News, articles, legislation and analysis, all about data protection and cybersecurity technologies

EDPB: Interplay between the ePrivacy and the GDPR European Data Protection Board released Opinion 5/2019

Annual Report: 2018 was a busy year for the EDPS – First annual report of European Data Protection Supervisor

Overview: Nine months after GDPR entry – EDPB Releases Overview on the Implementation and Enforcement of the GDPR

Cookies: Dutch DPO released guidance for free access to webpages content unconditioned by cookies acceptance – Websites must remain accessible when refusing to track cookies

Research: 85% of organisations suffered phishing and social engineering attacks last year – according to an Accenture cybercrime study.


Infographic of the week – Secure by Design Infographic available in Press Quality for download:  

EDPB Opinion 5/ 2019

The interplay between the ePrivacy and the

In December 2018, the Belgian Data Protection Authority requested the European Data Protection Board to examine and issue an Opinion on the interplay between the GDPR and the ePrivacy Directive, in particular regarding the competence, tasks and powers of data protection authorities.

EDPB considers that these questions concern a matter of the general application of the GDPR, as there is a clear need for a consistent interpretation among data protection authorities on the boundaries of their competences, tasks and powers.

Clarification is particularly needed to ensure, amongst others, a consistent practice of mutual assistance in accordance with article 61 of the GDPR and joint operations in accordance with article 62 of the GDPR.


EDPS Annual Report

First annual report of the European Data Protection Supervisor

2018 was a busy year for the EDPS and a pivotal year for data protection in general. Under new data protection rules, the rights of every individual living in the EU are now better protected than ever, the European Data Protection Supervisor (EDPS) said today, as he presented his 2018 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).

Giovanni Buttarelli, EDPS, said: Data protection hit the headlines in 2018. Public awareness about the value of online privacy is at an all-time high, while concern about the abuse of personal data by online service providers remains a topic of enquiry for governments around the world. In the EU, new rules on data protection go a long way towards addressing concerns, but more is required. Agreement on a new ePrivacy Regulation is urgent, but in the digital world, we also need to look beyond rules and regulations. Through initiatives focused on digital ethics and greater regulatory cooperation, the EDPS is determined to play a decisive part in shaping the digital future in the EU and further afield.

The 2018 Annual Report provides an insight into all EDPS activities in 2018. Chief among these were our efforts to prepare for the new legislation. The General Data Protection Regulation (GDPR) became fully applicable across the EU on 25 May 2018 and new data protection rules for the EU institutions are also now in place. Working with the new European Data Protection Board (EDPB), the EDPS aims to ensure consistent protection of individuals’ rights, wherever they live in the EU. Key figures for 2018:

  • 30 training sessions provided for EU institutions and bodies
  • 90 prior check Opinions issued (80% relating to EU administrative procedures)
  • 5 inspections
  • 3 visits to EU institutions
  • 11 Opinions issued on legislative proposals
  • 13 Formal Comments issued on legislative proposals


EDPB Overview

Nine months after GDPR entry

On February 26, 2019, the European Data Protection Board (the “EDPB”) presented its first overview of the GDPR’s implementation and the roles and means of the national supervisory authorities to the European Parliament (the “Overview”).

Nine months after the entry into application of the GDPR, the members of the EDPB are of the opinion that”the GDPR cooperation and consistency mechanism works quite well in practice. The national supervisory authorities make daily efforts to facilitate this cooperation, which implies numerous exchanges (written and oral) between them. These cooperation duties lead to extra workloads, additional time dealing with cases and have an impact on the budget of the regulators.”

Cooperation Mechanism – The GDPR requires close cooperation between SAs of EEA (EU-28 + Iceland, Norway and Liechtenstein) in cases implying a cross-border component and supports this by using the following tools: ¾ the mutual assistance, ¾ the joint operation, ¾ the One-Stop-Shop cooperation mechanism, which introduces the obligatory intervention of a Lead Supervisory Authority for the cross-border cases. Here are a few statistics outlined on Hunton Privacy Blog ( ):

  • 642 procedures have been initiated to identify the lead DPA and concerned DPAs in cross-border cases. 306 of these procedures have concluded with the lead supervisory authority identified.
  • 30 different DPAs have registered a total of 281 cases with cross-border components in the Internal Market Information system– an IT system that provides a method of information sharing among supervisory authorities. The main topics of these cases relate to the exercise of individual rights, consumer rights and data breaches.
  • 45 one-stop-shop procedures were initiated by DPAs from 14 different EEA countries — 23 cases are currently at the informal consultation stage, 16 are at the draft decision stage and 6 cases have been finalized.
  • 444 mutual assistance requests, both formal and informal, have been triggered by DPAs from 18 different EEA countries.

Consistency Mechanism – One of the main tasks of the EDPB is to ensure the consistent application of the GDPR. One opportunity to ensure consistency is to provide general guidance on the interpretation of the GDPR, which will contribute to a common understanding and application of the provisions by the stakeholders, the supervisory authorities and the public in general. Since 25 May 2018, the EDPB has endorsed 16 guidelines prepared by the Article 29 Working Party (predecessor of the EDPB) and has adopted 5 additional guidelines. Another opportunity is to adopt consistency opinions and decisions. These decisions mainly address the national supervisory authorities and ensure a consistent application and enforcement of the GDPR.

  • The EDPB has adopted 28 consistency opinions regarding the national lists of processing subject to a data protection impact assessment.
  • The EDPB also has adopted a consistency opinion on a draft administrative arrangement for the transfer of personal data between financial supervisory authorities.
  • The EDPB is currently working on further consistency opinions and procedures relating to the interplay between the GDPR and the ePrivacy Directive, binding corporate rules and a draft standard contract between data controllers and data processors.

Budget and Human Resources

  • 23 DPAs reported an increase in their regulatory budgets for 2018-2019.
  • Three DPAs reported no increase in budget while two DPAs reported a decrease.
  • With respect to human resources, 17 DPAs reported an increase in headcount for 2018-2019, while eight reported no change and one DPA reported a decrease in personnel.

Implementation and Enforcement of the GDPR at National Level

  • The total number of cases reported by DPAs from 31 EEA countries totalled 206,326 with 94,622 of these comprising complaints and 64,684 initiated on the basis of data breach notification by controllers.
  • 52% of the above cases have concluded while 1% are being challenged before national courts.
  • DPAs from 11 EEA countries reported imposing administrative fines under the GDPR totalling €55,955,871.
  • The Overview concludes by noting that members of the EDPB view the GDPR as working well in practice and that the workload of DPAs is manageable due to thorough preparation for the GDPR over the past two years.



Dutch DPO released guidance for free access to webpages content unconditioned by cookies acceptance

One of the most important legal basis processing personal data under GDPR is the consent — which should be specific, informed and freely given in order for it to be valid under the law. Many websites are conditioning web pages browsing by implicit accept of Cookies policy, what is representing a serious lack of compliance with GDPR consent rules.

After receiving dozens of complaints from internet users who had had their access to websites blocked after refusing to accept tracking cookies, the Dutch data protection agency released a few days ago a Guidance related to this issue.

According to this guidance website that only give visitors access to their site if they agree to place so-called ‘tracking cookies’ or other similar ways of monitoring and recording behaviour through software or other digital methods, do not comply with the General Data Protection Regulation.

“The digital tracking and recording of Internet surfing behaviour via tracking software or other digital methods are one of the largest processing of personal data because virtually everyone is active on the internet. To protect privacy, it is therefore important that parties request permission from website visitors “, says Aleid Wolfsen, chairman of the Dutch DPA. “In this way, people can deliberately and appropriately use their right to the protection of personal data. If a website is asked for permission for tracking cookies and if it is not possible to access the website or service if they refuse access to the website or service, people under pressure will receive their personal data and that is unlawful. “

With so-called ‘cookie walls’ on websites (no permission means no access), the permission is not given freely, because website visitors do not get access to the website without giving permission. On the basis of the GDPR permission is not ‘free’ if someone has no real or free choice. Or if the person can not refuse giving permission without adverse consequences. With the announcement of this explanation of the standard, the organizations involved are instructed to adjust their practice where necessary. The DPA sent a letter to the organizations to which it received the most complaints with the standard explanation, announcing also that it will intensify the audit in the coming period to see whether the standard is applied correctly in the interest of protecting privacy.

“Cookie walls are non-compliant with the principles of consent of the GDPR. Which means that any party with a cookie wall on their website has to be compliant ASAP, whether or not we will check that in a couple of months, which we certainly will do.” stated a Dutch DPA member. According to a TechCrunch article named ”Cookie walls don’t comply with GDPR, says Dutch DPA”, even the cookie wall on the official European Internet organization site looks like a textbook example of what not to do — given the online ad industry association is bundling multiple cookie uses (site-functional cookies; site-analytical cookies; and third-party advertising cookies) under a single “I AGREE” option. 

The website does not offer visitors any opt-outs at all. If the user does not click “I  AGREE” they cannot gain access to the IAB’s website. So there’s no free choice here. You have to agree with imposed cookies or leave. The main problem here is a clear contradiction between GDPR consent spirit and former rules covered by the ePrivacy Directive from 2002, which is be expected to be released also as ePR EU Regulation. According to the Recital 25 from ePrivacy Directive: “Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device if it is used for a legitimate purpose.” But we don’t have to forget other GDPR consent golden rules as granularity and an opt-out option.

Many website cookies bar show a single box acceptance for all cookies categories, and the big majority didn’t offer an opt-out check-box alternative or simple button to close cookies windows… More clear explanations about this could be found on one of the official EU websites.  Here, on the EU Commission EU Internet Handbook, we can find an explanation about Cookies policy in Europe.

According to the site, „EUROPA websites must follow the Commission’s guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily. The ePrivacy directive – more specifically Article 5(3) – requires prior informed consent for storage or for access to information stored on a user’s terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them. For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the individual’s wishes.” Hmm. This seems to be more close to the GDPR free consent spirit. And the things become more serious reading the steps proposed for the cookies use in Europe: “The use of cookies on EUROPA is allowed under certain conditions. You should take the following steps.

  • Ask yourself whether the use of cookies is essential for a given functionality and if there is no other, non‑intrusive alternative.
  • If you think a cookie is essential, ask yourself how intrusive it is: what data does each cookie hold? Is it linked to other information held about the user? Is its lifespan appropriate to its purpose? What type of cookie is it? Is it a first or a third‑party setting the cookie? Who controls the data?
  • Evaluate for each cookie if informed consent is required or not:
  • first‑party session cookies DO NOT require informed consent.
  • first‑party persistent cookies DO require informed consent. Use only when strictly necessary. The expiry period must not exceed one year.
  • all third‑party session and persistent cookies require informed consent. These cookies should not be used on EUROPA sites, as the data collected may be transferred beyond the EU’s legal jurisdiction.
  • Before storing cookies, gain consent from the users (if required) by implementing the Cookie Consent Kit in all the pages of any website using cookies that require informed consent.
  • Inform users about the use of cookies in a plain, jargon‑free language in a dedicated “cookie notice” page linked from the service toolbar of the standard templates. This page should explain:
  • why cookies are being used, (to remember users’ actions, identify users, collect traffic information, etc.)
  • if the cookies are essential for the website or a given functionality to work or if they aim to enhance the performance of the website
  • the types of cookies used (e.g. session or permanent, first or third‑party)
  • who controls/accesses the cookie‑related information (website or third‑party)
  • that the cookie will not be used for any purpose other than the one stated
  • how users can withdraw consent

If the issues are not very clear yet, we have an example on the same website: a webpage capture with a three-point legend:

  • 1)    The cookie header banner displayed on all pages of a site using cookies that require informed consent.
  • 2)    A link to the specific cookie notice page is also available.
  • 3)    This element of the page will only display its content once the user chooses to accept the site’s cookies.



85% of organisations suffered phishing and social engineering attacks last year

Last year 85% of organisations experienced phishing and social engineering attacks and 76% suffered web-based attacks, according to the Ninth Annual Cost of Cybercrime Study, published by Accenture and Ponemon Institute.

Malware and web-based attacks were the most expensive at $2.6 million and $2.3 million respectively. Accenture says these two types of a cyber attack “represented a third of all cybercrime costs globally last year”.

However, the biggest jump in costs came from malicious insiders: last year, insider attacks cost each organisation $1.6 million on average, a 15% increase in 2017. Other key findings of the research are related to:

  • the average number of security breaches in the last year grew by 11 percent from 130 to 145.
  • the average cost of cybercrime for an organization increased US$1.4 million to US$13.0 million.
  • total value at risk of $US5.2 trillion globally over the next five years.