THE EDPS STRATEGY 2015-2019: LEADING BY EXAMPLE
European Data Protection Supervisor

ABOUT THIS DOCUMENT

This is a crucial moment for data protection, a period of unprecedented change and political importance, not only in the EU but globally. In this context, the new European Data Protection Supervisor (EDPS) has finalised a strategy for the next five years to turn his vision into reality and to identify innovative solutions quickly.

This 2015-2019 Plan summarises:
- the major data protection and privacy challenges over the coming years;
- three strategic objectives and 10 accompanying actions for meeting those challenges;
- how to deliver the strategy, through effective resource management, clear communication and evaluation of our performance.

Our aims and ambitions build on our strengths, successes and the lessons learned from implementing our Strategy 2013-2014: Towards Excellence in Data Protection.

ABOUT US

The European Data Protection Supervisor (EDPS) is a relatively new but increasingly influential independent supervisory authority, with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

The Supervisor, Giovanni Buttarelli, and Assistant Supervisor, Wojciech Wiewiórowski, were appointed in December 2014 by the European Parliament and the Council of the EU.

Together with the basic requirement of independence, the EDPS remit [1] includes:
- developing and communicating an overall vision, thinking in global terms and proposing concrete recommendations and practical solutions;
- providing policy guidance so as to meet new and unforeseen challenges in the area of data protection;
- operating at the highest levels and developing and maintaining effective relationships with a diverse community of stakeholders in other EU institutions, Member States, non-EU countries and other national or international organisations.

The Supervisors are supported by the Office of the EDPS, a dynamic team of skilled and experienced lawyers, IT specialists and administrators which aims to serve as an impartial centre of excellence for enforcing and reinforcing EU data protection and privacy standards, both in practice and in law.

[1] Vacancy notice for the European Data Protection Supervisor COM/2014/10354 (2014/C 163 A/02), OJ C 163 A/6, 28.5.2014.

VISION, OBJECTIVES AND ACTION 2015-2019

The EDPS’ vision is to help the EU lead by example in the global dialogue on data protection and privacy in the digital age. Our three strategic objectives and 10 actions are:

1. Data protection goes digital
(1) Promoting technologies to enhance privacy and data protection;
(2) Identifying cross-disciplinary policy solutions;
(3) Increasing transparency, user control and accountability in big data processing.

2. Forging global partnerships
(4) Developing an ethical dimension to data protection;
(5) Mainstreaming data protection into international policies;
(6) Speaking with a single EU voice in the international arena.

3. Opening a new chapter for EU data protection
(7) Adopting and implementing up-to-date data protection rules;
(8) Increasing accountability of EU bodies collecting, using and storing personal information;
(9) Facilitating responsible and informed policymaking;
(10) Promoting a mature conversation on security and privacy.

THE EDPS’ CORE VALUES
- Impartiality – working within the legislative and policy framework given to us, being independent and objective, finding the right balance between the interests at stake.
- Integrity – upholding the highest standards of behaviour and doing what is right even if it is unpopular.
- Transparency – explaining what we are doing and why, in clear language that is accessible to all.
- Pragmatism – understanding our stakeholders’ needs and seeking solutions that work in practice.

The EDPS Strategy - Leading by example

CONTENTS

FOREWORD
DATA PROTECTION IN THE DIGITAL ERA
  The international dimension
BIG DATA BIG ACCOUNTABILITY
FORGING GLOBAL PARTNERSHIPS
A NEW CHAPTER FOR EU DATA PROTECTION
  Accountability of EU bodies
  Time for an entirely new conversation on security and privacy
OUR COMMITMENT
THE ACTION PLAN
  1 Data protection goes digital
    Action 1: Promoting technologies to enhance privacy and data protection
    Action 2: Identifying cross-disciplinary policy solutions
    Action 3: Increasing transparency, user control and accountability in big data processing
  2 Forging global partnerships
    Action 4: Developing an ethical dimension to data protection
    Action 5: Mainstreaming data protection into international agreements
    Action 6: Speaking with a single EU voice in the international arena
  3 Opening a new chapter for EU data protection
    Action 7: Adopting and implementing up-to-date data protection rules
    Action 8: Increasing the accountability of EU bodies processing personal information
    Action 9: Facilitating responsible and informed policymaking
    Action 10: Promoting a mature conversation on security and privacy
DELIVERING THE STRATEGY
  Effective resource management
  Clear communication
  Measuring our performance

[Photo] Giovanni Buttarelli, Supervisor (centre) and Wojciech Wiewiórowski, Assistant Supervisor (right), with Christopher Docksey, Director (left), acting together as the EDPS Management Board.

FOREWORD

This is truly an historic moment for data protection.

Over the last 25 years, technology has transformed our lives in positive ways nobody could have imagined. Big data, the internet of things, cloud computing, these have so much to offer to improve our lives. It is likely that big data will become even bigger, as better quality personal information becomes a requirement for effective analysis, in order to deliver results of increased value. But these benefits should not be at the expense of the fundamental rights of individuals and their dignity in the digital society of the future.

So big data will need equally big data protection.

Europe needs to be at the forefront of shaping a global standard for privacy and data protection, a standard centred on the rights and the dignity of the individual. The EU has a window of opportunity to adopt the future-oriented standards that we need, standards that inspire others at global level.

We can do this by leading by example, as a beacon of respect for digital rights. The EU is at its best when citizens and our international partners can see that our actions are consistent with what we profess to be our values. Europe has to lead the conversation on the legal and ethical consequences of these new technologies.

This means adopting the data protection reform this year. A modern, future-oriented set of rules is key to solving Europe’s digital challenge. We need EU rules which are innovative and robust enough to cope with the growing challenges of new technologies and trans-border data flows. Data protection must go digital.

In the front line are the EU institutions and bodies who should lead the way in demonstrating accountability in practice. The EDPS will continue to be an active partner, providing the EU institutions with practical and dynamic solutions, so that this enhanced compliance will set an example to others.

Data protection will remain a relevant factor in most EU policy areas, and is the key to legitimising policies and increasing trust and confidence in them. We will help the EU institutions and bodies to be fully accountable as legislators, to build data protection into the fabric of their legislative proposals.

Of course, these are global concerns, not merely European issues. Data protection laws are national, but the data are not. And this means that Europe has to lead by example in building new global partnerships to develop common ground on basic principles. We need to invest in better dialogue with fellow regulators, industry and civil society to explore how to make international cooperation, particularly transatlantic agreements, fairer and more balanced in practice.

To achieve this, it is important to develop a single European voice on these strategic data protection issues. So we will work hard to support cooperation with fellow independent data protection authorities on these issues.

This new Strategy sets out what Wojciech Wiewiórowski and I plan to achieve, together with Christopher Docksey and our talented and dynamic colleagues in the Office of the EDPS. We hope to see the EDPS develop as a centre of interest for data protection, a forum for debate, and a place where all are welcome to work together on protecting our fundamental rights.

Giovanni Buttarelli

DATA PROTECTION IN THE DIGITAL ERA

Digital technology is an extraordinary catalyst for all forms of social expression and social change. From amusing videos and games to revolutions powered by social media, technology can enable the powerless to challenge the powerful. There is no doubt that technology brings many benefits, both individual and social.

As data protection regulators, we need to approach this with an open mind and identify the opportunities it will create for our societies in terms of prosperity, well-being and other significant benefits, particularly for important public interests.

On the other hand, the widespread collection and use of massive amounts of personal data which occurs today, made possible through cloud computing, big data analytics and electronic mass surveillance techniques, is unprecedented.

As a result, data protection is playing an increasingly central role in modern regulatory approaches for the world we live in. But while technical innovation races ahead, institutional reaction is slow.

In particular, this digital environment is determining:
- how people communicate, consume and contribute to social and political life in the post big data world;
- how businesses organise themselves to make profits;
- how governments interpret their duty to pursue public interests and protect individuals;
- and how engineers design and develop new technologies.

The way that we respond now to rapid change and challenges, including threats to security, will have consequences for us and future generations that inherit the digital world. This is an historic opportunity to open a new chapter for data protection in the digital era.

To benefit from new technologies and preserve the rights of the individual, the new EDPS aims to be an epicentre for creative ideas and innovative solutions, customising existing data protection principles to fit the global digital arena.

This innovative thinking relates to both the EU Digital Agenda and data protection principles. We do not need to reinvent these principles, but we do need to ‘go digital’. We need to make existing principles more effective in practice in our technology-driven society and integrate them with some new principles specifically derived from the digital age and the big data driven economy.

THE INTERNATIONAL DIMENSION

Data protection laws are national, but personal information is not. As a result, the international dimension of data protection has, for years, been the subject of much debate. We have discussed intensively how we can better engage and achieve greater convergence on a global scale. These discussions have intensified over the last two years, since the first disclosures of mass surveillance. There has been a lot of good substance in these talks, but little practical action.

Data protection has to be taken into account across the broadest sweep of EU policies. It is a top policy priority. In cooperation with non-EU countries, Europe needs to be at the forefront in shaping a global, digital standard for privacy and data protection.

This standard should be centred on individuals, their rights and freedoms, and their personal identity and security.

In such a global scenario, a clear and modern, future-oriented set of rules is also the key to solving Europe’s digital challenge.

The EDPS aims to help the EU to lead by example as a beacon of respect for fundamental rights.

We can turn the risks into an opportunity, to make the EU principles and best practices robust enough to effectively address the challenges of the big data world we will increasingly inhabit.

BIG DATA BIG ACCOUNTABILITY

The popularity of the internet can largely be attributed to the way it has tapped into our social nature. Whether or not new products and technologies appeal to us, together with our desire to stay safe and not appear foolish, determines whether they will have mass appeal.

But the widespread collection of massive amounts of personal information is taking control of personal information away from individuals and limiting their ability to engage freely in the digital world.

Big data challenges regulators and independent authorities to ensure that our principles on profiling, identifiability, data quality, purpose limitation, and data minimisation and retention periods are effectively applied in practice.

Big data that deals with large volumes of personal information implies greater accountability towards the individuals whose data are being processed. People want to understand how algorithms can create correlations and assumptions about them, and how their combined personal information can turn into intrusive predictions about their behaviour.

This means giving clear information to them about:
- who is responsible for collecting and using the information;
- the purpose for doing so;
- what information is processed, whether it is knowingly volunteered by the individual, or whether it is observed and inferred without the individual’s knowledge;
- how information is processed, including the logic used by algorithms to determine assumptions and predictions about individuals;
- how long the information will be stored and with whom it will be shared.

Digital technologies need to be developed according to data protection principles, giving more say to individuals on how and why their information can be used, with more informed choice where relevant. Data analytics are increasingly powerful but they remain prone to mistakes in the assumptions and biases they can make about individuals. Individuals must be able to challenge such biases, and they must be properly informed on how and why their information can be used. This means we must put an end to opaque privacy policies, which encourage people to tick a box and sign away their rights.

The future is inspiring and filled with untapped potential. Powerful online companies are serving up great opportunities, seemingly for free, for use in our day-to-day lives. But there is a cost. Digital technology is increasingly determining the way we live, placing sophisticated, pervasive, predictive and real-time software in the hands of a few powerful companies.

Our values and our fundamental rights are not for sale. The new technologies should not dictate our values, and we should be able to benefit both from new technologies and our fundamental rights.

Such concerns are not new: the first computers were greeted with a similar degree of apprehension. But with the perceived ubiquity of data, the global phenomena of cloud computing, big data analytics, the internet of things and techniques for electronic mass surveillance, these concerns have become more urgent than ever.

One solution is to assess the ethical dimension beyond the application of the data protection rules. Organisations, companies and public authorities that handle personal information are responsible for how that information is collected, exchanged and stored, irrespective of whether these decisions are taken by humans or algorithms. An ethical approach to data processing recognises that feasible, useful or profitable does not equal sustainable. It stresses accountability over mechanical compliance with the letter of the law.

We want to encourage a better informed conversation on what big data and the internet of things will mean for our digital rights. These are not only European issues but global concerns.

FORGING GLOBAL PARTNERSHIPS

Accountability in handling personal information is a global challenge.

An ethical dimension to data protection involves reaching out beyond the community of EU officials, lawyers and IT specialists towards thinkers who are equipped to judge the medium to long-term implications of technological change and regulatory responses.

We will work closely with our national colleagues to reinforce cooperation and encourage the EU to speak with one voice in the global fora on privacy and data protection matters.

As a data protection authority, we are able to draw on our experience of advising EU bodies on international transfers, on the design and operation of e-government services and on the supervision of large-scale IT systems.

We will invest in dialogue with IT experts, with industry and civil society to explore how to improve international cooperation, including arrangements for existing and future data flows, in the interests of the individual.

We will also invest in global partnerships with fellow experts, non-EU countries, authorities and international organisations to work towards building a social consensus on principles that can inform binding laws and the design of business operations and technologies and the scope for interoperability of different data protection systems.

A NEW CHAPTER FOR EU DATA PROTECTION

The EU currently occupies a privileged position as the point of reference for much of the world on privacy and data protection. But for the EU to continue being a credible leader in the digital age, it must act on its own fundamental principles of privacy and data protection, and it must act quickly.

After many years of talk, the reform of the EU data protection rules is more urgent than ever. Society and technology will not wait for Europe to catch up with developments. The longer it takes to adopt a new set of rules, the greater the risk that they will be obsolete on implementation.

The reform should not slow down innovation, but equally it should ensure that our fundamental rights are safeguarded in a modern manner and made effective in practice, to rebuild the trust in the digital society that has been eroded not least by covert and disproportionate surveillance.

It is vital to make data protection easier, clearer and less bureaucratic, so that it will underpin the digital world now and into the future.

Though the current EU rules on handling personal information have served Europeans relatively well, the fragmented national approach to data protection is not sustainable. When EU Data Protection Directives were agreed in the 1990s, the internet was in its infancy and we had little idea of the impact it would have on society and the economy. A similar paradigm shift is about to take place now. Technologies will continue to develop in a manner that is unpredictable even for their designers.

Individuals, public authorities, companies and researchers now need a rulebook which is unambiguous, comprehensive and robust enough to last two decades and that can be enforced as required by the European and national courts as well as by truly independent data protection authorities.
It needs to uphold the rights of the online generation growing up today.

The EDPS will be a more proactive partner in the discussions between the European Commission, Parliament and Council on the data protection reform, in particular in the final trilogue. We will look for practical and workable solutions that avoid red tape and are flexible enough to accommodate technological innovation and cross-border data flows.

We will help legislators find pragmatic solutions to strengthen the roles of individuals and supervisory authorities, and the accountability of controllers, while simplifying existing formal requirements where necessary. Data protection needs to be more dynamic and less bureaucratic.

Judging by current trends, we may expect a century’s worth of technological changes to occur between now and 2030, the likely duration of the reform. If the devil is in the detail, it is in some unnecessarily rigid details of certain provisions of the Reform. There is a risk that some of these provisions will become ineffective or obsolete before the full package is reviewed again. These provisions can be better tailored without lowering the level of the relevant safeguards, providing flexibility without ambiguity. The scalability of a certain number of obligations is also an issue.

In a modernised regulatory framework for the digital economy of the future, big data protection can be a driver for sustainable growth.
A solid EU Digital Agenda can build on a solid foundation of modern data protection.

The EU should lead the way in applying principles to the new and emerging realities of how people communicate and do business.

Europe has 12% of the world’s population, yet represents over 26% of the world’s internet users. At the same time, only a fraction of the leading technology companies are European and the market for privacy-enhancing technologies is dwarfed by the market for data analytics.

The way Europe responds to the challenges it faces will serve as an example for other countries and regions around the world grappling with the same issues.

ACCOUNTABILITY OF EU BODIES

EU bodies, including the EDPS, must be fully accountable for how they process personal information, because to demonstrate exemplary leadership we must be beyond reproach.

Our aim is to leverage our expertise as a dynamic supervisory authority in advising the EU institutions on the reform of current rules to meet these global challenges. We want to raise the awareness of the relevance of data protection rules and principles and how to apply them in specific sectors, in practice and in policymaking.

We will strive for even better interaction with the EU institutions and bodies we monitor, with a view to becoming increasingly effective.

We aim to be more selective, intervening only where there are important interests at stake or interventions that can clearly lead to an improved data protection culture and encourage accountability within EU institutions, embedded as a part of their day to day good administration, not as a separate discipline.

We will continue to use our enforcement powers with discretion, seeking in the first place to ensure compliance by persuasion and example rather than by diktat, following the principle of accountability and encouraging the commitment of senior management in the EU institutions.

On the basis of our experience in implementing the data protection rules for EU institutions, as laid down in Regulation 45/2001, we will be proactive in our cooperation with the EU legislator to modernise them in parallel with the Data Protection Reform.

TIME FOR AN ENTIRELY NEW CONVERSATION ON SECURITY AND PRIVACY

Public security and combating crime and terrorism are important public objectives. However, unnecessary, disproportionate or even excessive surveillance by or on behalf of governments sows mistrust and undermines the efforts of lawmakers to address common security concerns.

The EU has struggled in recent years to identify effective measures in this policy area that do not excessively interfere with the fundamental rights to privacy and data protection; measures that are necessary, effective and proportionate. We know that threats to the security of our lifestyle and freedoms are real and may evolve. But how can we avoid the majority becoming the innocent victims? The priority should be a coherent and systematic mechanism for tracking the behaviour and movements of known criminal and terrorist suspects, not the indiscriminate collection of personal data.

Scrutiny of the necessity and proportionality of specific measures to fight crime and terrorism warrants a broad debate. These are principles enshrined in the Charter of Fundamental Rights as applied in the case law of the Court of Justice of the EU; high-level legal requirements of EU law that the EDPS is tasked with safeguarding. As an independent authority, the EDPS is not automatically for or against any measure; we are fully committed to our mission of advising the EU institutions on the implications of policies which have a serious impact on these fundamental rights. We are ready to work more closely with the legislator to find innovative legal and technological solutions.

We have to establish a clear and comprehensive set of principles and criteria which law enforcement and national security must respect when they interfere with our fundamental rights. We must do this by considering the Data Protection Reform as a package and by thinking about how existing and future bilateral and international agreements can work in a more balanced way.

OUR COMMITMENT

Our vision is for the EU to lead by example as a beacon of respect for data protection and privacy and to speak with a single, credible and informed voice on fundamental rights in the digital world.

An important part of our role is to explain the European approach to data protection simply and clearly and to ensure that its relevance is maintained amid rapid technological change.

In our supervision of EU institutions, we will act through education, persuasion and example, preserving our powers of enforcement as a last resort.

This strategy is a challenging and ambitious agenda for a small professional organisation. But we know we can rely on the skills of our experienced and motivated staff. With their support, we know we can achieve much more.

We are acutely aware that our effectiveness depends on constructive and active partnership, on common endeavour with our partner national data protection authorities and the Article 29 Working Party. When the European Data Protection Board is established, we will play the role established by the legislators effectively, facilitating and supporting informed dialogue among national authorities.

This strategy is our public commitment to achieving this vision over the next five years. It is a commitment to transparency, accountability and selectiveness in what we do.

We now have a unique chance to shape a global, digital standard for the respect of privacy and the protection of personal information.

It’s time for data protection to go digital, because society has already done so.

THE ACTION PLAN

In addressing these issues, we have identified three strategic objectives and 10 priority actions to help us make the EU an exemplary leader in the digital age.

1. DATA PROTECTION GOES DIGITAL

ACTION 1: Promoting technologies to enhance privacy and data protection
- Work with communities of IT developers and designers to encourage the application of privacy by design and privacy by default through privacy engineering;
- Promote the development of building blocks and tools for privacy-friendly applications and services, such as libraries, design patterns, snippets, algorithms, methods and practices, which can be easily used in real-life cases;
- Expand the Internet Privacy Engineering Network (IPEN) to work with an even more diverse range of skill groups to integrate data protection and privacy into all phases of development of systems, services and applications;
- Provide creative guidance on applying data protection principles to technological development and product design;
- Highlight that data protection compliance is a driver for consumer trust and more efficient economic interaction, and hence can encourage business growth;
- Work with academia and researchers in the public and private sectors focusing on innovative fields of technical developments that affect the protection of personal data, in order to inform our technology monitoring activities.

ACTION 2: Identifying cross-disciplinary policy solutions
- Initiate and support a Europe-wide dialogue amongst EU bodies and regulators, academics, industry, the IT community, consumer protection organisations and others, on big data, the internet of things and fundamental rights in the public and private sector;
- Work across disciplinary boundaries to address policy issues with a privacy and data protection dimension;
- Initiate a discussion on broad themes which integrates insights from other fields, and coordinate training efforts to familiarise staff with these related disciplines.
