passed without incident. We followed this up with an investigation into the Parliament’s use of the company NationBuilder to manage its election website, ensuring that citizens’ data is adequately protected when in the hands of an EU institution.

Another EDPS investigation, into contractual agreements between the EU institutions and Microsoft, brought the issue of the EU’s digital sovereignty to the fore. This is undoubtedly an area that both the EDPS and the EU in general will continue to explore over the coming years, as Europe looks to develop its own unique and independent approach to the digital revolution.

Tragically, however, we will have to do this without the help of one of the data protection community’s greatest advocates for the protection and promotion of human dignity.

Giovanni Buttarelli was a visionary thinker in the field of data protection and beyond, who led the EDPS as both Supervisor and Assistant Supervisor for almost ten years. His actions and achievements over the course of his career have shaped data protection across the EU and globally. This Annual Report serves as a tribute from his staff to him and his vision of an EU that leads by example in the debate on data protection and privacy in the digital age.

Wojciech Wiewiórowski
European Data Protection Supervisor

2019 - An Overview

In 2019 we reached the end of a five-year supervisory mandate at the EDPS, which began with the appointment of Giovanni Buttarelli and Wojciech Wiewiórowski as EDPS and Assistant Supervisor respectively in December 2014. At the start of this mandate, we published the EDPS Strategy 2015-2019, which has served as the inspiration for our work over the past five years.

Our work in 2019 therefore focused on consolidating the achievements of the preceding years, assessing the progress made and starting to define priorities for the future.

Sadly, in August 2019, EDPS Giovanni Buttarelli passed away. He leaves behind a legacy that will shape not only the future of the EDPS, but the future of data protection globally.

In December 2019, former Assistant Supervisor Wojciech Wiewiórowski was appointed by the Council and the European Parliament as the new EDPS and began work on defining a new EDPS Strategy for the 2019-2024 mandate. In accordance with the new rules on data protection in the EU institutions, the position of Assistant Supervisor was abolished.

The new EDPS Strategy will be published in March 2020 and will define our priorities and objectives for the years to come.

2.1 A new chapter for data protection

In 2019, the EU’s new data protection framework celebrated its first anniversary. One of the three objectives set out in our Strategy 2015-2019 was to open a new chapter for EU data protection. Our work in 2019 therefore focused on putting the new rules into practice.

In the case of the General Data Protection Regulation (GDPR), this meant continuing to provide and support the secretariat of the European Data Protection Board (EDPB), while also contributing fully as a member of the EDPB. Made up of the 28 EU Member State data protection authorities (DPAs) and the EDPS, the EDPB is responsible for ensuring the consistent implementation of the GDPR across the EU.

As a member of the EDPB, we contributed to several initiatives in 2019. This included working with the EDPB to produce the first joint EDPS and EDPB Opinion, on the processing of patient data through the EU’s eHealth network, as well as issuing joint advice to the European Parliament on the EU response to the US CLOUD Act, which gives US law enforcement authorities the power to request the disclosure of data by US service providers, regardless of where in the world this data is stored.

December 2019 marked a year since the new data protection rules for the EU institutions - set out in Regulation (EU) 2018/1725 - came into force. Our focus over the year was therefore on ensuring that the EU institutions were able to effectively implement these rules. This involved continuing to work closely with the Data Protection Officers (DPOs) in the EU institutions to assess the progress made and discuss how to overcome any of the challenges encountered, as well as continuing our programme of data protection training activities for EU institution employees.

  @EU_EDPS

#EDPS training on new #dataprotection regulation for #EUinstitutions addressed to high-level management at @Europarl_EN - @W_Wiewiorowski stresses the importance of #transparency of operations and #accountability in the heart of #EU #democracy

In addition to this, we also stepped up our enforcement activities, making use of the powers granted to the EDPS under the new Regulation. In June 2019, for example, we announced the results of our first round of remote inspections of EU institution websites, highlighting several areas in which the EU institutions concerned needed to improve.

One area in which we were particularly active over the course of 2019 was in conducting investigations into the data processing activities of the EU institutions. The EDPS launched four investigations in 2019, addressing a variety of issues. Our aim is to ensure that these investigations leave a lasting, positive impact, strengthening cooperation between the EDPS and the institutions concerned, improving the data protection practices of the EU institutions and ensuring the highest levels of protection for all individuals.

  @EU_EDPS

#EDPS investigation into IT contracts: stronger cooperation to better protect #rights of all individuals - Read the press release: europa.eu/!uk73nK

Our investigation into the use of Microsoft products and services by EU institutions is a particularly good example of this, having resulted in the establishment of The Hague Forum. Set to meet for the second time in early 2020, the Forum provides a platform for discussion on both how to take back control over the IT services and products offered by the big IT service providers and the need to collectively create standard contracts instead of accepting the terms and conditions as they are written by these providers.

New legislation is also in place for two of the EU’s law enforcement agencies. The EDPS is now well established as the data protection supervisor for operational activities at Europol, the EU body responsible for supporting the law enforcement authorities of the Member States in the fight against serious international crime and terrorism. In late 2019 we also took over similar responsibilities at Eurojust, the EU agency responsible for supporting and improving coordination and cooperation between the competent judicial authorities in the EU Member States on matters relating to serious organised crime.

  @EU_EDPS

#EDPS takes on a new supervisory role at Eurojust - A new supervisory framework for the processing of personal data at the EU Agency for Criminal Justice Cooperation (Eurojust) comes into force today. Read press release europa.eu/!qG87gn

With public security certain to remain an important policy concern for the EU over the coming years, we are determined to ensure that the EU is able to achieve increased security without applying any undue restriction to individual data protection rights. Our roles at Europol and Eurojust therefore focus on ensuring increased operational effectiveness while ensuring that fundamental rights, including the rights to data protection and privacy, are adequately protected.

2.2 Providing guidance and advice

Improving the security of EU borders is a priority for the EU legislator and will remain so over the coming years. The EDPS therefore continues to provide advice and guidance to the European Commission, the European Parliament and the Council on new initiatives in this area, while also working with national DPAs and EU institutions to ensure the continued security of EU information systems.

While we recognise the need for greater EU security, this should not come at the expense of data protection and privacy. EDPS Opinions on proposals such as an EU-US agreement on cross-border access to electronic evidence and European Production and Preservation Orders for electronic evidence in criminal matters all aim to ensure that both the personal data rights of the individuals concerned and EU borders are protected.

We also continued our close cooperation with DPAs to ensure effective and coordinated supervision of the EU’s large-scale IT databases, used to support EU policies on asylum, border management, police cooperation and migration.

In addition to this, we have endeavoured to provide policymakers with tools to help assess the compliance of proposed EU measures that would impact the fundamental rights to privacy and the protection of personal data with the Charter of Fundamental Rights. On 19 December 2019, we published our Guidelines on assessing proportionality. Combined with our Necessity Toolkit, these Guidelines provide practical guidance for policymakers, helping to simplify the challenges they face in assessing the necessity and proportionality of certain policy proposals and therefore ensure that fundamental rights are adequately protected.

Our guidance is not limited to policymakers, however. In 2019 we also issued Guidelines on the roles and concepts of controller, processor and joint controllership, in an attempt to clarify these concepts and help those working in the EU institutions to better understand their roles and comply with data protection rules.

In addition to this, a significant focus of our work in 2019 was on developing and sharing technological expertise. With so much of our lives now reliant on the use of technology, this expertise is essential to ensuring effective data protection and the EDPS has consistently aimed to take the lead in sharing helpful analyses of new technological developments.

Through our TechDispatch publication, launched in July 2019, we contribute to the ongoing discussion on new technologies and data protection. Focusing on a different emerging technology each issue, we aim to provide information on the technology itself, an assessment of its possible impact on privacy and data protection and links to further reading on the topic.

  @EU_EDPS

#EDPS Website Evidence Collector receives Global #Privacy & #DataProtection Award for innovation at #ICDPPC2019! @W_Wiewiorowski The award emphasises that DPAs can approach enforcement tasks in technically sophisticated way to address new DP challenges europa.eu/!ph37BY

Following the first round of our remote inspections of EU institution websites, we also took the step of publicly sharing the Website Evidence Collector (WEC) tool developed by the EDPS. The tool is available on the EDPS website and on the code collaboration platform GitHub as free software and allows for the collection of automated evidence of personal data processing. By sharing the WEC, we hope to provide DPAs, privacy professionals, data controllers and web developers with the tools to carry out their own website inspections.

Lastly, we continued our work on developing the Internet Privacy Engineering Network (IPEN), which brings together experts from a range of different areas to encourage the development of engineering solutions to privacy problems. Five years on from when it was first established, IPEN is now in a position to move beyond more general discussion of the issues surrounding privacy engineering and towards a more targeted approach, focused on developing practical solutions to privacy engineering problems.

  @EU_EDPS

Looking back on 5 years #EDPS #IPEN - The Internet Privacy Engineering Network (IPEN) aims to encourage privacy-friendly technological development through the promotion of state of the art practices in #privacy engineering

2.3 An international approach to data protection

Over the past five years, the EDPS has dedicated significant time and energy to the development of greater data protection convergence globally. While data flows internationally, across borders, data protection rules are still decided on a largely national, and at best regional, basis.

Throughout 2019 we have therefore continued to work with our regional and international partners to mainstream data protection into international agreements and ensure consistent protection of personal data worldwide. In particular, we have worked closely with the EDPB on the topic of international data transfers, participating in the review of the Privacy Shield agreement for data transfers between the EU and the US, as well as the EDPB contribution to the hearing on the Schrems case at the EU Court of Justice, focused on the legality of standard contractual clauses for data transfers.

  @EU_EDPS

#ePrivacy & its future developments discussed by experts from #EU institutions and national authorities at Berlin Group meeting - #EDPS @W_Wiewiorowski, #LIBE @BirgitSippelMEP, #EU2019FI @kpieti, #EC Peter Eberl, Berlin #DataProtection Commissioner Maja Smoltczyk

We also persisted in the pursuit of our goal to foster global debate on digital ethics. Building on the success of the 2018 International Conference of Data Protection and Privacy Commissioners, co-hosted by the EDPS in Brussels, in 2019 we sought to ensure that the debate on ethics in the digital sphere continued to move forward. We therefore launched a series of webinars, which we published in the form of a podcast on our website. Each webinar focused on a specific area of concern identified during the conference, allowing us to explore the topic in more detail.

Discussion on digital ethics also continued at the 2019 International Conference, both through the working group on Artificial Intelligence, Ethics and Data Protection, and through the organisation of an EDPS side event, focused on the environmental impact of digital technologies.

2.4 Internal administration

The size and responsibilities of the EDPS continue to increase. A priority for the EDPS Human Resources, Budget and Administration (HRBA) unit in 2019 was therefore to ensure that the EDPS has the appropriate resources to carry out its tasks. This included the completion of a competition for experts in the area of data protection and the publication of a reserve list from which to draw new staff members, as well as stepping up efforts to maximise and acquire office space to accommodate our growing population.

We also endeavoured to improve learning and development opportunities for existing staff members, in particular through the launch of an internal coaching initiative. In addition, significant progress was made in the areas of finance and procurement, with the introduction of more efficient processes for financial operations; this will continue to be an area to work on in 2020.

As we begin the new mandate, our focus will be on continuing to improve the efficiency of administrative processes, in order to ensure that the EDPS is well equipped to respond to new challenges in data protection.

2.5 Communicating data protection

The reach and influence of EDPS communications is constantly expanding. Effective communication is vitally important in ensuring that information on EDPS activities reaches the relevant external audience.

With public interest and engagement with data protection increasing, our communication efforts in 2019 aimed to build on successes of previous years and reinforce our status as a respected, international leader in the data protection field. This involved sustained efforts in several areas, including online media, events and publications and external relations with press and stakeholders.

With a new mandate now underway, our focus for the coming year will be on continuing to develop our communications tools to support the successful implementation of the new Strategy, to be published in March 2020.

2.6 Key Performance Indicators 2019

We use a number of key performance indicators (KPIs) to help us monitor our performance. This ensures that we are able to adjust our activities, if required, to increase the impact of our work and the efficiency of our use of resources. Our KPIs reflect the strategic objectives and action plan defined in our Strategy 2015-2019.

The KPI scoreboard below contains a brief description of each KPI and the results on 31 December 2019. In most cases, these results are measured against initial targets.

In 2019, we met or surpassed - in some cases significantly - the targets set in six out of the eight KPIs, with KPI 2 just falling short of the set target.

These results reflect the positive outcome we have had in implementing relevant strategic objectives during the last year of the 2015-2019 Strategy.

Finally, KPI 7 cannot be measured in 2019, as the staff survey is conducted only once every two years.

KEY PERFORMANCE INDICATORS - RESULTS AT 31.12.2019 AND TARGET 2019

Objective 1 - Data Protection goes digital

KPI 1 (Internal Indicator)
Number of initiatives promoting technologies to enhance privacy and data protection organised or co-organised by EDPS
Results at 31.12.2019: 9 initiatives
Target 2019: 9 initiatives

KPI 2 (Internal & External Indicator)
Number of activities focused on cross-disciplinary policy solutions (internal & external)
Results at 31.12.2019: 7 activities
Target 2019: 8 activities

Objective 2 - Forging global partnerships

KPI 3 (Internal Indicator)
Number of cases dealt with at international level (EDPB, CoE, OECD, GPEN, International Conferences) for which EDPS has provided a substantial written contribution
Results at 31.12.2019: 62 cases
Target 2019: 10 cases

Objective 3 – Opening a new chapter for EU Data Protection

KPI 4 (External Indicator)
Number of opinions/comments issued in response to consultation requests (COM, EP, Council, DPAs...)
Results at 31.12.2019: 26 consultations
Target 2019: 10 consultations

KPI 5 (External Indicator)
Level of satisfaction of DPOs/DPCs/controllers on cooperation with EDPS and guidance, including satisfaction of data subjects as to training
Results at 31.12.2019: 90%
Target 2019: 70%

Enablers – Communication and management of resources

KPI 6 (External Indicator)
Number of followers on the EDPS social media accounts (Twitter, LinkedIn, YouTube)
Results at 31.12.2019: 40421 (L: 20357, T: 18424, Y: 1640)
Target 2019: Number of followers of previous year + 10%

KPI 7 (Internal Indicator)
Level of Staff satisfaction
Results at 31.12.2019: N/A
Target 2019: 75%

KPI 8 (Internal Indicator)
Budget implementation
Results at 31.12.2019: 91.69%
Target 2019: 90%


Contact

Further details about the EDPS can be found on our website at http://www.edps.europa.eu.

The website also details a subscription feature to our newsletter.

 


Luxembourg: Publications Office of the European Union, 2019

© Photos: iStockphoto/EDPS & European Union

© European Union, 2019

Reproduction is authorised provided the source is acknowledged.

Print ISBN 978-92-9242-531-9 ISSN 1831-0494 doi:10.2804/937854 QT-AB-20-001-EN-C
PDF ISBN 978-92-9242-541-8 ISSN 1831-0508 doi:10.2804/73413 QT-AB-20-001-ES-N
HTML ISBN 978-92-9242-530-2 ISSN 1977-8333 doi:10.2804/31125 QT-AB-20-001-EN-Q