Privacy & Information Security Law Blog

On May 18, 2020, the European Data Protection Board (“EDPB”) released its Annual Report (the “Report”) providing details of the EDPB’s work in 2019. This included publication of guidelines, binding decisions and general guidance on the interpretation of EU data protection law.

The EDPB adopted five new guidelines in 2019, providing clarification on the law. These related to codes of conduct and establishment of monitoring bodies under the EU General Data Protection Regulation (“GDPR”), reliance on the contractual necessity legal basis in the context of providing online services, processing of personal data through video devices, the principle of Data Protection by Design and by Default, and the right to be forgotten by search engines. The final two sets of guidance remained open to public consultation into 2020, and will likely be adopted in final form later this year.

Separately, three sets of guidelines that were adopted in draft form in 2018, covering certification and identifying certification criteria, accreditation and certification bodies, and territorial scope, were also finalized and formally adopted in 2019, following public consultation.

The EDPB adopted 16 Consistency Opinions in 2019, a number of them regarding the draft lists on processing operations triggering the requirement for a data protection impact assessment under the GDPR. Member State data protection authorities (“DPAs”) are required to share any draft decisions that have cross border effects under the GDPR with the EDPB before they are implemented, in order for the EDPB to issue an opinion on them.

The EDPB further referred to its participation in joint reviews of the EU-U.S. Privacy Shield adequacy decision, and its adoption of a statement on the use of personal data in the course of political campaigns.

The EDPB acknowledged issues that have been encountered by national regulators when invoking the GDPR’s cooperation and consistency mechanism to ensure that individuals’ data protection rights are consistently protected. These challenges were primarily due to differences in national procedural laws (such as differences in complaint handling procedures between Member States) and differing levels of resources available to regulators. Despite these challenges, the EDPB stated that it is convinced that cooperation between DPAs will result in a common data protection culture and consistent monitoring practices. It will continue, through its Secretariat, to provide logistical support to some types of DPA coordination.

Finally, the Report sets out the EDPB’s key objectives for 2020, including its intention to provide guidance on data controllers and processors, data subject rights and the concept of the legitimate interest legal basis for processing. The EDPB also intends to publish guidance on the implications for data protection in the context of fighting COVID-19 (having already published guidance on specific COVID-related topics such as the use of contact tracing tools and the processing of health data for scientific research), and set out its intention to “intensify its work in the context of advanced technologies, such as connected vehicles, blockchain, artificial intelligence, and digital assistants.”

Read the full report.