Data Protection for Digital Communication

7 November 2016, by Wojciech Wiewiórowski

In October, the European Court of Justice ruled that, in many cases, the data collected by web servers, such as the IP addresses of users, is personal data. The decision underlined the need to put in place adequate safeguards to protect personal data when operating websites and other online services.

The EU institutions, and many other organisations, rely increasingly on online tools to communicate and interact with citizens. At the same time, the online transactions involved are becoming more complex. The implementation of effective data protection policies for the processing of all personal data used by web-based services is essential if we are to protect the rights of users. In particular, we need to address the use of cookies, online tracking, security and personal data transfers.

One of the roles of the EDPS is to act as an advisor to the other EU institutions and bodies. We provide guidance on how to ensure compliance with Regulation 45/2001, the data protection legislation applicable to their activities. Our Guidelines are one way in which we do this. They build on years of practical experience, which we have gained through our supervision work, on previous EDPS decisions and opinions (on administrative consultations, prior checks and complaints), and on the work done by the Article 29 Working Party.

Our most recent EDPS Guidelines, published today, provide practical advice on how to integrate data protection principles into the development and management of web-based services and mobile applications. Though they are targeted at the EU institutions, any organisation or individual interested in the subject might find them useful.

Guidelines can be particularly valuable when dealing with new technologies. Mobile applications, for example, present a particular challenge for the protection of personal data. Many apps take advantage of the portability of smart mobile devices and make use of tools associated with them, such as cameras, microphones and location detectors. However, though these tools increase the value of an app for users, their use also enables the collection of great quantities of personal data.

In addition to the expertise of the staff at the EDPS, particularly our IT Policy team, we also recognise the importance of consulting experts in the field. Our Guidelines on web-based services and mobile applications include input from IT managers and IT security specialists from the EU institutions and agencies. They also incorporate feedback from the data protection officers (DPOs) of the EU institutions, who are responsible for ensuring that their respective organisations comply with data protection rules. As well as providing guidance, our Guidelines serve as a reference document, against which the institutions can measure their activities. It is essential that they are legally robust, but also practical to implement.

Our interaction with the other EU institutions and bodies does not stop here, however. Twice every year, we meet with the DPO network, made up of around 60 DPOs from the EU institutions and bodies. These meetings are an opportunity to share experiences and gain feedback on the implementation of data protection policies.

At the most recent meeting, which took place at the end of October, we presented and discussed our Guidelines on web services and mobile applications. The meeting was also a chance for us to update DPOs on our activities regarding IT policy, including our work on Data Protection Impact Assessments (DPIAs), and to answer their questions. Our interactive approach to these meetings ensures that DPOs are able to engage fully with the topics discussed. In turn, we can learn from them by better understanding how our advice works in practice.

Our Guidelines on web services and mobile applications follow the publication, in late 2015, of Guidelines on mobile devices in the workplace and on eCommunications, as well as our guidance on Information Security Risk Management, published in March of this year. While they are based on the current legal framework for data protection, they will remain relevant when the new framework comes into force, particularly because of their emphasis on accountability, the ability of organisations to demonstrate compliance with their data protection obligations.
