The Coordinated Supervision Committee (CSC) has re-elected Sebastian Hümmeler from the German Federal data protection authority as its Deputy Coordinator for a term of two years.
The CSC ensures the coordinated supervision of the large EU Information Systems and of EU bodies, offices and agencies in accordance with Article 62 of Regulation 2018/1725 or with the EU legal act establishing the large scale IT system or EU body, office or agency. It was created within the framework of the European Data Protection Board (EDPB) and brings together the EU data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS), as well as the data protection authorities of the Non-EU Schengen Member States, when foreseen under EU law.
The CSC currently covers the Internal Market Information system (IMI), Eurojust, the European Public Prosecutor’s Office (EPPO), Europol and the Schengen Information System (SIS). Gradually, the Committee will also cover other IT systems, bodies, offices and agencies in the fields of Border, Asylum and Migration (EES, Eurodac, ETIAS, VIS, and their interoperability), Police and Justice Cooperation (SIS, ECRIS-TCN) and the next generation Prüm. You can find more information on the Committee here: https://edpb.europa.eu/csc/about-csc/who-we-are-coordinated-supervision-committee_en
Join us on 25 January 2024 in Brussels at the Computers, Privacy, Data Protection conference organised by the EDPS, the Privacy Salon, CPDP colleagues, and the Council of Europe to mark Data Protection Day. More information on the topics to be discussed and registration details here: cpdp-dataprotectionday.eu.
Episode 2 of our podcast TechDispatch Talks is now available! Delve into the world of AI: how do these systems operate, make decisions and use data? Learn about Explainable AI: its benefits and its challenges.
New TechDispatch is delving into the intricacies of Explainable Artificial Intelligence, unraveling the complexities to make AI understandable and transparent.
Brussels, 15 November - The EDPB adopted Guidelines on the technical scope of Art. 5 (3) of the ePrivacy Directive. The Guidelines aim to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals.
EDPB Chair Anu Talus said: “It is no secret that tracking the activities of users online can seriously harm people’s privacy. The ambiguities regarding the scope of application of Art. 5(3) ePrivacy Directive and the emergence of new techniques, in addition to or as an alternative to traditional cookies, have given rise to new privacy risks. These guidelines discuss solutions, such as tracking links and pixels, local processing, and unique identifiers, to ensure that the consent obligations set out by the article are not circumvented.”
In order to clarify the scope of the article, the Guidelines analyse the key notions referred to in this article, such as 'information', 'terminal equipment of a subscriber or user', 'electronic communications network', 'gaining access' and 'stored information/storage'. The Guidelines also include a set of practical use cases featuring common tracking techniques.
The Guidelines only address the scope of the application of Art. 5(3) ePrivacy Directive. They do not address how consent should be collected, or the exemptions set out in the article.
The Guidelines will be submitted for public consultation for a period of six weeks.
Today the EDPS publishes the summary report of the EDPS Seminar on the CSAM Proposal: “The Point of No Return?”
EDPS publishes the “Study on the essence of fundamental rights to privacy and to protection of personal data”.
Listen to our latest episode of the Newsletter Digest Podcast!
In this issue, CSAM: the point of no return? EDPS actions on Artificial Intelligence, the digital euro, how to be smarter than a hacker? And more diverse topics to read now.
On 27 October, the EDPB adopted an urgent binding decision instructing the Irish (IE) DPA as lead supervisory authority (LSA) to take, within two weeks, final measures regarding Meta Ireland Limited (Meta IE) and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA).
The urgent binding decision followed a request from the Norwegian Data Protection Authority (NO DPA) to take final measures in this matter that would have effect in the entire European Economic Area (EEA).
The ban on processing will become effective one week after the notification of the final measures by the IE SA to the controller.
The Irish DPC has notified Meta on 31/10 about the EDPB Urgent Binding Decision.
The EDPB takes note of Meta's proposal to rely on a consent based approach as legal basis, as it was reported on 30/10. The Irish DPC is currently evaluating this together with the Concerned Supervisory Authorities (CSAs).
EDPB Chair Anu Talus said: “After careful consideration, the EDPB considered it necessary to instruct the IE SA to impose an EEA-wide processing ban, addressed to Meta IE. Already in December 2022, the EDPB Binding Decisions clarified that contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioural advertising. In addition, Meta has been found by the IE SA to not have demonstrated compliance with the orders imposed at the end of last year. It is high time for Meta to bring its processing into compliance and to stop unlawful processing.”
Each year, the EDPS co-organises the International Organisations Workshop. Read Wojciech Wiewiórowski's blogpost on the importance of this event.
Read our comic to learn about pretexting, a social engineering technique that Finley, a cybercriminal, uses on their victim, Amari, to steal their #PersonalData and access their organisation’s systems.
With Artificial Intelligence (AI), the digital landscape is evolving. As the data protection authority of the EU institutions and bodies, the EDPS aims to ensure that AI is integrated into day-to-day lives in a human-centered and sustainable way, respecting privacy and data protection principles.
- Read EDPS Press Release on its Final Recommendations for the AI Act
- Read EDPS Final Recommendation for the AI Act in full
- Read the Resolution on Generative Artificial Intelligence sponsored by the EDPS at the 45th Global Privacy Assembly
- Check our Factsheet on our initiatives permeating AI and data protection
- Watch Wojciech Wiewiórowski's video address in which he highlights the EDPS' work on AI
Brussels, 18 October - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the proposed Regulation on the digital euro as a central bank digital currency. The digital euro aims to provide individuals with the possibility to make payments electronically, both online and offline, as an additional means of payment alongside cash.
The EDPB and the EDPS acknowledge that the proposed Regulation addresses many data protection aspects of the digital euro, notably by addressing an offline modality to minimise the processing of personal data. In particular, the EDPB and the EDPS strongly welcome that digital euro users will always have the choice to pay in digital euros or in cash. At the same time, the EDPB and the EDPS make several recommendations to better ensure the highest standards of personal data protection and privacy for the future digital euro.
EDPS Supervisor Wojciech Wiewiórowski said: “We welcome and support the commitment in the proposed Regulation to ensure high levels of data privacy for the use of the online digital euro, and an even higher level of protection for the use of the offline digital euro. In our Joint Opinion, we suggest further improvements to ensure that the rights to privacy and to the protection of personal data are effectively preserved. In particular, we make recommendations to ensure that only the necessary personal data of users of the digital euro is processed, and to avoid excessive centralisation of personal data by the European Central Bank (ECB) or national central banks.”
EDPB Deputy Chair Irene Loizidou Nicolaidou said: “A high standard of privacy and data protection is instrumental in gaining citizens’ trust in this new digital currency. With this Joint Opinion, we aim to ensure that data protection is embedded early on in the design phase of the digital euro when used both online and offline and that the data protection responsibilities of each of the actors taking part in the issuance of digital euro are clearly specified in the Regulation.”
According to the proposed Regulation, the ECB and national central banks may establish a single access point to verify that the amount of digital euros held by each user does not exceed the maximum amount allowed, known as the holding limit. The EDPB and the EDPS understand that this verification will be done by processing identifiers of the digital euro users and their related holding limits. In their Joint Opinion, the EDPB and the EDPS call for clarifications on the processing of these identifiers. Furthermore, the EDPB and the EDPS advise assessing whether the single access point is necessary and proportionate, underscoring that technical measures allowing for a decentralised storage of these identifiers are feasible, as an alternative.
Addressing the fraud detection and prevention mechanism (FDPM) included in the proposed Regulation, the EDPB and the EDPS consider that it lacks foreseeability. In their view, the processing of personal data within the FDPM by the ECB and payment service providers (PSPs) is not clearly defined. The EDPB and the EDPS recommend to further demonstrate the FDPM’s necessity. In the absence of such demonstration, the EDPB and the EDPS recommend considering less intrusive measures from a data protection perspective. In addition, the EDPB and the EDPS recommend to define the role and tasks of the ECB, national central banks and PSPs in this context, according to key data protection principles.
In addition, the EDPB and the EDPS strongly recommend to introduce a ‘privacy threshold’ for online transactions, under which neither offline nor online low-value transactions are traced for purposes of anti-money laundering (AML) and for combatting the financing of terrorism (CFT). To reduce the AML/CFT risk profile of low-value online digital euro transactions, the EDPB and the EDPS recommend including an obligation to implement appropriate technical measures during the design phase of the digital euro.
Finally, the EDPB and the EDPS highlight that the proposed Regulation should further clarify the data protection responsibilities of the ECB and of the PSPs. This includes the legal bases the ECB and PSP should rely upon, and the types of personal data they should process for the issuance, distribution and use of the digital euro.
The EDPB and the EDPS will continue to monitor and provide guidance on the developments of this proposed Regulation according to their respective responsibilities.
During its October plenary, the EDPB selected the topic for its third coordinated enforcement action, which will concern the implementation of the right of access by controllers. Further work will now be carried out to specify the details in the upcoming months and the action itself will be launched in 2024.
In a coordinated action, the EDPB prioritises a certain topic for data protection authorities (DPAs) to work on at the national level. The results of these national actions are then bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level. Last year, the EDPB selected the designation and position of data protection officers (DPOs). The report on the outcome of the 2023 coordinated action will be adopted in the coming months.
Earlier this year, the EDPB published the report on the outcome of its first coordinated action on the use of cloud-based services by the public sector.
This new coordinated action follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among DPAs.
The EDPS issued an own-initiative Opinion on two proposed directives on liability for defective products and on adapting non-contractual civil liability rules to artificial intelligence.