
Data Protection Day 2025

3 days 14 hours ago
Data Protection Day 2025 matthijs Wed, 12/18/2024 - 16:47 Tue, 01/28/2025 - 12:00

To mark Data Protection Day, the EDPS, Council of Europe, and CPDP Conferences are joining forces to host a one-day event: “CPDP – Data Protection Day: A New Mandate for Data Protection.”
•    When: 28 January 2025
•    Where: European Commission’s Charlemagne, Brussels
•    Format: In-person and online

This year’s conference comes at a crucial time as new EU political mandates begin shaping the policy landscape. Discussion will focus on the evolving mandate of data protection, particularly its essential role as a safeguard of our democratic society against excessive intrusions into citizens’ privacy by public or private actors.

•    Event page
•    Programme
•    Register here

European Data Protection Supervisor

EDPB opinion on AI models: GDPR principles support responsible AI

3 days 18 hours ago

Brussels, 18 December - The European Data Protection Board (EDPB) has adopted an opinion* on the use of personal data for the development and deployment of AI models. This opinion looks at 1) when and how AI models can be considered anonymous, 2) whether and how legitimate interest can be used as a legal basis for developing or using AI models, and 3) what happens if an AI model is developed using personal data that was processed unlawfully. It also considers the use of first and third party data.

The opinion was requested by the Irish Data Protection Authority (DPA) with a view to seeking Europe-wide regulatory harmonisation. To gather input for this opinion, which deals with fast-moving technologies that have an important impact on society, the EDPB organised a stakeholders’ event and had an exchange with the EU AI Office.

EDPB Chair Talus said: “AI technologies may bring many opportunities and benefits to different industries and areas of life. We need to ensure these innovations are done ethically, safely, and in a way that benefits everyone. The EDPB wants to support responsible AI innovation by ensuring personal data are protected and in full respect of the General Data Protection Regulation (GDPR).”

Regarding anonymity, the opinion says that whether an AI model is anonymous should be assessed on a case by case basis by the DPAs. For a model to be anonymous, it should be very unlikely (1) to directly or indirectly identify individuals whose data was used to create the model, and (2) to extract such personal data from the model through queries. The opinion provides a non-prescriptive and non-exhaustive list of methods to demonstrate anonymity.

With respect to legitimate interest, the opinion provides general considerations that DPAs should take into account when they assess if legitimate interest is an appropriate legal basis for processing personal data for the development and the deployment of AI models.

A three-step test helps assess the use of legitimate interest as a legal basis. The EDPB gives the examples of a conversational agent to assist users, and the use of AI to improve cybersecurity. These services can be beneficial for individuals and can rely on legitimate interest as a legal basis, but only if the processing is shown to be strictly necessary and the balancing of rights is respected.

The opinion also includes a number of criteria to help DPAs assess if individuals may reasonably expect certain uses of their personal data. These criteria include: whether or not the personal data was publicly available, the nature of the relationship between the individual and the controller, the nature of the service, the context in which the personal data was collected, the source from which the data was collected, the potential further uses of the model, and whether individuals are actually aware that their personal data is online.

If the balancing test shows that the processing should not take place because of the negative impact on individuals, mitigating measures may limit this negative impact. The opinion includes a non-exhaustive list of examples of such mitigating measures, which can be technical in nature, or make it easier for individuals to exercise their rights or increase transparency.

Finally, when an AI model was developed with unlawfully processed personal data, this could have an impact on the lawfulness of its deployment, unless the model has been duly anonymised.

Considering the scope of the request from the Irish DPA, the vast diversity of AI models and their rapid evolution, the opinion aims to give guidance on various elements that can be used for conducting a case by case analysis.

In addition, the EDPB is currently developing guidelines covering more specific questions, such as web scraping.


Note to editors:
*An Article 64(2) opinion addresses a matter of general application or produces effects in more than one Member State.

EDPB

PATRICIA Exercise 2024 - Personal dATa bReach awareness In Cybersecurity Incident hAndling

4 days 18 hours ago
PATRICIA Exercise 2024 - Personal dATa bReach awareness In Cybersecurity Incident hAndling matthijs Tue, 12/17/2024 - 12:40 Mon, 12/16/2024 - 12:00

The event, hosted at the EDPS premises in Brussels, aimed to raise awareness among staff from European Union Institutions, Bodies, and Agencies (EUIs) on managing personal data breaches.

Read the executive summary of the report
European Data Protection Supervisor

EDPS Campaign on raising awareness of personal data breaches

4 days 18 hours ago
EDPS Campaign on raising awareness of personal data breaches matthijs Tue, 12/17/2024 - 12:35 Mon, 12/16/2024 - 12:00

In 2024, the European Data Protection Supervisor (EDPS) launched a dedicated campaign to raise awareness of personal data breaches, one of 20 initiatives organised to mark the institution’s 20th Anniversary. The campaign ran from March to October 2024, 

Read the executive summary of the report
European Data Protection Supervisor

20 Talks - Carissa Véliz: Associate Professor at the University of Oxford

5 days 14 hours ago
20 Talks - Carissa Véliz: Associate Professor at the University of Oxford matthijs Mon, 12/16/2024 - 16:15 Tue, 12/17/2024 - 12:00

Carissa Véliz is an Associate Professor at the University of Oxford. Prof Véliz graduated in philosophy from the University of Salamanca, completed a master's degree in philosophy at the CUNY graduate centre in New York, and received a doctorate in philosophy from the University of Oxford, where she currently works at the Faculty of Philosophy and the Institute on Ethics of Artificial Intelligence.

Watch the episode here!
European Data Protection Supervisor

Newsletter 112

5 days 21 hours ago
Newsletter 112 julia Mon, 12/16/2024 - 09:58 Mon, 12/16/2024 - 12:00

In this issue, learn about our global efforts to elevate data protection standards, our work on artificial intelligence and more!

Read the last newsletter of 2024
European Data Protection Supervisor

New episode of 20 Talks is out!

1 week 3 days ago
New episode of 20 Talks is out! miriam Wed, 12/11/2024 - 09:42 Thu, 12/12/2024 - 12:00

Today, we welcome Jan Philipp Albrecht. Jan is a co-President of the Heinrich Böll Foundation who shares his expertise on data protection, privacy, and digital rights. 

Have a listen
European Data Protection Supervisor

The EDPS follows up on the compliance of European Commission’s use of Microsoft 365

1 week 4 days ago
The EDPS follows up on the compliance of European Commission’s use of Microsoft 365 julia Tue, 12/10/2024 - 10:59 Tue, 12/10/2024 - 12:00

The European Data Protection Supervisor (EDPS) is examining the European Commission’s compliance with its decision of 8 March 2024 regarding the use of Microsoft 365. Following its investigation, the EDPS had found that the European Commission infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA).

Read Press Release

European Data Protection Supervisor

EDPB calls for coherence of digital legislation with the GDPR

2 weeks 3 days ago

Brussels, 04 December - During its December 2024 plenary, the European Data Protection Board (EDPB) adopted a statement on the second report of the European Commission on the application of the General Data Protection Regulation (GDPR).*

In its statement, the EDPB welcomes the reports from the European Commission and the Fundamental Rights Agency**. Importantly, the EDPB underlines the importance of legal certainty and coherence of digital legislation with the GDPR, and recalls some of its ongoing initiatives to clarify the enforcement interplay of the GDPR with the AI Act, the EU Data Strategy and the Digital Services Package.

In addition, the EDPB announces it will step up the production of content for non-experts, small and medium-sized enterprises (SMEs) and other groups.

Finally, the Board highlights the genuine need for additional financial and human resources to help DPAs and the EDPB deal with increasingly complex challenges and additional competences.


Note to editors

* In July 2024, the European Commission published its second report on the application of the GDPR, adopted under Art. 97 GDPR.

** In June 2024, the Fundamental Rights Agency (FRA) published a report on the experiences of DPAs when implementing the GDPR. The findings of this report complement the European Commission's evaluation of the GDPR.

EDPB

EDPB clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification

2 weeks 4 days ago

Brussels, 03 December - During its latest plenary, the European Data Protection Board (EDPB) published guidelines on Art. 48 GDPR about data transfers to third country authorities and approved a new European Data Protection Seal.

EDPB helps organisations assess data transfer requests by third country authorities

In a highly interconnected world, organisations receive requests from public authorities in other countries to share personal data. The sharing of data can, for instance, be of help to collect evidence in the case of crime, to check financial transactions or approve new medications.

When a European organisation receives a request for a transfer of data from an authority in a ‘third country’ (i.e. a non-European country), it must comply with the General Data Protection Regulation (GDPR). In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to such requests. In this way, the guidelines help organisations to decide whether they can lawfully transfer personal data to third country authorities when asked to do so.

Judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. If an organisation replies to a request for personal data from a third country authority, this data flow constitutes a transfer and the GDPR applies. An international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.*

The guidelines are subject to public consultation until 27 January 2025.

Approval of EU Data Protection Seal

During the plenary meeting, the Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors. In September 2023, the Board already adopted an opinion on the approval of the Brand Compliance national certification criteria, making them officially recognised certification criteria in the Netherlands for data processing by organisations. The approval of the new opinion means that these criteria will now be applicable across Europe and as a European Data Protection Seal.

GDPR certification helps organisations demonstrate their compliance with data protection law. This transparency helps people trust the product, service, process or system for which organisations process their personal data.

 

Note to editors:

* The transfer must comply with Art. 6 GDPR and the provisions of Chapter V.

An international agreement may provide for both a legal basis under Art. 6(1)(c) or 6(1)(e) GDPR and a ground for transfer under Art. 46(2)(a) GDPR.

EDPB

20 Talks with former European Data Protection Supervisor - Peter J. Hustinx

2 weeks 5 days ago
20 Talks with former European Data Protection Supervisor - Peter J. Hustinx miriam Mon, 12/02/2024 - 18:36 Wed, 12/04/2024 - 12:00

What does it take to shape the privacy landscape of Europe and beyond? In this episode, we sit down with Peter Hustinx who has been a true pioneer in data protection. 

Watch now
European Data Protection Supervisor

Introducing a new interview with Eliška Pírková

3 weeks 2 days ago
Introducing a new interview with Eliška Pírková miriam Thu, 11/28/2024 - 10:35 Mon, 12/02/2024 - 12:00

Eliška is a legal expert and digital rights advocate known for her work in internet governance and online freedom of expression. Together we discuss freedom of expression, democracy, privacy and digital rights in the context of a "super election year".

Watch it
European Data Protection Supervisor

Episode of mini video series is out!

3 weeks 3 days ago
Episode of mini video series is out! miriam Wed, 11/27/2024 - 17:34 Fri, 11/29/2024 - 12:00

Join us as we speak with leading experts who witnessed the evolution of data protection globally first-hand. The second episode features Peter Hustinx and focuses on the work that led to the Council of Europe’s Convention 108. 

Watch it here
European Data Protection Supervisor

EDPS-DPO Network: a unified approach to safeguarding personal data across EU institutions

3 weeks 3 days ago
EDPS-DPO Network: a unified approach to safeguarding personal data across EU institutions julia Wed, 11/27/2024 - 17:04 Wed, 11/27/2024 - 12:00

The EDPS and the Data Protection Officers (DPO) network of the EU institutions, bodies, offices and agencies (EUIs) met for the second time this year on 27 November 2024, at the Court of Justice of the European Union, in Luxembourg. This is the 55th meeting held since its creation.

Read blogpost by Leonardo Cervera Navas

European Data Protection Supervisor

20 Talks with Ségolène Martin from Kantify

3 weeks 5 days ago
20 Talks with Ségolène Martin from Kantify miriam Mon, 11/25/2024 - 12:12 Thu, 11/28/2024 - 12:00

In this episode, we welcome Ségolène Martin. Mrs Martin is a cofounder of Kantify, a pioneer in AI-driven health solutions. Dive deep with us to explore how Artificial Intelligence (the so-called Sapian) can improve drug discovery in healthcare.

Watch it here
European Data Protection Supervisor