Category Archives: EDPS

European Data Protection Supervisor (EDPS)

EDPS issues a preliminary Opinion on the Review of the ePrivacy Directive

On July 22nd, 2016, the EDPS presented a Preliminary Opinion on the Review of the e-Privacy Directive (2002/58/EC). For the EDPS, a new proposal on e-Privacy should “guarantee confidentiality of communications, offer clarity and complement the General Data Protection Regulation (GDPR)”. In short, the rules should be “smarter, clearer, stronger”.

Background information

The revision of the e-Privacy Directive is part of the Digital Single Market Strategy, announced by the European Commission (EC) in May 2015. The EC started the review of the Directive in 2015 by requesting a study of the transposition and effectiveness of the privacy-related articles of the e-Privacy Directive, as well as of the relationship between the Directive and the GDPR. A report[1] was published in June 2015. In April 2016 the EC launched a public consultation, open to citizens, legal entities and public authorities. The Commission consulted stakeholders on both the retrospective evaluation and the possible changes to the current e-Privacy Directive. The Opinion of the EDPS responds to this call. The EC intends to use the feedback from the consultation to prepare a new legislative proposal, which is expected by the end of 2016.


Publication by EDPS of Security Risk Management Guidance for EU Institutions

On March 21, 2016, the European Data Protection Supervisor (EDPS) issued a Guidance on Security Measures for Personal Data Processing. The purpose of the guidance is to explain Article 22 of Regulation 45/2001 and to set out the main practical steps EU institutions and bodies should take in order to comply with it. The document not only recalls the security obligations laid down in EU law but also builds upon accepted best-practice recommendations for information security risk management (ISRM). Instead of prescribing particular security measures that must be implemented to mitigate risk, the EDPS notes that "state of the art" risk assessment and management must be applied at all times. For the EDPS, a specific tool to manage and monitor risk on an ongoing basis is of utmost importance, and the adoption of an ISRM framework responds to this practical need. The Guidance explains precisely how this framework ought to be applied. The procedures it describes should prove a valuable instrument for any organization looking to rationalize and focus its ISRM processes.

The Guidance describes an ISRM process with the following steps:

"1. Context Establishment: Relevant facts are gathered, risk evaluation criteria are established, roles and responsibilities are assigned, and the scope and objectives of the process are defined.

2. Risk Assessment

a. Risk Identification: Relevant risks to the organization are identified.

b. Risk Analysis: Identified risks are analyzed to determine the probability and consequences of each one.

c. Risk Evaluation: Risks are evaluated using the criteria established in the Context Establishment stage and prioritized accordingly.

3. Risk Treatment: The organization decides whether to reduce, avoid, or share each risk; residual risks are calculated.

4. Risk Acceptance: The organization either accepts each residual risk or engages in additional risk treatment to attain an acceptable level of residual risk.

5. Risk Communication and Consultation: Risk-related information is communicated to relevant stakeholders to obtain buy-in.

6. Risk Monitoring and Review: Risks are consistently monitored to ensure the organization's management of each one is appropriately adjusted in response to changes in the risks."

For instance, the guidance states: "Since threats, technologies, processes and other factors relevant for the risk assessment evolve constantly, it is necessary for EU institutions to regularly review their risk assessment and the selection of security measures."


The transfer of personal data to third countries and international organisations by EU institutions and bodies

On 14 July 2014 the European Data Protection Supervisor (EDPS) issued a position paper providing guidance to EU institutions and bodies on the transfer of personal data to third countries, in light of the provisions laid down in Regulation (EC) No 45/2001. The position paper is a useful tool for interpreting some of those provisions when personal information is transferred outside the EU or to bodies not subject to EU law. It is complemented by a practical checklist that lets EU institutions and bodies follow a defined course of action before an international transfer takes place, in order to ensure compliance with EU law.


Opinion 7/2015 – Meeting the challenges of big data. A call for transparency, user control, data protection by design and accountability

On 19 November 2015 the European Data Protection Supervisor issued Opinion 7/2015, entitled "Meeting the challenges of big data". It deals with how big data can bring benefits and opportunities for society as a whole if companies comply with data protection laws and find innovative ways to do so. The opinion outlines the strategy of the European Data Protection Supervisor for reaching that goal, also in light of the ongoing data protection reform.


Opinion 3/2015 – Europe’s big opportunity. EDPS recommendations on the EU’s options for data protection reform

Further to the European Commission's proposal on the EU data protection reform (January 2012), the resolution of the European Parliament (12 March 2014) and the vote of the Council of the EU on the General Data Protection Regulation (GDPR) (15 June 2015), these three EU institutions entered the so-called "trilogue" on 24 June 2015. EDPS Opinion 3/2015 provides recommendations on the EU data protection reform, and in particular on the GDPR, and suggests amendments to the proposed text. Moreover, apart from setting out the position of the EDPS on the proposed GDPR and its provisions, Opinion 3/2015 presents possible solutions towards the best possible compromise on the reform, and thus the best possible text of the GDPR.