On January 7, 2016, the European Data Protection Supervisor ("EDPS") published its priorities for 2016. The EDPS is an independent supervisory authority at EU level whose primary objective is to ensure that European institutions and bodies respect people's right to privacy. Its activities comprise the supervision of data protection compliance, the consultation on policies and legislation that affect privacy and the cooperation with similar authorities to ensure consistent data protection.
Shortly thereafter, on February 2, 2016, the Article 29 Working Party ("Working Party") adopted and published its Work Programme for 2016 – 2018. The Working Party was set up under Article 29 of the Directive 95/46/EC ("Directive") and represents Data Protection Authorities ("DPAs") across all EU Member States. Its tasks are to: examine the application of the national measures adopted under the Directive; give the European Commission ("Commission") an opinion on the level of protection in the EU and in third countries; advise the Commission on any proposed amendment of the Directive, any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and any other proposed Community measures affecting such rights and freedoms; and give an opinion on codes of conduct drawn up at Community level.
EDPS Priorities 2016
The EDPS priorities list those proposals of the Commission which are most likely to have an impact on the fundamental rights to privacy and the protection of personal data. To be able to respond to upcoming developments, the EDPS will adjust its priorities throughout the year. In accordance with the priorities identified in the EDPS Strategy 2015-2019, the EDPS focuses on the following areas of strategic importance:
Completing the new legal framework for data protection
The negotiations on the data protection reform package, containing the General Data Protection Regulation ("GDPR") and the Directive for Data Protection in the Police and Justice Sectors ("Police and Justice Directive") (together, "Reform Package"), are now drawing to a close. In this regard, the EDPS will fulfil its responsibility by:
- supporting the European institutions towards completing a coherent legal framework for data protection in Europe by pursuing its supervisory approach (as detailed in its Opinions 3/2015 and 6/2015);
- advising the Commission in the revision of Regulation (EC) No. 45/2001 to ensure that the principles contained in the GDPR are also applicable to European institutions, bodies, offices and agencies;
- contributing to the review of the ePrivacy Directive 2002/58/EC ("ePrivacy Directive"); and
- ensuring that the legal framework for data protection is completed with full respect for its core values.
Ensuring adequate protection in international data transfers
The EU-U.S. transatlantic dialogue, and especially the necessity of creating a legal framework which will ensure cross-border flows of data in the "Post Safe Harbor" context, will be one of the main focuses of the EDPS. In this regard, the EDPS will provide comments on any Commission implementing decision for a new arrangement for transatlantic data transfers (i.e., the envisaged "EU-U.S. Privacy Shield") as well as on proposals of the Commission following the judgment of the Court in Case C-362/14 to replace the limitation of powers of the DPAs in all existing adequacy decisions.
Further, the EDPS is watching closely the negotiations about an international agreement between the EU and the U.S. on the protection of personal data when transferred and processed for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters ("Umbrella Agreement"). The EDPS will advise the EU legislator before signing the agreement by highlighting essential data protection requirements and may also publish an opinion on it.
The EDPS will closely monitor the negotiation process for possible passenger name record (PNR) agreements with third countries (such as Mexico and Russia). Regarding the EU PNR scheme, the EDPS has recently criticized the unjustified and massive collection of passenger data.
Protecting EU borders and enhancing security
In addition to the measures already announced in the Commission Work Program 2016, the EDPS takes note of the conclusions of the meeting within the Council on Counter-Terrorism, requesting the adoption of several proposals with an anti-terrorism component. Understandably influenced by the recent terrorist attacks, the focus is on strengthening controls of external borders, in particular through:
- upgrade of the Schengen Member States border control system;
- systematic registration and systematic security checks of third country nationals illegally entering the Schengen area;
- targeted revision of the Schengen Borders Code regarding systematic controls of EU nationals; and
- update of the Frontex Regulation (Regulation (EC) 2007/2004).
The EDPS emphasizes that all measures in this field must ensure compliance with fundamental rights to privacy and the protection of personal data and that all limitations to fundamental rights must respect the strict test of proportionality (Article 52 of the Charter). For this purpose, the EDPS will assist EU co-legislators in elaborating balanced and efficient legislative and policy proposals.
Initiatives listed in the Commission's Work Program for 2016
Finally, the EDPS will provide advice on several initiatives listed in the Commission's Work Program 2016 which have been identified as warranting particular attention of the EDPS:
- the implementation of the Digital Single Market ("DSM") Strategy, and in particular proposals related to cross-border portability of online content services, proposal to establish free flow of data within the DSM, and modernization of the EU copyright framework;
- a follow-up to the DSM Strategy;
- embedding data protection in international agreements (such as TTIP or TISA); and
- commenting on measures to be expected as part of the Border Management Package.
Article 29 Working Party Work Programme 2016 – 2018
Much like the EDPS, the Working Party focusses on the GDPR and the Police and Justice Directive, and acknowledges that the next two years will be a transitional period from the current Directive to this Reform Package, with the Working Party itself having to use this period to become and act as the European Data Protection Board ("EDPB"). In addition, the Working Party states that it will both continue to analyse and provide its opinion on relevant subject matters under the current Directive and work on increasing its interaction with international data protection authorities and other organisations and stakeholders, both within the EU and outside.
The activities of all subgroups of the Working Party will take into account this transitional period and, given the large amount of work needed, the Working Party emphasizes the requirement for an important involvement of all subgroups and an efficient coordination between them. Several subgroups will consider whether previous Working Party opinions need to be updated in light of the Reform Package.
Specific activities of the respective subgroups will be as follows:
- Future of Privacy: This subgroup will be primarily in charge of piloting, managing and monitoring an action plan for the Reform Package.
- Key Provisions: This subgroup will consider the interpretation of key concepts of the Reform Package.
- Technology: This subgroup will continue its work on: the Do Not Track standard, data portability, Wi-Fi location analytics and Bluetooth beacons, minimum technical specifications, e-voting, electronic monitoring of employees, consent by way of smart devices, the e-Privacy Directive, DSM Strategy for Europe, smart meters and smart grids, data protection impact assessments and data breach impact assessment. It will also deal with the new topics under the GDPR (e.g., certification).
- International Transfers: This subgroup will: analyse the consequence of the judgment of the Court ruling in Case C-362/14 on transfers' tools (e.g., Standard Contractual Clauses, BCR, ad-hoc clauses, other adequacy decisions) and on derogations for transfers; analyse and deliver an opinion on the EU-U.S. Privacy Shield. In addition, the subgroup will examine the impact of the GDPR on existing transfers' tools and the current cooperation procedure; and continue its work on the possible "interoperability" with Convention 108, the OECD Guidelines and on the BCR-CBPR project with APEC Borders.
- Travel and Law Enforcement: This subgroup will continue its work on: the Police and Justice Directive, PNR, Terrorist Finance Tracking Program, data retention, Transatlantic Cable Interception (together with the international transfers subgroup), the Cybercrime Convention, the proposals following the Commission's European Agenda on Security and the consequences of the judgment of the Court ruling in Case C-362/14, including the analysis of relevant EU and US surveillance law. It will also analyse the following legislative proposals: the revised Smart Borders package, the Umbrella Agreement, the proposal for a European Police Record Index System, the new counter-terrorism proposals and the European agenda on migration and the Electronic Criminal Record Information System ("ECRIS") for third country nationals and stateless people ("TCN").
- E-government: This subgroup will continue its work on: the implementing acts for the Regulation on electronic identification and trust services for electronic transactions in the internal market ("EIDAS"), apps used in the public sector, the cloud services for e-Government services, the Research and Education Network Code of Conduct, the online publication of personal data of government officials, the E-Voting and the DSM Strategy for Europe. This subgroup will work on the topic linked to the E-health network.
- Financial matters: This subgroup will: continue its work on: automatic exchange of data for tax purposes, OECD Common Reporting Standards, FATCA, the implications on data protection of International Organisation of Securities Commissions and Multilateral Memorandum of Understanding concerning consultation and cooperation and the exchange of Information, and the implications on data protection of Directive 2014/65/EU (so-called "MIFID 2") and Regulation (EU) 600/2014 (so-called "MAR"); and analyse: Account aggregators, the vast use by banks of data related to their clients for commercial profiling and the draft Regulation of the European Central Bank concerning the collection of granular credit and credit risk.
- Cooperation: This subgroup will: organise workshops on practical issues and tools of common interest, continue its work on the improvement of the Working Party website, on the follow up of the preparations of the International Conference and of the Spring Conference (focus on the question of enforcement cooperation). It will elaborate a data protection vocabulary, examine the list of activities of the DPAs; be involved in the analysis of the consequences of the judgment of the Court ruling in Case C-362/14, including on coordinated actions to handle complaints and to organize enforcement operations if needed; and work on common tools and standard forms to implement the GDPR in a consistent manner (e.g., templates for designating a lead DPA and complaints forms).
Against this background, the EDPS and the Article 29 Working Party are expected to have significant influence on European data protection developments over the next few years. It will in particular be interesting to follow each organisation's respective position on the consequences of the judgment of the Court ruling in Case C-362/14, the EU-U.S. Privacy Shield, the GDPR and their impact on international data transfers' tools.