Insight: “European Data Protection Supervisor’s Strategy for 2020-2024” by Anjum Shabbir
After postponing publication of its Strategy for the next few years in order to take stock of the COVID-19 crisis, the European Data Protection Supervisor (EDPS) last week finally released it – implementing ‘substantial changes’ due to the resultant leap in the importance of the digital economy and digital transformation. It is entitled: ‘Shaping a Safer Digital Future: a new Strategy for a new decade’, covering the years 2020-2024, though the EDPS qualifies it as dynamic and subject to change.
EDPS’s Tasks and Powers
In order to understand the Strategy, it is necessary to be clear what the EDPS’s mandate, tasks and powers are, upon which it builds.
The EDPS is mandated with a main and significant task: to monitor the EU Institutions’ data processing (for EU activities) under Article 1(3), in particular for compliance with fundamental rights and data protection rights (Article 52(2)); the Institutions must in turn cooperate with the EDPS (Article 32). This is especially pertinent given that data subjects can complain directly to the EDPS, that it has investigatory powers, and that it can, as a last resort, sanction the EU institutions through its power to impose administrative fines for non-compliance with the Regulation.
Its mandate is however more extensive than that, and includes:
- providing advice on the processing of data by the EU Institutions (Article 52(3));
- dealing with data protection breaches that must be reported to it (Article 34);
- being consulted when impact assessments show there may be a risk to fundamental rights (Article 34);
- being consulted by the European Commission when the latter makes legislative proposals and recommendations (Article 42); and
- being consulted on a mandatory basis when the Commission is issuing legislative, delegated or implementing acts (recital 60).
Consider, as examples of the above in the last few months, the EDPS’s Opinion on the Commission’s White Paper on Artificial Intelligence (in June), its Opinion on the Commission’s Data Strategy (also in June), its assessment of the EU’s proposed measures for contact tracing technologies as a COVID-19 mitigation measure (in May), and its statement about protecting fundamental rights (in April).
Strategy for 2020-2024
Turning to the Strategy itself, it is divided into three core pillars: ‘foresight’, ‘action’ and ‘solidarity’.
1. Foresight – monitoring
The EDPS sets out a monitoring strategy as its first core pillar, and the proposed approach includes:
First, with reference to its existing right to intervene in cases before the Court of Justice, one part of the Strategy is to carefully monitor jurisprudence in line with that right, and produce case law digests concerning data protection and privacy under EU rules. Some of the cases in which the EDPS has intervened before the Court of Justice include Privacy International (C-623/17), Quadrature du Net (C-511/18 and C-512/18), Ordre des barreaux (C-520/18), Schrems (C-362/14), Client Earth and Pan Europe (C-615/13 P), Commission v Hungary (C-288/12), Digital Rights Ireland (C-293/12 and C-594/12), and Commission v Austria (C-614/10).
Second, there is reiteration of its additional roles (mentioned above) in terms of monitoring, to provide advice regarding compliance with Charter and data protection principles when the Commission proposes measures that have data protection implications.
Third, the Strategy includes keeping track of COVID-19 measures taken by the EU Institutions to ensure they are only in place for as long as necessary. It also aims to facilitate closer cooperation between the public health field, through experts and research, driven by the unexpected COVID-19 pandemic.
Other than that, worth mentioning in the monitoring part of the Strategy are: (i) the proposal to make the training that the EDPS will provide for new EU Institutional staff compulsory; (ii) the promise to set up organised discussions on new technologies, such as eHealth, quantum computing, edge computing, blockchain – and biometric technologies and automatic recognition systems (recognising that they will have a profound impact on privacy and anonymity, as well as a chilling effect on lawful political protests and activism); and (iii) systematically explaining new technologies to be deployed by EUIs in terms of the impact and risks they may cause.
2. Action – strengthening advisory, supervision and enforcement roles
Many elements stand out in the second core pillar of the Strategy.
First, the EDPS proposes that the use of artificial intelligence, specifically automated recognition in public spaces of human features, not only facial recognition but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, should not be rolled out yet so that an informed and democratic debate can take place (including presumably on predictive policing). It will be worth keeping track of whether this advice is taken into account by the European Commission and other EU Institutions: the EDPS is consulted where proposed and new legislation and related measures are issued, and has powers of enforcement for breaches of the Regulation, but in this respect its advice can only be of an influential nature.
Second is the aim of minimising reliance on monopoly providers of communications and software services, by calling for a review of external contracts on digital products, software services, and technology, and of reinforcing the role of the ‘controller’ in EU Institutions (see for example findings from the EDPS’s Microsoft investigation on the EU Institutions’ need to improve the limited control they had, which has caused a stir in the media). This is worth exploring further, as the EDPS is essentially stating that the EU Institutions need to improve their independence vis-a-vis multinationals in order to comply with the European Data Protection Regulation. That investigation appears to stop short of suggesting a breach of the European Data Protection Regulation has occurred.
Third is the EDPS referring to a strategy of publishing standardised information about personal data breaches that are notified to it (Article 34), including the types of organisations involved and the number of people affected. This is a notable move towards transparency.
Fourth, it also presents a novel kind of aligned approach between the European Data Protection Regulation for which it oversees the data processing of EU Institutions, and the General Data Protection Regulation for which it provides the secretariat to the European Data Protection Board (EDPB). In this action pillar it proposes building the capacity of the EDPB through its secretariat, and for greater European solidarity and burden sharing by supporting a pool of experts within the EDPB, pointing out that the aims and objectives of both Regulations are the same.
Fifth, the EDPS further proposes to contribute to the review of Regulation 2018/1725, which as referred to above establishes the EDPS, in order to address gaps and discrepancies. It should be noted that ‘contributing to reviewing’ that Regulation should not exceed the EDPS’s mandate of advising and consulting (as set out in the list of its tasks above), particularly as the Regulation regulates the EDPS itself.
Finally, the EDPS also proposes: to promote data protection by design and by default in technologies; develop oversight mechanisms; provide guidance on personal data processing using automated decision making systems and AI; explore free and open source software and solutions; review previous authorisations for data transfer to third countries and adopt standard data protection clauses; check compliance of EU websites and mobile apps with EU law; closely monitor the process that makes EU systems interoperable; and more.
3. Solidarity – sustainable data processing, inclusive protection, collaboration with EU Institutions
The third core pillar of the Strategy takes into account collaboration with other EU Institutions, protection of the environment, independence, the rule of law, and fundamental rights, in particular with regard to vulnerable categories. It includes the aim to provide guidance to EUIs on policies and measures (such as the Digital Services Act) that hold private companies accountable for manipulation and amplification serving private gain, but to avoid blanket monitoring and censorship of speech that inevitably interferes with the rights to privacy and data protection.
Much of the European Data Protection Supervisor’s output this year has, as is expected of it, and in line with Articles 1 and 52 of the Regulation, been true to its mantra ‘Big Data means Big Responsibility’, including the Strategy it has just published, through emphasis on the need to protect fundamental rights as set out in the Charter of Fundamental Rights and by EU data protection (and consumer) rights. (See also the Memorandum of Understanding it has recently agreed with the Fundamental Rights Agency).
It has also demonstrated its independence (Article 55) in the Strategy by (i) openly discussing that the fact of powerful multinationals dominating global information flows needs to be addressed (a sign perhaps, that it is less influenced by lobbying of the EU Institutions that is publicly known to have taken place by Facebook and Google, for example), (ii) clearly noting that technologies enable authoritarian states to strengthen and export their self-serving model of surveillance, repression and censorship, and (iii) referring, like the Council’s brief mention in its observations on EU digital policy, to the impact of technologies on the environment, though the EDPS more unequivocally acknowledges that digital technologies have a large and increasing negative impact on natural resources, at the risk of becoming unsustainable at a time of growing environmental crisis.
In conclusion, the European Data Protection Supervisor’s Strategy, as adapted to take into account the problems arising from COVID-19 related measures, cannot be criticised for ambition and reach. It focuses on a very wide range of monitoring, role-strengthening and collaborative actions related as far as possible to its mandate, and is up to date: it includes the changes in the wind arising from the relationship between data and public health, technology and privacy in the context of COVID-19, emerging technologies, regulation of online platforms, sustainability and environmental concerns and much more. This is necessary, given that the EU’s digital policy agenda (for a digital economy, digital transformation, digital workforce, greater connectivity, the internet of things, e-Health and more) is extensive and far-reaching, and as more legislative movement – requiring the EDPS’s input and oversight – can be expected.
Read the Strategy here.
Anjum Shabbir is an Assistant Editor at EU Law Live