Data protection: how can we safeguard this fundamental right best in a digital world?

European Court of Auditors, published in #ECAjournal, Feb 28, 2020

In the European Union, data protection — and particularly personal data protection — is clearly embedded in the Charter of Fundamental Rights of the EU (article 8). The digitalisation and thereby ‘datafication’ of our society has only accelerated the need for clear data protection rules, and for organisations monitoring compliance with these rules. While there are several non-governmental organisations active in this area, in 2001 the EU created a supervisory authority, whose duties, powers and institutional independence were further developed in an EU regulation adopted in 2018. Since 5 December 2019, Wojciech Wiewiórowski has been the European Data Protection Supervisor, heading an organisation that cooperates intensively with the data protection officers of each EU institution. Below he elaborates on the new challenges that digitalisation and new technologies pose from a data protection point of view, and the pioneering role the European Union can and should play in protecting the fundamental rights that underpin the European ideal.

By Wojciech Wiewiórowski, European Data Protection Supervisor (EDPS)

Source: EDPS

Data protection and EU policy

The biggest challenges of the coming years include the development and deployment of AI systems, biometrics and facial recognition, blockchain and quantum computing and encryption techniques — for all of which data protection rules can and should provide important guidance.

This is a statement I made during my hearing at the European Parliament on 25 November when discussing data protection issues on the occasion of my hearing as a candidate for the EDPS post.

Data protection affects almost every EU policy area. It also plays a key role in legitimising and increasing trust in EU policies. Europe is the world’s leading proponent of the protection of fundamental rights and human dignity; it is therefore vital that the EU plays a leading role in shaping a global standard for privacy and data protection, centred on these values.

Box 1 — the European Data Protection Supervisor — EDPS

The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority. Its general mission is to: monitor and ensure the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals; advise EU institutions and bodies on all matters relating to the processing of personal data, on request or on our own initiative. In particular, we are consulted by the European Commission on proposals for legislation, international agreements, as well as implementing and delegated acts with impact on data protection and privacy; monitor new technology that may affect the protection of personal information; intervene before the Court of Justice of the EU to provide expert advice on interpreting data protection law; cooperate with national supervisory authorities and other supervisory bodies to improve consistency in protecting personal information.

Regulation (EU) 2018/1725 lays down the rules for data protection in the EU institutions. It also lays down the duties and powers of the EDPS as well as its institutional independence.

It is the role of the European Data Protection Supervisor (EDPS) to ensure that the European Union’s institutions, offices, bodies and agencies respect the fundamental rights to privacy and data protection. This includes when they process personal data or when they are involved in developing new policies that may require the processing of personal data.

Regulation (EU) 2018/1725 sets out the data protection rules that the EU institutions must follow, as well as the role and powers of the EDPS in enforcing these rules. However, the strong set of powers conferred upon me as the EDPS should also be used to engage and educate EU bodies in responsible data practices in the spirit of accountability — accountability being one of our keywords in this new era of digital data protection practice. At the same time, as EDPS I recognise that, in an ever-changing technological landscape, legislation on data protection can only be effective up to a certain point. We need to remember that the principal aim of data protection is not to protect personal data itself, but to protect the individuals connected to this data.

With this in mind, we have recently focused specific attention on the development of Digital Ethics. We need to question the way in which we use new technologies, to assess the impact they have on our rights and values and determine how to address them. Our aim is to foster a continuous, global debate on what is ethical in the digital sphere. We have invested considerable effort in this endeavour, with the aim of launching a global debate on how we can ensure the protection of human rights and fundamental values in the digital age. We hope that this will provide us with the foundation to confront the challenges presented by the digital revolution, which threatens the traditional frameworks used to ensure respect for our rights to data protection and privacy.

Addressing the challenges of new technologies

Our technological capabilities are developing at an increasingly rapid pace. Yet, while new technologies have profoundly changed the way we live, determining how best to regulate the development of these technologies is not an easy task. Over the past five years, one of the main priorities of the EDPS has therefore been to help ensure that data protection goes digital, and with technological development unlikely to slow down any time soon, it will continue to be a focus of our work in the years to come.

One of the ways in which I endeavour to do this is through the promotion of technologies to enhance privacy and data protection. Under the General Data Protection Regulation (GDPR) and Regulation 2018/1725, controllers are required to respect the principles of data protection by design and by default. For technology developers and manufacturers, this means that there is a need to build privacy and data protection into the design and development of technological solutions. To help prepare for these new requirements, my office has set up the Internet Privacy Engineering Network (IPEN).

Launched in 2014, IPEN brings together experts from a range of different areas to encourage the development of engineering solutions to privacy problems. Through supporting projects that build privacy into new and existing digital tools, the Network aims to promote and advance state of the art practices in privacy engineering. With new EU rules on data protection now fully applicable, IPEN’s focus is on establishing a more specific and practical understanding of privacy-friendly technological development.

Ensuring effective data protection without technological expertise is now impossible; the digital revolution has forced Data Protection Authorities and other regulators to develop skills in this area, with my office consistently aiming to lead this trend. One of the ways in which we promote dialogue on modern technologies is through the publication of our TechDispatch newsletter, launched earlier this year. Each issue aims to explain a different emerging technology, providing information on the technology itself, a preliminary assessment of the possible impact it could have on privacy and the protection of personal data and links to further reading on the topic.

Another initiative aimed at fostering technological expertise is the EDPS Website Inspection Software, a software tool designed to support the work of data protection professionals. Originally developed to carry out inspections of EU institutions’ websites, it allows technical amateurs to collect automated evidence of personal data processing.

Through publishing information and tools such as this, we aim to contribute to a shared pool of knowledge that all Data Protection Authorities (DPAs) and other interested parties can benefit from.

Working together with a common aim

The coherent enforcement of fundamental rights in the age of big data presents a significant challenge for regulators across the board. There is mounting concern about the concentration of market power and personal data in fewer and fewer hands. With this in mind, we identified a need for authorities to work together more closely to protect the rights and interests of individuals, such as the right to privacy, to freedom of expression and non-discrimination. The Digital Clearinghouse is one of our collaborative initiatives, set up to facilitate this cooperation.

Data protection, consumer and competition law each in theory serve common goals, but in reality, these sectors tend to work independently. We believe that each branch of the law has its own role to play, but that they would be more effective if they worked in tandem. The Clearinghouse meets twice a year and acts as a forum for cooperation between competition, consumer and data protection authorities, willing to share information and ideas on how to make sure web-based service providers are more accountable for their conduct. We hope that, through working together, regulators in these fields will be better able to address the challenges posed by the digital economy and coherently enforce EU rules relating to fundamental rights in the digital world.

There is a pressing need to increase transparency, user control and accountability in big data processing. Having control over our personal data means being able to determine what data are being used, for what purpose and by whom. It also means being fully capable of exercising individual data protection rights. While this might seem simple in theory, the automated and complex processing of personal data, the use of algorithms to make decisions and the sheer quantity of personal data that is collected, supplemented and shared freely by numerous actors in the modern economy — particularly online — has made this process considerably harder.

As the supervisory authority for the EU institutions, I am dedicated to ensuring that the EU institutions are able to lead by example in increasing the accountability and transparency of their work. By providing training and guidance and working in close cooperation with the data protection officers (DPOs) of the EU institutions, we aim to provide them with the tools to do this, but we also monitor the activities of EU institutions and bodies closely and, in 2019, we launched two high-profile investigations. These were aimed at ensuring that the EU institutions uphold the highest levels of data protection compliance, thus ensuring the highest levels of protection for all individuals living in the EU.

Through our work with the EU institutions, we hope not only to improve their data protection practices, but also to contribute to efforts to improve data protection across the EU and globally. We want to do this by increasing awareness of data protection principles, as well as possible issues and concerns — especially in relation to new technologies — many of which are reliant on the processing of big data.

Auditors, and in particular the European Court of Auditors, can — and must — play an important part in this digital environment too. The ECA review on EU cybersecurity policy, issued on 19 March 2019, is one example of this. Another could be the protection of personal data. When examining the programmes, operations, management systems and procedures of bodies and institutions that manage EU funds to assess whether they are achieving economy, efficiency and effectiveness in the use of those resources, auditors might also come across issues related to personal data protection, such as non-compliance with the legal obligations of data protection by design in IT-systems. In order to improve the EU’s accountability in data protection matters, these issues should be reported to the EDPS.

Looking to the future

In early 2015, the EDPS set out its vision of an EU that leads by example in the global dialogue on data protection and privacy in the digital age. With the priorities of the new European Commission now beginning to take shape, it is clear that developing an EU that is fit for the digital age will also be a priority for EU policy in the years to come.

This aligns with my vision for the mandate I received as EDPS, which began in December 2019. The EU administration should be smart and innovative. It should be able to adapt new technologies and business models and also use them to make data protection smarter and more modern. In the same way, the office of the EDPS itself should also be smarter: making full use of the latest technologies, listening to a broad range of stakeholders from industry, civil society and academia on the ‘best and worst in class’ when it comes to using personal data.

However, as the EDPS initiatives described above demonstrate, meeting the challenges of big data is not something that can be done by data protection authorities alone; there is a real and urgent need for cooperation across all disciplines and among all regulatory bodies, including between the EU’s bodies and institutions.

Wojciech Wiewiórowski speaking at the EDPS Strategic Review presentation in Brussels on 3 December 2019. Source: EDPS

The digital revolution is relentless in producing unprecedented challenges in the realm of data protection and other areas. New EU proposals on artificial intelligence, a Digital Services Act and competition policy, for example, are ambitious and necessary aims, but in the age of big data we must make sure that we do not lose sight of the fundamental rights which underpin the European ideal. As the European Data Protection Supervisor I will keep human dignity at the centre of our work when assessing how to navigate this uncharted terrain.

This article was first published in the 1/2020 issue of the ECA Journal. The contents of the interviews and the articles are the sole responsibility of the interviewees and authors and do not necessarily reflect the opinion of the European Court of Auditors.
