Open evilaliv3 opened 1 year ago
Your interpretation of the EDPS guidelines, while interesting, seems to me to mix issues that are different albeit connected. § 9 (that you are mentioning) refers to deleting the whole whistleblowing report while here we are discussing issues pertaining to deleting personal information that is not relevant to the allegations which may be contained in the report, but is not the report as such. §9 deals, for example, with a process where the platform is just a gateway and reports are then forwarded to the relevant institutions/department for investigation so according to EDPS there is no need to keep the report in the WB platform (" An EU institution has received several whistleblowing reports through the whistleblowing channel. One report concerns alleged harassment and is therefore directly referred to the unit dealing with these cases. Two other reports are likely to concern fraud and therefore transferred to OLAF which starts an investigation in one of the cases. The institution applies a conservation period of 5 years on the case that OLAF does not investigate. In this situation the EDPS considers that a period of 5 years is excessive and that the report should be deleted as soon as possible.")
Art 17 of the Directive (see §4 of the EDPS guidelines as it also referred to in §9) requires deletion with unduly delay. In the light of GDPR "non permanent deletion" (whatever this may mean and however it may be achieved) may not be deletion and is still data processing unless further measures are adopted. I agree that some information may be ascertained as irrelevant only at the outcome of the investigation but if you look at the example itself in §4 there may be personal information which are self evident as irrelevant in the context of the case (again, a health condition of the wrongdoer may or may not be relevant, though the latter is IMHO more likely). Setting a hard delay preventing deletion might, strictly speaking, be in breach of the provision of art. 17 given, however, that it might be argued that 2 months from the filing of the report (in the directive there is not such a thing as a "preliminary assessment") are not an "undue delay"
Then, please also note that rather than addressing the EDPS you should address the EDPB.
We agree that it should be interpreted as a requirement to be able to delete certain parts of reports, or at the minimum redact it (so that other recipients of the report e.g. do not need to see the "unnecessary" personal information.
However interpretation, we believe redaction/deletion of certain parts needs to be made available for admins to enable for users/recipients, so that the organisation is given the possibility to delete/redact if they would need to.
By examining the purpose of deleting/redacting certain parts of reports (such as unnecessary personal information), it is probably pretty clear that the purpose is not to be able to keep all data received e.g. in a whistleblowing report, if such would be unnecessary.
Theoretically, it's always a possibility for recipients to "hide" or even delete reports with malicious intent and this part would be no different but eventually, it all comes down to trusting that the recipient will do the right thing. And if they don't, there are failsafe mechanisms such as external reporting.
It would clearly never be legal nor correct to try to hide or delete entire or certain parts of reports so we therefore believe that the same principles regarding deletion of the entire report should be applied to deletion of certain parts of reports, if that makes sense?
Proposal
In ticket https://github.com/globaleaks/GlobaLeaks/issues/3420 we have analyzed a proposal to make it possible to to redact (hide) parts of reports (such as unnecessary personal info) and we limited the proposal to a simple not destructive operation.
This ticket is dedicated to the analysis of the specific need of making it possible to permanently delete (distruct) parts of the report without impacting the possibility for whistleblowers to prove they performed a report and to prove what the report contained that in adherence to the Directive (EU) 2019/1937 of the European Parliament that is a fundamental need that would enable the whistleblower to benefit of protections in case of retaliation. I point out that the original is also necessary up to the directive for "the person who took the detrimental action, who should then be required to demonstrate that the action taken was not linked in any way to the reporting or the public disclosure".
At the moment in our analysis we consider that even if GDPR and the Directive enforce to delete personal information when it is clear that they are non-relevant or not-necessary and without undue delay, the term of permanently deletion could be fully postponed to the moment in which informed decision could be made and probably not before the full handling of the case and definitely not before the first term for the organization to provide feedback to the whistleblower (3 months).
Such an interpretation seems to be supported as well by the European Data Protection Supervisor (EDPS) with their Guidelines on processing personal information within a whistleblowing procedure where while clarifying about Article 17 states: "If following an initial assessment it is clear that the case should not be referred to OLAF or is not within the scope of the whistleblowing procedure, the report should be deleted as soon as possible (or referred to the right channel if for example it concerns alleged harassment). In any case, personal information should be deleted promptly and usually within two months of completion of the preliminary assessment, since it would be excessive to retain such sensitive information." The reference used by the EDPS to support this statement is Article 29 Working Party Opinion 1/2006, WP 117, pg. 12.
If we read this well, EDPS is stating that the personal information could be deleted in full compatibility with the directive after 2 months since the completion of the preliminary assessment and based on this evaluation we could probably agree that we could design a safe feature of deletion in full compatibility with the GDPR and the directive if we prevent to fully redact reports for cases that are in status OPEN and for which 2 months have not passed since the preliminary assessment.
I consider that there is of course need for an official clarification by the EDPS on this matter and i point out that this would not be the first case in which the regulator would probably need to set an exception "intended to preserve evidence by preventing its destruction or alteration"; I'm quoting here an expression for example already used by the regulator on this matter included in Article 29 Working Party Opinion 1/2006.
\cc @susannaferro @giorgiofraschini @gianlucagilardi @rglauco @visslan
Motivation and context
Feature idea based on requirements of: