Monitoring Report — 26 / 10/ 2018 Week in Review efamro efamro comments: The 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC) was a focal point for EU data protection practitioners this week. The ICDPPC is a global forum of data protection and privacy authorities, encompassing more than 120 members across all continents working on global data protection policy issues. Apple CEO Tim Cook delivered a keynote at the Conference praising Europe's new rules and calling for comprehensive federal data privacy regulation in the U.S. The conference also adopted several resolutions including ethics and data protection in Artificial Intelligence. The Declaration on Ethics and Protection in Artificial Intelligence, endorsed several guiding principles as “core values” to protect human rights as the development of artificial intelligence continues apace. In line with this the ICDPPC has established a permanent working group on Ethics and Data Protection in Artificial Intelligence. The UK Information Commissioner, Elizabeth Denham, has been elected as Chair of the ICDPPC. On the enforcement front, the European Data Protection Board (EDPB) is dealing with 162 cross border cases but no fines have yet been issued. Facebook has been issued with a maximum £500,000 fine by ICO for serious breaches of data protection law (under pre-GDPR protection law). The European Parliament has also called for a full audit of Facebook in the wake of the data breaches. Stakeholder interest is also high on the ePrivacy dossier as the Council recommenced discussions on the proposed ePrivacy Regulation. 1 ePrivacy Regulation - Stakeholder Statements Please see below recent stakeholder statements on proposal for ePrivacy Regulation: • EDRi https://edri.org/eprivacv-public-benefit-or-private-surveillance/ • Energy Coalition https : //www.euractiv.com/wp- content/uploads/sites/2/2018/10/20181024-Open-Coalition-Letter-on-the-Future-of-the- ePrivacv-Regulation.pdf • Business Europe https : / / www.businesseurope.eu /publications/eprivacv-proposal-letter- markus-i-bevrer-nikolaus-marschik-ambassador-austria-eu International Data Protection - 40th International Conference of Data Protection and Privacy Commissioners, Brussels - Speeches by EDPS Giovanni Buttarelli and Apple CEO Tim Cook Please click here to access the speech by Giovanni Buttarelli at the Public Session of the International Conference of Data Protection and Privacy Commissioners 2018, Debating Ethics: Dignity and Respect in Data Driven Life , Brussels. Please click here to access the speech by Tim Cook, Apple CEO, at the Public Session. International Data Protection - 40th International Conference of Data Protection and Privacy Commissioners, Brussels - Adopted Resolutions Now in its fortieth year, the ICDPPC is the leading global forum of data protection and privacy authorities, encompassing more than 120 members across all continents. The ICDPPC works throughout the year on global data protection policy issues, adopts resolutions and statements addressed to governments and policymakers, and arranges a highly successful annual conference. The theme of this year's conference is "Debating Ethics: Dignity and Respect in Data Driven Life". Adopted Resolutions can be accessed by following the links below: • Resolution on e-learning platforms • Declaration on Ethics and Data Protection in Artificial Intelligence • Resolution to amend the ICDPPC rules and procedures • Resolution on a roadmap on the Future of the International Conference • Resolution on Collaboration between Data Protection Authorities and Consumer Protection • Resolution on the Conference Census [ FR] 2 The opening speech of the closed session of the Conference, by Isabelle Falque-Pierrotin, President of the Executive Committee of the ICDPPC, can also be accessed here International Data Protection - UK Information Commissioner elected chair of the International Conference of Data Protection and Privacy Commissioners Elizabeth Denham, the UK’s Information Commissioner, has today been elected Chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC). Now in its fortieth year, the ICDPPC is the leading global forum of data protection and privacy authorities, encompassing more than 120 members across all continents. The ICDPPC works throughout the year on global data protection policy issues, adopts resolutions and statements addressed to governments and policymakers, and arranges a highly successful annual conference. On accepting her post, Elizabeth Denham said: In the age of borderless data flows, there has never been a more important time for global coherence in data protection and privacy. My vision for the ICDPPC is to lead a decade of global data protection. A decade when data protection and privacy by design become mainstream aspects of the digital economy, safeguarding democratic governance and ensuring protection for society’s vulnerable groups, including young people. The ICDPPC is a truly unique global forum, championing strong and independent authorities. Key to this is ensuring that authorities can share cutting edge policy and enforcement experience. I am keen to ensure that ICDPPC can continue to support our member authorities with experiences, strategies and best practice that are inclusive of diverse legal frameworks and cultural backgrounds." EU Data Protection Regulation - EDPB Cross Border Cases Privacy Laws and Business reports that the Board’s Chair Andrea Jellinek announced that the European Data Protection Board (EDPB) has by now 162 cross-border cases on its case register. She would not confirm when the first large fines would be issued - ‘we are investigating’ she said. When asked about a public register of fines, she said this would not be possible unless the details were anonymised. Under her native Austrian DP law, the authority has to anonymise any details if they publicise details of fines. Jellinek said that the first five months of the GDPR have been busy for the authorities. Some 80,000 breach notifications have been received by the 25 EU DPAs which have issued their statistics, and 15 One Stop Shop procedures have been started at the Board. In addition, there have been 233 procedures relating to Mutual Assistance between the DPAs. 3 Source: Privacy Laws and Business EU Data Protection - UK Information Commissioner’s Office (ICO) fines Facebook The Information Commissioner's Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law. In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of data analytics for political purposes. After considering representations from the company, the ICO has issued the fine to Facebook and confirmed that the amount - the maximum allowable under the laws which applied at the time the incidents occurred - will remain unchanged. The full penalty notice can be read here . The ICO's investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends’ with people who had. Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US. Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018. The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse. Elizabeth Denham, Information Commissioner, said: "Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better." This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU's General Data Protection Regulation . These provide a range of new enforcement tools for the ICO, including maximum fines of £17 million or 4% of global turnover. Ms Denham added:"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under 4 the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data. "Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based." Watch Elizabeth Denham talk about the fine here. A further update on the ICO investigation into data analytics for political purposes will be on Tuesday 6 November, when Ms Denham will give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee. In July, the ICO published an interim progress update on its investigation and also published a partner report, Democracy Disrupted? Personal information and political influence looking at the broader policy issues identified during the investigation along with findings and the Information Commissioner's recommendations for future action. EU Data Protection- The use ofFacebook users' data by Cambridge Analytica On October 23, the European Parliament held a debate in Plenary on the LIBE Motion for a Resolution to wind up the debate on the statement by the Commission on the use of Facebook users' data by Cambridge Analytica and the impact on data protection. During the debate, the importance of ensuring algorithmic accountability, of upholding principles such as transparency, traceability and accountability, and of ensuring the integrity of European electoral and democratic processes were emphasised. The key role - and responsibility - of online platforms in tackling online disinformation was also underlined and Commissioner Julian King recalled that the Commission will analyse the first results of the Code of Practice by the end of this year. If sufficient progress is not achieved on a voluntary basis, the Commission reserves the right to consider other options, the Commissioner remarked. Documents: Agenda / Motion for a Resolution / Oeil 5 Upcoming Events November 2018 European Big Data Value Forum 2018 - Expert meeting — Focus on data driven artificial intelligence 12 -14 November 2018, Vienna The European Big Data Value Forum 2018 (EBDVF2018) takes place in the framework of the Austrian Presidency of the Council of the European Union and with the active participation of the host country Austria, the European Commission and representatives of the industry. On the first day, introductory statements will be given by Federal Minister Norbert Hofer, Director Gail Kent (European Commission) and Mark Shuttleworth (founder of Ubuntu). The first two days will take place in the Austria Center Vienna, where concrete examples of technical implementation in various areas of application will be discussed, as well as current developments regarding regulation on a European level and framework conditions for future research promotion. On the third day of the event, workshops will be organised in Siemens City, Vienna, on the topics networking and data ecosystems, amongst others. Link: Programme of the European Big Data Value Forum 2018 More information about this event can be found on the event page #ThinkDigital20i8 - Unleashing the Potential of Digitalisation 22 November 2018, Egmont Palace, Brussels ThinkDigital Summit is a platform for industry to discuss game changers facing the emergence of a Digital Single Market. Now in its 3rd year, the ThinkDigital Summit will look at the following topics: • Realising The Potential Of Health Data • Ethical And Social Implications Of Artificial Intelligence • Fostering Trust in the Digital Era • How Digital Industry Can Achieve The Sustainable Development Goals? Registration 6 January 2019 CPPD 2019 Data Protection and Democracy 30 January to 1st February 2019, Brussels, Belgium CPDP is an annual three-day conference devoted to privacy and data protection. The overarching theme of the 2019 edition is “Data Protection and Democracy”. The entwinement between data analytics and democratic processes has been on the spotlight for the better part of the past two years. URL: https://www.cpdpconferences.org/call-for-papers 7