The EDPS Strategy 2015-2019, “Leading by example” – adopted at the beginning of the current EDPS mandate in 2015 – sets out how we seek to promote a new culture of data protection in the European institutions and bodies. Our vision is to help the EU lead the global dialogue on data protection and privacy in the digital age, identifying cross-disciplinary policy solutions and realising the need for a consensus on the ethics of developing and deploying digital technologies.
In accordance with Art. 13 of its Rules of Procedure, the EDPS establishes each year an Annual Management Plan (AMP), translating our strategy into specific objectives and actions.
The 2019 Annual Management Plan is the most important of the current EDPS term.
The entry into force of a revised general data protection regulation for the EU institutions, Regulation 2018/1725, presents us with the challenge and opportunity to consolidate our work to date and to be transparent about where we need to change.
The new Regulation aligns with the General Data Protection Regulation (GDPR, Regulation 2016/679), bringing the EU administration and the EDPS as supervisor closer than ever the EU’s Member States and national supervisory authorities.
Our plan for 2019 is a recognition of the need for a new culture of data protection, de-bureaucratising wherever possible, arguing against useless procedures but reinforcing meaningful safeguards for the individuals affected by personal data processing. This new approach to supervision and enforcement will be scalable, calibrated according to the risks assessed to be associated with personal data processing. It means equipping Data Protection Officers (DPOs), management and EU staff members with the knowledge and tools to go beyond simple compliance so that data protection is fully embedded in the administrative and managerial culture of the EU institutions and bodies. Our own DPO team will intensify its engagement with the DPOs of other EU institutions, and it will work within the EDPS to finalise our programme of work begun in 2017 to ensure accountability under the new legal framework.
Regulation 2018/1725 has confirmed the role of the EDPS as main advisor of the EU institutions. In 2019, we will work with the European Commission and the European Data Protection Board (EDPB) to ensure that appropriate procedures are put in place to support these new provisions, and we will review and update our internal rules and other relevant guidance documents. We will maintain an active role, if necessary by adopting opinions ex-officio, and remain available to provide formal or informal advice at the request of the European Commission, the European Parliament and the Council at any point in the decision-making process.
2019 also includes milestones on the third track of the long-term project of data protection reform, initiated by the Commission in 2012 with the GDPR and continued with the reform of data protection within the EU institutions: the supervision of the broad ‘ecosystem’ of judicial and police cooperation. This is not limited to transitional arrangements for reforms like the creation of the European Public Prosecutors Office, or the Europol and Eurojust Regulations, but signifies a ‘new deal’ for coordinated supervision between independent authorities and alongside the structures of the EDPB. We will consider how to optimise governance and set out a vision for the future of coordinated supervision by the EDPS and national supervisory authorities of large-scale information systems and of Union bodies, offices and agencies. Our analysis will assist the Commission in implementing this indispensable third track.
However, an important piece of the data protection reform package is still missing: an e-Privacy regulation to complement and reinforce the GDPR and to make operational the Right to Privacy for the digital age. We will continue to follow-up developments and remain ready to intervene where needed.
The EDPS has demonstrated leadership on ethics, bringing this debate to the data protection community and far beyond, and we will continue to promote these discussions, interacting with experts, publishing a new opinions on Digital Ethics, and fostering the dialogue at international level within the ICDPPC in 2019.
We will continue to work to make the different regulatory bodies responsible for digital markets more effective in the EU and around the world, to safeguard the rights and interests of individuals in the digital society, for example through the Digital Clearinghouse initiative.
As the public debate on the use and exploitation of data for political campaign and decision and on the risks to fundamental rights created by few big players acting as effective gatekeepers of online information grows, it becomes clear that data protection is essential not only for individual freedom but for democracy itself. 2019 will be a critical year in this respect, with important elections at European and national level. We will continue our work in this area, following up on our Opinion on online manipulation (3/2018), and take initiatives to allow the different actors involved to identify roles, responsibilities and vulnerabilities and to establish new networks for cooperation.
Along the way we will monitor technology more closely than ever, with particular efforts to identify and promote privacy friendly technology. With the obligation in the EU’s data protection regulatory framework to observe the principles of data protection by design and by default, the field of privacy engineering becomes increasingly important. The Internet Privacy Engineering Network (IPEN) will continue to play an important role in translating data protection principles into engineering requirements, as a network of technology and privacy experts from data protection authorities (DPAs), industry, academia and civil society.
As we enter the last year of the current EDPS mandate, we will work on consolidating the institution and ensuring it is well equipped for its future challenges, with adequate resources, infrastructure, and up-to-date internal rules and procedures.
By the end of 2019, the EDPS should expect to be an institution that is bigger, more mature, and more present in the most important policy discussions than ever before.
Source: European Data Protection Supervisor, https://edps.europa.eu/