Tag Archives: EDPS

A Conversation with Giovanni Buttarelli about The Future of Data Protection: setting the stage for an EU Digital Regulator

The nature of the digital economy is as such that it will force the creation of multi-competent supervisory authorities sooner rather than later. What if the European Data Protection Board would become in the next 10 to 15 years an EU Digital Regulator, looking at matters concerning data protection, consumer protection and competition law, having “personal data” as common thread? This is the vision Giovanni Buttarelli, the European Data Protection Supervisor, laid out last week in a conversation we had at the IAPP Data Protection Congress in Brussels.

The conversation was a one hour session in front of an over-crowded room in The Arc, a cozy amphitheater-like venue inducing bold ideas being expressed in a stimulating exchange.

To begin with, I reminded the Supervisor that at the very beginning of his mandate, in early 2015, he published the 5-year strategy of the EDPS. At that time the GDPR wasn’t adopted yet and the Internet of Things was taking off. Big Data had been a big thing for a while and questions about the feasibility and effectiveness of a legal regime that is centered around each data item that can be traced back to an individual were popping up. The Supervisor wrote in his Strategy that the benefits brought by new technologies should not happen at the expense of the fundamental rights of individuals and their dignity in the digital society.

Big data will need equally  big data protection, he wrote then, suggesting thus that the answer to Big Data is not less data protection, but enhanced data protection.

I asked the Supervisor if he thinks that the GDPR is the “big data protection” he was expecting or whether we need something more than what the GDPR provides for. And the answer was that “the GDPR is only one piece of the puzzle”. Another piece of the puzzle will be the ePrivacy reform, and another one will be the reform of the regulation that provides data protection rules for the EU institutions and that creates the legal basis for the functioning of the EDPS. I also understood from our exchange that a big part of the puzzle will be effective enforcement of these rules.

The curious fate of the European Data Protection Board

One centerpiece of enforcement is the future European Data Protection Board, which is currently being set up in Brussels so as to be functional on 25 May 2018, when the GDPR becomes applicable. The European Data Protection Board will be a unique EU body, as it will have a European nature, being funded by the EU budget, but it will be composed of commissioners from national data protection authorities who will adopt decisions, that will rely for the day-to-day activity on a European Secretariat. The Secretariat of the Board will be ensured by dedicated staff of the European Data Protection Supervisor.

The Supervisor told the audience that he either already hired or plans to hire a total of “17 geeks” adding to his staff, most of whom will be part of the European Data Protection Board Secretariat. The EDPB will be functional from Day 1 and, apparently, there are plans for some sort of inauguration of the EDPB celebrated at midnight on the 24th to the 25th of May next year.

These are my thoughts here: the nature of the EDPB is as unique as the nature of the EU (those of you who studied EU Law certainly remember from the law school days how we were told that the EU is a sui generis type of economical and political organisation). In fact, the EDPB may very well serve as test model for ensuring supervision and enforcement of other EU policy areas. The European Commission could test the waters to see whether such a mixt national/European enforcement mechanism is feasible.

There is a lot of pressure on effective enforcement when it comes to the GDPR. We dwelled on enforcement, and one question that inevitably appeared was about the trend that starts to shape up in Europe, of having competition authorities and consumer protection authorities engaging in investigations together with, or in parallel with data protection authorities (see herehere and here).

It’s time for a big change, and time for the EU to have a global approach, the Supervisor said. And a change that will require some legislative action. “I’m not saying we will need an European FTC (US Federal Trade Commission – n), but we will need a Digital EU Regulator“, he added. This Digital Regulator would have the powers to also look into competition and consumer protection issues raised by processing of personal data (so, therefore, in addition to data protection issues). Acknowledging that these days there is a legislative fatigue in Brussels surrounding privacy and data protection, the Supervisor said he will not bring this idea to the attention of the EU legislator right now. But he certainly plans to do so, maybe even as soon as next year. The Supervisor thinks that the EDPB could morph into this kind of Digital Regulator sometime in the future.

The interplay among these three fields of law has been on the Supervisor’s mind for some time now. The EDPS issued four Opinions already that set the stage for this proposal – See Preliminary Opinion on “Privacy and competitiveness in the age of Big Data: the interplay between data protection, competition law and consumer protection in the digital economy“, Opinion 4/2015 “Towards a new digital ethics“, Opinion 7/2015 “Meeting the Challenges of Big Data“, and finally Opinion 8/2016 on “coherent enforcement of fundamental rights in the age of Big Data“. So this is certainly something the data protection bubble should keep their eyes on.

Enhanced global enforcement initiatives

Another question that had to be asked on enforcement was whether we should expect more concentrated and coordinated action of privacy commissioners on a global scale, in GPEN-like structures. The Supervisor revealed that the privacy commissioners that meet for the annual International Conference are “trying to complete an exercise about our future”. They are currently analyzing the idea of creating an entity with legal personality that will look into global enforcement cases.

Ethics comes on top of legal compliance

Another topic the conversation went to was “ethics”. The EDPS has been on the forefront of including the ethics approach in privacy and data protection law debates, by creating the Ethics Advisory Group at the beginning of 2016. I asked the Supervisor whether there is a danger that, by bringing such a volatile concept into the realm of data protection, companies would look at this as an opportunity to circumvent strict compliance and rely on sufficient self-assessments that their uses of data are ethical.

“Ethics comes on top of data protection law implementation”, the Supervisor explained. According to my understanding, ethics is brought into the data protection realm only after a controller or processor is already compliant with the law and, if they have to take equally legal decisions, they should rely on ethics to take the right decision.

We did discuss about other things during this session, including the 2018 International Conference of Privacy Commissioners that will take place in Brussels, and the Supervisor received some interesting questions from the public at the end, including about the Privacy Shield. But a blog can only be this long.

 

Note: The Supervisor’s quotes are so short in this blog because, as the moderator, I did my best to follow the discussion and steer it rather than take notes. So the quotes come from the brief notes I managed to take during this conversion.

Advertisements

Fresh EU data protection compliance guidance for mobile apps, from the EDPS

The European Data Protection Supervisor adopted this week “Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions”.

While the guidelines are addressed to the EU bodies that provide mobile apps to interact with citizens (considering the mandate of the EDPS is to supervise how EU bodies process data), the guidance is just as valuable to all controllers processing data via mobile apps.

The Guidelines acknowledge that “mobile applications use the specific functions of smart mobile devices like portability, variety of sensors (camera, microphone, location detector…) and increase their functionality to provide great value to their users. However, their use entails specific data protection risks due to the easiness of collecting great quantities of personal data and a potential lack of data protection safeguards.”

Managing consent

One of the most difficult data protection issues that controllers of processing operations through mobile apps face is complying with the consent requirements. The Guidelines provide valuable guidance on how to obtain valid consent (see paragraphs 25 to 29).

  • Adequately inform users and obtain their consent before installing any application on user’s smart mobile device
  • Users have to be given the option to change their wishes and revoke their decision at any time.
  • Consent needs to be collected before any reading or storing of information from/onto the smart mobile device is done.
  • An essential element of consent is the information provided to the user. The type and accuracy of the information provided needs to be such as to put users in control of the data on their smart mobile device to protect their own privacy.
  • The consent should be specific (highlighting the type of data collected), expressed through active choicefreely given (users should be given the opportunity to make a real choice).
  • The apps must provide users with real choices on personal data processing: the mobile application must ask for granular consent for every category of personal data it processes and every relevant use. If the OS does not allow a granular choice, the mobile application itself must implement this.
  • The mobile application must feature functionalities to revoke users’ consent for each category of personal data processed and each relevant use. The mobile application must also provide functionalities to delete users’ personal data where appropriate.

The Guidelines invite controllers to “analyse the compliance of its intended processing before implementing the mobile application during the feasibility check, business case design or an equivalent early definition stage of the project”. The controller “should take decisions on the design and operation of the planned mobile application based on an information security risk assessment”.

Other recommendations concern:

  • data minimisation – “the mobile application must collect only those data that are strictly necessary to perform the lawful functionalities as identified and planned”.
  • third party components or services – “Assess the data processing features of a third party component or of a third party service before integrating it into a mobile application”.
  • security of processing – “Apply appropriate information security risk management to the development, distribution and operation of mobile applications” (paragraphs 38 to 41).
  • secure development, operation and testing – “The EU institution should have documented secure development policies and processes for mobile applications, including operation and security testing procedures following best practices”.
  • vulnerability management – “Adopt and implement a vulnerability management process appropriate to the development and distribution of mobile applications” (paragraphs 47 to 51).
  • protection of personal data in transit and at rest – “Personal data needs to be protected when stored in the smart mobile device, e.g. through effective encryption of the personal data”.

 

***

Find what you’re reading useful? Consider supporting pdpecho.

 

 

Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter

AG Mengozzi delivered his Opinion in the EU-Canada PNR case (Opinion 1/15) on 8 September 2016. While his conclusions clearly indicate that, in part, the current form of the agreement between Canada and the EU “on the transfer and processing of Passenger Name Record data” is not compliant with EU primary law – and in particular with Articles 7, 8 and 52(1) of the Charter[1] and Article 16(2) TFEU[2], the AG seems to accept that PNR schemes in general (involving indiscriminate targeting, profiling, preemptive policing) are compatible with fundamental rights in the EU.

In summary, it seems to me that the AG’s message is: “if you do it unambiguously and transparently, under independent supervision, and without sensitive data, you can process PNR data of all travellers, creating profiles and targeting persons matching patterns of suspicious behaviour”.

This is problematic for the effectiveness of the right to the protection of personal data and the right to respect for private life. Even though the AG agrees that the scrutiny of an international agreement such as the EU-Canada PNR Agreement should not be looser than that of an ordinary adequacy decision or that of an EU Directive, and considers that both Schrems and Digital Rights Ireland should apply in this case, he doesn’t apply in all instances the rigorous scrutiny the Court uses in those two landmark judgments. One significant way in which he is doing this is by enriching the ‘strict necessity test’ so that it comprises a “fair balance” criterion and an “equivalent effectiveness” threshold (See Section 5).

On another hand, AG Mengozzi is quite strict with the safeguards he sees as essential in order to make PNR agreements such as the one in this case compatible with fundamental rights in the EU.

Data protection authorities have warned time and again that PNR schemes are not strictly necessary to fight terrorism, serious and transnational crimes – they are too invasive and their effectiveness has not yet been proven. The European Data Protection Supervisor – the independent advisor of the EU institutions on all legislation concerning processing of personal data, has issued a long series of Opinions on PNR schemes – be it in the form of international agreements on data transfers, adequacy decisions or EU legislation, always questioning their necessity and proportionality[3]. In the latest Opinion from this series, on the EU PNR Directive, the EDPS clearly states that the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance” (§63) and in the lack of appropriate and unambiguous evidence that such a scheme is necessary, the PNR scheme is not compliant with Articles 7, 8 and 52 of the Charter, Article 16 TFEU and Article 8 ECHR (§64).

The Article 29 Working Party also has a long tradition in questioning the idea itself of a PNR system. A good reflection of this is Opinion 7/2010, where the WP states that “the usefulness of large-scale profiling on the basis of passenger data must be questioned thoroughly, based on both scientific elements and recent studies” (p. 4) and declares that it is not satisfied with the evidence for the necessity of such systems.

The European Parliament suspended the procedure to conclude the Agreement and decided to use one of its new powers granted by the Treaty of Lisbon and asked the CJEU to issue an Opinion on the compliance of the Agreement with EU primary law (TFEU and the Charter).

Having the CJEU finally look at PNR schemes is a matter of great interest for all EU travellers, and not only them. Especially at a time like this, when it feels like surveillance is served to the people by states all over the world – from liberal democracies to authoritarian states, as an acceptable social norm.

General remarks: first-timers and wide implications

The AG acknowledges in the introductory part of the Opinion that the questions this case brought before the Court are “unprecedented and delicate” (§5). In fact, the AG observes later on in the Opinion that the “methods” applied to PNR data, once transferred, in order to identify individuals on the basis of patterns of behavior of concern are not at all provided for in the agreement and “seem to be entirely at the discretion of the Canadian authorities” (§164). This is why the AG states that one of the greatest difficulties of this case is that it “entails ascertaining … not merely what the agreement envisaged makes provision for, but also, and above all, what it has failed to make provision for” (§164).

The AG also makes it clear in the beginning of the Opinion that the outcome of this case has implications on the other “PNR” international agreements the EU concluded with Australia and the US and on the EU PNR Directive (§4). A straightforward example of a possible impact on these other international agreements, beyond analyzing their content, is the finding that the legal basis on which they were adopted is incomplete (they must be also based on Article 16 TFEU) and wrong (Article 82(1)(d) TFEU on judicial cooperation is incompatible as legal basis with PNR agreements).

The implications are even wider than the AG acknowledged. For instance, a legal instrument that could be impacted is the EU-US Umbrella Agreement – another international agreement on transfers of personal data from the EU to the US in the law enforcement area, which has both similarities and differences compared to the PNR agreements. In addition, an immediately affected legal process will be the negotiations that the European Commission is currently undertaking with Mexico for a PNR Agreement.

Even if it is not an international agreement, the adequacy decision based on the EU-US Privacy Shield deal could be impacted as well, especially with regard to the findings on the independence of the supervisory authority in the third country where data are transferred (See Section 6 for more on this topic).

Finally, the AG also mentions that this case allows the Court to “break the ice” in two matters:

  • It will examine for the first time the scope of Article 16(2) TFEU (§6) and
  • rule for the first time on the compatibility of a draft international agreement with the fundamental rights enshrined in the Charter, and more particularly with those in Article 7 and Article 8 (§7).

Therefore, the complexity and novelty of this case are considerable. And they are also a good opportunity for the CJEU to create solid precedents in such delicate matters.

I structured this post around the main ideas I found notable to look at and summarize, after reading the 328-paragraphs long Opinion. In order to make it easier to read, I’ve split it into 6 Sections, which you can find following the links below.

  1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for international agreements on transfers of personal data
  2. A look at the surface: it is not an adequacy decision, but it establishes adequacy
  3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing
  4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1)
  5. The awkward two level necessity test that convinced the AG the PNR scheme is acceptable
  6. The list of reasons why the Agreement is incompatible with the Charter and the Treaty

……………………………………………………….

[1] Article 7 – the right to respect for private life, Article 8 – the right to the protection of personal data, Article 52(1) – limitations of the exercise of fundamental rights.

[2] With regard to the obligation to have independent supervision of processing of personal data.

[3] See the latest one, Opinion 5/2015 on the EU PNR Directive and see the Opinion on the EU-Canada draft agreement.

***

Find what you’re reading useful? Consider supporting pdpecho.

EDPS issues guidelines on how to ensure confidentiality of whistleblowers

The European Data Protection Supervisor issued today (18 July 2016) Guidelines addressed to the EU institutions and bodies on how to deal with whistleblowers in a way that is compliant with the data protection requirements in Regulation 45/2001.

The first thing you need to know is that the EU Staff Regulations contain an obligation for staff members and other persons working for the EU institutions and bodies to report in writing any reasonable suspicion of illegal activities to the hierarchy or to the European Anti-Fraud Office (“OLAF”) directly.

EU institutions are required to manage whistleblowing reports and ensure the protection of personal information of the whistleblowers, the alleged wrongdoers, the witnesses and the other persons appearing in the report.

According to the EDPS, “the most effective way to encourage staff to report concerns is to ensure them that their identity will be protected. Therefore, clearly defined channels for internal and external reporting and the protection of the information received should be in place. The identity of the whistleblower who reports serious wrongdoings or irregularities in good faith should be treated with the utmost confidentiality as they should be protected against any retaliation”.

Here is a list with the main recommendations from the Guidelines:

1. Implement defined channels for internal and external reporting and specific rules where the purpose is clearly specified.

2. Ensure confidentiality of the information received and protect the whistleblowers’ identity and all other persons involved.

3. Apply the principle of data minimisation: only process personal information, which are adequate, relevant and necessary, for the particular case.

4. Identify what personal information means in this context and which are the affected individuals to determine their right of information, access and rectification. Restrictions to these rights are allowed, as long as the EU institutions are able to provide documented reasons before taking such a decision.

5. Apply the two-step procedure to inform each category of individuals concerned about how their data will be processed.

6. Ensure when responding to right of access requests that personal information of other parties is not revealed.

7. Assess the appropriate competence of the recipient (internal or external) and then limit the transfer of personal information only when necessary for the legitimate performance of tasks covered by the competence of the recipient.

8. Define proportionate conservation periods for the personal information processed within the scope of the whistleblowing procedure depending on the outcome of each case .

9. Implement both organisational and technical security measures based on a risk assessment analysis of the whistleblowing procedure in order to guarantee a lawful and secure processing of personal information.

Peter Hustinx expressed “serious concerns” in a letter to EU officials regarding the appointment of the new EDPS

The mandate of Peter Hustinx as European Data Protection Supervisor will end on January 16. Mr. Hustinx will thus finish his second five year term as EDPS, leaving behind a strong legacy. The question is: who will further take care of this legacy?

In a letter sent to EU officials and published on January 7, Mr. Hustinx expresses “serious concerns about the procedure for the selection and appointment of a new European Data Protection Supervisor and Assistant Supervisor”, because “at this stage, it is highly unlikely that the appointment of a new Supervisor and Assistant Supervisor will take place either before or shortly after this date (January 16)”.

According to Article 42(1) of Regulation 45/2001, “The European Parliament and the Council shall appoint by common accord the European Data Protection Supervisor for a term of five years, on the basis of a list drawn up by the Commission following a public call for candidates“.

Article 42(2) of the Regulation states that “The European Data Protection Supervisor shall be chosen from persons whose independence is beyond doubt and who are acknowledged as having the experience and skills required to perform the duties of European Data Protection Supervisor, for example because they belong or have belonged to the supervisory authorities referred to in Article 28 of Directive 95/46/EC“.

According to Pcworld.com, although the call for candidates went out last year, Commission spokesman Antony Gravili said that “the selection panel concluded that none of the candidates had the qualities that are needed for the job.”

Mr. Hustinx considers that this fact “opens the perspective of a period of uncertainty as to when the new team of Supervisors will be appointed”. 

He continues with the view that “This uncertainty and the possibly long delays that may be involved, as well as their different consequences, are likely to harm the effectiveness and the authority of the EDPS over the coming months. The EU is presently in a critical period for the fundamental rights of privacy and data protection, and a strong mandate is required to provide the authority to ensure that these fundamental rights are fully taken into account at EU level. In this respect, I would recall that the operation of a fully effective independent control authority is an essential feature of that right, as set out in Article 8 of the Charter and Article 16 of the Treaty”.

In this context, Mr. Hustinx sent the letter to Mr. Maros Sefcovic, vice-president of the European Commission, Mr. Juan Fernando Aguilar, Chairman of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs and to Ambassador Theodors N. Sotiropoulos, Permanent Representative of Greece (as Greece recently took over the 6 months presidency of the European Council), asking them “to take all the steps necessary to ensure that a new Supervisor and Assistant Supervisor will be appointed as soon as possible”.

 

See also

IAPP’s Angelique Carson published an informative piece about Mr. Hustinx’s legacy in December on privacyassociation.org, which I invite you to read HERE.

 

The EDPS, “impressed” by the Albrecht report

The European Data Protection Supervisor released an opinion on the European Parliament’s report containing amendments for the data protection legislative package, made public last week (important note: the report has not yet been adopted by the PE).

In its Opinion, the EDPS points out that it is “impressed about the huge amount of the work” it contains.

We are grateful to them since we’re impressed by the huge efforts aimed to make  a proper balance of the various –sometimes conflicting- concerns of different stakeholders in the private and public sectors. Many of the EDPS (and Working Party 29) recommendations have been fully or partly considered.

according to Giovanni Buttarelli, Assistant European Data Protection Supervisor, who attended a meeting of the Committee on Civil Liberties, Justice and Home Affairs of the European Union.

He added that:

On the same Regulation, I could find within the amendments many improvements. Being extremely selective, I would only mention that we appreciated, among others, the efforts aimed to clarify: 

1) some provisions on the rights of the individuals and the transparency of the
processing;

2) the notion of lead authority, which should be seen not as an exclusive
competence, but as a structured way of cooperation with other competent
supervisory authorities;

3) the consistency mechanism and the selective conditions which will trigger the
mechanism, with a view to prevent that the mechanism will be overburdened;

4) the necessary flexibility and the more realistic deadlines necessary for the
adoption of the EDPB opinions;

5) the more selective powers of the Commission in the consistency mechanism,
which should be limited to triggering the seizure of the EDPB and the power to
submit valuable opinions without overruling decisions in individual cases;

6) the more selective approach on delegated and implementing acts;

7) the necessary margin of appreciation with regard to the application of
administrative sanctions, to better ensure that they will always be effective and
proportional to the infringement. We also find it important to point at remedial
sanctions, which can be very effective as well;

8) the way in which the purpose limitation principle is to be respected;
9) the reduction where appropriate of administrative burdens, by focusing on what is
crucial for a substantive and effective protection of fundamental rights.

 

You can find the entire document HERE.

VIDEO. EDPS Peter Hustinx on Data Protection Reform

European Data Protection Supervisor, Peter Hustinx, is spoke at a March 27 event organized by American Chamber of Commerce in France and sponsored by Hogan Lovells.

The main ideas of his speech:

  • Main reasons for the need of a new data protection regulation:

1. there is a need to update the current framework

2. the current framework have given rise to increasing diversity, complexity and we have ended up with 27 versions of same basic principles and that is simply too much

3. a new constitutional institutional framework, the Lisbon Treaty, that entered into force with a strong emphasis among fundamental rights, among them the right to data protection

  • The new regulation is stronger, more effective, more consistent and more comprehensive.
  • The exchange of data from private to public sectors is increasing, and will have some practical consequences [this is why the EDPS criticizes the new Directive destined for the judicial collection of data].
  • Ideas about the Regulation:

1. in spite of all the innovations, there is a lot of continuity; all the basic concepts will continue to exist.

2. innovation comes mainly in making it work in practice, by strengthening the role of the people.

3. data subject’s rights have been confirmed and extended; there is more emphasis in transparency.

4. the biggest emphasis is on the responsibility of big organizations

5. Legal security has been enhanced. There is an enormous amount of simplification.

6. The international dimensions of this regulation: The scope of the regulation has been clarified and extended. This provisions apply when from outside, a third country, services are delivered on the European market or when the behavior of Europeans is monitored. I think this is a realistic approach.

  • Overall, it is very welcomed proposal. The criticism I issued relates more to the directive.

 

The EDPS considers that the EU Data Protection reform is… weak

The European Data Protection Supervisor issued today its Opinion on the data protection reform package proposed by the European Commission on January 25.

You can read it HERE.

The EDPS “welcomes the proposed Regulation as it constitutes a huge step forward for data protection in Europe” and “is particularly pleased to see that the instrument of a regulation is proposed for the general rules on data protection”.

However The EDPS is “seriously disappointed with the proposed Directive for data protection in the law enforcement area. The EDPS regrets that the Commission has chosen to regulate this matter in a self-standing legal instrument which provides for an inadequate level of protection, which is greatly inferior to the proposed Regulation”. That is an interesting point of view.

The greatest weakness is considered to be the perpetuation of “the lack of comprehensiveness of the EU data protection rules”. The EDPS considers the reform package “leaves many EU data protection instruments unaffected such as the data protection rules for the EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters such as the Prüm Decision and the rules on Europol and Eurojust.

Furthermore, the proposed instruments taken together do not fully address factual situations which fall under both policy areas, such as the use of PNR or telecommunication data for law enforcement purposes”.

What Do Individuals Complain About in Relation to PDP Law Breaches?

That’s a good question. And I will address it related to EU privacy and data protection law. I had the opportunity to look into the European Data Protection Supervisor’s Report for 2010 (which was published this past June) and I was particularly curious what is to be found in the complaints filed to EDPS.

I should mention beforehand that my PhD thesis will look exactly into data protection law as contributing to the enhancement of civil law and civil liabilities (somehow trying to define a new kind of tort). I will therefore look into distancing myself from an administrative point of view upon data protection law. Nevertheless, the administrative complaints filed to EDPS can be a very fruitful lead towards the framework of newfound civil liabilities regarding data protection, as they give me an idea of what can possibly people complain about regarding the protection of their personal data.

I will reveal in this post some interesting information from the EDPS 2010 report. And in my next post I will detail some of the complaints for a further understanding of this issue.

How many complaints?

According to the abovementioned report, the number of complaints received in 2010 decreased, while the complexity of the complaints increased: “In 2010, EDPS received 94 complaints (a decrease of 15 percent compared to 2009). Of these 69 complaints were inadmissible, the majority relating to processing at national level as opposed to processing by an EU institution or body. The remaining 25 complaints required more in-depth inquiries (a decrease of 41 percent compared to 2009). In addition, 18 admissible complaints, submitted in previous years (16 in 2009 and two in 2008), were still in the inquiry or review phase during 2010”.

Nature of complaints

Of the 94 complaints received, 17 complaints (18%) were submitted by members of staff of EU institutions or bodies, including former staff members and candidates for employment. For the remaining 77 complaints, the complainant did not appear to have an employment relationship with the EU administration.

Types of violation alleged

The violations of data protection rules alleged by the complainants in 2010 mainly relate to:

A breach of data subjects’ rights, such as access to and rectification of data (36%) or objection and deletion (12%);

Unlawful use (16%), excessive collection of personal data (12%), violation of confidentiality (8%).

Other violations less frequently alleged relate to data security (4%), ID thefts (4%), leaks (4%), data quality and information to data subjects (4%).

Institutions concerned by complaints

Of the admissible complaints submitted in 2010, the majority (80%) were directed against the European Commission, including OLAF and EPSO. This is to be expected since the Commission conducts more processing of personal data than other EU institutions and bodies. The relatively high number of complaints related to OLAF and EPSO may be explained by the nature of the activities undertaken by those bodies.

Tomorrow, in my next post, I will detail some of the complaints, as they are quite interesting.