{"id":72226,"date":"2021-03-25T22:00:01","date_gmt":"2021-03-25T21:00:01","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-43\/"},"modified":"2021-03-25T22:00:01","modified_gmt":"2021-03-25T21:00:01","slug":"data-protection-insider-issue-43","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-43\/","title":{"rendered":"Data Protection Insider, Issue 43"},"content":{"rendered":"
\n

– <\/span>EDPS Releases Opinion on the Draft Europol Regulation <\/span><\/strong><\/a>–<\/a>
\n<\/strong><\/span><\/p>\n

On 8th<\/sup> March the EDPS issued an Opinion on the draft proposals for amending the Europol Regulation.<\/a> We presented the main features of the proposals in DPI #38. The EDPS Opinion focuses on the following six main points:<\/span><\/p>\n

(1) Cooperation with private parties, both within and outside the EU. The EDPS points out that in the course of such cooperation Europol might share data with these parties, as requested by the national authorities, and that the safeguard that such transfers should not be \u2018systematic, massive or structural\u2019 should apply also to data sharing in the EU, not just internationally. In addition, Europol\u2019s responsibilities as a processor vis-\u00e0-vis the national authorities should be regulated by a binding agreement.<\/span><\/p>\n

(2) Processing of Biag Data for the purposes of \u2018pre-analysis\u2019, i.e. to determine whether the available data may fall within Europol\u2019s scope. The EDPS recommends that such \u2018pre-analysis\u2019 should occur only where there exists \u2018an objective necessity\u2019 and that extending the maximum period for this analysis should be based on objective criteria, which are currently missing.<\/span><\/p>\n

(3) Providing operational support, i.e. analysis of big data, to Member States in criminal investigations. The EDPS emphasizes that this change would be most impactful in terms of data protection as it will give Europol the power to process additional categories of personal data. In order to make sure that such a processing should remain the exception, \u2018\u2026 the amended Regulation should lay down certain conditions and\/or thresholds, such as scale, complexity, type or importance of the investigations.\u2019<\/strong><\/span><\/p>\n

(4) Europol\u2019s participation in R&D projects. The EDPS recommends that the scope of this participation should be restricted only to Europol\u2019s tasks and welcomes the obligation to carry out a DPIA assessing the risks to all rights and freedoms. Furthermore, Europol, as a stakeholder in setting up the European Security Data Space, should take into account the EDPS\u2019s comments to the European Strategy for Data and its AI Strategy into account.<\/span><\/p>\n

(5) Transfers to third countries. The EDPS notes that the proposals seek to authorize Europol\u2019s Executive Director to authorise \u2018categories of transfers\u2019, which is an unclear terms, and should be specified.<\/span><\/p>\n

(6) The upcoming applicability of Regulation 2018\/1725 to Europol. The EDPS recommends that the current provisions in the Europol Regulation on supervision by the EDPS should be deleted, so that it is unambiguous that the ones in Regulation 2018\/1725 are applicable, as they give the EDPS more supervisory and enforcement powers. He welcomes the upcoming applicability of the coordinated supervision provisions of Regulation 2018\/1725. The EDPS, however, emphasizes that he needs more human and technical resources to live up to the proposed extended supervisory tasks, such as assessing the necessity and proportionality of data received by Europol from Third Countries.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– <\/span><\/span><\/strong>EDPS Releases Opinion on the Cybersecurity Strategy and the NIS 2.0 Directive<\/span><\/strong>–<\/span><\/span><\/strong><\/a><\/p>\n

On 11th<\/sup> March the EDPS issued an Opinion concerning (1) the Union\u2019s Cybersecurity Strategy and (2) the proposal amending the NIS Directive. The EDPS in principle supports the proposed cybersecurity measures, as cybersecurity is also essential for personal data security, as provided for in the GDPR. In his Opinion he advocates for integrating the privacy and data protection aspect into the cybersecurity measures as this \u2018will ensure a\u00a0\u00a0 holistic\u00a0\u00a0 approach\u00a0\u00a0 and\u00a0\u00a0 enable\u00a0\u00a0 synergies to public and private organisations when managing cybersecurity and protecting the information they process without useless multiplication of efforts.\u2019<\/a> At the same time he notes that some of the proposed cybersecurity measures could interfere with individual rights and freedoms. Thus, data protection by design and by default measures should be taken, \u2018which will assist in integrating the appropriate safeguards such as pseudonymisation, encryption, data accuracy, data minimization, in the design and use of these technologies and systems.\u2019 He then makes specific recommendations to the proposal, seeking to make the envisaged personal data processing more in line with the necessity and proportionality requirement, of which the following seven deserve special mention: (1) the need to clarify that the EU data protection framework (GDPR and ePrivacy Directive) applies to any personal data processing performed in the framework of the proposal; (2) the need to clarify whether the proposal focuses on \u2018cybersecurity\u2019 or \u2018security\u00a0 of\u00a0 network\u00a0 and\u00a0 information systems\u2019; (3) the need to clarify what data from the \u2018WHOIS data\u2019 might be disclosed and by what authorities data held in the TLD registers might be accessed, i.e. whether also by authorities outside the EEA, and what the criteria for granting access should be; (4) the need to clarify in more narrow terms what kind of proactive scanning CSIRTs may be requested to perform and which personal data this may involve; (5) he reminds that outsourcing cybersecurity should comply with the GDPR, especially with the provisions on data transfers when it is outsourced to a Third Country; (6) he criticizes the possibility for weakening end-to-end encryption through different solutions, including \u2018backdoors\u2019; and (7) recommends including measures to ensure the effective supervision by the data protection supervisory authorities as established by the GDPR.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– <\/span>EDPB-EDPS Issue Joint Opinion on the Data Governance Act –<\/span><\/span><\/strong><\/a><\/p>\n

The EDBP and EDPS have now jointly published the \u2018EDPB-EDPS Joint Opinion 03\/2021 on the Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)\u2019. In principle, the EDPB and EDPS recognise the legitimacy of the aim of the proposed Act: \u2018The EDPB and the EDPS acknowledge the legitimate objective of fostering the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU\u2019. In relation to the substance of the proposed Act, however, they offer the more negative comment that: \u2018\u2026 the Proposal, also having regard to the Impact Assessment accompanying it, does not duly take into account the need to ensure and guarantee the level of protection of personal data provided under EU law. The EDPB and the EDPS consider that this policy trend toward a data-driven economy framework without a sufficient consideration of personal data protection aspects raises serious concerns from a fundamental rights viewpoint\u2019.<\/a> In this regard, they offer critique in relation to numerous aspects of the proposed Act, amongst which the following five: (1) \u2018the relationship of the Proposal with Union law in the field of personal data protection\u2019 \u2013 including observations on the need to make definitions generally consistent between the Act and other relevant data protection law; (2) \u2018Requirements applicable to data sharing service providers\u2019 \u2013 including comments as to potential issues of transparency in relation to sharing provisions; (3) \u2018Data altruism\u2019 \u2013 including comments on the relationship between consent in the proposed Act and in the GDPR; (4) \u2018International transfers of data\u2019 \u2013 including comments on the scope of the Commission\u2019s implementing powers regarding the conditions of international transfers; and (5) on \u2018horizontal provisions on institutional settings[,] complaints[,] European Data Innovation Board (EDIB) expert group[,] delegated acts[,] penalties[,] evaluation and review[,] amendments to the single digital gateway regulation[,] transitional measures and entry into force\u2019 \u2013 including comments concerning the role of DPAs as competent authorities in relation to the Act. This is a lengthy and detailed opinion and is worth reading for anyone interested in the development of the European data economy and data protection.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0<\/span>EDPB Adopts Documents During 42nd<\/sup> and 43rd<\/sup> Plenary Sessions <\/span>–<\/span><\/strong><\/a><\/p>\n

The EDPB held its 46th<\/sup> Plenary Session on 9th<\/sup> March. During the sessions the EDPB adopted the following documents:<\/a><\/span><\/p>\n