Looking at recent history, April could be labeled “Data Retention Month” in the unofficial EU privacy calendar. Let’s rewind: April 2014, the Court of Justice of the European Union invalidated the EU Data Retention Directive primarily because of a lack of proportionality; April 2021, France's highest administrative court, the Council of State, ruled national security concerns justify the retention of data for law enforcement investigations; April 2022, a legal opinion — commissioned by Patrick Breyer, a Member of the European Parliament, and funded by the Greens/EFA political group to which he belongs and authored by former CJEU Judge Vilenas Vadapalas — argued the current French data retention legal regime is noncompliant with the CJEU decision. This is a reminder that Brussels has yet to find an EU-level landing zone on data retention that would meet the CJEU requirements regarding fundamental rights as well as provide legal grounds for Member States’ missions of public security and fight against terrorism.

Elsewhere:

EDPS: Supervisor Wojciech Wiewiorowski presented the European Data Protection Supervisor’s 2021 annual report at the European Parliament Committee on Civil Liberties, Justice and Home Affairs. The increase of activity was clear throughout Wiewiorowski’s remarks as he laid out the various achievements of the EU institutions’ internal data protection authority. The EDPS took an active role in informing the EU policy agenda, issuing 88 opinions on flagship proposals such as the Digital Service Act, Digital Markets Act and the AI Act. Going forward, his focus will be on enforcing a high level of compliance to data protection rules by EU institutions, highlighting the steep increase of corrective measures taken in the past year. Wiewiorowski mentioned EDPS’ TechSonar initiative which aims to bridge the gap between emerging technology and legal implications (read the last report for foreseen trends).

The EDPS will host a conference on “The Future of Data Protection: Effective Enforcement in the Digital World,” on 16-17 June in Brussels. Registration is open.

Europol. The European Commission is launching an assessment of Europol’s older cooperation agreements to determine to which extent existing data protection safeguards are included in these agreements. The EC is looking for stakeholders’ input here. By 1 May 2017, Europol had concluded agreements with 18 third countries and international organizations such as Interpol. The EU’s law enforcement agency was recently in the crosshairs of the EDPS for its data retention practices which, after investigation, were deemed inconsistent with its obligations under EU law. This new evaluation exercise will inform whether it is necessary to revise and align the existing agreements with current EU data protection law, in particular, to match the requirement of essential equivalence. If that is the case, there is an entire process that involves a Council decision authorizing the opening of negotiations for international agreements, so this would not happen overnight.

And if you feel like hanging out with privacy pros in The Hague, you are in luck! Registration for our next IAPP Data Protection Intensive: Nederland 2022 is open. Events dates: 8-9 June. More info here.

Photo by Yannis Papanastasopoulos on Unsplash