2018 - An Overview

In the EDPS Strategy 2015-2019, we outline a vision of an EU that leads by example in the global dialogue on data protection and privacy in the digital age. We set ourselves a challenging and ambitious agenda, which we have sought to carry out over the course of the current mandate.

We made great strides towards achieving these goals in 2018, a year which could be considered pivotal both in the history of data protection and in the history of the EDPS.

New legislation for a new era

One of the three objectives set out in our Strategy was to open a new chapter for EU data protection. Technological development is moving at a rapid pace and the way in which we live, as individuals and as a society, is also changing rapidly to accommodate this. Logically, the EU’s data protection rules also required an update, not aimed at slowing down innovation, but at ensuring that individuals’ fundamental rights are protected in the digital era.

On 25 May 2018, new data protection legislation became fully applicable to all companies and organisations operating in the EU Member States. The General Data Protection Regulation (GDPR) marked the first step towards ensuring comprehensive and effective protection of personal data and privacy for all individuals in the EU.

With this new legislation came the establishment of the European Data Protection Board (EDPB). Made up of the 28 EU Member State data protection authorities (DPAs) and the EDPS, this new body is entrusted with ensuring the consistent implementation of the GDPR across the EU. Charged with providing the secretariat for this new EU body, a significant amount of our time and effort in early 2018 went into ensuring that the Board would be prepared to deal with its heavy workload from day one of the new Regulation. We have continued to support the EDPB secretariat administratively throughout the year, as well as participating fully as a member of the Board itself.

We moved yet another step closer to achieving a comprehensive framework for data protection with the adoption of new rules for the EU institutions and bodies. Regulation 2018/1725 came into force on 11 December 2018, bringing the rules for the EU institutions in line with the rules set out in the GDPR.

As the supervisory authority for data protection in the EU institutions and bodies, we faced the significant challenge of ensuring that they were all prepared for these new rules. In 2017, we embarked on a campaign of visits, training sessions and meetings (see EDPS Training 2018), which intensified over the course of 2018. These were aimed at raising awareness and about the new rules and helping to ensure that the EU institutions had the knowledge and tools to put them into practice.

A specific focus of these activities was on encouraging the development of a culture of accountability within the EU institutions. We wanted to ensure that they not only comply with data protection rules, but that they can demonstrate this compliance. Integral to this was creating awareness that the processing of personal data, even when done lawfully, can put the rights and freedoms of individuals at risk. These activities will continue into 2019, as we endeavour to ensure that the EU institutions lead the way in the application of new data protection rules.

The misuse of personal data for tracking and profiling purposes and the role of technology in our society was a topic of significant public debate in 2018. The EDPS and the data protection community in general were at the forefront of this debate, with the EDPS contributing on two main fronts: through our Opinion on online manipulation and personal data and our Opinion on Privacy by Design.

While the former focused on the need to extend the scope of protection afforded to individuals’ interests in today’s digital society, the latter looked to address the new challenges resulting from technological and legal developments. On the legal side, the new generation of data protection rules laid down in the GDPR, Directive 2016/680 and Regulation 2018/1725 on the processing of personal data by EU institutions requires that controllers take account of the state of the art in technical and organisational measures to implement data protection principles and safeguards. This also requires that supervisory authorities are aware of the state of the art in this domain and that they follow its development. Cooperation in this field is of crucial importance in order to ensure that these principles are applied consistently. The Opinion also built on our work with the Internet Privacy Engineering Network (IPEN) to encourage dialogue between policymakers, regulators, industry, academia and civil society on how new technologies can be designed to benefit the individual and society.

The new data protection rules also introduce the principle of accountability. All controllers, including the EU institutions and bodies, must ensure that they are able to demonstrate compliance with the new rules. This also applies to the management and governance of their IT infrastructure and systems. To help with this, we extended our catalogue of specific guidelines to include, among others, Guidelines on the use of cloud computing services by the EU administration and further guidance on IT management and IT governance. In 2018, we also began a systematic programme aimed at verifying EU bodies’ compliance with EDPS guidelines.

Finding a balance between security and privacy

1 May 2018 marked one year since the EDPS took over responsibility for supervising the processing of personal data for operational activities at the EU’s law enforcement agency, Europol. One of the action points set out in our Strategy as integral to opening a new chapter for data protection in the EU is to promote a mature conversation on security and privacy. As an EU agency charged with ensuring the security of the EU while protecting the fundamental rights to privacy and data protection, Europol is a great example of the progress we are making in this area.

We continue to maintain a strong relationship with Europol’s Data Protection Officer (DPO) and Data Protection Function (DPF) Unit, which allows us to ensure that we are able to anticipate any possible problems and plan future activities. We carried out our second inspection of data processing activities at the agency in May 2018 and continued to provide advice and deal with complaints where required.

The security of EU borders remains a hot topic and the EU legislator put forward several new proposals in 2018 aimed at increasing security and improving border management. While we recognise the need for greater EU security, this should not come at the expense of data protection and privacy.

Facilitating responsible and informed policymaking is another of the action points required in order to open a new chapter in EU data protection. With this in mind we issued several Opinions on proposed EU border policy in 2018. One of these focused on the future of information sharing in the EU, addressing Proposals for two Regulations which would establish a framework for interoperability between EU large-scale information systems. As the implications of this Proposal for data protection and other fundamental rights and freedoms are uncertain, we will launch a debate on this issue in early 2019 to ensure they are explored in detail.

We also continued our close cooperation with DPAs to ensure effective and coordinated supervision of the EU’s large-scale IT databases, used to support EU policies on asylum, border management, police cooperation and migration.

Developing partnerships

Facilitating responsible and informed policymaking is far from limited to the field of EU security and border policy, however. In 2018, the EDPS issued 11 Opinions, including two upon request from the Council, on matters ranging from jurisdiction in matrimonial matters to the interoperability of EU large-scale information systems.

We also issued 14 sets of formal comments. These are equivalent to Opinions, but typically shorter and more technical. Some of our comments were expressly requested by the European Parliament, or one of its Committees, and concerned not the initial legislative proposals, but draft amendments and outcomes of negotiations between the co-legislators.

Taking into account that we also dealt with over 30 informal consultations on draft proposals by the Commission, these numbers clearly demonstrate the increased need for, and relevance of, independent expert advice on the data protection implications of EU initiatives, as well as growing interest from EU institutional stakeholders. We look forward to continuing this mutually beneficial cooperation in the coming years in the context of strengthened legislative consultation powers under the new Regulation 2018/1725.

We also continued our efforts to ensure that activities within the EU institutions are carried out in accordance with the relevant data protection laws, issuing prior-check Opinions, investigating complaints and monitoring compliance through the various tools available to us.

The Strategy commits the EDPS to forging partnerships in pursuit of greater data protection convergence globally. While data flows internationally, across borders, data protection rules are decided on a largely national, and at best regional, basis.

With this in mind, we continue to work with our regional and international partners to mainstream data protection into international agreements and ensure consistent protection of personal data worldwide.

We are also involved in discussions on adequacy findings. These agreements are made by the European Commission on behalf of the EU Member States, and provide for the transfer of data from EU countries to non-EU countries whose data protection rules are deemed to provide adequate protection. Specifically, in 2018, we contributed to the second joint review of the EU-US Privacy Shield and the EDPB Opinion on a proposed adequacy agreement with Japan.

Digital Ethics and the International Conference

We launched the EDPS Ethics Initiative back in 2015, as part of our commitment to forging global partnerships. We wanted to generate a global discussion on how our fundamental rights and values can be upheld in the digital era.

Three years on and digital ethics is now very much on the international agenda.

We began 2018 with the publication of the Ethics Advisory Group Report. The Report is a useful tool in helping us to understand how the digital revolution has changed the way we live our lives, both as individuals and as a society. It also outlines the changes and challenges this implies for data protection. From here, we were able to expand our enquiry to reach a much larger audience, through a public consultation launched in early summer 2018. The results of the consultation revealed the importance of ethics moving forward and called for DPAs to play a proactive role in this.

However, it was the International Conference of Data Protection and Privacy Commissioners, dubbed the Olympic Games of Data Protection by EDPS Giovanni Buttarelli, that really launched the discussion on digital ethics onto the international agenda.

The public session of the International Conference focused on Debating Ethics: Dignity and Respect in Data Driven Life. With over 1000 people from a variety of different backgrounds, nationalities and professions in attendance, high-profile speakers and considerable media coverage, the event served to foster debate on the issue and put new ethical and legal questions high on the agenda of DPAs and others across the world. The EDPS is now seen as a leader in this area and will work hard to progress the debate.

Internal administration

With our role and responsibilities expanding, good internal administration has been more important than ever in ensuring that we are able to achieve our goals.

The EDPS Human Resources, Budget and Administration (HRBA) Unit tackled two particularly big preparatory tasks in 2018. Work on preparations for the new EDPB secretariat intensified significantly in order to ensure that the Board was administratively and logistically prepared to start work on 25 May 2018. Among other things, this involved ensuring that all EDPB staff members were subject to the same rules as those working for the EDPS and able to benefit from the same rights.

Ahead of the new data protection Regulation for the EU institutions, we also had to ensure that all EDPS HR decisions complied with the new rules. We therefore undertook a full review of all EDPS HR data processing activities and revised our approach as needed.

In addition to a number of initiatives aimed at improving our HR policies, we launched a new open competition to create a pool of highly qualified data protection experts to satisfy our future recruitment needs. As we move into 2019, our main aim is to ensure an efficient and pleasant work environment for all those who work at the EDPS.

Communicating data protection

The importance of EDPS communication activities has increased considerably over the past few years. Effective communication is essential in ensuring that we are able to achieve the goals set out in our Strategy. If our work is not visible, it cannot have the impact required.

In addition to consolidating our efforts to improve and increase the impact of our online presence, we launched and executed two communication campaigns. Our communication efforts for the 2018 International Conference not only helped to ensure that the conference itself was a success, but that the debate on digital ethics reached the widest possible audience.

In December 2018, we turned our attention to the new data protection Regulation for the EU institutions. Our communication campaign was designed to complement and reinforce ongoing awareness-raising activities. It was aimed not only at EU staff members, but also at ensuring that people outside the EU institutions were aware of the new rules and how they might affect them.

With the global presence and influence of the EDPS only set to increase, we anticipate another busy year ahead in 2019.

Key Performance Indicators 2018

We use a number of key performance indicators (KPIs) to help us monitor our performance. This ensures that we are able to adjust our activities, if required, to increase the impact of our work and the efficiency of our use of resources. These KPIs reflect the strategic objectives and action plan defined in our Strategy 2015-2019.

The KPI scoreboard below contains a brief description of each KPI and the results on 31 December 2018. In most cases, these results are measured against initial targets.

In 2018, we met or surpassed, in some cases significantly, the targets set in the majority of our KPIs. This shows that implementation of the relevant strategic objectives is well on track and no corrective measures are needed.

In two cases we do not have monitoring results. In the case of KPI 6, in the course of 2018 we opted to monitor and prioritise our policy activities in relation to the relevant priority actions outlined in our Strategy, instead of publishing a list of priorities. We took this decision because we felt that this was a more efficient way of ensuring that we meet the targets set out in the EDPS Strategy.

In the case of KPI 7, we are not currently able to accurately measure the number of visitors to the EDPS website, due to a change in the cookie and tracking policy on our website. This change is aimed at ensuring that users of our website will be able to consciously opt-in to having their online activity tracked on the EDPS website. It will therefore ensure that the website is as data protection friendly as possible. For this reason the results for KPI 7 are not complete.

The target for KPI 4 is readjusted yearly, in accordance with the legislative cycle.

KEY PERFORMANCE INDICATORS		RESULTS AT 31.12.2018	TARGET 2018
Objective 1 - Data Protection goes digital
KPI 1 Internal indicator	Number of initiatives promoting technologies to enhance privacy and data protection organised or co-organised by EDPS	9	9 initiatives
KPI 2 Internal & External Indicator	Number of activities focused on cross-disciplinary policy solutions (internal & external)	8	8 activities
Objective 2 - Forging global partnerships
KPI 3 Internal Indicator	Number of cases dealt with at international level (EDPB, CoE, OECD, GPEN, International Conferences) for which EDPS has provided a substantial written contribution	31	10 cases
Objective 3 – Opening a new chapter for EU Data Protection
KPI 4 External Indicator	Level of interest of stakeholders (COM, EP, Council, DPAs, etc.)	15	10 consultations
KPI 5 External Indicator	Level of satisfaction of DPO’s/DPC’s/controllers on cooperation with EDPS and guidance, including satisfaction of data subjects as to training	95%	70%
KPI 6 Internal Indicator	Rate of implementation of cases in the EDPS priority list (as regularly updated) in form of informal comments and formal opinions	N/A	N/A
Enablers – Communication and management of resources
KPI 7	Number of visits to the EDPS website	N/A	Reach 195715 (2015 results) visits
Composite External Indicator	Number of followers on the EDPS Twitter account	14,000	9407 followers (2017 results) + 10%
KPI 8 Internal Indicator	Level of staff satisfaction	75%	75%
KPI9 Internal Indicator	Budget implementation	93.8%	90%

Main Objectives for 2019

The following objectives have been selected for 2019 within the overall Strategy for 2015-2019. We will report on the results in the 2019 Annual Report.

Ensuring the correct application of Regulation 2018/1725

The new data protection rules for the EU institutions and bodies became fully applicable on 11 December 2018. In 2019, we will continue our campaign to ensure that both those who work for the EU institutions and those who do not are able to develop a better understanding of the requirements of the new Regulation and greater awareness of the risks associated with the processing of personal data.

Within the EU institutions, we will continue our focus on encouraging the development of a culture of accountability. This involves providing Data Protection Officers (DPOs), management and EU staff members with the knowledge and tools to go beyond simple compliance, to ensure that they are also able to demonstrate this compliance.

A new legal basis for policy and consultation activities

Regulation 2018/1725 strengthens the role of the EDPS in our policy and consultation activities. The European Commission is now explicitly required to consult the EDPS in specific cases and we must provide them with advice within eight weeks of receiving their request. The new legislation also allows for the possibility of issuing joint opinions with the European Data Protection Board (EDPB).

In 2019, we will work with the Commission and the EDPB to ensure that appropriate procedures are put in place to support these new provisions and we will review and update our internal rules and other relevant guidance documents. We will also remain at the disposal of the European Commission, European Parliament and the Council to provide formal or informal advice at any point in the decision-making process.

Providing guidance on necessity and proportionality

In 2019, we will complete our work on providing a methodology for the EU legislator to follow when assessing the necessity and proportionality of legislative measures with an impact on the fundamental rights to privacy and data protection. Specifically, we will develop Guidelines on proportionality, completing the work we started with the publication of our Necessity Toolkit in April 2017. In doing so, we aim to provide the EU institutions with a framework that will help them to take a proactive approach to implementing data protection safeguards into EU policy.

Facilitating wider debate on interoperability

In our 2018 Opinion on interoperability between the EU’s large-scale IT systems we called for wider debate on the future of these systems, their governance and on how to safeguard fundamental rights in this area. We will launch this debate in 2019, with a high-level panel on the topic at the annual Computers, Privacy and Data Protection Conference (CPDP), taking place in Brussels from 30 January-1 February 2019.

The new Regulation 2018/1725 provides for a single model of coordinated supervision for the EU’s large-scale IT systems and EU bodies, offices and agencies, to be carried out by the EDPS and national supervisory authorities. Alongside our partners in the national DPAs, we will reflect on the future of coordinated supervision over the course of 2019.

Securing information

The new Regulation for data protection in the EU institutions introduces new concepts that emphasise the importance of information security. These include mandatory data breach notifications and the use of pseudonymisation as a recognised security measure.

To account for this, we will need to increase our capacity and competence to supervise and assess the measures taken by the EU institutions to achieve compliance. We must also be able to react quickly to notifications of data breaches and other security incidents, to ensure that any negative effect on the fundamental rights of individuals is limited. We will continue to conduct inspections focused on technological aspects, in particular those relating to large-scale IT systems and in the area of security and law enforcement.

Managing the transition to Eurojust supervision

With our supervisory role at Europol now well established, in 2019 the EDPS will take on the task of supervising personal data processing at another EU agency working in the field of justice and home affairs: Eurojust.

A new legal framework for Eurojust, which includes new data protection rules specific to the agency’s activities, was adopted on 6 November 2018. It provides for a supervisory role to be performed by the EDPS. To prepare for our new role, EDPS staff will organise internal and external training sessions related to Eurojust supervision, all aimed at ensuring that we are ready to take on our new role at the end of 2019.

Implementing data protection by design and by default in the EU institutions

Under the new data protection rules, EU institutions have an obligation to implement the principles of data protection by design and by default when developing and operating data processing systems. We will therefore increase our efforts to identify and promote practical technological solutions in 2019. This will involve regularly monitoring ICT developments in order to provide guidance and training on the technical implementation of data protection.

Guidance on technology and data protection

In 2018, we issued Guidelines on the protection of personal data in IT governance and management, cloud computing and data breach notifications. In 2019, we will issue updated guidance aimed at improving accountability in IT, and provide policy advice on specific technologies or methodologies, with a special focus on security.

In order to ensure consistency with the advice and practice of other data protection authorities (DPAs), we will follow the EDPB’s guidance on these topics and contribute to their work on harmonised guidance.

We will also continue to cooperate with our international partners on technology and data protection, including the International Conference of Data Protection and Privacy Commissioners (ICDPPC) and its Working Groups and the International Working Party on Data Protection and Telecommunications (IWGDPT, known as the Berlin Group).

Through carrying out inspections and investigations, we will continue our efforts to assess data protection compliance within the EU institutions. Where possible, we will endeavour to carry these out remotely, from the EDPS lab.

Supporting the Internet Privacy Engineering Network (IPEN)

As a network of technology and privacy experts from DPAs, industry, academia and civil society, IPEN will play an important role in translating data protection principles into engineering requirements. We will support the network in intensifying its efforts to promote privacy friendly technology and privacy-aware engineering techniques. In particular, we will concentrate our efforts on translating the principle of privacy by design into engineering requirements and on facilitating an exchange between engineers and privacy experts on technical solutions for privacy issues, through workshops and presentations at public events.

The new legal obligation to apply the principle of data protection by design and by default in the design and operation of IT systems used for the processing of personal data has increased the importance of the work in this domain, in particular with respect to determining the state of the art and its development as a benchmark for supervision and enforcement activities.

Continued cooperation with EU and international partners

With new EU legislation now fully applicable, cooperation with our data protection partners within and outside the EU is more important than ever. Cooperation with the Member State DPAs will continue on many levels and within the EDPB in particular, where our focus will be on continued active involvement with the work of the Key Provisions subgroup and as a member of the drafting team tasked with elaborating amendments to the EDPB Rules of Procedure.

Continuing our work with international organisations, we will organise a workshop in mid-2019, which will take place in Paris. Our efforts to promote a dialogue at international level with authorities, organisations and other groups from outside the EU will also remain a priority.

Maintaining momentum for the Ethics Initiative

After the success of the 2018 International Conference of Data Protection and Privacy Commissioners, our challenge now is to ensure that this momentum continues. At an event to be held as part of the Computers, Privacy and Data Protection (CPDP) Conference at the beginning of 2019, we will launch several new activities aimed at doing just this. These will include:

• a series of public conversations in the format of conference calls, web-streamed discussions or podcasts, with experts from various fields, including DPAs;
• opinion pieces from thought-leaders on the topic of digital ethics, which will be posted online;
• a new EDPS Opinion on Ethics, building on our 2015 Opinion and the Ethics Advisory Group Report.
• a side event on ethics which will take place during the 2019 International Conference of Data Protection and Privacy Commissioners.

Through these activities, we hope to make continued progress towards achieving an international consensus on digital ethics.

GETTING IN TOUCH WITH THE EU

In person
All over the European Union there are hundreds of Europe Direct information centres. You can find the address of the centre nearest you at: https://europa.eu/european-union/contact_en

On the phone or by email
Europe Direct is a service that answers your questions about the European Union. You can contact this service:

• by freephone: 00 800 6 7 8 9 10 11 (certain operators may charge for these calls),
• at the following standard number: +32 22999696 or
• by email via: https://europa.eu/european-union/contact_en

FINDING INFORMATION ABOUT THE EU

Online
Information about the European Union in all the official languages of the EU is available on the Europa website at: https://europa.eu/european-union/index_en

EU publications
You can download or order free and priced EU publications at: https://publications.europa.eu/en/publications. Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see https://europa.eu/european-union/contact_en).

EU law and related documents
For access to legal information from the EU, including all EU law since 1952 in all the official language versions, go to EUR-Lex at: http://eur-lex.europa.eu

Open data from the EU
The EU Open Data Portal (http://data.europa.eu/euodp/en) provides access to datasets from the EU. Data can be downloaded and reused for free, both for commercial and non-commercial purposes.

Contact

Further details about the EDPS can be found on our website at http://www.edps.europa.eu.

The website also details a subscription feature to our newsletter.

 

www.edps.europa.eu
EU_EDPS
EDPS
European Data Protection Supervisor

 

Luxembourg: Publications Office of the European Union, 2019

© Photos: iStockphoto/EDPS & European Union

© European Data Protection Supervisor, 2019

Reproduction is authorised provided the source is acknowledged.

Print	ISBN 978-92-9242-290-5	ISSN 1831-0494	doi:10.2804/36758	QT-AB-19-001-EN-C
PDF	ISBN 978-92-9242-333-9	ISSN 1977-8333	doi:10.2804/596525	QT-AB-19-001-EN-N
HTML	ISBN 978-92-9242-324-7	ISSN 1977-8333	doi:10.2804/108539	QT-AB-19-001-EN-Q