Data Protection Impact Assessment (DPIA) related to the software and services solution developed for the preparatory phase of the European Elections 2019 (2)

The request was partially successful.

Dear European Parliament,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

- All the versions of the Data Protection Impact Assessment (DPIA) related to the software and services solution developed for the preparatory phase of the European Elections 2019;
- All the correspondence between the European Parliament and NationBuilder following the request to permanently delete all personal data owned by the European Parliament from all means, including backup storage(s) and platforms, including those managed by all subcontractors.

I formulated a first request to that end on 9 August 2019 (A(2019)10012), which was eventually refused by the European Parliament on 23 September 2019. I filed a confirmatory application on 10 October 2019 (A(2019)10012C), which was also dismissed on 21 November 2019. Given the above, I submitted a complaint before the European Ombudsman (684/2020/MIG), following which the Ombudsman shared the view that "the documents should be disclosed, if not in their entirety then at least in part". The Ombudsman also highlighted that, at the time the European Parliament took a decision on my confirmatory application, "the EDPS investigation which focused – among other things – on the measures adopted by Parliament to address the risks identified in the DPIA" was still ongoing. In light of the above, the Ombudsman suggested to file another request for public access now that the EDPS investigation has been finalised. Here it is.

I would also like to discuss some of the observations put forward by the European Parliament in its letter to the European Ombudsman of 29 September 2020, in which the European Parliament makes use of the opportunity to set out its position and to reply to the European Ombudsman complaint.

First, the Parliament “considers that it has explained in sufficient detail”, in answer to my confirmatory application (A(2019)10012C), “the reasons why public access to the requested documents was denied on the basis of the third indent of Article 4(2) of Regulation (EC) No 1049/2001”. I would like to point out that the European Parliament has limited its argumentation to repeating that the disclosure of the DPIA at stake would “undermine its own purpose, that is to allow the Institution to assess in detail the impact of envisaged processing operations and adopt measures addressing the risks, and therefore to protect the personal data collected and held by Parliament in connection with the software and services solution developed for the preparatory phase of the European Elections 2019". The European Parliament has not, in any way, responded to the argument put forward in both my original request (A(2019)10012) and confirmatory application (A(2019)10012C) – and reiterated in my complaint before the European Ombudsman (684/2020/MIG) – according to which this line of reasoning only holds true if the DPIA contains very specific security measures the disclosure of which would actually weaken the countermeasures implemented by the controller.

As emphasised in my confirmatory application (A(2019)10012C), such a reasoning is based on a deceptively narrow conception of what a DPIA should consist of. Rather than a mere inventory of technical mitigation strategies, a comprehensive DPIA should document how the controller has addressed all the risks to data subjects' rights and freedoms raised by the processing operations. This goes far beyond a mere catalogue of security countermeasures and also encompasses a description of the personal data processing operations at stake, the identification of all the risks related to such processing – security risks only being a subset of those issues – and the appropriate countermeasures implemented to mitigate them. A DPIA should, for instance, document how the controller has ensured compliance with the general principles governing the processing of personal data such as lawfulness, purpose limitation and data minimisation, and how it has substantiated obligations such as transparency and data protection by design. It is also worth highlighting that, in cases where such publication would actually weaken the level of protection of the personal data at stake, the EDPS nonetheless encourages EU bodies to – at the very least – publish a shortened version of the report by removing technical details on, for instance, the security measures implemented. This fosters trust and shows that EU institutions lead by example when it comes to complying with fundamental rights (see EDPS, ‘Accountability on the ground Part II: Data Protection Impact Assessments & Prior Consultation’). In light of the above, I consider that the European Parliament still hasn’t provided a convincing explanation as to why the publication of that information would undermine its very objective.

Second, the European Parliament justifies its decision to refuse access to the DPIA following my confirmatory application (A(2019)10012C) by invoking the – at the time – ongoing investigation of the EDPS into the data processing activities carried out in the context of the campaign thistimeimvoting.eu. Releasing the said document “while the measures adopted by the European Parliament during the investigation, including the measures taken in the implementation of the DPIA to stop personal data from being processed by third parties, had not been validated by the EDPS” would, according to the European Parliament, actually have undermined its very purpose.

This calls for three comments. First, it suggests the existence of several versions of the DPIA – at least the initial version and the version modified following the investigation of the EDPS. The present request has, compared to my original complaint (A(2019)10012), therefore been extended to include all those different iterations, should they exist. Second, it also implies that the first iteration of the DPIA, in which the appropriate measures such as the ones requested by the EDPS following its investigation (e.g. the termination of the contract and the erasure of the related personal data) had not yet been identified nor implemented, was flawed. Third, and most importantly, this means that, while it could have been argued at the time that releasing the DPIA might have undermined its very purpose – although I do not agree, as explained above – this position is certainly not defendable today anymore. The initial version of the DPIA, on the one hand, has been amended and does not reflect the current state of the processing activities. A fortiori, its release should not reveal any exploitable risk for data subjects’ rights and freedoms. The amended version of the DPIA, on the other, reflects the changes suggested by the EDPS following its investigation and led to the termination of the contract and the deletion of all personal data from NationBuilder’s premises. As such, its release should not pose any threat to the protection of personal data either. That is the reason why I have also extended my initial request to include the relating correspondence.

Speaking of versioning, I would also like to mention the fact that, while the initial version of the record of processing activities required by Art. 31 Regulation 2018/1725 relating to the thistimeimvoting.eu campaign (record 410) mentioned the existence of the DPIA, this is not the case with the current version available at: https://www.europarl.europa.eu/data-prot.... Using the keyword ‘DPIA’ to query the database still returns record 410, though, which indicates that such mention was initially present in the said record. There is no way to retrieve the previous version of the record.

Third, the European Parliament argues that there is no overriding public interest within the meaning of Article 4(2) Regulation 1049/2001 in disclosing the DPIA. According to the European Parliament, “the interest of the public in being informed about data protection measures could not outweigh the interest in protecting the purpose of the DPIAs, which is to secure the personal data that are held by the Institution”. As pointed out in my complaint before the European Ombudsman (684/2020/MIG), it is only necessary to invoke and substantiate such an interest when the disclosure of the document is refused because it would undermine “the protection of (...) the purpose of inspections, investigations and audits” (Art. 4(2) Regulation 1049/2001). As developed above for both the initial and the amended version, the publication of the said DPIA should not be considered – even less today – as undermining its very purpose. As such, the balancing exercise discretionarily performed by the European Parliament – and that contradicts the outcome of the assessment performed by the European Ombudsman – is superfluous. Besides, the arguments put forward by the European Parliament to dismiss the existence of an overriding public interest are entirely based on the premise that disclosing the said DPIA would actually be detrimental to the protection of the personal data at stake which, again, should not be the case. As a result, the outcome of the comparison used by the European Parliament between the interest of the public to be informed on the one hand, and its interest to protect the personal data at stake on the other – which, as underlined above, is the only argument put forward to refuse access to the DPIA – leads to a circular, inherently flawed reasoning.

Regardless of those formal considerations, I would argue that there is, in any case, a substantial interest for the public to know how the European Parliament has been processing EU citizens' personal data during the 2019 elections. In that sense, it is important to highlight that the Directorate-General for Communication of the European Parliament has collected and further processed EU citizens' personal data in a very sensitive context, i.e. the institutional communication strategy for the European Elections 2019. According to both the record of personal data processing made following Art. 31 Regulation 2018/1725 (record 410) and the privacy policy of the platform at stake, the personal data included basic information such as the name, surname, email address and country of residence, but also information about the actions undertaken on the platform (e.g. poll answers, calls to action, RSVPs, participation in events, signing up to a newsletter) and the social media activities (e.g. Shares, Likes, Comments, Retweets and Posts). As indicated in the privacy policy, the above-mentioned data were used, among other purposes, to provide data subjects with information pertinent to their interests (i.e. profiling). In light of the processing operations and categories of personal data at stake, in conjunction with the sensitive electoral context, I would strongly advocate for the existence of such an overriding public interest.

Yours faithfully,

Pierre Dewitte

AccesDocs, European Parliament

1 Attachment

Dear Mr Dewitte,

The European Parliament hereby acknowledges receipt of your application
for public access to documents, which was registered on 09/11/2020, under
the reference A(2020)12419.
All requests for public access to documents are treated in compliance with
Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access to
European Parliament, Council and Commission documents.
In accordance with the above-mentioned Regulation, your application will
be handled within 15 working days upon registration of your request.
Your personal data will be processed in accordance with Regulation (EU)
2018/1725 of 23 October 2018 on the protection of natural persons with
regard to the processing of personal data by the Union institutions,
bodies, offices and agencies and on the free movement of such data.
The European Parliament reserves the right to ask for additional
information regarding your identity in order to verify compliance with
Regulation (EC) No 1049/2001 and the European Parliament’s implementing
measures.
Your attention is drawn to the fact that you have lodged your application
via the AsktheEU.org website, which is a private website not officially
related to the European Parliament. Therefore, the European Parliament
cannot be held accountable for any technical issues or problems linked to
the use of this system.
In addition, please note that any personal data that you provide by using
AsktheEU.org website may be disclosed to the general public and visible on
this private website. The European Parliament cannot be held responsible
for such disclosure. Should you need to communicate directly to Parliament
any personal data and would like to avoid public disclosure, you may do so
from your private email address by using the following functional mailbox
address: AccesDocs(at)europarl.europa.eu

Kind regards,

TRANSPARENCY UNIT
European Parliament
Directorate-General for the Presidency
Directorate for Interinstitutional Affairs and Legislative Coordination
[European Parliament request email]
http://www.europarl.europa.eu/RegistreWeb

AccesDocs, European Parliament

1 Attachment

Dear Mr Dewitte,
The time-limit for responding to your application concerning public access
to documents which was registered 9 November 2020 under reference number
A(2020)12419 would expire today 30 November 2020.
However, due to the fact that the inter-institutional consultation with
regard to the detailed analysis of all legal aspects of your application
has not yet been completed and due to the coronavirus pandemic and
containment measures adopted by the European Parliament affecting the
timely handling of your application, Parliament is obliged to
exceptionally extend the time-limit provided for in Article 7(1) of
Regulation (EC) No 1049/2001 by 15 working days, in accordance with
Article 7(3) of that Regulation.
Thank you for your attention.
Kind regards,