EDPS 2018 Annual Report highlights the power and limitation of data protection

No. 3, 25 March 2019 Issue

In February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first Annual Report. For those working on or interested in data protection, this 73-page (plus Annexes) report is well worth reading in full. It contains a comprehensive account of the EDPS office’s activities across the remit of its mandate and provides a useful guide as to where 2019 interests and priorities lie.

The EDPS office was impressively active in 2018; the report details a full programme of operations which post-May included extensive work around getting the EU up-to-speed following the regime changes brought in by GDPR.

GDPR seems to have had a generally positive impact on the work of the EDPS, particularly in empowering individual complaints and enabling the office to push more strongly for data protection accountability in the EU institutions. Oddly, however, the report opens with the less-than-optimistic statement that “2018 demonstrated the power and the limitations of data protection.” There’s a striking discord between the report’s substantive content, which details confidently the action taken to prepare, train and equip EU institutions and bodies to comply with the new data protection regime, and the despondency expressed in the foreword that this same regime is insufficient to adequately protect privacy.

The foreword’s attitude towards GDPR contrasts starkly with the privacy and data protection improvements the EDPS celebrates having made through its activities. It also sits oddly alongside a stated 2019 objective to develop a framework for the EU institutions to proactively implement data protection safeguards into EU policy. Buttarelli lauds the leading role the EU institutions take in their implementation of GDPR rules but in the same breath fatalistically comments that this system of data protection is inherently susceptible to both data breaches and political manipulation.

When launching the report, Buttarelli’s press release said; “Public awareness about the value of online privacy is at an all time high, while concern about the abuse of personal data by online service providers remains a topic of enquiry for governments around the world” (bold in original). Misuse of personal data for commercial and political purposes was the issue which dominated data protection discourse in 2018. The EDPS Opinion on online manipulation and personal data – one of 11 published during the year – concluded that regulators including competition authorities and election monitors urgently needed to collaborate to tackle localised and structural abuses. Perhaps Buttarelli’s rather negative commentary stems from this point – although the Opinion was drafted in March 2018, GDPR seems to have had little impact on resolving this “worsening” issue.

Despite his comments, it is clear that as Buttarelli concludes his mandate in 2019 he is full of energy to do more. One thing that stands out in the report is how particularly proud he is of his actions in driving digital ethics onto the global agenda: the report comments multiple times on this workstream and details prominently the content and impact of the October 2018 International Conference of Data Protection and Privacy Commissioners. With clear momentum building, this is a topic on which the EDPS will focus heavily during 2019.

GDPR also infuses the other issues on the EDPS’s 2019 agenda. The report mentions the forthcoming ePrivacy Regulation several times, and strongly urges its passing before the end of the current Parliamentary mandate. It indicates plans to conduct more investigation into data privacy issues around blockchain, press forward with an agenda of ‘digital privacy by design’ and reflect in a June 2019 report on the future of data protection within the EU and globally. These are all things to watch: given that the EDPS office sits at the heart of and directs the EU institutions’ data protection decisions, its actions and statements will have a major influence on how GDPR will continue to develop and apply.



Who is the EDPS?

The EDPS is the EU’s independent data protection authority, tasked with ensuring that the EU institutions and bodies respect and comply with their data protection obligations, both in processing personal data and by integrating data protection into all new legislation, policy and international agreements.

What does the EDPS do?

The EDPS supervises and enforces EU-level compliance with data protection. Its activities include giving substantive advice to the EU institutions and bodies in relation to risky personal data processing operations, handling complaints, monitoring compliance through visits and inspections, issuing formal Opinions, Comments and Guidance, providing training and running events and communications.

Under GDPR, the EDPS also acts as secretariat to the European Data Protection Board (EDPB), which works to ensure the consistent application of the GDPR across the EU.

The EDPS takes an active role in monitoring technological developments and their impact on data protection and privacy. It promotes privacy engineering and cooperates with national data protection authorities to develop common options for data protection by design. In 2018, it issued a formal Opinion on Privacy by Design.


By Amy Shepherd, Legal & Policy Officer, Open Rights Group