Greetings from Brussels!
This week the EDPS published a new necessity toolkit as part of their ongoing support of and commitment to facilitating responsible and informed policymaking, in the broadest sense. The EDPS states the toolkit is designed to assist policy- and law-makers in identifying the impact of new laws on the fundamental right to data protection and help determine the cases in which the limitation of this right is truly necessary and justified.
EDPS Giovanni Buttarelli has this to say: “The EU Charter of Fundamental Rights guarantees the right of every [European] individual to data protection. Using an evidence-based approach, policymakers must be able to demonstrate that any planned limitation of this right, and any other rights that might be affected by the processing of personal data, including the right to privacy, is ‘absolutely necessary,’ either to achieve an objective of general interest to all concerned or to protect the rights and freedoms of others. We believe the EDPS necessity toolkit will assist policymakers in doing this and therefore better ensure that the legislator remains accountable for its actions.”
It is a fair assumption that almost all EU policy proposals, now and in the future, will invoke or indirectly reflect some form of personal data processing provision. Couple this with the increasingly quick turnarounds placed on policymakers to align with and respond to modern-day challenges, ranging from public security to developments in international and digital trade, and the need for EU policy proposals to respect fundamental rights, as protected under the law, is ever greater. The toolkit works to focus the mind in this regard, taking a stress test-type approach to assessment with a practical step-by-step checklist. As for supporting references, the toolkit is based on decisions issued by the Court of Justice and the European Court of Human Rights, as well as on opinions published by both the EDPS and the WP29. It also incorporates feedback gathered on an EDPS background paper on the topic, published in June 2016 — in short, it's substantial.
In other news, this week, the WP29 has mostly thrown its support behind the recent European Commission proposal for tighter online privacy rules through the reform of the ePrivacy Directive. The WP29 adopted a generally positive opinion in the April plenary of last week, and praised the fact that it provided a legal instrument that complemented the GDPR, enforcing additional consistency.
In summary, the WP29 is in favor of plans to extend the rules originally destined for telecom providers to OTT — including Facebook, Google & Apple — service providers, particularly concerning the confidentiality of communications, and also supports the update to rules on online tracking. However, the member state regulators expressed concerns to the European Commission on four particular issues. They would like to see stronger rules on obtaining user consent for Wi-Fi device tracking, stricter controls on the processing of user metadata, a ban on the use of "cookie walls" that block access to a website if a cookie is not accepted, and greater support for privacy by design in devices, so users can always change their privacy settings, without relying on cookies or third-party software.
In other issues addressed at the meeting, the group said it has written to the U.S. intelligence chief for more information on how Yahoo may have collaborated in unauthorized surveillance of Europeans. This is part of an ongoing investigation of Yahoo. In addition, the regulators discussed progress in implementation of Privacy Shield with the U.S., and decided to start publishing on their websites forms for Europeans applying to the American ombudsman for access to their data handled by U.S. national security agencies.
It was a busy time last week for the WP29. In addition to their plenary, the second GDPR Fablab — organized by the WP29 — also took place in Brussels. The interactive workshop was an opportunity for DPAs and implicated stakeholders (civil society and European federations) to discuss and receive feedback on the WP29’s priorities of consent, profiling and data breach notifications. The outcomes of this session together with the results of national consultations initiated in some member states will help DPAs prepare guidelines on these topics by the end of the year. So, keep an eye out for those releases.