The EDPS and EU Research and Technological Development
Policy paper
Brussels, 28 April 2008
Postal address: rue Wiertz 60 - B-1047 Brussels
Offices: rue Montoyer 63
E-mail : xxxx@xxxx.xxxxxx.xx - Website: www.edps.europa.eu
Tel.: 02-283 19 00 - Fax : 02-283 19 50
link to page 2
The EDPS and EU Research and Technological Development
1. Introduction
Regulation (EC) No. 45/2001
1 of the European Parliament and of the Council provides a
general framework for the tasks of the European Data Protection Supervisor (EDPS), also
with regard to EU research and technological development (RTD) projects.
According to Article 41 of Regulation 45/2001, the EDPS shall be responsible for ensuring
that the fundamental rights and freedoms of natural persons, and in particular their right to
privacy, are respected by the Community institutions and bodies, with respect to the
processing of personal data. Article 41 specifies that the EDPS shall be responsible for
monitoring and ensuring compliance as to the processing of personal data by Community
institutions and bodies, and for advising Community institutions and bodies and data subjects,
on all matters concerning the processing of personal data. This means that the EDPS has a
general mission of promoting a data protection culture and respect for data protection
principles in all Community policies.
Article 46 sub (e) also mentions specifically that the EDPS shall monitor relevant
developments, insofar as they have an impact on the protection of personal data, in particular
the development of information and communication technologies. Following new
technological developments that may impact on data protection, is therefore part of the EDPS’
mission, as stated in the Annual Report 2006.
Privacy and data protection requirements need to be highlighted and applied as soon as
possible in the life cycle of new technological developments in order to contribute to a better
implementation of the data protection legal framework. The European RTD efforts constitute
a very good opportunity to accomplish these goals and the EDPS considers that the principle
of ‘
privacy by design’ should represent an inherent part of these RTD initiatives.
At the end of 2006, the Commission announced and launched the
Seventh Framework
Programme for research and technological development (FP7), which is the European Union's
chief instrument for funding research over the period 2007-2013. A major part of FP7 is
devoted to stimulating the development and uptake of Information and Communication
Technologies (ICT) for the advancement of a free, open and inclusive European Information
Society.
In order to follow the Seventh Framework Programme closely, the EDPS decided to take an
active part in the FP7 launching event, the Information Society Technologies (IST) 2006
Conference held in Helsinki, by having a stand. The aims of that action were the following:
• identify at an early stage, the emerging trends which will drive these ambitious RTD
efforts;
• establish fruitful contacts with forthcoming research projects;
• raise awareness among the main stakeholders for the possible data protection aspects
of their future research project;
1 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the
protection of individuals with regard to the processing of personal data by the Community institutions and bodies
and on the free movement of such data, OJ L 8, 12.1.2001, p. 1 (hereinafter Regulation 45/2001).
2
• provide advice on the way to include data protection concerns in future proposals and
research activities.
On the basis of this experience, the EDPS decided to develop several possible models of
contribution to targeted research projects of the ongoing FP7 as well as future Framework
Programmes for research and technological development. The aim of these contribution
models is to advise the Commission and/or project developers in their efforts to use privacy
and data protection friendly RTD methodologies and of course to develop technologies and
processes that will promote and reinforce the effectiveness of the EU data protection legal
framework. This paper sets out the main elements of the EDPS policy in this area.
2. Role of the EDPS
It has to be borne in mind that the EDPS is an independent authority, established by
Regulation 45/2001, and its role in research projects will therefore have to preserve this very
characteristic. In this respect, the participation of the EDPS as partner of a consortium can not
be envisaged.
Any RTD project of specific interest to the EDPS must directly or indirectly involve a subject
within the material scope of application of Regulation 45/2001 – or more generally: Directive
95/46/EC and other related Community legislation – that is the "processing of personal data".
3. EDPS's contributions to EU research and technological development
The EDPS provides focused contributions at various steps of a research Framework
Programme, from the definition and design of its main lines of research, during the life cycle
of targeted projects, and to the final deliverables of these RTD efforts.
3.1 Framework Programme and call for proposals
The EDPS may participate in workshops and conferences aiming at identifying future
challenges which can be relevant for the EU RTD policy. The EDPS includes as well in his
annual report a part identifying emerging technological trends expected to have a determinant
impact on the EU data protection framework.
The EDPS may, furthermore, contribute to research advisory boards launched by the
Commission in connection with the Framework programme. Participating as an observer, he
currently provides opinions on data protection matters to the Advisory Board on Research and
Innovation for Security, Privacy and Trustworthiness in the Information Society (RISEPTIS),
a high-level reflection group created by DG INFSO of the Commission. This group provides
recommendations on the policy environment and the research agenda in the field of security
and trust in the Information Society.
The EDPS is also available to assist the Commission in the evaluation process of proposals.
This support may consist in reading proposals which have already reached all thresholds and
in providing targeted advice about possible data protection issues these proposals might
trigger.
3
3.2 RTD projects
The EDPS may also give an opinion - or might consider any other involvement - in relation to
individual RTD projects. This may happen in two ways:
(a) A consortium of a project can request an opinion from the EDPS. Although the EDPS will
not contribute to a proposal for a project, the proposal can envisage to ask for an EDPS
opinion during the life cycle of the project in the case it is awarded. In this case, the EDPS has
to be informed and has to give his agreement for introducing a reference to a future EDPS
opinion before the submission of the answer to the call for proposals. The consortium will
have to clarify in the submitted documents relating to its proposal that the EDPS opinion will
be given in his role as an independent authority. The moment for issuing the opinion
(according to the schedule of the project) will be decided by the EDPS in consultation with
the consortium of the project.
(b) The EDPS can also decide at his own initiative to look into an RTD project, but only in
special cases raising important data protection issues not yet addressed in other ways.
The
criteria for the EDPS contribution will be based mainly on:
(a) The relevance of the project to ‘data protection issues’. This relevance can be due to the
development of new capabilities or technologies which might have a critical impact - either
positive or negative - on the protection of personal data. The project can also be relevant from
the EDPS' point of view because sensitive processing of personal data might take place within
the research activities themselves.
(b) The EDPS priorities: each year, the EDPS establishes a list of priorities which are
published in his Annual Report.
In any case, the EDPS will decide, at his own discretion, which projects to accept for
consideration according to available resources and priorities.
Although most of the RTD projects dealing with or raising data protection issues will belong
to the ICT Theme of a Framework Programme, the EDPS does not exclude the possibility to
select projects from other Themes, such as Security Research, Health, Transport or others.
The contributions of the EDPS could take different
forms, for instance:
(a) Opinions on the methodologies implemented or on the results obtained. This kind of
opinions could be triggered at different stages of the project:
• at the beginning of the project, but in any case after it has been awarded
• at important milestones of the project
• at the end of the project and therefore mainly focused on its results and its possible
follow-up.
Any such opinion will normally be published on the EDPS website and mentioned in the
relevant annual report. A draft of the opinion will in any case be submitted to the consortium
for comments before its final adoption. The final text of the opinion will be sent to the
corresponding programme management unit of the Commission for their information.
(b) Since research projects of an EU Framework Programme usually have the obligation to
involve partners from several Member States, the EDPS could also, in this case, contribute to
4
and facilitate the cooperation between the corresponding Member States or third country data
protection authorities which might be involved.
The overall objective of these contributions is for the EDPS to promote and reinforce the
application of the principle of ‘
privacy by design’ to European RTD projects and to facilitate
therefore the implementation of the EU data protection regulatory framework.
5