The EDPS aims to ensure that EU institutions are not only aware of their data protection obligations, but can also be held accountable for complying with them. We have several tools we can use, all of which are aimed at encouraging the development of a data protection culture in the EU institutions:

•  Prior checks/Prior consultations: Under Regulation 45/2001, EU institutions and bodies had to inform the EDPS of any procedure they planned to carry out which might have posed a risk to the protection of personal data. We examined the proposals and provided recommendations on how to address these risks. Under the new Regulation, prior checks no longer exist in this form. However, in certain cases, EU institutions and bodies must consult the EDPS after carrying out a data protection impact assessment for a planned risky procedure.

•  Complaints: We handle complaints from individuals relating to the processing of personal data by the EU institutions. We investigate these complaints and decide on the best way to handle them.

•  Monitoring compliance: The EDPS is responsible for ensuring that all EU institutions and bodies comply with data protection rules. We monitor compliance in various ways, including through visits and inspections.

•  Consultations on administrative measures: We issue Opinions on administrative measures relating to the processing of personal data, either in response to a specific request from an EU institution or on our own initiative.

•  Guidance: We issue Guidelines for the EU institutions, designed to help them better implement data protection principles and comply with data protection rules.

•  Working with Data Protection Officers (DPOs): Each EU institution and body must appoint a DPO, who is responsible for ensuring that their institution complies with data protection rules. We work closely with DPOs, providing them with training and support to help them perform their role effectively.

•  Training the EU institutions and bodies: We provide training sessions for managers and staff members of the EU institutions and bodies. These help to ensure compliance with data protection rules and respect for the rights and freedoms of individuals, and to encourage the development of a data protection culture within each institution. These training sessions focus on helping institutions to go beyond compliance and demonstrate accountability.

The EDPS acts as an advisor on data protection issues to the EU legislator. We aim to ensure that data protection requirements are integrated into all new legislation, policy initiatives and international agreements. This is done by providing guidance on proposed legislation to the European Commission, as the institution with the right of legislative initiative, and the European Parliament and the Council, as co-legislators. We use several tools to help us:

•  Informal Comments: In line with established practice, the Commission consults the EDPS informally before adopting a proposal with implications for data protection. This allows us to provide them with input at an early stage of the legislative process, usually in the form of informal comments, which are not published.

•  Opinions: Our formal Opinions are available on our website and are published in the Official Journal of the EU. We use them to highlight our main data protection concerns and recommendations on legislative proposals. They are addressed to all three EU institutions involved in the legislative process.

•  Formal Comments: Like our Opinions, our formal Comments address the data protection implications of legislative proposals. However, they are usually shorter and more technical, or only address certain aspects of a proposal. We publish them on our website.

•  Court Cases: We can intervene and offer our data protection expertise before the EU courts either on behalf of one of the parties in a case or at the invitation of the Courts.

•  Cooperation with national DPAs: We cooperate with national DPAs through the EDPB, which ensures the consistent application of the GDPR through guidelines, recommendations and best practices, opinions and binding decisions, and provides the European Commission with advice on data protection issues. We also work with national DPAs to ensure a consistent and coordinated approach to the supervision of a number of EU databases.

Many new technologies process personal data in a range of different and innovative ways. The aim of this data processing is often to gain economic or other benefits. Data protection and privacy measures must adequately address new technological developments. This will ensure that individuals are protected from the risks these new data processing activities might entail.

The EDPS monitors technological developments and their impact on data protection and privacy. Knowledge and expertise in this area allows us to effectively perform our supervision and consultation tasks. This capacity and competence will only continue to grow in importance, due to the changes introduced by the GDPR and the new Regulation for the EU institutions and bodies. Our activities include:

•  Monitoring and responding to technological developments: We monitor technological developments, events and incidents and assess their impact on data protection. This allows us to provide advice on technical matters, particularly in relation to EDPS supervision and consultation tasks.

•  Promoting privacy engineering: In 2014 we launched the Internet Privacy Engineering Network (IPEN) in collaboration with national DPAs, developers and researchers from industry and academia and civil society representatives. Our aim is to both develop engineering practices which incorporate privacy concerns and encourage engineers to build privacy mechanisms into internet services, standards and apps.

•  Establishing the state of the art in data protection by design: With the GDPR and Regulation 2018/1725 now fully applicable, it has become a legal obligation for all controllers to take account of the state of the art of data protection friendly technology when designing, maintaining and operating IT systems for the processing of personal data. In order to ensure consistent application of this rule across the entire EU, it is important that DPAs establish a common understanding of the state of the art and its development. With this in mind, the EDPS cooperates with the national supervisory authorities to assess and evaluate existing and developing technological and organisational options.

•  Keeping track of IT at the EDPS: As the data protection supervisor for the EU institutions, we should set the standard for data protection compliance. We therefore continually monitor and improve the technology used by the EDPS to ensure that it works effectively and efficiently while remaining in line with data protection requirements.

One of the three objectives set out in our Strategy was to open a new chapter for EU data protection. Technological development is moving at a rapid pace and the way in which we live, as individuals and as a society, is also changing rapidly to accommodate this. Logically, the EU’s data protection rules also required an update, not aimed at slowing down innovation, but at ensuring that individuals’ fundamental rights are protected in the digital era.

On 25 May 2018, new data protection legislation became fully applicable to all companies and organisations operating in the EU Member States. The General Data Protection Regulation (GDPR) marked the first step towards ensuring comprehensive and effective protection of personal data and privacy for all individuals in the EU.

With this new legislation came the establishment of the European Data Protection Board (EDPB) (see section 4.1.1). Made up of the 28 EU Member State data protection authorities (DPAs) and the EDPS, this new body is entrusted with ensuring the consistent implementation of the GDPR across the EU. Charged with providing the secretariat for this new EU body, a significant amount of our time and effort in early 2018 went into ensuring that the Board would be prepared to deal with its heavy workload from day one of the new Regulation. We have continued to support the EDPB secretariat administratively throughout the year, as well as participating fully as a member of the Board itself.

We moved yet another step closer to achieving a comprehensive framework for data protection with the adoption of new rules for the EU institutions and bodies. Regulation 2018/1725 came into force on 11 December 2018, bringing the rules for the EU institutions in line with the rules set out in the GDPR (see section 4.1.2).

As the supervisory authority for data protection in the EU institutions and bodies, we faced the significant challenge of ensuring that they were all prepared for these new rules. In 2017, we embarked on a campaign of visits, training sessions and meetings (see figure 2), which intensified over the course of 2018. These were aimed at raising awareness and about the new rules and helping to ensure that the EU institutions had the knowledge and tools to put them into practice.

A specific focus of these activities was on encouraging the development of a culture of accountability within the EU institutions. We wanted to ensure that they not only comply with data protection rules, but that they can demonstrate this compliance. Integral to this was creating awareness that the processing of personal data, even when done lawfully, can put the rights and freedoms of individuals at risk. These activities will continue into 2019, as we endeavour to ensure that the EU institutions lead the way in the application of new data protection rules.

The misuse of personal data for tracking and profiling purposes and the role of technology in our society was a topic of significant public debate in 2018. The EDPS and the data protection community in general were at the forefront of this debate, with the EDPS contributing on two main fronts: through our Opinion on online manipulation and personal data (see section 4.4.17) and our Opinion on Privacy by Design (see section 4.1.4).

While the former focused on the need to extend the scope of protection afforded to individuals’ interests in today’s digital society, the latter looked to address the new challenges resulting from technological and legal developments. On the legal side, the new generation of data protection rules laid down in the GDPR, Directive 2016/680 and Regulation 2018/1725 on the processing of personal data by EU institutions requires that controllers take account of the state of the art in technical and organisational measures to implement data protection principles and safeguards. This also requires that supervisory authorities are aware of the state of the art in this domain and that they follow its development. Cooperation in this field is of crucial importance in order to ensure that these principles are applied consistently. The Opinion also built on our work with the Internet Privacy Engineering Network (IPEN) (see section 4.4.16) to encourage dialogue between policymakers, regulators, industry, academia and civil society on how new technologies can be designed to benefit the individual and society.

The new data protection rules also introduce the principle of accountability (see section 4.4.2). All controllers, including the EU institutions and bodies, must ensure that they are able to demonstrate compliance with the new rules. This also applies to the management and governance of their IT infrastructure and systems. To help with this, we extended our catalogue of specific guidelines to include, among others, Guidelines on the use of cloud computing services by the EU administration and further guidance on IT management and IT governance (see section 4.4.3). In 2018, we also began a systematic programme aimed at verifying EU bodies’ compliance with EDPS guidelines.

1 May 2018 marked one year since the EDPS took over responsibility for supervising the processing of personal data for operational activities at the EU’s law enforcement agency, Europol. One of the action points set out in our Strategy as integral to opening a new chapter for data protection in the EU is to promote a mature conversation on security and privacy. As an EU agency charged with ensuring the security of the EU while protecting the fundamental rights to privacy and data protection, Europol is a great example of the progress we are making in this area (see section 4.2).

We continue to maintain a strong relationship with Europol’s Data Protection Officer (DPO) and Data Protection Function (DPF) Unit, which allows us to anticipate any possible problems and plan future activities (see section 4.2.1). We carried out our second inspection of data processing activities at the agency in May 2018 (see section 4.2.3) and continued to provide advice and deal with complaints where required (see sections 4.2.4 and 4.2.5).

The security of EU borders remains a hot topic and the EU legislator put forward several new proposals in 2018 aimed at increasing security and improving border management. While we recognise the need for greater EU security, this should not come at the expense of data protection and privacy.

Facilitating responsible and informed policymaking is another of the action points required in order to open a new chapter in EU data protection. With this in mind we issued several Opinions on proposed EU border policy in 2018 (see section 4.3.4). One of these focused on the future of information sharing in the EU, addressing Proposals for two Regulations which would establish a framework for interoperability between EU large-scale information systems. As the implications of this proposal for data protection and other fundamental rights and freedoms are uncertain, we will launch a debate on this issue in early 2019 to ensure they are explored in detail.

We also continued our close cooperation with DPAs to ensure effective and coordinated supervision of the EU’s large-scale IT databases, used to support EU policies on asylum, border management, police cooperation and migration (see sections 4.3.1 and 4.3.2).

Facilitating responsible and informed policymaking is far from limited to the field of EU security and border policy, however. In 2018, the EDPS issued 11 Opinions, including two upon request from the Council, on matters ranging from jurisdiction in matrimonial matters to the interoperability of EU large-scale information systems.

We also issued 14 sets of formal comments. These are equivalent to Opinions, but typically shorter and more technical. Some of our comments were expressly requested by the European Parliament, or one of its Committees, and concerned not the initial legislative proposals, but draft amendments and outcomes of negotiations between the co-legislators.

Taking into account that we also dealt with over 30 informal consultations on draft proposals by the Commission, these numbers clearly demonstrate the increased need for, and relevance of, independent expert advice on the data protection implications of EU initiatives, as well as growing interest from EU institutional stakeholders. We look forward to continuing this mutually beneficial cooperation in the coming years in the context of strengthened legislative consultation powers under the new Regulation 2018/1725.

We also continued our efforts to ensure that activities within the EU institutions are carried out in accordance with the relevant data protection laws, issuing prior-check Opinions, investigating complaints and monitoring compliance through the various tools available to us (see section 4.4).

The Strategy commits the EDPS to forging partnerships in pursuit of greater data protection convergence globally. While data flows internationally, across borders, data protection rules are decided on a largely national, and at best regional, basis.

With this in mind, we continue to work with our regional and international partners to mainstream data protection into international agreements and ensure consistent protection of personal data worldwide (see section 4.5.2).

We are also involved in discussions on adequacy findings. These agreements are made by the European Commission on behalf of the EU Member States, and provide for the transfer of data from EU countries to non-EU countries whose data protection rules are deemed to provide adequate protection. Specifically, in 2018, we contributed to the second joint review of the EU-US Privacy Shield and the EDPB Opinion on a proposed adequacy agreement with Japan (see section 4.5.1).

We launched the EDPS Ethics Initiative back in 2015, as part of our commitment to forging global partnerships. We wanted to generate a global discussion on how our fundamental rights and values can be upheld in the digital era.

Three years on and digital ethics is now very much on the international agenda.

We began 2018 with the publication of the Ethics Advisory Group Report (see section 4.6.1). The Report is a useful tool in helping us to understand how the digital revolution has changed the way we live our lives, both as individuals and as a society. It also outlines the changes and challenges this implies for data protection. From here, we were able to expand our enquiry to reach a much larger audience, through a public consultation launched in early summer 2018 (see section 4.6.2). The results of the consultation revealed the importance of ethics moving forward and called for DPAs to play a proactive role in this.

However, it was the International Conference of Data Protection and Privacy Commissioners, dubbed the Olympic Games of Data Protection by EDPS Giovanni Buttarelli, that really launched the discussion on digital ethics onto the international agenda.

The public session of the International Conference focused on Debating Ethics: Dignity and Respect in Data Driven Life. With over 1000 people from a variety of different backgrounds, nationalities and professions in attendance, high-profile speakers and considerable media coverage, the event served to foster debate on the issue and put new ethical and legal questions high on the agenda of DPAs and others across the world. The EDPS is now seen as a leader in this area and will work hard to progress the debate (see section 4.7).

With our role and responsibilities expanding, good internal administration has been more important than ever in ensuring that we are able to achieve our goals.

The EDPS Human Resources, Budget and Administration (HRBA) Unit tackled two particularly big preparatory tasks in 2018 (see section 7.2). Work on preparations for the new EDPB secretariat intensified significantly in order to ensure that the Board was administratively and logistically prepared to start work on 25 May 2018. Among other things, this involved ensuring that all EDPB staff members were subject to the same rules as those working for the EDPS and able to benefit from the same rights.

Ahead of the new data protection Regulation for the EU institutions, we also had to ensure that all EDPS HR decisions complied with the new rules. We therefore undertook a full review of all EDPS HR data processing activities and revised our approach as needed.

In addition to a number of initiatives aimed at improving our HR policies, we launched a new open competition to create a pool of highly qualified data protection experts to satisfy our future recruitment needs. As we move into 2019, our main aim is to ensure an efficient and pleasant work environment for all those who work at the EDPS.

The importance of EDPS communication activities has increased considerably over the past few years (see section 7.1). Effective communication is essential in ensuring that we are able to achieve the goals set out in our Strategy. If our work is not visible, it cannot have the impact required.

In addition to consolidating our efforts to improve and increase the impact of our online presence, we launched and executed two communication campaigns. Our communication efforts for the 2018 International Conference not only helped to ensure that the conference itself was a success, but that the debate on digital ethics reached the widest possible audience.

In December 2018, we turned our attention to the new data protection Regulation for the EU institutions. Our communication campaign was designed to complement and reinforce ongoing awareness-raising activities, It was aimed not only at EU staff members, but also at ensuring that people outside the EU institutions were aware of the new rules and how they might affect them.

With the global presence and influence of the EDPS only set to increase, we anticipate another busy year ahead in 2019.

We use a number of key performance indicators (KPIs) to help us monitor our performance. This ensures that we are able to adjust our activities, if required, to increase the impact of our work and the efficiency of our use of resources. These KPIs reflect the strategic objectives and action plan defined in our Strategy 2015-2019.

The KPI scoreboard below contains a brief description of each KPI and the results on 31 December 2018. In most cases, these results are measured against initial targets.

In 2018, we met or surpassed, in some cases significantly, the targets set in the majority of our KPIs. This shows that implementation of the relevant strategic objectives is well on track and no corrective measures are needed.

In two cases we do not have monitoring results. In the case of KPI 6, in the course of 2018 we opted to monitor and prioritise our policy activities in relation to the relevant priority actions outlined in our Strategy, instead of publishing a list of priorities. We took this decision because we felt that this was a more efficient way of ensuring that we meet the targets set out in the EDPS Strategy.

In the case of KPI 7, we are not currently able to accurately measure the number of visitors to the EDPS website, due to a change in the cookie and tracking policy on our website (see section 7.1.1). This change is aimed at ensuring that users of our website will be able to consciously opt-in to having their online activity tracked on the EDPS website. It will therefore ensure that the website is as data protection friendly as possible. For this reason the results for KPI 7 are not complete.

The target for KPI 4 is readjusted yearly, in accordance with the legislative cycle.

KEY PERFORMANCE INDICATORS		RESULTS AT 31.12.2018	TARGET 2018
Objective 1 - Data protection goes digital
KPI 1 Internal Indicator	Number of initiatives promoting technologies to enhance privacy and data protection organised or co-organised by EDPS	9	9 initiatives
KPI 2 Internal & External Indicator	Number of activities focused on cross-disciplinary policy solutions (internal & external)	8	8 initiatives
Objective 2 - Forging global partnerships
KPI 3 Internal Indicator	Number of cases dealt with at international level (EDPB, CoE, OECD, GPEN, International Conferences) for which EDPS has provided a substantial written contribution	31	10 cases
Objective 3 - Opening a new chapter for EU data protection
KPI 4 External Indicator	Level of interest of stakeholders (COM, EP, Council, DPAs, etc.)	15	10 consultations
KPI 5 External Indicator	Level of satisfaction of DPO’s/DPC’s/controllers on cooperation with EDPS and guidance, including satisfaction of data subjects as to training	95%	70%
KPI 6 Internal Indicator	Rate of implementation of cases in the EDPS priority list (as regularly updated) in form of informal comments and formal opinions	N/A	N/A
Enablers - Communication and management of resources
KPI 7 Composite External Indicator	Number of visits to the EDPS website	N/A	Reach 195715 (2015 results) visits
	Number of followers on the EDPS Twitter account	14,000	9407 followers (2017 results) + 10%
KPI 8 Internal Indicator	Level of Staff satisfaction	75%	75%
KPI 9 Internal Indicator	Budget implementation	93.8%	90%

Figure 1. EDPS KPI analysis table

The new legislative framework was, once again, a significant focus of our work in 2018. Ensuring the successful launch of the European Data Protection Board (EDPB) and contributing to the work of the Board throughout the year was one aspect of this. The considerable time and effort invested in preparing the EU institutions for the new data protection rules applicable to their work was another. We also continued to push for the EU legislator to adopt the much-needed new Regulation on ePrivacy.

Our role as the data protection supervisor for the EU’s police authority, Europol, is now well established. After more than a year in this role, we now have a strong working relationship with our counterparts at Europol and are making good progress in our efforts to strike the right balance between security and privacy when dealing with data processing for the purpose of law enforcement.

Finding the right balance between security and privacy is also a concern in other areas of EU policy. We responded to several new policy proposals in 2018, aimed at keeping EU borders secure. Meanwhile, we continued to work closely with EU institutions and national authorities to ensure effective and coordinated supervision of the processing of personal data in existing border control systems.

However, it is not just EU border policy which has implications for data protection. In 2018 we issued Opinions on a wide range of different topics, all aimed at ensuring that the proposals put forward by the EU legislator adequately respect and protect the rights to data protection and privacy. One example of this was our Opinion on the interoperability of the EU’s large-scale databases.

In our role as a data protection supervisor, we responded to complaints, carried out inspections and issued prior check Opinions, in order to help the EU institutions ensure compliance with the relevant rules. We stepped up our close cooperation with Data Protection Officers (DPOs) and other EU staff members, organising meetings, visits and training sessions all aimed at preparing them for the new rules.

We continued to work closely with our data protection partners and others around the world, in our efforts to establish a more international approach to data protection policy. As in previous years, we contributed fully to European and international discussions on data protection, collaborating with the Council of Europe on the development of a new international convention on data protection, among other things. We monitored and provided advice on international data transfers and made further progress in our work with international organisations.

Digital ethics provided another forum for international cooperation, as we increased our efforts to encourage debate on the topic around the world and across disciplines. The 2018 International Conference of Data Protection and Privacy Commissioners proved a significant milestone for the EDPS Ethics Initiative, launching the debate on the international stage.

Achieving our goals and living up to expectations would not be possible without the support of our Secretariat. Their activities are essential to ensuring the administrative efficiency of the EDPS and making sure that our work reaches the audience it is intended for.

As the current EDPS mandate moves into its final year, we look to 2019 as a chance to consolidate and build on our achievements, in order to ensure that we are able to meet the objectives we set ourselves in the EDPS Strategy. With the importance of data protection now firmly established on the international agenda, we have no doubt that the EDPS will continue to serve as an important point of reference for all things data protection in the EU.

2018 marked the beginning of a new era in EU data protection. On 25 May 2018, the General Data Protection Regulation (GDPR) became fully applicable to all companies, organisations and institutions operating in the European Union. The new legislation also established the European Data Protection Board (EDPB), a new EU body responsible for facilitating cooperation between the EU’s national data protection authorities (DPAs). The EDPS participates fully in the activities of the Board and provides its secretariat.

Two days before the launch of the GDPR, the EU legislator reached an agreement on equivalent rules for the EU institutions, bodies and agencies. This legislation, which also defines the role and powers of the EDPS as the supervisory authority for the EU institutions, became fully applicable on 11 December 2018. In preparation for the new rules, we invested significant energy and resources in ensuring that the EU institutions were adequately prepared, providing training sessions for all levels of EU management and staff and producing relevant guidance, among other activities.

These two new Regulations, along with the Data Protection Law Enforcement Directive applicable since 6 May 2018, reinforce the EU’s position as a global leader in data protection and privacy practice. They also go a long way towards helping us to achieve the strategic objective of opening a new chapter for EU data protection, set out in the EDPS Strategy 2015-2019.

However, one piece of this regulatory puzzle is still missing. Only by concluding a new ePrivacy Regulation, which accurately reflects and supports the principles outlined in the GDPR, can we ensure that the fundamental rights of data protection and privacy are fully respected. In line with our Strategy commitments, we will continue to support the efforts of the EU legislator to come to an agreement on a new ePrivacy Regulation before the end of the current EU legislative period in May 2019.

4.1.1 The EDPB gets to work

On 25 May 2018, the day on which the GDPR became fully applicable for all businesses and organisations operating in the EU, the EDPB started its work.

Established under the GDPR, the Board replaces the Article 29 Working Party (WP29) as the forum for cooperation between the DPAs of the 28 Member States and the EDPS. It also takes on many new tasks, aimed at ensuring the consistent application of the GDPR across the EU. In addition to this, the Board is able to issue decisions, guidelines and statements on a wide range of topics.

Under the new legal framework, the EDPS is tasked with providing the secretariat for the EDPB. Operational from day one of the GDPR, the secretariat not only provides administrative and logistic support for the EDPB, but also carries out relevant research and analysis tasks. In addition to providing the secretariat, the EDPS is a full member of the Board and attended the five EDPB plenary meetings which took place between May and December 2018.

Much of the work carried out by the EDPB takes place within subgroups, each of which relates to a specific area connected to data protection. These include key provisions of the GDPR, international transfers, technology and financial matters, among many others.

EDPS representatives attended the subgroup meetings that took place in 2018. Among a number of topics, members shared their views on the consistency and cooperation mechanisms designed to harmonise data protection practice across the EU, including the functioning of the so-called One Stop Shop mechanism. Also discussed was the performance of the Internal Market Information (IMI) System, the IT platform used to exchange information on cross-border issues, as well as the challenges and types of questions received by DPAs under the GDPR. Most DPAs reported a substantial increase in the number of complaints received since 25 May 2018.

The Board adopted 26 Opinions in 2018, establishing a list of cases in which organisations must carry out Data Protection Impact Assessments (DPIAs). These lists are an important tool in ensuring the consistent application of the GDPR across the EU. An Opinion on the new eEvidence Regulation was also adopted, as well as various other letters and documents, including Guidelines on the territorial scope of the GDPR, on GDPR certification, on accreditation and on derogations for international transfers. On 5 December 2018, the EDPB also adopted an Opinion on the draft EU-Japan adequacy decision for international data transfers (see section 4.5.1).

In order to confront the Board’s increasing workload, the number of plenary meetings is set to double in 2019. As we enter a new era in data protection practice, we look forward to continued and increasing cooperation with our fellow DPAs through the newly-established EDPB.

4.1.2 The data protection Regulation for EU institutions

Regulation 2018/1725

While the GDPR applies to all companies and organisations that process personal data within the EU, it does not apply to the EU institutions, which must adhere to separate rules.

On 23 May 2018, two days before the GDPR became fully applicable, representatives from the European Parliament and the Council agreed on a new Regulation on the handling of personal data by EU institutions and other EU bodies. The text was adopted at the European Parliament Plenary Session on 13 September 2018 and in the Council a month later. On 23 October 2018, it was signed by the Presidents of the European Parliament and the Council of the EU. Published in the Official Journal of the EU as Regulation 2018/1725 on 21 November 2018, the new rules became fully applicable on 11 December 2018.

It is vital that, when dealing with the EU institutions, all EU employees and citizens are able to enjoy the same strengthened rights as they would under the GDPR. The new Regulation, therefore, brings the data protection rules for the EU institutions, previously set out in Regulation 45/2001, in line with the high standards provided for in the GDPR.

Regulation 2018/1725 also includes a specific chapter on the processing of operational personal data by EU agencies working in the field of law enforcement and judicial cooperation in criminal matters, such as Eurojust. These rules are aligned with those set out in the Law Enforcement Directive which, like the GDPR, became applicable in May 2018. The agencies operating in this area have the option to develop more detailed rules on the subject and include them in their founding acts. This will allow the agencies to account for any particularities in the way they operate.

For now, the processing of operational personal data by Europol and the European Public Prosecutor’s Office remains outside the scope of these new rules, with the European Commission set to review the situation by 2022.

Coordinating the transition to the new Regulation

In anticipation of the new rules, we worked closely with Data Protection Officers (DPOs) and other representatives from all EU institutions, bodies and agencies throughout 2017 and 2018 to ensure they were prepared. These activities included interactive workshops organised as part of our twice-yearly meetings with DPOs (see section 4.4.1), as well as targeted visits, training sessions and conferences. Our aim was to ensure that all EU staff involved in the processing of personal data, regardless of their place in the EU hierarchy, were aware of the new rules and what they entail.

Our awareness-raising campaign intensified in 2018, in order to provide the EU institutions with the necessary knowledge and tools to apply the new rules with ease. The campaign put particular emphasis on the importance of accountability, the idea that EU institutions not only comply with the new rules, but that they are also able to demonstrate this compliance. We asked top management to set the tone, by integrating data protection into risk management plans and ensuring that data protection is ingrained within the culture of their respective institution.

To help them with this, we published updated and new guidance documents on topics such as accountability, risk assessment and Data Protection Impact Assessments (DPIAs), data breach notifications and transparency and information obligations, as well as an updated position paper on the role of the DPO (see section 4.4.1). This guidance was reinforced through a programme of visits, training sessions and conferences, including a visit to EU institutions and bodies in Luxembourg by Assistant Supervisor Wojciech Wiewiórowski, a training session for staff at the EU agencies in Athens, an exchange with communication officers from the EU institutions and a training session for staff working for the EU agencies in Italy, as well as numerous bilateral and other meetings with top management in the EU institutions. (see figure 2).

As an EU institution, we are also subject to the new rules. To help us prepare, we set up an Internal Task Force on the Transition to the New Regulation. We wanted to ensure that were able to lead by example and act as an accountable data controller, while also providing assistance to other EU institutions.

We look forward to working in close cooperation with the EU institutions in this new era of data protection practice, in order to ensure that they continue to lead by example in the protection of personal data across the EU and globally.

4.1.3 ePrivacy: completing the EU’s data protection framework

While the GDPR regulates data protection, it does not apply to the privacy of communications. Further legislation is required, in the form of a Regulation on ePrivacy, to provide for comprehensive data protection within the EU and ensure legal certainty and a level playing field for market operators.

The current ePrivacy Directive was last updated in 2009. The proposed revision of these rules was presented by the European Commission on 10 January 2017. It would replace the Directive with a new ePrivacy Regulation, aligning the rules for electronic communications services with the standards set out in the GDPR.

Under the current rules, traditional electronic communications providers are subject to clear limitations on the way they use personal data. Companies classified as information society services, on the other hand, have flourished by exploiting loopholes in this legal framework. While traditional e-communications providers must seek consent for using communications data, information society services are not bound by the same obligations. There is, therefore, a clear and urgent need to close the loopholes in the current legislation and strengthen the protection of privacy and the security of online communications.

In October 2017, the European Parliament adopted a report and draft resolution on the proposed ePrivacy Regulation. We welcomed this as a positive attempt to strike a balance between the various interests at stake. Making progress in the Council, however, has been more challenging.

The scope for negotiation on many points of the proposal is limited, as it would involve compromising on the key principles of communications privacy. For example, when applied to the most sensitive types of personal data, proposed clauses allowing for the further processing of metadata for compatible purposes would likely widen the existing legal loophole and present service providers with a way of circumventing the high level of protection provided under the GDPR.

It is crucial that the new ePrivacy Regulation does not lower the level of protection provided by the GDPR. On the contrary, given the importance of ensuring the confidentiality of communications and the particularly sensitive nature of the metadata it involves, what is urgently needed is legislation that provides a higher level of protection. From a data protection and privacy perspective, we strongly believe that there is no excuse for failing to come to an agreement on the ePrivacy Regulation before the end of the current legislative period. Not doing so will only increase the risk of an uncertain outcome.

Figure 2. EDPS training programme 2018

4.1.4 Privacy by Design: technology that serves the people

The public debate on the misuse of personal data for tracking and profiling purposes and the role of technology in our society intensified over the course of 2018. One element of the debate is whether companies should be able to take advantage of technology exclusively as a means to increase profits, or whether they should also be obliged to use it to further the interests of individuals and the common good.

The GDPR introduced the principles of data protection by design and by default as essential obligations in ensuring accountability. Those responsible for collecting and processing personal data must put in place appropriate technical and organisational methods to ensure and demonstrate data protection compliance. Both principles have the potential to help establish the human perspective as the main driver for technological development. Data protection by design involves planning for the integration of personal data protection into new technological systems and processes from the design stage of a project and throughout its whole lifecycle, while data protection by default involves integrating privacy protection into all technological services and products as a default setting.

On 31 May 2018, just a few days after the GDPR became fully applicable, we published a Preliminary Opinion on Privacy by Design. The Opinion aimed to build on our work with the Internet Privacy Engineering Network (IPEN) (see section 4.4.16) and on the EDPS Ethics Initiative (see section 4.6), to encourage dialogue between policymakers, regulators, industry, academia and civil society on how new technologies can be designed to benefit the individual and society. We look forward to further debate on this issue in our attempts to establish a common approach to technological development which puts human dignity first.

Europol is the EU body responsible for supporting Member State law enforcement authorities in the fight against serious international crime and terrorism. On 1 May 2017, the EDPS assumed responsibility for supervising the processing of personal data at Europol.

The Europol Regulation tasks the EDPS with supervising the processing of personal data relating to Europol’s operational activities. We are also responsible for supervising the processing of personal data relating to Europol’s administrative activities, including personal data relating to Europol staff. However, this supervisory task is subject to the rules now set out in the new Regulation 2018/1725, which replaces Regulation 45/2001.

One of the main challenges we face in this role is to ensure that Europol strikes the right balance between security and privacy when dealing with data processing for the purpose of law enforcement. A secure and open Europe requires improved operational effectiveness in the fight against cross-border crime, but it also requires a commitment to protecting the fundamental rights and freedoms of individuals.

4.2.1 Continuous cooperation with Europol’s data protection unit

Under the Europol Regulation, Europol must appoint a Data Protection Officer (DPO), who is to act independently in the performance of all duties. Through close cooperation with Europol’s DPO and Data Protection Function (DPF) unit, we are better equipped to monitor Europol’s compliance with the Regulation and to provide advice to the DPF team when they need it.

We aim to facilitate and reinforce our cooperation by holding regular meetings with the DPF and other relevant operational staff. These meetings, which usually take place on a bimonthly basis, are an opportunity to discuss any new projects or data processing procedures planned by Europol, as well as other pending issues.

Over the past year, the EDPS and the DPF have met four times in The Hague, on 8 February, 24 April, 9 July and 16 October 2018. We also met with the DPF and other Europol staff members in Brussels on 25 September 2018. These meetings help us to anticipate specific issues relating to data processing activities at Europol and to define and plan for future activities, such as inspections or inquiries. Three EDPS staff members also participated in the European Data Protection Experts Network (EDEN) conference, which took place on 22-23 November 2018 (see section 4.2.7).

4.2.2 Supervising operational analysis projects

The Europol Regulation allows for the processing of personal data to support what is known as operational analysis. However, it specifies that these criminal investigations and criminal intelligence operations, which are carried out by Member State law enforcement authorities, must be performed as part of an operational analysis project.

Each operational analysis project relates to a particular type of crime, such as child pornography, cybercrime, drug trafficking, organised criminal groups, property crimes or terrorism. For each project, Europol is required to define and inform the EDPS about:

•  the specific purpose of the project;

•  the categories of data involved and the individuals it concerns;

•  the participants, which could be Member States, non-EU countries or organisations;

•  the length of time that the data will be stored;

•  the conditions for access to the data concerned and for any proposed transfer of this data.

At the end of 2018, Europol had a portfolio of 30 operational analysis projects. We did not receive formal notification of any new projects in 2018, although we were notified of smaller amendments to existing projects and were consulted on the envisaged amendments prior to the actual modification of the portfolio. All analysis projects are listed and described on the Europol website.

4.2.3 Inspecting Europol

On 8 May 2018, we issued a report on our first Europol inspection, carried out in December 2017. As with our other inspections (see section 4.4.6), the results were not shared publicly, but the report was shared with the national data protection authorities (DPAs) through the secretariat of the Europol Cooperation Board (see section 4.2.6). We outlined a number of recommendations for improvement and we will continue to work with Europol to ensure they put our recommendations into practice.

We carried out a second inspection from 22-25 May 2018. Three experts from the DPAs of France, Greece and Italy joined the inspection as part of the EDPS team. The Member States are Europol’s main information providers so, as well as benefitting from their expertise, the participation of national experts in the inspection process helps to raise awareness of any problems arising at Europol level which might have originated at national level. This could include problems with data quality or insufficient justification for the processing of sensitive data, for example. They can then consider how to tackle these problems in their supervisory activities at national level.

The legal part of the inspection focused on four topics, the first two of which were particularly high-profile:

1. The processing of data as part of Europol’s operational analysis project, Travellers: This concerns the personal data of individuals who travel to and from conflict zones, Syria in particular. It encompasses those known as foreign terrorist fighters and their families, including children.

2. The processing of data on migrants arriving at hotspots in Greece and Italy: The European Border and Coast Guard Agency (Frontex) interviews migrants upon their arrival in these countries. If an individual is believed to present a possible security risk, Member States can turn to Europol guest officers, also situated in the hotspots, to run checks on them.

3. The processing of data relating to individuals under the age of 18 in all operational analysis projects, particularly in cases when such individuals are labelled as suspects: Under the Europol Regulation, Europol is only permitted to process the personal data of under 18s if doing so is strictly necessary and proportionate to the aim of preventing or combatting crime under Europol’s mandate.

4. The processing of data in the Europol Information System: This is Europol’s database of suspects, convicted persons and potential future criminals. In particular, we focused on how this database is updated by Member States and Europol on behalf of non-EU countries.

The technical element of the inspection looked to build on the activities carried out as part of our first inspection. We focused on three areas in particular:

1. Europol’s information security management procedures;

2. user log management;

3. the validation process for new tools and IT systems.

We issued our inspection report on 19 December 2018. We will follow-up with Europol on our specific recommendations throughout the coming year.

In 2018, we also carried out remote inspections of two Europol websites as part of our follow-up exercise on the protection of personal data processed by EU institution websites (see section 4.4.7).

4.2.4 Advising Europol

The EDPS advises Europol on all matters concerning data protection, either on our own initiative or in response to a consultation.

Prior Consultations

Europol must submit a prior consultation request to the EDPS for every new data processing activity they plan to carry out which involves the processing of sensitive data or which might present a specific risk to individuals. Based on Europol’s submission, we analyse how far the proposed processing operation complies with the Europol Regulation and all other relevant data protection principles and rules. We then provide Europol with recommendations which they must implement in order to ensure compliance.

In 2018, we issued three Opinions. These all related to prior consultations received at the end of 2017. The Opinions concerned the following technical tools:

•  QUEST (Querying Europol Systems): An automatic interface used to facilitate cross-checking of data in the national databases and Europol’s suspect database. Through its simplified search mechanism, QUEST provides Member States with new search capabilities. This enables authorised Member State police officers to carry out simultaneous searches of the Europol information system and other national and international databases from their own working environments, using their national databases.

•  ETS (European Tracking Solution): A tool that enables specialist units, based predominantly in the Member States, to exchange geo-location data in near real-time. It is used to track and trace objects and individuals.

•  IRMa (Internet Referral Management application): A software tool used by Europol’s Internal Referral Unit (IRU) to help automate the referral process, the process of identifying online terrorist content and notifying online service providers of the need to remove it. Europol developed this tool and would like to provide it to Member States, to use for the same purpose.

Given that these Opinions refer to the use of tools by national law enforcement authorities, which may involve supervision by the respective national supervisory authorities, the EDPS shared the Opinions with them.

In 2018, we received one additional prior consultation on SIENA 4.0, the updated version of Europol’s secure message exchange system. It is used to manage the exchange of operational and strategic crime-related information among Member States, Europol and Europol’s other partners. We will issue feedback on this prior consultation in 2019.

Consultations and inquiries

We issued guidance and conducted own initiative inquiries on a number of issues in 2018. One of these cases was a consultation relating to the Internet Corporation for Assigned Names and Numbers (ICANN). Our Opinion addressed whether Europol should serve as an accrediting body for law enforcement agencies (LEAs) looking to access personal data in the WHOIS database, the Internet’s Domain Name System which is managed by ICANN.

Before the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, the personal data of anyone registering a new domain name was publicly displayed on the internet, through the WHOIS service. This included names, email addresses, phone numbers and other forms of identifying information.

However, in order to adhere to the requirements of the GDPR, this previously public information is now being redacted. This has created problems for LEAs, who no longer have such easy access to the personal data of domain name registrants, and are now required to conclude formal legal procedures in order to access the relevant information.

Our Opinion concluded that Europol could act as a law enforcement accreditor. This would involve providing assurances to registries and registrars that any EU LEA seeking to access WHOIS records is indeed a legitimate authority, so long as the activity concerned falls within Europol’s mandate, as a support authority for the Member States.

In a separate case, we provided guidance on the transfer of personal data from the European Border and Coast Guard Agency (Frontex) to Europol. Frontex is involved in monitoring migratory flows and carrying out risk analysis on integrated border management, including internal security or security at the EU’s external borders. Our guidance concerned any data transfers from Frontex to Europol in relation to these activities.

In addition to this, we conducted an inquiry on data processed in the context of the ‘Crime Information Cell’ (CIC), a pilot project activated on board EUNAVFOR MED operation Sophia, operating in the Central Mediterranean Sea. Following a decision of the Council of the EU of 14 June 2018, specialised personnel from Europol and Frontex have embarked on board Flagship EUNAVFOR MED. The goal is to enhance the exchange of information between Common Security and Defence Policy (CSDP) and Justice and Home Affairs (JHA) actors on criminal activity in the Central Mediterranean and to disrupt criminal networks in the area, notably those involved in migrant smuggling and human trafficking.

We also advised Europol on possible developments relating to FIU.net. This is the decentralised information network which supports the EU’s Financial Intelligence Units (FIUs) in their fight against money laundering and the financing of terrorism. It is operated by Europol.

4.2.5 Dealing with complaints

The EDPS is also responsible for hearing and investigating complaints from people who believe that Europol has mishandled their personal data. Europol relies on national law enforcement authorities to provide them with the majority of the personal data it processes. As these national authorities are supervised by their national DPA, we work in consultation with the relevant national DPAs to investigate all admissible complaints and adopt decisions.

Of the two complaints received in 2017, only one was considered admissible. It related to a claim that Europol denied access to personal data requested by the individual concerned. We investigated the complaint, examining Europol’s file on the decision and taking into account the observations of the national DPA involved. Our conclusion, issued in 2018, was that Europol’s decision to refuse access to personal data was lawful in this case.

In 2018, we received just one complaint, which was deemed inadmissible.

4.2.6 Meeting with the Cooperation Board

Just as the EDPS is responsible for supervising the processing of personal data by Europol, the national DPAs are responsible for overseeing the processing of personal data by their respective national law enforcement authorities. As most of the data processed by Europol comes from the national law enforcement authorities, it is essential that we are able to cooperate effectively with the national DPAs.

In addition to activities such as joint supervision, much of this cooperation takes place in meetings of the Cooperation Board, for which the EDPS provides the secretariat. The Board has an advisory function and provides a forum to discuss common issues and develop guidelines and best practice.

Composed of representatives from the relevant national DPAs and the EDPS, the Board meets at least twice a year. In 2018, these meetings took place on 30 May and 3 October.

The first meeting provided an opportunity for us to share information on the supervisory activities that had taken place since our previous meeting on 16 November 2017. This included our first Europol inspection. It was also a chance to discuss the work programme of the Board for the next two years.

Assistant Supervisor Wojciech Wiewiórowski opened our second meeting. In his speech he stressed that fruitful cooperation between the EDPS and DPAs depends on trust and reciprocity. Only in such an environment can the Board be successful in protecting citizens’ rights.

We then focused on Europol activities that have an effect at national level. For example, Europol provides tools which facilitate the exchange of information between national law enforcement authorities and the national DPAs are responsible for supervising their use at national level. In this respect, discussions took place on the use of ETS by national law enforcement authorities and on possible developments of FIU.net (see section 4.2.4).

An update of a leaflet aimed at helping individuals to exercise their data protection rights in relation to Europol and a handbook for national law enforcement authorities on how to send data to Europol were also discussed.

We look forward to strengthening our cooperation with the Board as we work towards achieving the joint aim of a secure and open Europe.

4.2.7 Setting the tone at management level

On 8 March 2018, Catherine De Bolle, former Commissioner General of the Belgian Federal Police, was appointed as the new Executive Director of Europol. Accompanied by the Europol DPO and two members of her Cabinet, she visited the EDPS on 16 July 2018 to meet with EDPS Giovanni Buttarelli. This meeting was an excellent opportunity for both parties to get to know one another and establish the foundations for effective cooperation based on mutual trust.

Their exchange of views was both frank and constructive. The new Executive Director showed a good understanding of data protection issues in general and an even better knowledge of the main issues that Europol and the EDPS still need to address. Management sets the tone for cooperation throughout the whole organisation, so we look forward to continued and constructive cooperation at this level over the coming months and years.

In the spirit of leading by example through effective cooperation, on 22 November 2018, Assistant Supervisor Wojciech Wiewiórowski gave the keynote speech at a conference on Freedom and Security, jointly organised by the Europol Data Protection Experts Network (EDEN) and the Academy of European Law (ERA). He recalled the message outlined by former Europol Executive Director Rob Wainwright in his Data Protection Day 2018 blogpost, calling for tailored data protection rules for law enforcement. He also stressed that increased security can be achieved without restricting data protection rights. Through their continued and constructive cooperation, the EDPS and Europol are ideally placed to demonstrate this.

4.2.8 The Joint Parliamentary Scrutiny Group

The Joint Parliamentary Scrutiny Group (JPSG) is a parliamentary supervisory body made up of more than 120 representatives from the European Parliament and national Parliaments. Its job is to hold Europol accountable for its activities. The EDPS must support the JPSG in this role.

At least once a year, the JPSG organises a meeting with the EDPS to discuss Europol compliance with data protection rules and principles. In 2018, two meetings of the JPSG took place and the EDPS was invited to attend both. These took place in Sofia, Bulgaria on 19 March 2018 and in Brussels on 25 September 2018.

The meetings are an opportunity for us to provide the JPSG with an overview of EDPS supervisory activities, as well as to discuss more specific issues. At the Sofia meeting, for example, we addressed a series of recommendations relating to the exchange of personal data between Europol and eight different Middle Eastern and African countries. These recommendations were issued by the Commission in December 2017 and advised the Council of the EU to begin negotiations for international agreements with the eight countries on the exchange of data. The EDPS published an Opinion on these recommendations just before the JPSG meeting on 14 March 2018 (see section 4.3.4).

At the second meeting, we focused specifically on Europol’s reliance on cooperation to perform its role, the implications of this for data protection matters and on how we are working with Europol to address such implications. Europol’s partners are varied, including international partners, EU partners such as Frontex and partners at national level.

We look forward to cooperating further with the JPSG during the course of 2019.

As we set out in the EDPS Strategy, we are committed to facilitating responsible and informed policymaking within the EU and to promoting a mature conversation on security and privacy as part of our efforts to open a new chapter in EU data protection.

In recent years, the EU legislator has put forward a wide range of policy proposals aimed at increasing EU security and improving border management. Terrorist attacks, the migration crisis and the development of increasingly sophisticated technology are the main drivers behind these proposals, all of which aim to ensure that EU processes and policies remain up to the task of ensuring safe and secure EU borders.

We fully support these efforts and recognise the pressing need for EU policy to adapt to new realities. However, increased security must not come at the expense of the fundamental rights guaranteed in the EU Charter.

In line with the commitments identified in our Strategy, we seek to provide the legislator with appropriate legal advice, guidance and recommendations to ensure that policymakers are able to make informed decisions on EU border policy. Furthermore, we aim to support the legislator by working in close cooperation with our fellow EU data protection authorities (DPAs) to ensure that the tools used to implement EU border policy continue to function to the highest standards of EU data protection law.

4.3.1 Effective supervision of large-scale IT systems

The European Union operates several large-scale IT databases. These are used to support EU policies on asylum, border management, police cooperation and migration. Through the databases, national authorities, as well as some EU bodies, are able to exchange information relating to borders, migration, customs and police investigations.

The EDPS is responsible for supervising the processing of personal data in the central units of the databases, the majority of which are hosted by the EU’s Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA). The national DPAs are responsible for supervising how national authorities use these systems. The division of tasks between EU DPAs and the EDPS mirrors the division of tasks between the central unit managing the system and the national authorities using it. The relevant supervisory authority therefore depends on who processes the data.

One of our supervisory responsibilities is to carry out periodic inspections of the central databases. These inspections focus on the security and management of the systems, while the national authorities are responsible for ensuring the accuracy of the information entered into them. Through carrying out inspections, we are able to monitor data protection compliance, but also to work directly with eu-LISA to improve accountability in the management of these databases.

In 2018, we carried out on-site inspections of the Schengen Information System (SIS) and the Visa Information System (VIS). We will share our report and recommendations with eu-LISA, the European Parliament, the Council, the European Commission, and national DPAs in 2019 and follow up with them accordingly.

4.3.2 Coordinated supervision of large-scale IT systems

Just as the EDPS is responsible for supervising the central units of the EU’s large-scale IT databases, the national DPAs are responsible for supervising how their respective national authorities use these databases. In order to ensure the consistency of supervision efforts on both levels, all supervisory authorities involved, including the EDPS, cooperate through Supervision Coordination Groups (SCGs). Each of these groups is dedicated to a specific EU database.

Made up of representatives from the national DPAs and the EDPS, the SCGs meet regularly to ensure coordinated end-to-end supervision of all the databases. As the supervisory authority for the central units, the EDPS participates as a full member of these groups. We also provide the secretariat for the groups, working under the authority of their respective Chairs.

As in past years, the groups met twice in 2018. The SCGs for Eurodac, SIS and VIS met in June and November, while the SCG for the Customs Information System (CIS) met in May and October. The results of these meetings are published on their respective webpages on the EDPS website. The meetings continue to provide a valuable forum for cooperation between the Member State DPAs and the EDPS, while also respecting the role and competences of each.

The new data protection rules for the EU institutions and bodies provide for a single model of coordinated supervision of both large-scale IT systems and EU agencies and bodies, within the European Data Protection Board (EDPB). The EDPB has therefore launched an initiative to reflect on how to organise this coordinated supervision within the EDPB framework.

The SCGs will meet again in 2019 as part of our ongoing commitment to ensuring effective, efficient, coordinated and consistent supervision of these important databases.

4.3.3 Observing Schengen

The establishment of the Schengen area has made travelling between many EU countries a much easier and more enjoyable experience for EU citizens and others. However, the success of this initiative depends on a collaborative effort from all states involved.

Among the measures designed to ensure that all relevant Member States adequately implement Schengen rules are regular peer review exercises. Known as Schengen evaluations (SCHEVAL), these peer reviews are organised by the European Commission and carried out by experts from the Member States. The EDPS often participates as an observer in the data protection part of the evaluation.

With our experience supervising the central units of the SIS and VIS (see section 4.3.1), the EDPS is able to offer a different and complementary perspective on the SCHEVAL process. This is of clear added value in the supervision, enforcement and promotion of data protection in this highly sensitive area. Our input is also appreciated on a linguistic level, as the international composition of our institution means that the EDPS staff members taking part in the evaluation often speak the language of the country under evaluation.

The data protection aspect of the evaluation involves assessing the competent authorities’ compliance with data protection rules, including the security of the SIS and VIS databases; the independence, role and powers of the national data protection authority; public awareness of Schengen; and international cooperation. Over the course of a year, we usually take part in three SCHEVALs. In 2018 we acted as an observer for the evaluations of Switzerland, Latvia and Finland.

4.3.4 Protecting fundamental rights in the area of freedom, security and justice

Biometric ID cards

On 10 August 2018, we issued an Opinion on the Commission’s Proposal for a Regulation aimed at strengthening the security of identity cards and other documents issued to EU citizens and their families. This would involve improving the security features of EU citizens’ identity cards and the residence cards of non-EU family members.

The proposal would have an impact on up to 370 million EU citizens, potentially subjecting 85% of the EU population to mandatory fingerprinting requirements. Taking into account this wide scope and the sensitive nature of the data involved, we identified the vital need for the Commission to clearly demonstrate the necessity of the measures proposed. For example, the stated purposes for processing two separate types of biometric data, namely facial images and fingerprints, could be achieved using a less intrusive approach, and therefore fail to demonstrate necessity. We also cited the need to establish explicit safeguards to ensure that the implementation of the proposal at national level would not lead to the creation of national fingerprint databases.

While the storage of fingerprint images does enhance interoperability (see section 4.3.4), it also increases the amount of biometric data that is processed. This increases the risk of impersonation in the case of a personal data breach. Accordingly, we recommended significantly limiting the fingerprint data stored in the chip of residence documents, to include only a subset of the characteristics extracted from the fingerprint image.

Finally, the EDPS advocated setting the minimum age limit for collecting children’s fingerprints to 14 years old, in line with the approach taken in other instruments of EU law.

Wider debate needed on the future of information sharing in the EU

In order to address challenges relating to security and border management, the EU needs to adopt a smarter approach to information sharing. Interoperability could prove a useful tool, but it is also likely to have profound legal and societal consequences, as outlined in our reflection paper on the topic in November 2017.

On 16 April 2018 we followed up our reflection paper with an Opinion on the Proposals for two Regulations establishing a framework for interoperability between EU large-scale information systems. Interoperability is the process of enabling these large-scale EU databases to communicate and exchange information. It could help public authorities to manage issues relating to migration, asylum and security by facilitating the exchange of data held within the databases.

The proposals provide for the possibility to use the systems more extensively, beyond the specific objectives for which they were established. In particular, the data stored in the different systems would be gathered in order to combat identity fraud, but also to facilitate and allow for identity checks within Member State territory. They would also streamline law enforcement access to databases that do not contain law enforcement information. Of particular concern is the creation of a centralised database containing information about millions of non-EU citizens, including biometric data. The scale of the database and the nature of the data to be stored within it mean that a data breach could harm a very large number of people.

While law enforcement authorities need access to the best possible tools to fight terrorism and other serious crime, allowing law enforcement authorities to routinely access information not originally collected for law enforcement purposes has significant implications for the protection of fundamental rights. It is therefore essential that strict and appropriate legal, technical and organisational safeguards are built in to all EU databases, and that particular attention is given to defining their purpose and conditions of use.

Given the uncertain implications of this proposal for data protection and other fundamental rights and freedoms, we called for wider debate on the issue before any further steps are taken towards implementation.

Information exchange between Europol and non-EU countries in the fight against terrorism and serious crime

The European Commission adopted eight recommendations on 20 December 2017. In these recommendations, they asked the Council of the EU for authorisation to start negotiations with Algeria, Egypt, Israel, Jordan, Lebanon, Morocco, Tunisia and Turkey to conclude international agreements on the exchange of data between Europol and these eight non-EU countries.

The rules for the transfer of data from Europol to non-EU countries are outlined in the Europol Regulation. According to these rules, international agreements negotiated and concluded by the Commission would provide the required legal basis for the exchange of personal data between Europol and the authorities of these eight countries, with the aim of fighting serious crime and terrorism.

The EDPS issued an Opinion on the Commission’s recommendations on 14 March 2018. We stressed that any international agreements relating to the exchange of data between Europol and non-EU countries must strike a fair balance between the need to fight serious crime and terrorism and the need to protect personal data and other fundamental rights. Each agreement must also outline the specific conditions under which Europol can transfer personal data to the country concerned, recognising that these conditions will be different for each country.

We provided some general recommendations aimed at ensuring that the negotiated agreements include the appropriate safeguards required by the Europol Regulation, but we mainly focused on the Annexes to the Commission’s recommendations. These set out the mandates and directives the Council should give to the Commission in order to negotiate each agreement. As they include all data protection requirements with which the international agreements should comply, we provided recommendations on how to ensure that these requirements were comprehensive in scope.

Simplifying judicial cooperation on family matters

The Brussels IIa Regulation is a Council Regulation on jurisdiction. It concerns the recognition and enforcement of decisions in matrimonial matters and matters of parental responsibility, including international child abduction. The Council formally requested an EDPS Opinion on a Proposal for a recast of the Regulation, which we published on 15 February 2018. We then presented this to the Council on 1 March 2018.

The recast of the Brussels IIa regulation establishes uniform jurisdiction on rules for divorce, separation and annulment of marriage, as well as for disputes about parental responsibility in cross-border situations. Its main objective is to remove the remaining obstacles to the free movement of judicial decisions, in line with the principle of mutual recognition, and to better protect children’s interests by simplifying procedures and improving efficiency. The new rules also aim to avoid the creation of a new EU IT database, by improving cooperation between the central authorities involved in exchanging information within and across the Member States.

In our Opinion we provided specific recommendations to ensure that any processing of personal data is done lawfully and that suitable and specific safeguards are put in place to protect the fundamental rights and interests of the individuals concerned. We also recommended that clauses explaining the specific purposes for which data can be processed, and the individuals this concerns, be inserted into the text, in addition to explicit references to the need to respect the principles of data quality and minimisation.

To ensure that data is processed consistently and fairly across the EU, we reiterated the need to specify that any reference to the national law of a Member State should not lead to increased limitations on an individual’s right to information at national level. We also recommended establishing a principle in the Regulation to provide individuals with the right to access any information transmitted to the requesting authority of a Member State. To deal with cases where restrictions on an individual’s access and rectification rights are considered necessary, we expressed the need for a specific provision outlining the scope of these restrictions.

The EDPS is entrusted with ensuring that the EU institutions comply with data protection rules both when they process personal data themselves and when they develop new EU policies. In the case of the former, it means acting as a supervisory authority for all EU institutions and bodies, while the latter sees the EDPS adopt the role of an advisor to the EU legislator.

Much of our work in 2018 focused on ensuring that both the EDPS and the EU institutions and bodies we supervise were prepared for the new data protection rules, which became fully applicable on 11 December 2018. In line with the action points set out in the EDPS Strategy, a particular focus of our work has been on increasing accountability, ensuring that all EU institutions, including the EDPS, are capable of not only complying with data protection rules, but of demonstrating this compliance.

In addition to this, we continued to fulfil our standard obligations as a supervisory authority for the EU institutions. These include issuing recommendations to individual institutions in the form of prior-checking Opinions, dealing with complaints, carrying out regular audits and compliance visits and providing relevant training sessions on the new Regulation.

A second action point set out in the Strategy commits the EDPS to facilitating responsible and informed policymaking. Among the tools we have for doing this are our Opinions and Formal Comments. These allow us to provide specific recommendations on EU legislative proposals. Our efforts in 2018 included 11 Opinions, 14 sets of formal comments and over 30 informal consultations on draft proposals by the Commission. These numbers clearly demonstrate the increased need for, and relevance of, independent expert advice on the data protection implications of EU initiatives, as well as growing interest from EU institutional stakeholders.

With new technologies appearing every day, we are dedicated to ensuring that the data protection field takes the necessary steps to adapt to the digital era. EDPS initiatives such as the Internet Privacy Engineering Network (IPEN) aim to reinforce the new rules set out in the General Data Protection Regulation (GDPR) and encourage the development of privacy-friendly technologies.

We recognise that data protection alone cannot solve every problem, so to ensure that data protection goes digital we have also focused on developing cross-disciplinary policy solutions. Through initiatives such as the Digital Clearinghouse, for example, we hope to encourage increased cooperation between data protection and consumer protection authorities to ensure individuals’ rights are adequately protected.

4.4.1 The DPO function: EU institutions leading by example

Data Protection Officers (DPOs) from the 66 EU institutions, bodies, agencies and offices meet with the EDPS twice a year, as part of their DPO network meetings. These meetings reinforce collaboration between the DPOs and ensure that the EU institutions have the tools they need to lead by example in the application of data protection law.

With new data protection rules for the EU institutions under discussion, recent meetings have focused almost exclusively on helping the DPOs to ensure that they are ready for the new rules. This year’s first meeting, which took place in Brussels on 31 May 2018, was no exception.

Just a week before the 43^rd DPO meeting, the GDPR became fully enforceable and the Council announced a political agreement with the European Parliament on a GDPR for the EU institutions (see section 4.1.2). Unsurprisingly then, the day’s activities focused on ensuring that DPOs were equipped with all the necessary knowledge and tools not only to ensure compliance with the new rules, but to demonstrate this compliance, through applying the principle of accountability. With the aim of providing them with practical examples of how to apply the new rules, DPOs took part in several interactive exchanges, focused on specific case studies. These covered many topics, including social media and micro-targeting, data protection impact assessments (DPIAs) and IT governance.

To provide further support to the DPOs in the transition to the new rules, on 30 September 2018 we published an updated version of our 2005 position paper on the role of DPOs within the EU institutions. This paper also covers their relationship with the EDPS and provides guidelines on the profile of a DPO and the resources required for them to perform their role. The updated version brings the paper in line with the new rules set out in Regulation 2018/1725 and incorporates feedback from DPOs, gathered during a consultation period in spring 2018.

The new rules became fully applicable on 11 December 2018. On 12 December 2018, DPOs gathered once more in Brussels for the 44th EDPS-DPO meeting. The meeting was a chance to reflect on the new challenges faced by the EDPS and DPOs under the new legislation.

We planned the day’s activities around a series of case studies aimed at providing the DPOs with hands-on experience of how to deal with some of these new challenges. These included the restriction of individuals’ rights under the new rules, data breach notifications and joint controllership. We wanted to encourage the DPOs to see the new rules not as a burden, but rather as a reference tool on how to ensure respect for the rights of those individuals whose personal data the EU institutions use on a daily basis to carry out their tasks and responsibilities.

Before both DPO meetings, we organised an additional training session for recently-appointed DPOs and Assistant DPOs. The new DPOs were given useful information about their role and responsibilities, ending the day with a practical case study to put their knowledge into practice.

4.4.2 Reinforcing the accountability of EU institutions

Both the GDPR and the new data protection rules for the EU institutions stress the importance of accountability. This is the idea that the data controller, the person or organisation responsible for processing personal data, must not only comply with data protection rules, but be able to demonstrate this compliance. It is not a new concept, but the new rules place greater emphasis on it.

Accountability involves doing the right thing, for the right reasons, in a way that can be reproduced if required. In order to make this a reality, every organisation operating within the EU, including the EU institutions, must ensure that they adequately document all of their data processing activities.

To help the EU institutions with this, we issued an accountability on the ground toolkit. A preliminary version of the toolkit was published in February 2018, to help the EU institutions in their preparations for the new rules. An updated version, which accurately reflects the final version of the new Regulation 2018/1725, was issued in December 2018, to coincide with the day on which the new rules became fully applicable.

The toolkit provides guidance on how to document a processing operation, through what are known as records. It also sets out the criteria for determining when a DPIA, or threshold assessment, is required.

The toolkit complements the work on accountability we have been doing with DPOs (see section 4.4.1), as well as the training sessions and accountability visits we have carried out over the past two years to prepare the institutions for the new Regulation (see section 4.1.2).

4.4.3 Accountability in IT

Two months before the GDPR became enforceable, we issued two new sets of Guidelines. These Guidelines provide the EU institutions with advice on how to adapt to this new era in data protection, notable for the emphasis it places on the principle of accountability.

The Guidelines address data protection requirements for the management and governance of IT infrastructure in general, and for cloud computing services specifically. Published before the new rules for the EU institutions had been finalised, the Guidelines build on the principles outlined in the GDPR and complement our other efforts to prepare the EU institutions for the new rules (see sections 4.1.2, 4.4.1 and 4.4.2).

We fully support the idea that the EU institutions should benefit from the newest technological developments. Doing so will ensure that the EU administration is both efficient and transparent. The Guidelines aim to demonstrate that this can be done while maintaining full respect for fundamental rights. They clearly identify the limits which must be respected.

In advance of the publication of these Guidelines, we were invited to a workshop on security of personal data processing to present our provisional guidance for the EU institutions on documentation and obligations relating to DPIAs and the role played by IT security risk management in this.

Organised by the EU Agency for Network and Information Security (ENISA) and Italian data protection authority (DPA) Garante, the workshop took place in Rome on 8 February 2018. A focus of the discussion was on the need for organisations to better integrate personal data protection risk management into their working methods.

Integrating new obligations relating to both DPIAs and IT security into a common risk management process which addresses both IT security and data protection risks is undoubtedly a challenge. However, it avoids duplication and allows for a more successful implementation of the obligations outlined in the GDPR, making it much more efficient than implementing separate processes.

4.4.4 Data breach notifications: a how-to guide for EU institutions

To help the EU institutions with their preparations for the new rules (see sections 4.1.2, 4.4.1 and 4.4.2) we issued Guidelines on Personal Data Breach Notification.

Under the new Regulation, all EU institutions and bodies have a duty to report certain types of personal data breaches to the EDPS. They must do this within 72 hours of becoming aware of the breach. If there is a high risk that the breach will adversely affect individuals’ rights and freedoms, the EU institution must also inform the individuals concerned without unnecessary delay.

The costs and risks related to a data breach can be significant. Since the first mandatory data breach notification law was passed in California in 2002, the obligation to notify different types of breaches has spread across the world, in response to an increasing number of incidents. This obligation should not only act as a deterrent but also encourage organisations to do everything in their power to prevent breaches from occurring in the first place. The GDPR’s strict requirements on data breach notifications have already demonstrated the positive effects of this approach.

With the new data protection Regulation for EU institutions now in force, the institutions must ensure they have prevention and detection mechanisms in place for personal data breaches, as well as investigation and internal reporting procedures. The new Guidelines provide the necessary practical advice and background information for assessing and notifying the EDPS through a new online form, which can be found on our website.

4.4.5 Protecting privacy in the EU institutions

Data protection for conference organisation

On 10 April 2018, we responded to a complaint regarding the registration process for an international conference organised by one of the EU institutions. This process required individuals to submit a scanned copy of their passport or identity card, in order to verify their identity.

Our investigation found that the EU institution could have used a less intrusive means of verifying the identity of participants, such as checking passports or ID cards at the entrance to the conference and comparing them with the information submitted online. We also noted that in certain Member States it is illegal to photocopy passports unless justified by the law.

Furthermore, the EU institution failed to formally notify their DPO of the collection of scanned copies of individuals’ ID, as was required under Regulation 45/2001, the data protection rules applicable to the EU institutions at the time of the complaint.

We also responded to concerns about the transfer to the authorities of the host Member State of the personal data collected by the conference organisers. The EU institution claimed that this transfer was carried out on the premise that participants had consented to it. However, to qualify as a valid legal basis for the transfer of data, consent must be freely given. As participants were not able to register for this conference unless they gave their consent to share personal information with the host Member State authorities, their consent was not freely given. As a result, consent, in this case, cannot be considered a valid legal basis for the transfer of data.

Data processing for social media monitoring

On 21 March 2018, we adopted an Opinion on the processing of personal data for social media monitoring at the European Central Bank (ECB). The ECB intended to use an external contractor to monitor and track discussions about ECB related topics on different social media channels. Their aim was to gain a better understanding of how internet users perceive the ECB and to improve the ECB’s communication and reputation.

Specifically, the ECB wanted to collect information on what was being said about them, topics related to their activities, the tone used and how far the information was spread. The monitoring and analysis of the aggregated data on different groups of users was to be carried out by the external contractor, while the ECB would analyse this information and draft reports.

As some internet users, who are not public figures, may be indirectly identifiable by their quotes, their likes or their native language, we provided the ECB with some specific recommendations aimed at ensuring that the rights of individuals would be respected. In particular, we focused on the need to ensure the quality of the data collected and processed, provided recommendations on the content of the contract with the external contractor and advised the ECB on an individuals’ right of access to their own data. We also provided them with advice on the information they must provide to internet users and the security measures the contractor must adopt.

On 13 November 2018, we carried out an in-situ inspection at the ECB and were very happy to note that the ECB had put our recommendations into practice. In addition, almost all data used by the ECB communication team is now aggregated.

Number of complaints received

Figure 3. Evolution of the number of complaints, including inadmissible complaints, received by EDPS

EU institutions and bodies concerned

Figure 4. EU institutions and bodies concerned by complaints received by EDPS

Topics of complaints 2018

Figure 5. Type of violation alleged in complaints received by EDPS

Joint controllership: the case of the Online Linguistic Support tool

Erasmus+ is the European Commission’s programme for education, training, youth and sport. The Education, Audiovisual and Culture Executive Agency (EACEA) runs the programme for the European Commission’s Directorate General for Education and Culture (DG EAC), alongside national agencies in the Member States.

As part of the Erasmus+ programme, EACEA runs an online tool known as Online Linguistic Support (OLS). It is used to check if an individual’s language skills have improved during their stay abroad. Language skills are tested both before an individual leaves their home country and upon their return home. OLS also provides online language classes. The tests are mandatory for any individual receiving funding through Erasmus+, but any consequences relating to failing to take the test, such as a reduction in an individual’s mobility grant, are decided at national level.

Any processing of personal data proposed by an EU institution or body and considered to pose a specific risk to the rights and freedoms of the individuals concerned is subject to prior checking by the EDPS. However, while EACEA provides the online tool, it does not carry out an evaluation of the data collected by the tool. This is done at national level. We therefore informed EACEA that no prior check was necessary in this case.

Notifications to the EDPS

Figure 6. Evolution of Notifications received by EDPS

EDPS prior check Opinions per year

Figure 7. Evolution of prior check Opinions issued by EDPS

Notifications to the EDPS 2018
Core Business vs Administration

Figure 8. Percentage split between Core Business and Administration activities in the Notifications received by EDPS

The case raised an interesting question, however, which is relevant to many European systems, platforms and tools.

The EDPS sees the distribution of tasks between EACEA and DG EAC on the one hand, and national agencies on the other, as a case of joint controllership. This means that both EU and national authorities are responsible for determining the means and purposes of the processing of personal data. We therefore recommended that these joint controllers clarify their respective responsibilities, so that it is possible for individuals to address the right organisation immediately, depending on their needs. For example, in the case of the OLS, requests for access to personal data relating to test results should be addressed to the national agency of an individual’s home country, while the security of the OLS central system remains the responsibility of EACEA.

EU trade unions and the EDPS

On 29 January 2018, we responded to a consultation from a trade union for EU staff, relating to the conditions for sharing data within the same trade union.

Our Opinion found that these trade unions are not classified as EU institutions or bodies under the relevant provision of the rules for the EU institutions and bodies, set out at the time under Regulation 45/2001.

Nevertheless, as a general rule, any internal transfer of data should be governed by the need-to-know principle. We therefore advised the trade union to carry out an analysis to determine whether or not internal data transfers were necessary in this case.

EU institution websites must lead by example

The EDPS has received a number of complaints relating to the protection of privacy and personal data on the websites of certain EU institutions and bodies. These complaints related to:

•  the use of third-party services;

•  user consent relating to cookies:

•  the information provided to website users in the website’s cookie policy;

•  the information provided to users in the website’s privacy policy.

We have been working closely with the institutions concerned to resolve any possible issues raised in the complaints. This fits with our broader efforts to help all EU institutions and bodies ensure compliance with the applicable data protection laws, including our attempts to help them better protect the users of their websites. Included in this is our programme of remote inspections (see section 4.4.7) and the organisation of specific training sessions (see figure 2), among other activities. These efforts will continue into 2019 as we aim to ensure that every EU institution website complies with the relevant data protection requirements.

4.4.6 Catching up with the institutions: audits and visits

Audits and visits are two of several tools we use to monitor the EU institutions and ensure that they abide by the relevant data protection rules. Visits are also a useful tool in helping to raise awareness about data protection in the EU institutions and have proved particularly useful as part of our campaign to raise awareness and help prepare the EU institutions for the new data protection rules (see section 4.1.2).

We carried out seven audits and three compliance visits in 2018. With the new rules in mind, these were aimed at ensuring that the EU institutions have the right tools and knowledge to move beyond mere compliance, towards the approach based on accountability outlined in the new Regulation. It is vital that the EU institutions are able to lead by example in their application of data protection rules in order to help ensure the success of the GDPR EU-wide.

The results of audits are always shared directly with the institutions concerned. We then follow up in due course to ensure that our recommendations have been put into practice. Compliance visits, on the other hand, involve working with the respective EU institution to draw up a roadmap for compliance. We then follow up with the institution to ensure that the roadmap has been effectively implemented.

Under the new Regulation 2018/1725, we will continue to carry out audits and visits. The emphasis will remain on encouraging and ensuring an approach to data protection based on accountability, in line with the new rules.

4.4.7 Remote inspections of webservices

In November 2016, we published Guidelines on the protection of personal data processed through web services provided by EU institutions. In July 2018, we began a follow-up exercise, consisting of remote inspections of the web services offered by the EU institutions.

Remote inspections involve the remote scanning of web services, and can therefore be carried out on EDPS premises. Our approach is comprehensive, taking into account all of the web services offered by the EU institutions. For the first time in the history of the EDPS, we also automated part of the evidence collection and documentation.

As the number of web services reported by the institutions totals more than 700, we have organised the inspections in waves. Each wave is composed of a set of web services, with the first wave including those services likely to have the highest impact on the individuals using them.

The first inspection wave, which included the web services of the largest EU institutions as well as two Europol websites (see section 4.2.3), is now complete, while the second wave is due to finish in early 2019. Further inspection waves will take place throughout the coming year.

The results of the first inspection wave were welcomed by the EU institutions, triggering actions that have greatly improved their web service compliance. We hope to see a similar response to the results of future waves.

4.4.8 Transparency, re-use and data protection

This year’s annual Forum of Official Publishers took place on 8 June 2018, in Oslo, Norway. Our participation in this event is a good opportunity for us to demonstrate how data protection works in practice, when applied to official publications.

In our contribution, we reported on our experience and expertise as an advisor to the EU legislator, as the supervisor of the EU institutions and as the supervisor of the Publications Office of the European Union in particular. Our aim was to provide practical guidance on how to ensure compliance with data protection principles and rules when dealing with official publications.

We focused on three key topics aimed at helping publishers to navigate the GDPR:

•  The role of publishers in relation to personal data when they publish on behalf of national Courts, Justice Ministries or Parliaments. Specifically, we focused on clarifying the situations in which the publisher acts as a controller of personal data and when they act as a processor.

•  The right to erasure, also known as the right to be forgotten, including the conditions under which it applies and the limits to this right.

•  The data protection safeguards in place in case of the re-use of public sector information, allowed for under Directive 2003/98.

The event was also an opportunity to improve our engagement with Norway, a European Economic Area (EEA) country to which the GDPR applies, and with Japan, who attended the conference to give a presentation as an official publisher. The group expressed an interest in hearing updates on data protection matters as part of its future annual meetings.

4.4.9 Cross-border investigations of a different kind

Ever since the GDPR became enforceable on 25 May 2018, some EU institutions have experienced problems collecting required information from certain companies. These companies claim that the GDPR prevents them from providing the EU institutions with this data. Some of the institutions and bodies affected by this problem include:

•  the European Commission’s Directorate General for Competition (DG COMP), which works, among other things, on anti-trust matters;

•  the European Anti-Fraud Office (OLAF), which carries out external investigations on suspected fraud;

•  the European Investment Bank (EIB) and European Investment Fund (EIF), which need to audit funded projects.

In response to this problem, we made sure that the EU institutions concerned were fully informed about the law and how it is relevant to their work.

The collection of data necessary for fulfilling the task assigned to them by law is legal, and not restricted by the GDPR. The relevant EU institution or body is obliged to inform the individual concerned that they plan to process their personal data, but there are also exceptions to this rule, principally where informing the individual involved would jeopardise the investigation, particularly in its early stages.

However, the EDPS is unable to resolve this problem alone. This is because the main issue here concerns the obligations of the companies, who are controllers under the GDPR. As it is the job of national DPAs to supervise adherence with the GDPR within their respective countries, we turned to the European Data Protection Board (EDPB) (see section 4.1.1) to follow up on this matter. We hope to have a resolution to the problem as soon as possible.

4.4.10 Application for Return

Frontex Application for Return (FAR) is a platform which enables the exchange of information on returnees between the European Border and Coast Guard Agency (Frontex) and the Member States. Returnees are individuals from a non-EU country considered to be staying illegally in the EU and subject to a return decision issued by a Member State, through either an administrative or judicial procedure. The platform would allow Member States to inform Frontex about their return operations, including the number of returnees and where they will be returned to, as well as any type of material assistance they might require from Frontex.

On 26 September 2018 we issued a prior-checking Opinion on the FAR platform. We made a number of recommendations with specific reference to the data protection notice associated with this processing operation and to the need to ensure that all returnees are guaranteed the rights of access to and rectification of their personal data. We also stressed the need to carry out risk assessments in relation to the restriction of rights and in the field of IT security and anonymisation.

Return operations involve data processing operations where the individual concerned is particularly vulnerable. It is therefore vital to ensure that data protection principles are respected in order to preserve the dignity of these individuals.

4.4.11 Security verifications of external contractors

EU institutions often use external contractors to provide certain services, such as cleaning, security or IT. However, it is essential to ensure that these external contractors do not introduce security risks. In Belgium, some EU institutions do this by carrying out a security screening process in cooperation with the Belgian authorities.

Though a number of EU institutions had developed procedures relating to this screening process, others were less well-informed. On 30 October 2018, in response to a request from the European External Action Service (EEAS), we issued an Opinion on the topic in which we outlined several recommendations aimed at helping the EU institutions.

The Opinion stressed the importance of establishing a proper legal basis for carrying out the screening process, such as that put in place by the European Commission. EU institutions must also ensure that the individuals concerned are adequately informed about how both the relevant EU institution and the Belgian authorities will process their personal data and that they are made aware of their right to challenge any decisions made against them.

4.4.12 Supervising the EFTA Surveillance Authority

In October 2017, we took on the role of data protection supervisor for the EFTA Surveillance Authority (ESA). ESA’s main task is to ensure that the European Free Trade Association (EFTA) countries of Iceland, Norway and Lichtenstein respect their obligations under the European Economic Area Agreement.

EU data protection legislation also applies to the EEA. The EFTA countries are therefore required to establish independent national supervisory authorities to enforce the GDPR. However, the GDPR does not apply to EFTA institutions. As a result, even though EFTA institutions were exchanging personal data with the European Commission and other EU bodies on a regular basis, they were not subject to any data protection rules or supervision.

The special supervisory regime agreed upon in late 2017 closed this legal vacuum. It consists of:

•  ESA Decision 235/16/COL, based on the data protection rules for EU institutions set out in Regulation 45/2001, with minor changes to reflect the specific legal and operational environment in which ESA operates. This Decision provides for the supervisory role of the EDPS.

•  A Memorandum of Understanding (MoU) between ESA and the EDPS, establishing our powers and tasks as ESA’s data protection supervisor.

However, with the introduction of new rules for the EU institutions, this special supervisory regime is now out of date. In spite of our recommendations to the contrary, Regulation 2018/1725 does not cover data protection rules or supervision for the EFTA institutions.

With the EU institutions and bodies now bound by the new rules, it follows that ESA’s data protection regime must be updated, to bring it in line with these rules. Only through doing so will we be able to ensure the adequate protection of personal data in exchanges with the EFTA institutions.

4.4.13 Eurojust: a new supervisory role for the EDPS

The European Union Agency for Criminal Justice Cooperation (Eurojust) was set up to reinforce the fight against serious organised crime within the EU and to promote coordination and cooperation between national investigating and prosecuting authorities dealing with these crimes.

On 6 November 2018, the European Parliament and the Council adopted a new legal framework for Eurojust. It includes new rules on data protection, which task the EDPS with supervising the processing of personal data at Eurojust. It also provides for cooperation between the EDPS and the national DPAs within the framework of the EDPB on any issue requiring national involvement, in order to ensure coordinated supervision. Our new supervisory responsibilities will begin on 12 December 2019.

To prepare for this new supervisory role, we will coordinate internally and organise regular meetings with the DPO of Eurojust. The relevant EDPS staff members will also follow internal and external training sessions related to Eurojust supervision.

A first visit to the headquarters of Eurojust in The Hague took place on 29 November 2018 and more visits are planned in 2019, in order to ensure a smooth transition to EDPS supervision of Eurojust’s data processing activities.

4.4.14 Advising the EU institutions

Free and fair European elections

On 17 December 2018, we published an Opinion on the European Commission’s legislative package on free and fair European elections. The package consisted of four parts:

•  a Proposal for a Regulation concerning a verification procedure for infringements of rules on the protection of personal data in the context of the European Parliament elections;

•  a European Commission Communication on securing free and fair European elections;

•  a European Commission Recommendation on election cooperation networks, online transparency and protection against cybersecurity incidents and fighting disinformation campaigns relating to the European Parliament elections;

•  a European Commission Guidance document on the application of Union data protection law in the electoral context.

In our Opinion, we recognised the fact that the package underlined the role of social media platforms in the election process, as well as the consistency of the package with the Commission’s Code of Practice on online disinformation.

With European Parliament elections set for May 2019 and numerous other national elections scheduled throughout the year, we acknowledged the need to set up national election networks and a European coordination network, as outlined in the Commission’s Recommendation. Given our work in this area, we also expressed our interest in participating in the European network.

Our Opinion reinforced the urgency of the Commission’s call for Member States to assess the risks associated with the European Parliament elections, particularly potential cyber incidents that could affect the integrity of the electoral process.

Moreover, we felt that, for further clarity, a reference could have been included to the fact that personal data processed by the European Parliament, the Authority for European political parties and European political foundations and the Committee of independent persons will be done within the scope of the new Regulation for the EU institutions and bodies (see section 4.1.2).

We also provided several specific recommendations on the proposed Regulation, including the need to clarify the scope of the new measures and their aims and the need to ensure confidentiality in the exchange of information between DPAs and the Committee of independent persons. In addition, we advised including references to EDPS decisions and the current data protection legal framework.

A new deal for consumers

On 5 October 2018, we published an Opinion on the legislative package A New Deal for Consumers. The package consisted of the Proposal for a Directive as regards better enforcement and modernisation of EU consumer protection rules and the Proposal for a Directive on representative actions for the protection of the collective interests of consumers.

The EDPS has consistently called for a coherent approach to enforcement from authorities responsible for the digital economy and society. These include consumer, data protection and competition authorities. We reiterated this in our Opinion, stressing that consumer law and data protection can no longer afford to work in insolation. A big-picture approach to addressing systemic harms to individuals in digital markets is required, involving closer cooperation between enforcers in order to avoid legal uncertainty.

We welcomed the initiative to update the enforcement of consumer rules and supported the package’s aim to extend benefits to consumers who receive services without paying a monetary price. However, with free the preferred price for many digital markets, the consumer should be protected regardless of whether a contract to provide digital content or services requires payment or not.

Both consumer and data protection law must be effective in tackling any harm arising from the digitisation of people’s lives. Personal data cannot be treated as an economic asset. It is therefore vital to ensure that personal data is not mentioned in contract definitions for the supply of digital content or a digital service, in line with the safeguards provided for by the Charter of Fundamental Rights and the GDPR.

Closer alignment between consumer and data protection requires policymakers, as well as regulators, to deepen their dialogue and understanding. Initiatives such as the Digital Clearinghouse (see section 4.4.18) and the joint meetings of the EDPB and the Consumer Protection Cooperation Network are vital steps towards achieving this.

Rules on re-using Public Sector Information

On 10 July 2018 we issued an Opinion on the European Commission’s Proposal for a new Directive on the re-use of Public Sector Information (PSI). In proposing to amend the current Directive, the Commission was looking to facilitate the re-use of PSI throughout the EU by harmonising the basic conditions for re-use.

PSI data includes legal, traffic, meteorological, economic and financial data. Our Opinion provided specific recommendations on how to clarify the relationship between the proposed PSI Directive and the exceptions outlined in the GDPR. We also addressed how to deal with the cost of data anonymisation and the use of DPIAs for sensitive sectors, such as healthcare.

In particular, we specified that precise wording be used to better clarify the coherence between the PSI Directive and the GDPR. Furthermore, due to the high costs associated with anonymising personal data, we suggested that every organisation falling within the scope of the PSI Directive should be able to charge for anonymisation expenses.

We also stressed the importance of protecting the rights of individuals. While it may be true that more data than ever is now generated and processed by machines, much of it still falls within the definition of personal data. For this reason, we specifically highlighted the various challenges arising from trying to differentiate between personal and non-personal data.

Digital tools and processes in company law

On 25 April 2018, the European Commission adopted a proposal amending EU Directive 2017/1132 on the use of digital tools and processes in company law. In response to separate requests from both the Commission and the Parliament, we published an Opinion on the proposal on 26 July 2018.

The proposal sets out rules for online company registration and the electronic filing and publication of registered information on companies and branches and therefore entails the exchange of personal data. For example, information about the founder of a company or its director might be submitted in an online registration and electronically filed.

The proposal also provides for free of charge access in all Member States to a list of documents and information, the establishment of an optional access point to the platform for the EU institutions, and would introduce the once-only principle in the area of company law. The once-only principle would mean that companies would only have to submit relevant information once, to be shared with different authorities if required. Personal data would therefore also be accessible to various national authorities in business registers, as well as in documents required for cross-border operations such as mergers, divisions and conversions.

Additionally, the proposal would allow for the exchange of data on the disqualification of directors between national business registers. Such an exchange is likely to involve data relating to criminal convictions and offences. As this is considered as sensitive data, it requires appropriate safeguards.

We outlined several recommendations aimed at ensuring the highest level of protection for all personal data concerned. The proposal is now under negotiation in the Council and the European Parliament.

4.4.15 New technologies

Blockchain: assessing the implications for data protection

Blockchain has become a powerful buzzword in the world of technology and financial innovation. The technology is currently used as an enabler for Bitcoin and other so-called crypto-currencies, and sparked the development of Distributed Ledger Technology (DLT). Distributed ledgers such as blockchains are databases with many replicas under the shared control of distinct, often autonomous, participants.

Originally developed to secure online transactions through the use of sophisticated cryptography, EU industries and legislators are now assessing the viability of using blockchain in a variety of areas, from finance to e-government and even in personal healthcare. However, it is vital to ensure that these assessments consider the data protection implications of using distributed databases.

Whenever blockchain technology is used to process personal data the relevant data protection law applies. In the EU, this law is the GDPR. We have been following the evolution of blockchain since 2016 and have so far identified a number of data protection challenges, relating to areas such as storage limitation, controllership and individual’s rights, which we will look to investigate further in 2019.

4.4.16 Privacy engineering gaining ground

In February 2018, Assistant Supervisor Wojciech Wiewiórowski attended the Mobile World Congress in Barcelona, one of the world’s most important technology events. He participated in panels and roundtables alongside other data protection commissioners from around the world.

The event was a chance for privacy regulators to explain how data protection principles can be applied to new technology and how these principles protect the fundamental rights of citizens, while also outlining their expectations in relation to the measures taken by the industry to incorporate these principles into their products. Industry representatives, however, expressed their concerns that some legislative initiatives could lead to the unnecessary restriction of the cross-border data flows considered necessary for some business activities.

The EDPS participated in a debate with industry and consumer representatives on transparency and control for individuals in the collection and processing of their data in Internet of Things (IoT) environments. We highlighted the clear rules on this topic, outlined in the GDPR, and stressed the need for manufacturers and IoT device and service providers to adopt the principles of data protection by design and by default. To help them with this, we invited them to attend the IPEN workshop, which took place in Barcelona on 15 June 2018, organised with the support of the Polytechnic University of Catalonia (UPC).

IPEN was set up by the EDPS in 2014 to promote privacy engineering and bridge the gap between legal and IT engineering approaches to data protection. As in 2017, the 2018 workshop took place immediately after the ENISA Annual Privacy Forum. The main aim of the workshop was to assess the state of play of privacy engineering and privacy-enhancing technologies (PETs) in the wake of the GDPR, and to follow up on the outcome of last year’s trans-Atlantic workshop, which focused on research and development needs in privacy engineering.

IPEN participants provided updates on ongoing initiatives such as the IPEN wiki on privacy-related standardisation initiatives and the PETs maturity deposit. The relationship between ethics and technological developments was also a topic for discussion. We challenged those present to think about moving from privacy by design to the concept of human rights by design.

The Workshop provided an opportunity for businesses to present and demonstrate solutions combining innovation and data protection. Companies such as SAP, Qwant and Brave shared best practice on how to give users more control over their data. Academics reported on recent research results and presented practical tools to help detect privacy compliance issues and support regulators and controllers in implementing accountability.

The workshop marked an encouraging start to the GDPR era. We look forward to continuing this valuable interdisciplinary dialogue over the months and years to come.

4.4.17 Online manipulation and personal data

On 20 March 2018, we published an Opinion on online manipulation and personal data. The Opinion responded to fevered public debate on misinformation, responsible for distorting trust in the democratic process. It argued that the fundamental problem was not so-called fake news, but rather the abuse, on a massive scale, of personal information and the right to freedom of expression. This abuse is endemic to the digital information ecosystem which has evolved over the past two decades, which is dangerously complex, concentrated and lacking in explainability and accountability.

This ecosystem, often referred to as the AdTech ecosystem, depends on a cycle of constant tracking, profiling and targeting of individuals. It revolves around a handful of extraordinarily powerful platform intermediaries who, by determining what information is collected about people and presented back to them, act as effective gatekeepers for the online experience of most people today.

Restricted to commercial activities, the impact of this phenomenon on fundamental rights was already significant. Yet, as revelations from the last 12-18 months show, this volatile ecosystem has now been weaponised by actors with political motivations, including those wishing to disrupt the democratic process and undermine social cohesion. Opaque algorithmic decision-making rewards content which provokes outrage, on the basis that greater engagement generates revenue for the platforms in question. This poses obvious risks to fundamental values and democracy.

In our Opinion, we argued that much greater focus is needed on the role of regulators in working together to hold commercial and political players to account for how they process personal information. We identified a role here not only for DPAs, but also for competition authorities and audio visual service regulators and election monitors. New ePrivacy rules are also essential, to address market incentives and open up space for alternative business models which do not depend on constant surveillance and intrusive targeting (see section 4.1.3).

Above all, there is a need for DPAs to better collaborate with other regulators, particularly electoral and audio-visual regulators. With fears that political campaigns may be capitalising on centralised digital spaces and widely available data to circumvent existing laws, it is vital that we take action to protect the rights and interests of individuals in our digital society. We therefore proposed to hold a workshop in early 2019 and to invite electoral and audio visual regulators to participate in Digital Clearinghouse deliberations (see section 4.4.18).

4.4.18 A more coherent approach to challenges in the digital ecosystem: The Digital Clearinghouse

There are natural synergies between data protection, consumer protection and competition policy. However, the authorities responsible for enforcing laws in these fields have long acted in isolation, as if these synergies did not exist. Increased cooperation between these authorities would help to improve understanding of market dynamics and to develop more coherent and consistent responses to the challenges posed by the digital economy.

The EDPS Strategy refers to the need to work across disciplinary boundaries to address policy issues with a privacy and data protection dimension. In response to our own analysis and calls from regulators to establish a space for dialogue, we launched the Digital Clearinghouse. The first two meetings of the Clearinghouse took place in 2017.

Our third meeting, which took place on 21 June 2018, was the first to welcome the participation of authorities from outside the EU. Regulators and enforcement agencies discussed topics of concern to all authorities present, including:

•  the relevance of personal data in competition and consumer enforcement;

•  the fairness of privacy policies and terms and conditions in free online services;

•  collusive and personalised pricing and related theories of harm in digital markets;

•  unethical data collection and analysis for the purpose of targeted marketing.

On 10 December 2018, 31 authorities from the EU and other countries met for the fourth time. We expanded the scope of the meeting to include electoral regulators and discussed the impact of online manipulation on free and fair political activities, as part of the democratic process. With an emphasis on more practical cooperation, our discussions also focused on topics such as:

•  the deceptive framing of a free offer as unfair practice;

•  the opportunity to adopt structural remedies capable of provoking a change in current business models;

•  asymmetric regulation of access data;

•  the misuse of data protection by national authorities, including competition agencies, to frustrate investigations.

Authorities also debated non-price factors in competition and consumer enforcement analysis and agreed to continue parallel discussions on this, to develop a methodology to assess the real costs to individuals when the monetary cost of a service is zero or below marginal cost.

Moving forward, we aim to continue our efforts within the Digital Clearinghouse to ensure coherence in the areas of enquiry already under discussion, while also looking to contribute to and build on the work of existing networks.

In the digital era in which we are now living, everyone and everything is connected, regardless of where we are in the world. However, while personal data now flows freely across borders, data protection laws remain national or, at best, regional.

Better engagement and convergence on data protection at international level has been a subject of intense discussion for many years and Europe has assumed a leading position in shaping a global, digital standard for privacy and data protection. However, until more recently, little practical progress had been made.

Our Strategy 2015-2019 positions the EDPS at the forefront of this discussion. At the beginning of the present mandate we committed to forging global partnerships with the aim of building a global social consensus on the principles relating to data protection.

One way in which we have sought to achieve this objective is through working with our international and regional partners to mainstream data protection into international agreements. Our work with the Council of Europe and international organisations is a good example of this, as are our efforts to ensure that EU agreements on international data transfers, such as the Privacy Shield, fully respect the fundamental rights of the EU.

4.5.1 International data transfers

The EU-US Privacy Shield

The EU-US Privacy Shield has been in place since 1 August 2016. It is what is known as an adequacy decision, providing for a legal basis for the transfer of personal data from the EU to the US. The Privacy Shield is reviewed on a yearly basis, to ensure that it is implemented effectively, in a way that provides for adequate protection of personal data, in line with EU rules.

The second yearly review of the EU-US Privacy Shield took place on 18 and 19 October 2018. A team of representatives from the EU’s data protection authorities (DPAs), including a representative from the EDPS, took part in the review. A report on the results of this joint review is to be adopted at the January 2019 Plenary meeting of the European Data Protection Board (EDPB).

An adequacy decision for Japan

In September 2018, the European Commission published a draft adequacy decision for the transfer of personal data from the EU to Japan. Before adopting the decision, the Commission was required to consult the EDPB for an Opinion.

The EDPB adopted this Opinion on 5 December 2018, using its updated guidance document on adequacy decisions as a benchmark. As the first adequacy decision of the GDPR era, the EU-Japan adequacy decision will not only set the tone for any future adequacy decisions, but may also have an impact on the upcoming review of all adequacy decisions currently in place.

The Commission also consulted the EDPS and, on 4 September 2018, we provided preliminary informal comments on the draft decision. However, in contrast to our approach to the draft EU-US Privacy Shield in 2016, we did not issue an Opinion. This is because, as a member of the EDPB, we actively contributed to discussions on the EDPB Opinion, drawing particular attention to the role of the Board and the Commission’s accountability for adequacy decisions. Convinced that the EDPB Opinion represented a reasonable reflection of the Board’s discussions, we encouraged the Commission to take its observations and recommendations into account.

4.5.2 International cooperation

Council of Europe

The Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data was the first legally binding international instrument in the field of data protection. Adopted by the Council of Europe on 28 January 1981, any country can sign up to what is known as Convention 108.

53 countries are now party to the Convention and its additional Protocol regarding supervisory authorities and transborder data flows. These include Cape Verde and Mexico, where the Convention entered into force on 1 October 2018. When combined with the number of countries participating in the Committee of Convention 108 as observers, this number increases to 70 countries, all working together on privacy and data protection rights.

The role of the EDPS, as an EU institution, is to act as an observer in the Council of Europe’s expert groups on data protection. These groups include the Consultative Committee (T-PD) of Convention 108. We attend the meetings of the expert groups and provide comments, with a view to ensuring both a high standard of data protection and compatibility with EU data protection standards.

For some time now, the Council of Europe has been working to modernise Convention 108. The aim was to strengthen its effectiveness and ensure that it better reflected the realities of an increasingly connected world. The EDPS has followed this process throughout.

On 18 May 2018, the Protocol amending the Convention was adopted. It reaffirms the essential principles enshrined in the original Convention text and integrates new safeguards. Known as Convention 108+, the new Modernised Convention 108 was opened for signature on 10 October 2018 and signed by 21 states at an official ceremony.

In 2018, we contributed to the T-PD’s discussions on a recommendation on health-related data, ongoing work on the follow-up mechanism of Convention 108+, Artificial Intelligence (AI), the Internet Corporation for Assigned Names and Numbers (ICANN) and on law enforcement transborder access to data.

International Organisations

Though they may be exempt from national laws, including those relating to data protection, international organisations are influential advocates for the development of a privacy culture. Their position means that they are able to spread knowledge about data protection and privacy in parts of the world where, for various reasons, it has not necessarily been high on the agenda.

We support international organisations in their efforts to develop their own data protection frameworks and to share knowledge and experience with one another. An important part of this work takes place as part of a series of workshops, an initiative we launched in 2005.

In July 2018, Assistant Supervisor Wojciech Wiewiórowski participated in the seventh edition of these workshops, which we had the pleasure of co-organising in Copenhagen alongside our hosts, the Office of the United Nations High Commissioner for Refugees.

The workshop focused on a range of topics. These included:

•  privacy standards and oversight mechanisms for international organisations;

•  how to put the principle of accountability into practice;

•  international transfers;

•  the legal grounds for processing personal data in the international organisations context.

Throughout our discussions we noted a common determination to make data protection part of the working culture of international organisations and to ensure that these organisations are held accountable. We have no doubt that the productive dialogues initiated at this workshop will lead to further collaboration between international organisations themselves as they continue to develop their approaches to data protection. The EDPS will lend our full support to this effort.

The Berlin Group

The EDPS has been an active member of the International Working Group on Data Protection and Telecommunications (IWGDPT, known as the Berlin Group) since its establishment. The group’s work is becoming more important with the increasing emphasis placed on the role of technology and its impact on fundamental rights, as well as the legal recognition of data protection by design as an obligation for controllers.

As a global cooperation body, the IWGDPT brings together actors from different parts of the world, not only from both sides of the Atlantic, but also from beyond the Pacific. All have different views and approaches to the rights of individuals and the models for their protection. Finding a common position reconciling the various backgrounds can be challenging, but this makes the results even more powerful and worthwhile.

IWGDPT Working Papers are based on an analysis of the technological features involved in the subject of the paper. They then proceed to define principles and recommendations aimed at achieving common objectives. In 2018, Working Papers concerned data processing and collection in connected vehicles. The group also worked on the privacy challenges of Artificial Intelligence.

The Ibero-American Conference

The sixteenth Ibero-American conference on data protection took place from 28-30 November 2018, in San Jose, Costa Rica. We had the privilege of attending the conference, which brought together representatives from South and Central American DPAs, big companies and civil society.

Among the topics discussed were relations between the EU and Latin America, the protection of the personal data of minors, new perspectives in the processing of health data, security versus privacy and the role of civil society in the protection of personal data. The EDPS contributed to the panel on transparency and data protection.

A closed session took place on the last day, allowing authorities from participating countries to provide one another with an update on their legislation in the field of data protection, including amendments, the signing of international conventions and the drafting of new legislation. The conference was an excellent opportunity for us to develop relations with our counterparts in Latin America.

Over the past two decades, we have witnessed a digital revolution that has changed our world in ways that were previously unimaginable. While numerous developments have brought benefits, we also need to confront a range of new problems and challenges. Many of these are linked to how data is collected and used in the age of digital technologies. To address this new reality, we committed to developing an ethical dimension to data protection in our Strategy 2015-2019.

Our work on ethics starts with the question of how fundamental values and rights can be upheld in the digital age and aims to promote awareness and understanding of the risks we face. We want to assess how data protection and privacy are linked to preserving human dignity in the digitised world and explore their meaning and importance, taking into account extensive tracking and profiling practices, the Internet of Things, big data, Artificial Intelligence (AI) and autonomous systems, robotics and biometrics.

Ethics is about defining right and wrong, both in theory and in practice, in specific circumstances. While it is not an alternative to law, it informs laws as they are being drafted, interpreted and revised. It can also help guide people and organisations in deciding whether or not to act in an area where the law appears to be silent. The EDPS Ethics Initiative aims to reach out beyond the immediate community of EU officials, lawyers and IT specialists and generate a global conversation about this.

2018 was a pivotal year for the Ethics Initiative. The year began with the publication of the Ethics Advisory Group Report and ended with a week of intense and productive discussion during the 2018 International Conference of Data Protection and Privacy Commissioners. After more than three years of hard work, digital ethics is now very much on the global agenda. It is vital that we now work to capitalise on this and move the debate forward.

4.6.1 The Ethics Advisory Group: Reporting on Digital Ethics

The Ethics Advisory Group (EAG) was launched by the EDPS at the annual Computers, Privacy and Data Protection (CPDP) conference in January 2016 as part of the EDPS Ethics Initiative. Made up of six experts with different backgrounds, its task was to explore the relationships between human rights, technology, markets and business models in the twenty-first century.

Over the course of two years, the group worked together to examine digital ethics from a variety of academic and professional perspectives with the aim of contributing to the wider debate on the digital environment and its ethical implications.

The EAG returned to the CPDP conference in 2018, as part of a panel organised by the EDPS, to present their final report and discuss the questions raised within it. The report focused on the consequences of the digital revolution and the impact that these consequences have had on the values we, as individuals and as a society, hold dear. It identified the main socio-cultural shifts that have taken place in tandem with the latest technological developments, examining the relationship between them, human values and ethical agency, and addressed why this requires a reassessment of the data protection ecosystem.

The aim of the report was not to produce definitive answers or articulate new norms, but to encourage proactive reflection on what is at stake.

4.6.2 Getting your views on Digital Ethics

On 15 June 2018, we launched a public consultation on digital ethics. The aim of the consultation was to build on the results of the EAG report, opening up the debate to contributions from individuals and organisations across all sections of society. In particular, we wanted to better understand how they were affected by the shift to digital, the specific challenges they were facing and to what extent they were addressing these challenges using an ethics-based approach.

We received 76 responses to the consultation, from a wide variety of sources located all over the world. These included health centres, kindergartens, universities, governments, NGOs, law firms and software developers, among others. The consultation consisted of 12 questions, the majority of which invited open answers, allowing us to collect vital qualitative information. From these answers we were able to reach one main conclusion: ethics was on the agenda of the majority of the organisations who participated in the consultation and was considered to be extremely relevant.

Contributors cited examples of some of the challenges we face and need to address. These included robots in healthcare and personal digital assistants, online voting, state nudging and the future of work. One contributor commented that privacy goes beyond compliance, mastering the privacy challenge enables sustainable digital opportunities. Another noted the importance of human rights and European values of liberty, equality, freedom, democracy, while a third acknowledged that the challenges are immense and difficult.

The results of the consultation were published on 25 September 2018 as part of a short summary.

4.6.3 Encouraging debate around the world

From 22-25 October 2018, more than 1000 people, representing a wide range of disciplines, nationalities and viewpoints, descended on the European Parliament in Brussels to debate digital ethics (see section 4.7). The 40th International Conference of Data Protection and Privacy Commissioners proved to be a watershed moment for the debate on digital ethics, building on the work produced through the EDPS Ethics Initiative to incite a global reaction to the challenges we face in the digital age.

While new laws, such as the GDPR, provide us with a comprehensive framework for data protection in the digital age, they are only a first step in ensuring that we are able to reap the benefits offered by new technologies, while still enjoying our fundamental rights.

We dedicated the conference to Debating Ethics: Dignity and Respect in Data Driven Life. Ethical deliberation is the process of societal self-reflection, upon which members of a society establish values and norms and enact legal systems. Simply put, ethics come before, during and after the law, helping us to ensure that our laws remain up to date. History has shown that ethical notions of good and bad must be debated and defined on a continuous basis, by means of open and democratic discussion. Ethics, therefore, can help us to find a path into an increasingly digital future that both reaffirms and protects long-standing rights and values.

The challenges posed by the digital revolution require a global response. Through the conference, we were able to generate the rich global and cross-disciplinary debate that can inspire this. Speakers included high-level EU representatives, renowned academics, pioneers of the online world, refuseniks, activists, human rights defenders and NGO representatives, Silicon Valley VIPs, legal experts, writers and journalists, thinkers and dreamers and, of course, representatives from data protection authorities from all over the world.

Through our communication efforts, the diverse issues raised at the conference reached a huge number of people, raising awareness and sparking reaction all over the world. With at least 1500 online articles published during the week of the conference, in addition to other media coverage, we were able to reach far beyond the 1400 people who attended the conference. This undoubtedly helped us to mobilise a wide range of people, beyond the data protection community and beyond Europe, and to make great strides towards our common goal of developing an ethical dimension to data protection.

A full report on the outcomes of the conference is available on the EDPS website (see section 4.7). In addition to this, as part of our continued work on the EDPS Ethics Initiative we will produce a new EDPS Ethics Opinion in 2019.

In 2018, the EDPS had the privilege of hosting the 40th International Conference of Data Protection and Privacy Commissioners, alongside our co-hosts, the Bulgarian Commission for Personal Data Protection (CPDP). This was the first time that this annual conference, which took place from 22 to 26 October 2018, had been held by an EU institution in collaboration with a national supervisory authority.

The Conference began with a two-day closed session, open only to conference accredited members. We then welcomed participants from all over the world to the public session of the Conference. Participants included representatives from government, civil society, regulators, industry, academics and the media, in addition to data protection authorities (DPAs). Forty side events on a wide range of privacy related issues also took place and additional privacy events were also organised by our co-host in Sofia.

The 40th International Conference of Data Protection and Privacy Commissioners was an event unlike any of its predecessors. It did not focus on privacy or data protection or specific laws like the General Data Protection Regulation (GDPR), or even on laws in general. Rather, through Debating Ethics: Dignity and Respect in Data Driven Life, we aimed to build on the work started by the EDPS Ethics Initiative and stimulate an honest and informed discussion about how we should shape the impact of digital technology on individuals and societies. As a result of our efforts in this area, the EDPS is now viewed as a leading authority on digital ethics.

A detailed report on the Conference can be found on the EDPS website.

4.7.1 The Closed Session - Ethics and Artificial Intelligence

The International Conference of Data Protection and Privacy Commissioners (ICDPPC) is a recognised international organisation. Throughout its 40 year history, the conference has met each year, bringing together DPAs from local, national and international levels to share knowledge and provide support.

The ICDPPC Executive Committee sets the agenda for the closed session. In 2018, for the first time, the central theme of the closed session was directly connected to the theme of the public session.

The closed session of the International Conference is open only to accredited members and observers of the ICDPPC. Bringing together a record number of 206 delegates from 76 countries, it took place at the prestigious Palais d’Egmont, in Brussels, from 22-23 October 2018. Ethics and Artificial Intelligence (AI) was this years’ topic of discussion.

Few authorities currently monitor the impact of new technologies on fundamental rights so closely and intensively as data protection and privacy commissioners. The 2018 conference continued the discussion on AI initiated two years previously at the conference in Marrakesh, which was based on a reflection paper produced by the EDPS.

Our discussions resulted in a declaration on ethics and data protection in artificial intelligence, spelling out six principles for the future development and use of AI and demanding concerted international efforts to implement these principles. Conference members will contribute to these efforts in different ways including through a public consultation and a new permanent working group on Ethics and Data Protection in Artificial Intelligence.

The closed session also adopted three other resolutions on e-learning platforms, on the Conference Census and on collaboration between Data Protection Authorities and Consumer Protection Authorities, in addition to a roadmap for the future of the International Conference.

We hope that the decisions taken in the closed session help the conference to grow in ways that will reinforce cooperation globally. As a community of regulators, the ICDPPC must now look to interact much more with partners from outside the world of data protection.

4.7.2 The Public Session - Debating Ethics

The public session of the 2018 International Conference took place from 24-25 October 2018, in the Hemicycle of the European Parliament in Brussels. In addition to guests, members and observers of the ICDPPC, we welcomed participants from diverse backgrounds and nationalities. These included representatives from the private and public sectors, academia, civil society and the media.

With the choice of topic for the public session at the discretion of the hosts, we chose to focus on Debating Ethics: Dignity and Respect in Data Driven Life. We wanted to inspire an inclusive, cross-disciplinary and interactive debate on the digital revolution and its impact on us, as individuals and as a society (see section 4.6).

Split into five sessions across two days, the conference drew on contributions from a diverse group of speakers. These included high-level EU representatives, renowned academics, pioneers of the online world, refuseniks, activists, human rights defenders and NGO representatives, Silicon Valley VIPs, legal experts, writers and journalists, thinkers and dreamers and, of course, representatives from DPAs from all over the world.

Session one - This Digital Life

The conference began with a discussion of the role of ethics in human society. Maria Farrell, a writer and consultant on technology, internet policy and community, began the conference with a call for collective action that set the tone for the discussions to come.

EDPS and host, Giovanni Buttarelli, officially opened the conference, setting out the strategic importance of defining a truly global digital ethics that safeguards dignity and respect for individuals and groups in the decades to come. Integral to this is the need for an objective assessment of how technologies are affecting our lives and how we can ensure a positive relationship with new technologies, which puts people and dignity at the centre.

He finished his speech by welcoming one of our keynote speakers, Tim Cook, to the stage. In a much-anticipated address, the Apple CEO made a powerful call for the development of a digital ethics and acknowledged the responsibility of Apple and other powerful developers in ensuring technology serves humankind.

Session two - Right versus Wrong

The second session looked to assess how the latest technological innovations impact our privacy, autonomy and self-determination. We wanted to explore how ethics interacts with the law, the role it has played in other fields and the role it plays in resolving public policy dilemmas.

Inventor of the World Wide Web Sir Tim Berners-Lee and Professor of Law and Philosophy at the University of Pennsylvania Anita Allen opened the discussion. While the former highlighted the role of technological development in shaping society, the latter encouraged us to view ethics as something which complements the law, rather than undermines it.

A panel discussion followed, featuring renowned ethicists and scholars who offered insights into the application of ethics in different fields.

Session three - The Digital Dividend

In the last session of the day, we looked at the wider social consequences of ethics. The aim was to explore the effect of new technology on the values and rights at stake for individuals and human interaction, society and the state

The CEOs of two of the world’s biggest technology companies, Facebook and Google, contributed to our discussion through video messages, while Former Chief Justice of India, Jagdish Singh Khehar, provided us with a real-life example of how ethics can be enforced.

After a panel discussion on the impact of emerging technologies on society and the economy, it fell to our co-host, Chairman of the Bulgarian Commission for Personal Data Protection Ventislav Karadjov, to summarise the day’s discussions.

We ended the day with computer philosophy writer Jaron Lanier’s call for a less manipulative alternative to the advertising business model which currently dominates the technology sector.

Session four - Towards a Digital Ethics

EU Commissioner for Justice Vera Jourová opened our second day of discussions, which focused on the idea of data protection beyond compliance. We attempted to determine what this concept means, who should speak about it and who needs to take action.

An important question in this debate concerns the role of DPAs in the governance of digital ethics. A panel discussion featuring privacy commissioners from every continent, as well as esteemed experts from government, civil society and industry, attempted to address this question.

Session five - Move Slower and Fix Things

Our final session aimed to draw conclusions from the preceding discussions, with a particular focus on how to move forward. It included a report on the outcomes of the Creative Café, a workshop session held in parallel to session four, which aimed to explore this question.

Speaking on behalf of the Creative Café, Assistant Supervisor Wojciech Wiewiórowski stressed the that the conference represented only the beginning of a much longer process.

EDPS Giovanni Buttarelli brought the conference to a close. He referenced the diversity of the voices heard throughout the sessions, from those who represented powerful interests, to those who spoke for the most disadvantaged, who are yet to truly benefit from the digital revolution.

Over 40 people took to the stage during the public session of the international conference, offering their diverse perspectives on the subject of digital ethics. Common to all of their contributions was a promise: to continue the collaboration instigated by the conference in pursuit of a sustainable digital ethics.

4.7.3 Side Events

In the tradition of past years, side events once again took place in the margins of the 2018 international conference. These focused not only on the conference theme of digital ethics, but also on a wide range of other topics relating to data protection practice. With over 40 events to choose from, all taking place on 23 and 25 October 2018, there was something for all interests.

Organised by a variety of different organisations and groups from all over the world, the side events that took place during the week of the international conference week provided a unique opportunity for participants to interact with colleagues from diverse nationalities and backgrounds and to learn from their differing perspectives on a range of data protection issues. The diversity of topics discussed is well illustrated by a selection of events.

In the year of the General Data Protection Regulation (GDPR) it is perhaps unsurprising that many of our side events focused on the topic. The EDPS and the European Data Protection Board (EDPB) jointly hosted one such event on 25 October 2018. Experts from data protection and other authorities across the EU and globally joined the heads of the EDPS and EDPB, Giovanni Buttarelli and Andrea Jelinek, for a discussion on the GDPR, five months after it became fully applicable. The event was honoured to welcome Koen Lenaerts, President of the Court of Justice of the European Union, and Catherine De Bolle, Europol’s Executive Director, as its keynote speakers.

Another event, organised by the Council of Europe, saw an impressive line up of data protection experts discuss their views on the modernisation of Convention 108, the world’s only international treaty safeguarding the right to data protection (see section 4.5.2). The event aimed to unpack the newly updated Convention 108, providing information about the new text, its value and benefits.

Public Voice Coalition, a broad coalition of civil society organisations, organised another event, focused on one of the hot topics in data protection at the moment: Artificial Intelligence. With clear connections to digital ethics, the event looked to explore the implications of AI for human rights, consumer protection and competition and the relationship between ethics and the law.

Side events were organised by eight different DPAs from around the globe, 18 NGOs and international organisations, six think tanks and research groups and eight private companies and law firms. Over 160 speakers were involved in what proved to be a very diverse selection of events.

4.7.4 Social Events

In order to offer a unique experience for delegates coming to Brussels from all around the world, we secured some of Brussels’ most striking and prestigious venues to host the conference. We wanted to give delegates a taste of what the Capital of Europe has to offer, including its impressive history and architecture.

The week started at Brussels’ Hôtel de Ville, an impressive Gothic building dating back to the fifteenth century. Delegates from over 80 countries were greeted with a Welcome Cocktail and a spectacular view of Brussels’ central square, the Grand Place.

From 22-23 October 2018, ICDPPC accredited members and observers gathered at the Palais d’Egmont, the venue for the closed session of the conference. Originally constructed in the sixteenth century, the Palais d’Egmont has played host to several members of the European royalty and nobility over the years, including Queen Christina of Sweden and Louis XV, as well as to prominent European philosophers and artists, such as Voltaire and Jean-Baptiste Rousseau. Now the property of the Belgian Ministry of Foreign Affairs, it hosts a range of important diplomatic events and has welcomed some of the world’s most influential and well-known heads of state.

The venue for the public session was equally impressive. The Hemicycle of the European Parliament usually hosts the world’s largest transnational parliament. From 24-25 October 2018, however, it played host to a debate between over 1000 people on the impact of the digital revolution.

Evening events were planned with the same attention to detail. The first day of discussions in the closed session concluded with dinner at the Concert Noble. This historic manor was built by King Leopold II in the nineteenth century to provide an appropriate backdrop for gatherings of aristocratic socialites to enjoy music and art.

A Welcome Cocktail was organised on 23 October 2018 at the inspiring Museum of Fine Arts, in Brussels’ Place Royale. The theme for the event was An Evening in Brussels and it was organised by the conference hosts in conjunction with the International Association of Privacy Professionals (IAPP). Taking place on the eve of the public session, it included a tour of the works of the famous surrealist painter René Magritte, as well as the chance to sample some typical Belgian beers from local breweries and the world-famous Belgian chocolate.

Following an intense first day of debate on digital ethics, we organised the traditional Gala Dinner, which took place at the spectacular Autoworld Museum. The museum is home to one of the biggest vehicle collections in the world and the event proved an excellent opportunity for networking.

As no visit to Brussels is complete without a visit to the Atomium, the final event of the week was organised in this atom-shaped museum, in collaboration with The Floow and Qwant. This Brussels landmark was originally constructed for the 1958 World Expo in Brussels.

4.7.5 Conference Communication

Encouraging debate on digital ethics around the world is one of the main aims of the Ethics Initiative, as outlined in the EDPS Strategy (see section 4.6.3). With this in mind, we put in place a comprehensive media strategy aimed at ensuring broad, international coverage of the conference, that would incite global debate.

We also wanted to ensure the participation of all those attending the conference. We therefore invited every participant to get involved in the conference discussion, most notably through our conference app.

Media campaign

Eighty-one media organisations from 23 different countries and all continents followed the four-day event, totalling 125 journalists. Broadcasters, news agencies and leading newspapers were all in attendance, including media outlets such as CNN, CNBC, Bloomberg, The Wall Street Journal and the Financial Times. While the most highly-represented nations were Belgium, the United States, Italy and the United Kingdom, we also welcomed journalists from Japan, China, the United Arab Emirates, Senegal, Kenya and elsewhere. Press coverage of the conference was truly global in scope.

This international media presence reflected global interest in both the topic of discussion and the speakers involved. Keynote speeches from Apple CEO Tim Cook and inventor of the World Wide Web Sir Tim Berners-Lee undoubtedly contributed to press interest in the conference and helped spread our message to a broader audience.

On 24 October 2018, the first day of the public session, we organised a press conference. Held in the European Parliament, it presented media professionals with an opportunity to directly address some of our speakers, including EDPS Giovanni Buttarelli, Sir Tim Berners Lee and UK Information Commissioner Elizabeth Denham, among others. We also published a press release.

Press coverage of the conference well exceeded our expectations, with over 1500 online articles published between 22 and 26 October 2018.

The website

A dedicated website for the international conference was launched on 19 March 2018. Our objective was to create a user-friendly website where people could easily find out more information about the conference theme, programme, speakers and venues. It provided for conference registration and offered participants the option to book a hotel through the website and contact us if they had any questions. ICDPPC members also had access to all meeting documents using their login details and password.

The website was available in two languages, English and French, and was updated regularly in both languages. Feedback received about the website was overwhelmingly positive and indicated that people were easily able to find the information they needed.

Throughout the conference, we aimed to keep the website up to date by promptly uploading documents, videos and news as soon as they were available to us.

Social media

To encourage participants and others to get involved in the wider online debate both before and during the conference, we launched dedicated Twitter and Instagram accounts. We were active on both of these channels, providing regular updates, information and coverage of the conference. We supported our activities on these channels using the EDPS social media accounts (see section 7.1.1).

We tweeted 128 times and our followers doubled over the course of the conference week. Our posts were retweeted over 1100 times and received 1400 likes. On Instagram, we posted 46 times and received 856 likes.

In parallel, the visibility of the EDPS Twitter, LinkedIn and YouTube accounts increased as a result of our efforts during the conference, allowing us to reach new people and significantly increase the impact of our social media accounts.

Our success on social media demonstrates both our increasing global influence as an authority on data protection and digital ethics and our ability to reach a wider audience.

The app

To encourage audience participation in the conference, we developed and launched a free conference app, which was available to download from 3 October 2018. The app reflected and complemented the website. All delegates were encouraged to download it for use during the public session of the 2018 international conference.

Participants could use the app to take notes, take part in polls, share their views and send questions to the host for speakers to answer on stage. 965 people downloaded the app and more than 50% connected to their personal account.

As the profile of data protection continues to grow, it is the job of the EDPS Information and Communication team to ensure that our messages and activities reflect and support the reputation of the EDPS as a leading authority in this area. This role is set out in the EDPS Strategy 2015-2019, which commits the EDPS to making technical issues more accessible for non-experts and to communicating in a transparent manner, appropriate for the relevant audiences.

2018 was a particularly busy year for the communications team, and the EDPS in general. Preparations for the European Data Protection Board (EDPB) and the General Data Protection Regulation (GDPR) came to a head in May 2018, while we also launched and executed communications campaigns on the 2018 International Conference of Data Protection and Privacy Commissioners (see section 4.7.5) and the new data protection rules for the EU institutions and bodies.

In addition to these activities, we continued our efforts to improve our established communication channels, building on the success of rebranding efforts over the past few years to reinforce the image of the EDPS as a respected global leader in the data protection field.

7.1.1 Online media

Website

Since the launch of our new website in 2017, we have continued to make improvements by adding new features and improving the design. These efforts are aimed at providing the best user experience possible and ensuring that all visitors to the website are easily able to find the information they need.

One of the improvements we introduced in 2018 was to add a Quick Links section to the homepage to provide users with a shortcut to some of the most frequently used pages on our website. Where possible, we have also moved from publishing documents in PDF format to producing them in HTML, ensuring an improved user experience on mobile phones and tablets. In the interest of transparency, we ensure that the Supervisors’ agenda is always up-to-date and clearly visible on our homepage and we regularly update our News section with important information on our work.

During the course of the year, we changed our approach to gathering statistics on the EDPS website. For this reason, we are unable to accurately report on the number of visitors to the EDPS website in 2018. Our new approach, however, is designed to ensure that the EDPS website is as data protection friendly as possible, by moving from opt-out tracking to an opt-in process.

Under the opt-out system, visitors to the EDPS website could follow the simple instructions provided in our cookie banner to opt out of having their activity on our website tracked. The new opt-in process, however, will ensure that we are only able to track visitors to our website if they explicitly provide us with consent to do so. The new system will be launched in January 2019. Until then, no tracking of any kind will take place on the EDPS website.

Social Media

Social media has become indispensable as a communications tool. With our presence on three influential social media channels now well established, we are able to use these tools to quickly and easily reach a global audience.

While Twitter (@EU_EDPS) remains our most influential social media tool, our presence on LinkedIn is growing rapidly and is now also a hugely influential tool for our communications activities. In addition to this, our communication efforts during the 2018 International Conference of Data Protection and Privacy Commissioners led to a significant increase in the number of followers on the EDPS YouTube channel, which we will look to build on over the coming months.

Our continued growth on social media is testament to our increasing global influence as an organisation, as well as our efforts to implement an effective social media strategy. This allows us to reach an increasingly diverse and global audience.

EDPS blog

We launched the EDPS blog back in April 2016. Since then, the blog has gone from strength to strength. It is a platform through which the EDPS and Assistant Supervisor are able to communicate on a more personal level about their thoughts, opinions and activities, as well as the work of the institution in general. The blog is easily found on the homepage of the website where a short extract from the most recent blogpost is always displayed.

In 2018 we published 14 blogposts on a range of different subjects. These included the 2018 International Conference, ePrivacy, the EDPS meetings with Data Protection Officers (DPOs) and the new Regulation for the EU institutions and bodies. All of our blogposts were promoted through our social media channels and many of them also received media attention.

7.1.2 Events and publications

The GDPR for EUI: the communication campaign

On 11 December 2018, the new data protection rules for the EU institutions and bodies became fully applicable. To complement our ongoing awareness-raising activities (see section 4.1.2), we launched a communication campaign. Though aimed principally at EU institution staff members, we also wanted to raise awareness among those outside the EU institutions about how the new rules might affect them and their rights.

We put together a Communications Kit to raise awareness about the new rules within the EU institutions and provide relevant and helpful information for all EU staff members. This kit was distributed to all EU institution DPOs in advance of 11 December 2018, to help them reach out to staff members working in their respective institutions.

The kit included a video on accountability, a poster for DPOs to print out and distribute in their buildings, artwork for use on their intranet or social media channels and webcam covers to be distributed among some EU staff members. It also included three factsheets, on data protection rights under the new rules, the implications of the new rules for EU employees and on ensuring accountability. Individual copies of the new rules were also prepared and distributed among DPOs at the EDPS-DPO meeting, which took place in Brussels on 12 December 2018 (see section 4.4.1).

To complement our collaboration with DPOs, we launched a press and social media campaign, aimed at raising awareness outside the EU institutions. This included using Twitter and LinkedIn to provide information about the new rules, their implications and the role and activities of the EDPS. In addition to issuing a press release on 11 December 2018, we contacted some media outlets directly to try and ensure coverage. An advertisement was also published in Politico on 13 December 2018, featuring an engaging cartoon.

Efforts were also made to bring our website and Wikipedia entry up-to-date, to reflect the changed legislation.

EU Open Day 2018

In celebration of Europe Day, on 5 May 2018 the EU institutions opened their doors to all members of the public. The annual EU Open Day is an opportunity for the EU institutions to increase the transparency of their work and to educate people on the EU’s activities. For the EDPS, it is a chance to increase general public awareness of our role and data protection in general.

This year, the EDPS stand was once again located in the European Commission’s Berlaymont building. EDPS employees were on hand from 10am onwards to answer questions from visitors and encourage them to take part in our data protection quiz. Facial detection software, which attempts to define a person’s gender, age and emotions, also proved popular and undoubtedly contributed to a record number of people participating in the quiz.

With public awareness about privacy and data protection at an all-time high, the increased interest in data protection and the work of the EDPS was both understandable and encouraging. We look forward to welcoming even more people to our stand in 2019.

Data Protection Day 2018

On 28 January each year, EU institutions, agencies and bodies, as well as the member states of the Council of Europe, celebrate Data Protection Day. This day marks the anniversary of the Council of Europe’s data protection convention, known as Convention 108, the first binding international law concerning individuals’ rights to the protection of their personal data.

This year, to mark the occasion, the EDPS trainees held a lunchtime conference on 12 February 2018, focused on data protection issues relating to modern-day dating apps. The EDPS and Assistant Supervisor provided the opening and closing remarks at the conference, which included panels on topics such as:

•  what personal data dating apps can process and how they use this data;

•  the rights of individuals to request access to the data held on them;

•  digital ethics in the context of dating apps;

•  privacy by design;

•  algorithms used to match app users.

Taking place just two days before Valentine’s Day, the conference theme proved successful in raising awareness about the risks and rights associated with widely-used apps, as well as in encouraging young people to engage in the data protection and privacy debate. The conference was webstreamed live on our website, ensuring that it was also accessible to a wider audience.

Newsletter

After the launch of our new-look version in mid-2017, the EDPS Newsletter is more popular than ever. The new format means that it is now more accessible and user-friendly on all digital platforms and by publishing more frequently we are able to ensure that our readers are kept up to date on our latest activities.

In 2018, we published nine editions of the EDPS Newsletter. These included our January special edition, in which we highlighted some of our less high-profile activities from 2017, and our special International Conference edition in September. Our mailing list continues to grow, with 3907 people now subscribed to our monthly updates. This serves as a constant reminder of the importance and relevance of the Newsletter as a communications tool.

7.1.3 External relations

Media relations

We issued ten press releases and statements in 2018. This is comparable with our efforts in 2017 and demonstrates the consistency of our current media relations approach, which also draws on social media and the blog to generate media coverage. All of our press releases were published on the EDPS website, distributed to our network of journalists and other interested parties and published on the EU Newsroom website.

We also received 104 formal requests from European and international press on a wide variety of topics.

Some of the topics on which we received significant press coverage during the year include the 2018 International Conference, the General Data Protection Regulation (GDPR) and fake news and the Cambridge Analytica/Facebook scandal. Media coverage was particularly notable in Italy, the home country of the EDPS, Giovanni Buttarelli.

Study visits

In 2018, we hosted 12 study visits to the EDPS. As the profile of data protection has increased, so has interest in our work. Though we would like to host every group that expresses an interest in the EDPS and what we are doing, with the high workload we faced in 2018 and the limited space available to host these visits, we were unfortunately forced to be a bit more selective.

Nevertheless, study visits comprise an important part of our communications strategy, allowing us to communicate directly with students, legal experts, privacy professionals and other influential groups to raise awareness about the work of the EDPS and the EU on data protection and privacy.

Information requests

The number of public requests for information received by the EDPS has been growing year on year, and 2018 was no exception. In fact, in 2018 we witnessed an enormous increase in requests. As in past years, the majority of these requests related to matters over which the EDPS has no competence.

One reason for such a significant increase in requests was the introduction of the GDPR in May 2018. We received a large number of requests relating to the implementation of these new rules, although we were not the relevant competent authority to answer them. The increased visibility of the EDPS, both as a result of the heightened profile of data protection and of our activities relating to the 2018 International Conference, also helps to explain this increase.

We reply to all requests with information relevant to the individual enquiry. This involves referring individuals to the relevant service if their request falls outside our competence, or providing them with the appropriate information to answer their query.

7.1.4 The EDPB

Preparations for the EDPB began well in advance of 25 May 2018 (see section 4.1.1), when the Board officially started its work as an EU body. Though the Board itself has its own communications team, the EDPS Information and Communication team acts in a support role, as and where required.

In the lead up to May 2018, the majority of this work focused on ensuring that the EDPB would be ready to start work from day one. To do so, they needed a website. We worked closely with colleagues from the EDPB to ensure that their website was ready and fully functional in time for the launch of the EDPB on 25 May 2018, also ensuring that EDPB staff members received training on how to use the website.

In addition to this, we provided a lot of graphic support, helping to design and produce publications and other graphic materials in line with the corporate identity of the EDPB.

Since the launch of the EDPB, we have continued to support their communications team in their activities and also participate in regular conference calls organised by the EDPB secretariat with communications representatives from the other EU data protection authorities (DPAs) which make up the EDPB. We hope that this productive relationship will continue.

The role of the Human Resources, Budget and Administration (HRBA) Unit is to provide support to the EDPS Management Board and operational teams and help them to achieve the goals set out in the EDPS Strategy 2015-2019.

The Unit carries out traditional HR tasks, but is also responsible for careful management of the institution´s budget and the implementation of new policies, which ensure that working life at the EDPS runs smoothly.

2018 was a busy year for the HRBA Unit and the EDPS in general. Among many other things, we welcomed the European Data Protection Board (EDPB) secretariat, launched a data protection competition to help us recruit new staff members, completed our preparations for the new data protection Regulation for the EU institutions and introduced some new HR initiatives.

7.2.1 Budget and finance

Budget

In 2018, the EDPS was allocated a budget of EUR 14 449 068. This represented an increase of 27.59% in comparison with the 2017 budget.

As in previous estimates, our budgetary proposal made a clear distinction between so-called current and new activities. For the current activities, we persisted with the policy of austerity recommended by the European Commission. Most budget lines therefore remained frozen at 0%, with an overall increase of 1.54%. This increase was lower than the predicted cost of living at the time of 1.8%, which was the ceiling proposed by the Commission.

With regard to new activities, the budget increase of 27.59% came mainly as a result of the establishment of the new EDPB. This covered our request for six additional full time employees, as well as the budget required for the Board’s operation and activities, which began on 25 May 2018.

The expected budget implementation rate for 2018 will be around 94%. This is quite high given the uncertainties related with establishing a new body such as the EDPB, and the budgetary impact this could have.

Finance

For the seventh consecutive year, the Statement of Assurance of the European Court of Auditors concerning the financial year 2017 (DAS 2017) did not contain any observations concerning the reliability of our annual accounts.

Procurement

In 2018, we began work on a new initiative named the Procurement Professionalisation Project. We will implement the new project over the course of 2019. It has three main objectives:

•  the appointment of specific Operational Initiating Agents in each operational unit and sector of the EDPS, who will receive specific training on procurement procedures;

•  the implementation of a paperless, electronic workflow;

•  a review of existing procurement procedures with the aim of improving our efficiency and simplifying the current procedures.

In 2018 we awarded three calls for tender with a value of over 15.000 EUR. These were:

•  CAMERON - Media training (60 000.00 EUR)

•  FORUM EUROPE - Organisation of the ICDPPC - Conference 2018 (134 900.00 EUR)

•  WEBER SHANDWICK - Communication agency (144 000.00 EUR)

Some major projects and contracts were also concluded through inter-institutional framework contracts. These were:

•  DIGIT/DI-07360-00 (SIDE)/European Commission

1. The renewal of our Case Management System (CMS), VDE/SAAS and Consultancy Services (Fabasoft)

2. Online media monitoring and international media database (Meltwater)

•  ITS14 (Lot 2 and 3)/European Parliament

1. Web Developers and Drupal Developers for the EDPS, EDPB and 2018 International Conference websites

2. IT Analyst and Development Specialist for the analysis and development of IT Tools

7.2.2 Preparing for the EDPB secretariat

The EDPB is an independent body, the secretariat of which is provided by the EDPS. While the secretariat itself is responsible for providing the Board with administrative, logistical and analytical support, we are responsible for ensuring that the EDPB receives adequate human and financial resources and for providing administrative support where needed (see section 4.1.1).

In March 2018 we welcomed the new EDPB secretariat to the first floor of the EDPS offices. However, many other administrative and logistical tasks also had to be completed before the EDPB officially began its work as an EU body on 25 May 2018.

Internal decisions

The EDPB started work on the same day that the new General Data Protection Regulation (GDPR) became fully enforceable. It was therefore essential to ensure that, as from 25 May 2018, all staff members transferred from the EDPS to the EDPB, as well as any new EDPB staff members, would still benefit from the same rights and be subject to the same rules as those working for the EDPS.

We therefore carried out a review of all existing decisions, guidelines and manuals and a general decision was signed by the EDPS Director. While some specific decisions still need to be updated to take into account particularities relating to the EDPB secretariat, the majority of the work has now been completed.

Updating service-level agreements

The EDPS has several service-level agreements (SLAs) with external providers which help individual staff members and the EDPS in general to perform their roles effectively and efficiently.

All SLAs which cover EDPS staff members apply automatically to staff members of the EDPB secretariat. However, some SLAs refer only to the provision of services. These needed to be updated to ensure that EDPB staff members could make use of these services.

During the first half of the year, several SLAs were therefore updated to include the EDPB. In other cases, new SLAs were signed directly between the EDPB secretariat and the service provider. This helped us to ensure business continuity and a smooth start for the EDPB secretariat.

A pilot programme for short secondments

The 28 EU data protection authorities (DPAs) and the EDPS make up the EDPB. Strong cooperation between all of these members is essential to achieving results. To be truly effective, this cooperation should extend beyond data protection experts, to human resources experts as well.

On 29 September 2018, we organised a meeting between the HR units of the EU DPAs to discuss a pilot programme of EDPB short secondments. We wanted to discuss the idea and exchange proposals, in order to develop a programme which could be of benefit to all DPAs.

The programme will provide a pool of experts in different areas willing to visit another DPA or the EDPB secretariat and exchange knowledge. We hope to launch the pilot programme at the beginning of 2019.

7.2.3 A competition for data protection specialists

To cover the recruitment needs of both the EDPS and the EDPB, we asked the European Personnel Selection Office (EPSO) to launch a new open competition for 30 Administrators in the field of data protection.

Both the EDPS and the EDPB have an increasing need for expert staff, not only to cover the usual staff turnover, but to help both organisations to fulfil their roles and responsibilities effectively. While the EDPB is a new and growing EU body, the EDPS must take on new staff to complete additional tasks assigned to us by the EU legislator, such as the supervision of Eurojust (see section 4.4.13). There is therefore a clear need for a pool of highly qualified data protection experts to satisfy our future recruitment needs.

This is the second data protection competition organised by the EDPS since 2015. We expect the new reserve list of candidates to be ready by mid-2019.

7.2.4 The GDPR for EUI: HR preparations

As an EU institution, the EDPS is not only responsible for supervising and enforcing the new data protection rules within the other EU institutions and bodies, we must also apply them to our own work and try to set an example for other institutions to follow (see sections 4.1.2 and 8.2).

The new Regulation affects numerous HR decisions. We therefore initiated a full review of our HR data processing activities. Working in close cooperation with the EDPS Supervision and Enforcement Unit, Data Protection Officer (DPO) and Assistant DPO, we drafted new data protection records and revised our data protection notices in order to ensure that we were ready for the new Regulation.

7.2.5 Improving HR policies

The Welcome Kit

To improve the welcome experience for new staff members, the HRBA team put together a Welcome Kit. The kit provides newcomers with practical information about working for the EDPS. This includes information on who we are and what we do, time management, learning and development, the medical service and security matters, among many other things.

We hope that by providing new staff members with all this information as part of one kit, we will help them to settle more quickly and easily into working life at the EDPS.

Mentorship Programme

The EDPS Mentorship Programme is aimed at all new staff members. Its objective is to facilitate the integration of newcomers into our institution. The rather unique nature of the EDPS as the EU’s smallest institution makes the Mentorship Programme useful even for those new staff members who join us from other EU institutions.

Though the Mentorship Programme has been in place since the EDPS itself was established, we found that many staff members were unaware of what being a mentor involves. To address this problem, we developed some guidelines for EDPS staff members, explaining the programme and the role of a mentor in more detail.

A mentor is able to provide support and guidance for a new member of staff, reducing the stress associated with starting a new job. It is also a relationship which can and should be consolidated over the course of the mentee’s employment at the EDPS. There are benefits for both sides. The mentee is able to turn to the mentor for help in resolving problems, integrating within the organisation, asserting their professional identity and learning new skills. The mentor benefits from the satisfaction of helping others and the opportunity to view the organisation from a different perspective, and might even learn new ways of approaching issues and tasks from the mentee.

Active seniors

The Active Senior initiative seeks to capitalise on the expertise of retired colleagues to ensure that their skills and knowledge are not lost. This is a new practice for the EDPS, launched on 29 May 2018.

The process is voluntary, both for the retired staff member and the EDPS unit or sector involved. While benefitting from the expertise of a former official may bring added value to our work, we also recognise that it must not replace the work of a current EDPS employee.

Through drawing on their voluntary assistance, we aim to put the expertise of those who have now retired from their work at the European institutions to good use, whatever their seniority level when they retired.

Making sure good work is always recognised

Our most recent EDPS staff survey showed that a good number of EDPS staff members feel motivated and willing to go the extra mile in their jobs. However, there is always room for improvement.

In 2018 we launched some guidelines aimed at helping managers and other relevant staff members to give better recognition for the work done by their teams. The guidelines explain how to identify what types of recognition are appreciated by different people and the best ways of providing this recognition.

There is no magic formula that works for everyone, so it is important that managers think carefully about this subject, to ensure that their teams receive adequate recognition for their work. This will help to increase motivation among staff members and ensure that they keep doing a great job.

The Business Continuity Plan

The Internal Audit Service (IAS) requested a thorough revision and update of our Business Continuity Plan (BCP). We completed this process in 2018 and the BCP is now available on the EDPS intranet.

Revision of the Plan involved reformulating a number of the articles in the original BCP. We also needed to complete the Plan’s annexes and carry out a Business Continuity management testing exercise, which we did on 14 November 2018. The report on the exercise was sent to the IAS, in compliance with their recommendations.

To follow up on the exercise, the BCP Desk Officer will present an action plan, with the intention of launching an awareness initiative that will help to create and consolidate a business continuity management culture among EDPS staff. It will also be used to carry out other useful testing exercises.

Learning and Development

The current EDPS Learning and Development (L&D) strategy was developed in 2015 and is put into practice every year. 2018 was no exception.

EDPS staff members were asked to reflect on the outcomes of their annual appraisal interviews with their respective line manager and produce a personal Learning and Development Plan for 2018-2019.

In addition to the catalogue of courses provided by the European Commission, we set up some in-house training sessions, including:

•  Lunchtime sessions on tools and procedures used at the EDPS and the EDPB, aimed at new staff members;

•  Training courses to prepare staff for the new Regulation for EU institutions and for the GDPR;

•  Management team training on sharing and implementing a vision for the future while building engaged teams;

•  Staff training sessions to raise awareness of unconscious biases, to help prevent burnout and stress and on finding the right balance between our professional and private lives.

We also organised a number of communication training courses throughout the year. These were aimed at supporting certain staff members and the Supervisors in their preparations for the 2018 International Conference of Data Protection and Privacy Commissioners (see section 4.7).

With the General Data Protection Regulation (GDPR) now a reality, we face the task of living up to the high expectations of EU citizens and others. Not only do they expect their personal data to be better protected, they expect regulators to keep their promises and demonstrate that they are up to the challenge of enforcing these new rules.

Yet even this is not enough. Regulators must lead by example. When they process personal data, entrusted to them by individuals, they must ensure that they uphold the highest of standards in ensuring the protection of individuals.

The compliance of EU institutions with data protection law was under public scrutiny even before the new rules outlined in Regulation 2018/1725, applicable to their activities, came into force on 11 December 2018 (see section 4.1.2). The EU cannot credibly call for organisations and businesses operating in the EU to comply with EU rules if its own institutions do not demonstrate that they, too, are compliant. Similarly, as the EU’s data protection authority, the EDPS cannot expect to be trusted and taken seriously as a supervisory authority if we are not able to demonstrate our own compliance.

With this in mind, the DPO office at the EDPS, with the support of the whole institution, set up a project to manage our transition process and ensure compliance with the new rules set out under Regulation 2018/1725. The protection of personal data can no longer be treated as a simple exercise in compliance. It requires a continuous effort from the whole institution, geared towards ensuring the accountable use of personal information, whether we are auditing EU institutions, managing complaints, responding to enquiries, or carrying out any other tasks required of us under EU law.

The transition project implemented at the EDPS included:

•  examining our data processing activities and identifying the risks they pose to individuals’ fundamental rights and freedoms;

•  preparing personal data records based on Article 31 of the new Regulation, as well as new data protection notices, which are required for increased transparency;

•  reviewing the way in which we manage enquiries from individuals who wish to exercise their data protection rights;

•  creating an internal procedure to manage possible breaches of the personal data we process;

•  drafting new DPO implementing rules and the necessary internal rules on restrictions to personal data rights based on Article 25 of the new Regulation;

•  examining all activities in which we act as joint controllers, relevant written agreements, our relationships with our processors and relevant contracts.

By 11 December 2018, when the new Regulation came into force, we had put in place all of the necessary groundwork for compliance. We will complete the remaining steps in the transition project in 2019.

Our efforts will not end here, however. We plan to set up a framework within the EDPS, supported by top management, that will enable us to provide what we have termed protection by design. This will mean fully integrating data protection accountability into the culture of our institution, providing the highest level of protection for the data entrusted to us. This is not an easy task, but we believe that we are more than up to the challenge.

Of course, our activities have not only focused on preparing for the future. Throughout the majority of the year, the EU institutions remained bound by the rules outlined in the previous Regulation, Regulation 45/2001.

As in the past, the EDPS DPO office provided advice on a number of processing operations and internal policies based on the rules set out in Regulation 45/2001. We dedicated particular attention to EDPS websites, focusing on the use of cookies for aggregated statistics, as well as on the finalisation of the new website and app for the 2018 International Conference of Data Protection and Privacy Commissioners. We also improved the way in which the collection and processing of personal data is carried out when organising meetings and events.

In 2018, we received 11 enquiries, of which nine concerned requests for access to an individual’s own personal data, processed by the EDPS, and two concerned requests for the erasure of personal data.

We also received two complaints. One concerned an event participant’s alleged unlawful use of contact details shared, based on consent, by other participants. We ensured that the situation was resolved and the data erased. Another complaint alleged a subcontractor’s unlawful use of personal data belonging to an event participant. We supported the complainant, in a situation where the subcontractor had used the data on their own initiative and not on instructions from the EDPS.

We are now receiving an increasing number of enquiries and complaints. This trend is likely to continue now that individuals have more and stronger rights under the new data protection rules and are also more aware of these rights.

The EDPS DPO welcomed many new staff members and trainees in 2018. Each new arrival at the EDPS meets the DPO for a short personal data protection induction meeting, targeted to the educational and professional background of each new staff member and their future role at the EDPS. Some of the topics covered include:

•  an introduction to basic data protection concepts and the applicable legal basis;

•  the role of the DPO at the EDPS and in the EU institutions;

•  preparations for the new data protection rules;

•  how the DPO can help staff to exercise their data protection rights.

Internal EDPS coordination and information meetings and the DPO sections on the EDPS intranet and website are also opportunities to reach out to EDPS staff members and external stakeholders and keep them up to date with our activities.

The biennial meetings of the DPOs of the EU institutions, bodies and agencies are a valuable opportunity for the EDPS DPO to discuss common issues and share experiences and best practices with other DPOs (see section 4.3.1).

This year, the EDPS organised the DPO network meeting which took place on 30 May 2018, in cooperation with the DPO of the European Parliament. The event, which proved to be the last meeting before the adoption of the new rules, was a great success. 120 DPOs and assistant DPOs took part, contributing to the presentation of case studies and discussions on the main issues encountered as part of their preparations for the new Regulation.

The EDPS DPO Office also participated in the first DPO network meeting of the new era, which took place on 11 December 2018, the day on which the new Regulation entered into force. All DPOs left the meeting with a heightened sense of responsibility, aware of the role we must play in championing personal data protection as project managers for accountability in the EU institutions.