On June 16th we joined civil society organizations like Privacy International, the European Digital Rights association EDRi and various others for a half-day civil society summit organized by the European Data Protection Supervisor (EDPS). On the agenda were a brief overview of the “Big Issues in Privacy and Data Protection in 2016” by Joe MCNamee of EDRi followed by three one-hour sessions on “Implementation of the GDPR, consistency, flexibility, guidelines” introduced by Anna Fielder (Privacy International); “Reform of e-Privacy Directive: What’s at stake?” introduced by Prof. Ian Brown (Oxford Internet Institute); and “Necessity and proportionality and data protection” introduced by Ralf Bendrath (German Working Group on Data Retention and Digitale Gesellschaft).
On the issue of “implementation of the GDPR”, the main points raised by Anna Fielder were:
- Concerns about the clause on the use of sensitive data for research purposes, which was lobbied for by the medical research community, but risks being abused to support commercial research.
- The risk of dis-harmonization among the implementations of the GDPR by EU state due to more than 50 cases of ‘flexibility’ in the GDPR and the inclusion of Article 21 that allows countries to introduce legal exceptions based on a loosely defined “general public interest”.
- Collective redress, such as ‘class action’ law suits filed by civil society organizations on behalf of citizens, is only possible in countries where provisions for collective redress exist in national legislation, meaning that some people may end more equal than others and opening possibilities for forum shopping for companies.
In response Giovanni Buttarelli of the EDPS promised that the EDPS will closely follow the implementation of the GPR in the member states with special focus on checking that there is consistency across countries. There was a strong sentiment that the European Commission should play a role in closely monitoring that no short cuts are taken in the GDPR implementation in EU countries. Furthermore, the monitoring of consistent application of the GDPR throughout the EU will be one of the primary tasks of the European Data Protection Board (EDPB). The newly created EDPB replaces the previous Article 29 Working Party, which consisted of representatives from EU Member State supervisory authorities together with the Commission and the EDPS.
On the issue of “necessity and proportionality”, Ralf Bendrath introduced a toolkit that is being developed by the EDPS for “assessing the necessity of measures that interfere with fundamental rights”. The preliminary ‘for consultation’ version of this toolkit was sent to participants beforehand. The aim of the toolkit is to ‘facilitate responsible and informed policy-making’ by better equipping EU policy-makers and legislators for preparing and scrutinising measures that involve processing of personal data and which are likely to interfere with the rights to privacy and to data protection and with other rights and freedoms laid down in the Charter of Fundamental Rights of the EU.
In order to better establish the necessity of any proposed measure that would infringe on fundamental rights, the toolkit set out a check-list of six points that should be answered:
- Factual description of the measure proposed
- What is the purpose of the measure?
- Why is this specific measure needed?
- Describe the measure.
- Fundamental rights and freedoms affected
- Does the measure proposed involve in anyway the use of personal information?
- Which are the fundamental rights and freedoms affected?
- How are the fundamental rights and freedoms affected?
- Objectives: Legitimate aims, pressing social need
- What is the problem to be addressed?
- In the problem pressing, critical for the functioning of the society?
- What is the purpose of the measure?
- Relevant and objective justification
- Why is this measure being proposed?
- What is the objective evidence justifying the need for the measure?
- Is the evidence relevant and sufficient?
- Effectiveness: a look at existing measures + link between measure and the aim pursued
- Is the measure essential for satisfying the need to be addressed?
- Are there existing measures that could achieve the same purpose if they were effectively applied and enforced?
- Do the benefits of the measure outweigh the detrimental effects?
- Appropriate safeguards concerning the circumstances surrounding the measure
- What is the proposed measure?
- What practical obligations are created and for whom?
- Who will be affected by the measure?
- What kind of information is going to be used and how?
- Are there any differentiations or exceptions being made with regard to the individuals affected, the means used to process data and the information being used?
- Who has access to the information?
- For how long is the information going to be used?
The following are the video recordings that were made of the civil-society summit: