
EDPS News

EDPS

Announcing: CPDP Data Protection Day Conference

4 days 5 hours ago
julia | Wed, 11/29/2023 - 10:44 | Thu, 01/25/2024 - 12:00

Join us on 25 January 2024 in Brussels at the Computers, Privacy, Data Protection conference organised by the EDPS, the Privacy Salon, CPDP colleagues, and the Council of Europe to mark Data Protection Day. More information on the topics to be discussed and registration details here: cpdp-dataprotectionday.eu.

European Data Protection Supervisor

TechDispatch on Explainable Artificial Intelligence

2 weeks 3 days ago
miriam | Wed, 11/15/2023 - 18:05 | Thu, 11/16/2023 - 12:00

The new TechDispatch delves into the intricacies of Explainable Artificial Intelligence, unraveling the complexities to make AI understandable and transparent.


Newsletter Digest - Episode 8 is out!

3 weeks 5 days ago
miriam | Mon, 11/06/2023 - 17:38 | Tue, 11/07/2023 - 12:00

Listen to our latest episode of the Newsletter Digest Podcast!


Newsletter #105 out now!

1 month ago
miriam | Fri, 11/03/2023 - 12:50 | Fri, 11/03/2023 - 12:00

In this issue: CSAM, the point of no return? EDPS actions on Artificial Intelligence, the digital euro, how to be smarter than a hacker, and more diverse topics to read now.


EDPS in action: data protection and artificial intelligence

1 month 1 week ago
julia | Tue, 10/24/2023 - 14:43 | Tue, 10/24/2023 - 12:00

With Artificial Intelligence (AI), the digital landscape is evolving. As the data protection authority of the EU institutions and bodies, the EDPS aims to ensure that AI is integrated into day-to-day lives in a human-centered and sustainable way, respecting privacy and data protection principles.


TechSonar: a step into the future

1 month 2 weeks ago
francesco | Tue, 10/17/2023 - 10:51 | Fri, 10/20/2023 - 12:00

TechSonar won the 2023 GPA Award in the category 'innovation'!

Discover the project and the team behind it.

Watch video.


Proposal for two Directives on AI liability rules

1 month 3 weeks ago
miriam | Fri, 10/13/2023 - 11:44 | Wed, 10/11/2023 - 12:00

The EDPS issued an own-initiative Opinion on two proposed directives on liability for defective products and on adapting non-contractual civil liability rules to artificial intelligence.

Read our Opinion here.


EDPS Seminar on the CSAM Proposal: “The Point of No Return?”

1 month 3 weeks ago
alfredo | Thu, 10/12/2023 - 15:43 | Thu, 10/12/2023 - 12:00

On 23 October from 13:00 to 15:00 CET, the EDPS organises a seminar dedicated to the ongoing legislative works on the Commission’s Regulation Proposal on Child Sexual Abuse Material (CSAM).


Newsletter Digest - Episode #7

2 months ago
miriam | Mon, 10/02/2023 - 11:59 | Mon, 10/02/2023 - 12:00

Listen to the Newsletter Digest podcast - episode #7 now on Spotify @EDPS On Air or on our website here.


Newsletter #104

2 months ago
julia | Fri, 09/29/2023 - 11:59 | Fri, 09/29/2023 - 12:00

Newsletter #104 is out now! Stay informed with us about new updates in the digital regulatory landscape. 


This #CyberSecMonth, be smarter than a hacker

2 months ago

EDPB News

EDPB

CSC re-elects Deputy Coordinator

4 days 2 hours ago

The Coordinated Supervision Committee (CSC) has re-elected Sebastian Hümmeler from the German Federal data protection authority as its Deputy Coordinator for a term of two years. 

The CSC ensures the coordinated supervision of the large EU Information Systems and of EU bodies, offices and agencies in accordance with Article 62 of Regulation 2018/1725 or with the EU legal act establishing the large scale IT system or EU body, office or agency. It was created within the framework of the European Data Protection Board (EDPB) and brings together the EU data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS), as well as the data protection authorities of the Non-EU Schengen Member States, when foreseen under EU law.

The CSC currently covers the Internal Market Information system (IMI), Eurojust, the European Public Prosecutor’s Office (EPPO) and Europol and the Schengen Information System (SIS). Gradually, the Committee will also cover other IT systems, bodies, offices and agencies in the fields of Border, Asylum and Migration (EES, Eurodac, ETIAS, VIS, and their interoperability), Police and Justice Cooperation (SIS, ECRIS-TCN) and the next generation Prüm. You can find more information on the Committee here: https://edpb.europa.eu/csc/about-csc/who-we-are-coordinated-supervision-committee_en  


EDPB provides clarity on tracking techniques covered by the ePrivacy Directive

2 weeks 4 days ago

Brussels, 15 November - The EDPB adopted Guidelines on the technical scope of Art. 5 (3) of the ePrivacy Directive. The Guidelines aim to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals.

EDPB Chair Anu Talus said: “It is no secret that tracking the activities of users online can seriously harm people’s privacy. The ambiguities regarding the scope of application of Art. 5(3) ePrivacy Directive and the emergence of new techniques, in addition to or as an alternative to traditional cookies, have given rise to new privacy risks. These guidelines discuss solutions, such as tracking links and pixels, local processing, and unique identifiers, to ensure that the consent obligations set out by the article are not circumvented.”

In order to clarify the scope of the article, the Guidelines analyse the key notions referred to in this article, such as 'information', 'terminal equipment of a subscriber or user', 'electronic communications network', 'gaining access' and 'stored information/storage'. The Guidelines also include a set of practical use cases featuring common tracking techniques.

The Guidelines only address the scope of the application of Art. 5(3) ePrivacy Directive. They do not address how consent should be collected, or the exemptions set out in the article. 

The Guidelines will be submitted for public consultation for a period of six weeks.


EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta

1 month ago

On 27 October, the EDPB adopted an urgent binding decision instructing the Irish (IE) DPA as lead supervisory authority (LSA) to take, within two weeks, final measures regarding Meta Ireland Limited (Meta IE) and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA).
The urgent binding decision followed a request from the Norwegian Data Protection Authority (NO DPA) to take final measures in this matter that would have effect in the entire European Economic Area (EEA).

The ban on processing will become effective one week after the notification of the final measures by the IE SA to the controller.
The Irish DPC notified Meta of the EDPB Urgent Binding Decision on 31/10.
The EDPB takes note of Meta's proposal to rely on a consent based approach as legal basis, as it was reported on 30/10. The Irish DPC is currently evaluating this together with the Concerned Supervisory Authorities (CSAs).

EDPB Chair Anu Talus said: “After careful consideration, the EDPB considered it necessary to instruct the IE SA to impose an EEA-wide processing ban, addressed to Meta IE. Already in December 2022, the EDPB Binding Decisions clarified that contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioural advertising. In addition, Meta has been found by the IE SA to not have demonstrated compliance with the orders imposed at the end of last year. It is high time for Meta to bring its processing into compliance and to stop unlawful processing.”


Digital euro: ensuring the highest data protection and privacy standards

1 month 2 weeks ago

Brussels, 18 October - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the proposed Regulation on the digital euro as a central bank digital currency. The digital euro aims to provide individuals with the possibility to make payments electronically, both online and offline, as an additional means of payment alongside cash.

The EDPB and the EDPS acknowledge that the proposed Regulation addresses many data protection aspects of the digital euro, notably by addressing an offline modality to minimise the processing of personal data. In particular, the EDPB and the EDPS strongly welcome that digital euro users will always have the choice to pay in digital euros or in cash. At the same time, the EDPB and the EDPS make several recommendations to better ensure the highest standards of personal data protection and privacy for the future digital euro.

EDPS Supervisor Wojciech Wiewiórowski said: “We welcome and support the commitment in the proposed Regulation to ensure high levels of data privacy for the use of the online digital euro, and an even higher level of protection for the use of the offline digital euro. In our Joint Opinion, we suggest further improvements to ensure that the rights to privacy and to the protection of personal data are effectively preserved. In particular, we make recommendations to ensure that only the necessary personal data of users of the digital euro is processed, and to avoid excessive centralisation of personal data by the European Central Bank (ECB) or national central banks.”

EDPB Deputy Chair Irene Loizidou Nicolaidou said: “A high standard of privacy and data protection is instrumental in gaining citizens’ trust in this new digital currency. With this Joint Opinion, we aim to ensure that data protection is embedded early on in the design phase of the digital euro when used both online and offline and that the data protection responsibilities of each of the actors taking part in the issuance of digital euro are clearly specified in the Regulation.”

According to the proposed Regulation, the ECB and national central banks may establish a single access point to verify that the amount of digital euros held by each user does not exceed the maximum amount allowed, known as the holding limit. The EDPB and the EDPS understand that this verification will be done by processing identifiers of the digital euro users and their related holding limits. In their Joint Opinion, the EDPB and the EDPS call for clarifications on the processing of these identifiers. Furthermore, the EDPB and the EDPS advise assessing whether the single access point is necessary and proportionate, underscoring that technical measures allowing for a decentralised storage of these identifiers are feasible, as an alternative.

Addressing the fraud detection and prevention mechanism (FDPM) included in the proposed Regulation, the EDPB and the EDPS consider that it lacks foreseeability. In their view, the processing of personal data within the FDPM by the ECB and payment service providers (PSPs) is not clearly defined. The EDPB and the EDPS recommend further demonstrating the FDPM’s necessity. In the absence of such demonstration, the EDPB and the EDPS recommend considering less intrusive measures from a data protection perspective. In addition, the EDPB and the EDPS recommend defining the role and tasks of the ECB, national central banks and PSPs in this context, according to key data protection principles.

In addition, the EDPB and the EDPS strongly recommend introducing a ‘privacy threshold’ for online transactions, under which neither offline nor online low-value transactions are traced for purposes of anti-money laundering (AML) and for combatting the financing of terrorism (CFT). To reduce the AML/CFT risk profile of low-value online digital euro transactions, the EDPB and the EDPS recommend including an obligation to implement appropriate technical measures during the design phase of the digital euro.

Finally, the EDPB and the EDPS highlight that the proposed Regulation should further clarify the data protection responsibilities of the ECB and of the PSPs. This includes the legal bases the ECB and PSP should rely upon, and the types of personal data they should process for the issuance, distribution and use of the digital euro.

The EDPB and the EDPS will continue to monitor and provide guidance on the developments of this proposed Regulation according to their respective responsibilities.


EDPB picks topic for 2024 Coordinated Action

1 month 2 weeks ago

During its October plenary, the EDPB selected the topic for its third coordinated enforcement action, which will concern the implementation of the right of access by controllers. Further work will now be carried out to specify the details in the upcoming months and the action itself will be launched in 2024.

In a coordinated action, the EDPB prioritises a certain topic for data protection authorities (DPAs) to work on at the national level. The results of these national actions are then bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level. Last year, the EDPB selected the designation and position of data protection officers (DPOs). The report on the outcome of the 2023 coordinated action will be adopted in the coming months.

Earlier this year, the EDPB published the report on the outcome of its first coordinated action on the use of cloud-based services by the public sector.

This new coordinated action follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among DPAs.


September plenary - adopted documents

1 month 4 weeks ago

EDPB adopts Guidelines on data transfers subject to appropriate safeguards under the Law Enforcement Directive

2 months ago

During its latest plenary, the EDPB adopted Guidelines on Art. 37 of the Law Enforcement Directive (LED). These Guidelines aim to provide practical guidance on the application of Art. 37 LED concerning transfers of personal data by competent authorities of EU countries to third country authorities or international organisations, competent in the field of law enforcement. In particular, these Guidelines aim to provide clarity on the legal standard for appropriate safeguards that competent authorities need to apply pursuant to Art.37(1)(a) and (b) LED and, accordingly, on the relevant factors for the assessment of whether such safeguards exist.

The Guidelines aim to serve as a reference for EU countries when they envisage concluding or amending the transfer instruments under Art. 37 (a) LED. In this respect, these guidelines also provide guidance to national data protection authorities (DPAs) in case they are consulted or otherwise involved in the negotiation of such instruments or where they subsequently review their implementation. Furthermore, these guidelines address the role of DPAs in the context of the data controller’s accountability obligations according to Art. 37(2) and (3) LED.

The Guidelines reiterate that any transfer of personal data requires an essentially equivalent level of protection in the recipient third country or international organisation and that transfers should by no means undermine the level of protection applicable in the EU. Furthermore, the Guidelines address the use of a legally binding instrument (Art. 37 (a) LED) compared to an assessment by a controller (Art. 37 (b) LED), and stress that the latter should only be relied on when this assessment is based on a careful analysis of the relevant legal framework and practices establishing that the transfer in question is subject to appropriate safeguards.

In addition, the Guidelines include practical guidance, such as a list of elements that should be addressed in a legally binding instrument as well as examples for categorising and assessing the circumstances of a transfer.

The Guidelines will be subject to public consultation until 8 November 2023.


Swift adoption of Regulation to streamline cross-border enforcement needed

2 months 1 week ago

Brussels, 21 September - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the European Commission’s Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR. This proposal aims to ensure the timely completion of investigations and the delivery of swift remedies for individuals in cross-border cases, by harmonising a number of procedural differences across the EU and streamlining the cross-border cooperation procedure. The proposal follows a wish list sent by the EDPB to the European Commission in October 2022.

EDPB Chair Anu Talus said: “We welcome the Commission’s swift response to our call for action and we are pleased to see that our wish list has now been transformed into a concrete legislative proposal, which will complement the GDPR. With this Joint Opinion, we aim to ensure that the new Regulation works for all parties involved. Given its high importance, we urge the co-legislators to swiftly adopt this new Regulation.”

EDPS Supervisor, Wojciech Wiewiórowski, said: “The Commission’s proposal is a welcome attempt to address some of the challenges identified by experts and practitioners related to the governance of the One-Stop-Shop mechanism. With our Joint Opinion, we hope to further improve the future legislation and, in particular, to foster timely resolution of cross-border cases, and to ensure that procedural rights of complainants are respected, keeping in mind constraints inherent in the GDPR enforcement model. Moreover, we call on the co-legislators to use this opportunity to address practical obstacles to efficient cooperation between national data protection authorities and the EDPS.”

The EDPB and EDPS welcome the Commission’s efforts to harmonise the information to be provided for a complaint to be considered admissible and they further call for an exhaustive harmonisation of admissibility requirements. They also positively note the clarifications concerning the right of access to an administrative file. In addition, the Commission’s proposal to boost consensus-finding early on in the cooperation procedure is key to a more efficient and enhanced enforcement cooperation.

Amongst several other recommendations, the EDPB and EDPS consider that the consensus-finding proposals could be further improved by ensuring that concerned supervisory authorities (CSAs) are more involved in the different steps of the procedure, as this would avoid possible disputes at a later stage. In particular, the ‘preliminary findings’ addressed to the parties under investigation and the ‘preliminary view’ to reject the complaint should be shared with CSAs before they are submitted to the parties under investigation or to the complainant. Moreover, time limits, extendable in duly justified circumstances, should be defined for certain procedural steps to allow swift and efficient enforcement.

The EDPB and the EDPS stress that the Proposal should not unduly restrict CSAs' ability to raise relevant and reasoned objections on a draft decision, including on the scope of the investigation. They also urge the co-legislators not to change the current approach to the parties’ right to be heard in the dispute resolution procedure, which is triggered when data protection authorities (DPAs) fail to find a consensus on a case. The proposed change would require the Chair of the EDPB to provide the parties under investigation and the complainant with a ‘statement of reasons’. This appears not to be in line with the architecture of the One-Stop-Shop system; it is also unnecessary in light of the current practice which allows the EDPB to duly take the views of the parties into account and reach a decision within the deadlines.

With regard to the urgency procedure under Art. 66(2) GDPR, the EDPB and the EDPS urge the co-legislators to specify that the final measures are adopted by the competent DPAs and, as appropriate, with a broader scope than the territory of the requesting DPA.

Finally, as underlined by the EDPS in his contribution on the Commission initiative, sent in April 2023 to the Commission, the existing practical obstacles to efficient cooperation between the national DPAs and the EDPS should be addressed. The EDPB and EDPS therefore recommend introducing a specific provision to this effect.

The EDPB and EDPS also adopted a joint contribution in response to the European Commission's public consultation on the template report for the description of consumer profiling techniques pursuant to Art. 15 of the Digital Markets Act (DMA). Under the DMA, designated gatekeepers will have to annually submit such reports to the European Commission. The draft template aims to specify what gatekeepers should include in the independently audited descriptions of their profiling techniques. These descriptions will be transmitted by the Commission to the EDPB and will inform enforcement actions by DPAs.

The EDPB and EDPS formulate several recommendations to clarify the scope of the information sought by the Commission which will be transmitted to the EDPB. They recommend that gatekeepers provide additional information concerning the categories of personal data processed and their sources, the lifecycle of the processing at stake, the legal basis relied on, the measures taken with regard to the rights of data subjects and a description of appropriate technical safeguards implemented by gatekeepers.


Following EDPB Decision, TikTok ordered to eliminate unfair design practices concerning children

2 months 2 weeks ago

Brussels, 15 September – Following the EDPB’s binding dispute resolution decision, the Irish Data Protection Authority (IE DPA) has issued a final decision, finding, in particular, that TikTok Technology Limited (TikTok) infringed the GDPR's principle of fairness when processing personal data relating to children between the ages of 13 and 17. The EDPB's decision was issued on 2 August 2023 and covers TikTok's processing activities between 31 July and 31 December 2020.

Anu Talus, EDPB Chair, said: “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design. With this decision, the EDPB once again makes it clear that digital players have to be extra careful and take all necessary measures to safeguard children’s data protection rights.”

In its binding decision, the EDPB analysed the design practices implemented by TikTok in the context of two pop-up notifications that were shown to children aged 13-17: the Registration Pop-Up and the Video Posting Pop-Up. The analysis found that both pop-ups failed to present options to the user in an objective and neutral way.

In the Registration Pop-Up, children were nudged to opt for a public account by choosing the right-side button labelled “Skip”, which would then have a cascading effect on the child’s privacy on the platform, for example by making comments on video content created by children accessible.

In the Video Posting Pop-Up, children were nudged to click on “Post Now”, presented in a bold, darker text located on the right side, rather than on the lighter button to “cancel”. Users who wished to make their post private first needed to select “cancel” and then look for the privacy settings in order to switch to a “private account”. Therefore, users were encouraged to opt for public-by-default settings, with TikTok making it harder for them to make choices that favoured the protection of their personal data. Furthermore, the consequences of the different options were unclear, particularly to child users. The EDPB confirmed that controllers should not make it difficult for data subjects to adjust their privacy settings and limit the processing.

The EDPB also found that, as a result of the practices in question, TikTok infringed the principle of fairness under the GDPR. Consequently, the EDPB instructed the IE DPA to include, in its final decision, a finding of this additional infringement and to order TikTok to comply with the GDPR by eliminating such design practices.

The EDPB also assessed whether age verification measures implemented by TikTok between 31 July and 31 December 2020 complied with the requirements of data protection by design (Art. 25(1) GDPR). The EDPB expressed serious doubts regarding the effectiveness of the age verification measures put in place by TikTok during this period, particularly taking into account the severity of the risks for the high number of children affected. Among others, the EDPB found that the age gate deployed by TikTok to prevent child users under the age of 13 from accessing the platform could be easily circumvented and that the measures applied after users gained access to TikTok were not applied in a sufficiently systematic manner.

Based on the elements available in the context of this dispute resolution procedure, the EDPB concluded that it did not have sufficient information, in particular in relation to the state of the art, to conclusively assess TikTok’s compliance with Art. 25 (1) GDPR during this period. However, considering the serious doubts regarding the effectiveness of the measures chosen by TikTok, the EDPB required the IE DPA to reflect this in its final decision.

The IE DPA's final decision incorporates the legal assessment expressed by the EDPB in its binding decision. This decision was adopted on the basis of Art. 65(1)(a) GDPR after the IE DPA, as lead supervisory authority (LSA), triggered a dispute resolution procedure concerning the objections raised by some concerned supervisory authorities (CSAs). These objections outlined the scope of the EDPB’s decision, described above.

The IE DPA’s final decision also includes a legal assessment that was not subject to objections by CSAs, such as the finding that the public-by-default settings were contrary to the principles of data protection by design and default, of data minimisation and transparency. In addition to a reprimand and a compliance order, the IE DPA imposed a fine of €345 million.

The final decision taken by the IE DPA is available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

 

Editor’s note:

This current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties. EDPB Binding decisions only address disagreements on a draft decision, which are set out by CSAs in relevant and reasoned objections.
