On 20th April 2022, the European Data Protection Supervisor, Wojciech Wiewiorowski, presented the European Data Protection Supervisor (EDPS) Annual Report at the European Parliament Committee on Civil Liberties, Justice and Home Affairs. The report, drafted on behalf of the EDPS by Trilateral Research and Vrije Universiteit Brussel, provides a summary of the activity of the EDPS over the last year, including investigations, supervisory actions, opinions and cases put before the Court of Justice. It gives an indication of the EDPS’ direction: to keep up with (and ideally be one step ahead of) the increasingly fast pace of technological advancement (e.g., AI and machine learning). The message from the EDPS is that data generated in Europe should be processed according to European values, thus ensuring a safe digital future. This article provides a summary of the key takeaways.
The EDPS launched two investigations in order to comply with the judgement of ‘Schrems II’, which expressed concerns about the US Privacy Shield and invalidated the adequacy decision which was previously relied upon for data transfers from the EU to the US (for an in-depth insight on this see our article here). One investigation centred on the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by EUIs, and the other on the use of Microsoft Office 365 by the European Commission. The investigations are still ongoing at the time of writing, but they indicate that cross-border transfers and cloud services will be a key area of focus for 2022.
The EDPS also took a proactive approach in making decisions on EUI transfers, and whether the tools they used to transfer the personal data fell outside of the ‘essential equivalent level of protection’ criteria.
The report highlighted the EDPS’ supervision activities, detailing the work on Europol, Eurojust, the European Public Prosecutor’s Office (EPPO) and Frontex. Perhaps the most significant of the supervisory actions concerned Europol and its use of machine learning tools, as well as its processing of large datasets. In the case of machine learning tools, the EDPS’ opinion shows the need for EUIs considering the use of any innovative technology to take a careful look at and assess the risks posed to data subjects and their rights and freedoms. In the case of Europol’s use of large datasets, the EDPS used its corrective powers to request that Europol delete data concerning individuals with no established link to criminal activity. The decision follows on from the EDPS’ criticism of Europol in September 2020 for its continued storage of large volumes of data with no Data Subject Categorisation (due to its unjust impact on fundamental rights). The Europol example draws attention to the importance of institutional processes that govern lawful data retention and data deletion, to ensure that data is not held indefinitely.
As the report shows, 2021 was a busy year for the EDPS and saw it taking an active role in guiding EUIs towards better data protection practices and using corrective actions where appropriate. Transfers of personal data appear to be a key area of focus, as well as considerations around cloud infrastructure and the use of data for AI and machine learning. The report shows the EDPS’ awareness of, and willingness to address, the core challenges that lie ahead, namely the rapid advancement of digital and scientific technology and the need to consider the risk that this uncharted territory may bring.
If you wish to talk more about the issues discussed in this article or any other matter concerning Data Protection, please visit the Trilateral Data Governance page and do not hesitate to contact a member of Trilateral Research’s DPO team who will be happy to assist you in full.