EDPB sets out priorities for 2024-2027 and clarifies implementation DPF redress mechanisms

1 day 4 hours ago

Brussels, 18 April - During its latest plenary, the EDPB adopted its strategy for 2024-2027. The strategy sets out the EDPB’s priorities, grouped around four pillars, as well as key actions per pillar to help achieve these objectives. These four pillars are:

  • Pillar 1 – Enhancing harmonisation and promoting compliance
  • Pillar 2 – Reinforcing a common enforcement culture and effective cooperation
  • Pillar 3 – Safeguarding data protection in the developing digital and cross-regulatory landscape
  • Pillar 4 – Contributing to the global dialogue on data protection

EDPB Chair Anu Talus said: “The new strategy takes the existing vision in a new direction in order to respond to the data protection needs of today, and the ever evolving digital landscape. The strategy is the result of a collaborative effort, involving all EU data protection authorities (DPAs) and sets out common priorities for the years to come.”

In the next four years, the EDPB will continue to promote compliance with data protection law by developing clear, concise and practical guidance on important topics, and by developing materials for a wider audience. In addition, enforcement cooperation will remain an important priority for the EDPB. The Board will continue building on the vision set out in its so-called Vienna Statement, and further develop EDPB initiatives in this area, such as the coordinated enforcement actions.

A new aspect of the strategy is the focus on the interplay with the new regulatory digital framework. New digital laws, such as the DMA or the DSA, have an impact on data protection and privacy. The EDPB will work to enhance cooperation with other regulatory authorities, with a view to embedding the right to data protection in the overall regulatory architecture. Furthermore, the EDPB will continue to pay special attention to challenges raised by new technologies, such as AI.

The strategy will be complemented by two work programmes, which will contain details about its implementation.

In addition, regarding the EU-US Data Privacy Framework (DPF), the EDPB adopted Rules of Procedure, a public information note and template complaint forms to facilitate the implementation of the redress mechanisms under the DPF.

The EDPB documents relate to two DPF redress mechanisms created to handle complaints by EU individuals. The redress mechanisms deal only with complaints concerning their respective competence - national security or commercial purposes - and only for data transmitted after 10 July 2023.

EDPB

EDPB: ‘Consent or Pay’ models should offer real choice

2 days 4 hours ago

Brussels, 17 April - During its latest plenary, the EDPB adopted an Opinion following an Art. 64(2) GDPR request by the Dutch, Norwegian and Hamburg Data Protection Authorities (DPAs). The Opinion addresses the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms.

EDPB Chair Anu Talus said: “Online platforms should give users a real choice when employing ‘consent or pay’ models. The models we have today usually require individuals to either give away all their data or to pay. As a result most users consent to the processing in order to use a service, and they do not understand the full implications of their choices.”

As regards ‘consent or pay’ models implemented by large online platforms, the EDPB considers that, in most cases, it will not be possible for them to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.

The EDPB considers that offering only a paid alternative to services which involve the processing of personal data for behavioural advertising purposes should not be the default way forward for controllers. When developing alternatives, large online platforms should consider providing individuals with an ‘equivalent alternative’ that does not entail the payment of a fee. If controllers do opt to charge a fee for access to the ‘equivalent alternative’, they should give significant consideration to offering an additional alternative. This free alternative should be without behavioural advertising, e.g. with a form of advertising involving the processing of less or no personal data. This is a particularly important factor in the assessment of valid consent under the GDPR.

The EDPB stresses that obtaining consent does not absolve the controller from adhering to all the principles outlined in Art. 5 GDPR, such as purpose limitation, data minimisation and fairness. In addition, large online platforms should also consider compliance with the principles of necessity and proportionality, and they are responsible for demonstrating that their processing is generally in line with the GDPR. 

As regards the need for consent to be freely given, the following criteria should be taken into account: conditionality, detriment, imbalance of power and granularity. For instance, the EDPB points out that any fee charged cannot make individuals feel compelled to consent. Controllers should assess, on a case-by-case basis, both whether a fee is appropriate at all and what amount is appropriate in the given circumstances. Large online platforms should also consider whether the decision not to consent may lead the individual to suffer negative consequences, such as exclusion from a prominent service, lack of access to professional networks, or risk of losing content or connections. The EDPB notes that negative consequences are likely to occur when large online platforms use a ‘consent or pay’ model to obtain consent for the processing.

Controllers also need to evaluate, on a case-by-case basis, whether there is an imbalance of power between the individual and the controller. The factors to be assessed include the position of the large online platforms in the market, the extent to which the individual relies on the service and the main audience of the service. 

Furthermore, the EDPB provides elements to assess the criteria of informed, specific and unambiguous consent that large online platforms should take into account when implementing ‘consent or pay’ models.

EDPB Chair, Anu Talus added: “Controllers should take care at all times to avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy. Individuals should be made fully aware of the value and the consequences of their choices.” 

In addition to this Art. 64(2) Opinion, the EDPB will also develop guidelines on ‘consent or pay’ models with a broader scope and will engage with stakeholders on these upcoming guidelines.


CSC elects 2nd Deputy Coordinator

1 week 2 days ago

The Coordinated Supervision Committee (CSC) has elected Matej Sironic from the Slovenian Data Protection Authority (DPA) as its Deputy Coordinator for a term of two years. Sironic will be the second Deputy Coordinator, and will work along with Sebastian Hümmeler from the Federal German DPA. A second Deputy was elected in order to keep up with the CSC’s expanding mandate. Together with CSC Coordinator, Clara Guerra, they will lead the work of the Committee.

The CSC ensures the coordinated supervision of the large EU Information Systems and of EU bodies, offices and agencies in accordance with Article 62 of Regulation 2018/1725 or with the EU legal act establishing the large scale IT system or EU body, office or agency. It was created within the framework of the European Data Protection Board (EDPB) and brings together the EU data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS), as well as the data protection authorities of the Non-EU Schengen Member States, when foreseen under EU law.

The CSC currently covers the Internal Market Information system (IMI), Eurojust, the European Public Prosecutor’s Office (EPPO), Europol and the Schengen Information System (SIS). Gradually, the Committee will also cover other IT systems, bodies, offices and agencies in the fields of Border, Asylum and Migration (EES, Eurodac, ETIAS, VIS, and their interoperability), Police and Justice Cooperation (ECRIS-TCN) and the next generation Prüm. You can find more information on the Committee here.

During its March meeting, the CSC also adopted recommendations for IMI actors on their data protection transparency obligations towards individuals. The recommendations aim to assist the IMI competent authorities in Member States, as data controllers, to better comply with their legal obligations. The recommendations will be disseminated to the national IMI coordinators by the relevant national DPAs. 


CEF 2024: Launch of coordinated enforcement on the right of access

1 month 2 weeks ago

Brussels, 28 February - The European Data Protection Board has kicked off its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 Data Protection Authorities (DPAs), including 7 German State-level DPAs, across the EEA will take part in this initiative on the implementation of the right of access.

During its October 2023 plenary, the EDPB selected the right of access for its third coordinated enforcement action, as it is at the heart of data protection and one of the most frequently exercised data protection rights, and one which DPAs receive many complaints about. In particular, it enables individuals to check whether their personal data is processed in a compliant manner by organisations. In addition, it often enables the exercise of the other data protection rights, such as the right to rectification and erasure.

In 2023, the EDPB adopted Guidelines on data subject rights - Right of access to help organisations respond to data access requests from individuals in line with the requirements set out in the GDPR. To gauge how organisations are complying with the right of access in practice, participating DPAs will implement the CEF in a number of ways:

  • organisations will be sent questionnaires to aid fact-finding exercises or to identify if a formal investigation is warranted;
  • commencement of a formal investigation; and/or
  • follow-up of ongoing formal investigations.

The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further supervision and enforcement actions. In addition, all results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis once the actions are concluded.

This series of actions is the third initiative under the Coordinated Enforcement Framework (CEF), which aims to streamline enforcement and cooperation among DPAs.

Previous coordinated actions looked into the use of cloud services by the public sector, in 2022, and the designation and position of Data Protection Officers, in 2023.


January plenary - adopted documents

1 month 3 weeks ago

EDPB clarifies notion of main establishment and calls on EU legislators to make sure CSAM Regulation respects rights to privacy and data protection

2 months ago

Brussels, 14 February - During its latest plenary, the EDPB adopted an Opinion on the notion of main establishment and on the criteria for the application of the One-Stop-Shop mechanism, following an Art. 64(2) GDPR request by the French Data Protection Authority (DPA). The Opinion clarifies the notion of a controller’s “main establishment” in the EU, in particular for cases where decisions regarding the processing are taken outside the EU.

EDPB Chair Anu Talus said: “The notion of main establishment is one of the cornerstones of the One-Stop-Shop. It is key in determining which, if any, DPA is the lead supervisory authority in cross-border data protection cases. The EDPB Opinion sheds further light on the conditions for controllers to access the One-Stop-Shop and provides further guidance for DPAs when determining which DPA is in the lead.” 

In its Opinion, the EDPB considers that a controller’s “place of central administration” in the EU can be considered as a main establishment under Art. 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and if it has the power to have such decisions implemented. The EDPB further explains that the One-Stop-Shop mechanism can only apply if there is evidence that one of the establishments of the controller in the Union takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. This means that, when the decisions on the purposes and means of the processing are taken outside of the EU, there should be no main establishment of the controller in the Union, and therefore the One-Stop-Shop should not apply.

This Opinion is the latest in a series of concrete actions taken by the EDPB following its Vienna Statement on cross-border enforcement, aiming to streamline enforcement and cooperation among DPAs. 

Next, the EDPB adopted a Statement on the legislative developments regarding the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. The Statement follows the EDPB-EDPS Joint Opinion on the European Commission’s Proposal for a Regulation and focuses on the latest legislative developments, in particular the position of the European Parliament of November 2023. 

The EDPB welcomes the many improvements proposed by the Parliament, such as exempting end-to-end encrypted communications from detection orders. However, the EDPB regrets that the text proposed by the Parliament does not seem to fully resolve important issues flagged by the EDPB and the EDPS related to general and indiscriminate monitoring of private communications in particular in relation to the issuing of detection orders. 

EDPB Chair Anu Talus said: “Child sexual abuse is a particularly heinous crime and requires effective solutions. It is important that any new legal instrument is unambiguous and respects the fundamental rights to privacy and data protection. An excessive level of access to online communications would undermine those important principles and may itself have negative impacts on the rights, and the safety, of both adults and children alike; we must be very careful of actions which ultimately do more harm than good. The EDPB is of the opinion that the wording proposed by the Parliament should provide appropriate guarantees that detection orders will be sufficiently targeted, to ensure that it can protect victims without disproportionally affecting the rights and freedoms protected by EU law.”

The EDPB stresses the importance to further limit the risk that those orders could affect persons who are unlikely to be involved in child sexual abuse-related crimes. Furthermore, the EDPB regrets that detection orders are not limited to child sexual abuse materials (CSAM) that are already known to authorities, despite the fact that the technologies used to detect new CSAM have proven in the past to have significant error rates.

During the plenary, the EDPB also discussed the scope of the guidance related to the ‘consent or pay’ model. In addition to the upcoming Art. 64(2) Opinion, which will address the ‘consent or pay’ model in the context of large online platforms, it was agreed that there is a need to subsequently develop Guidelines with a broader scope.

Finally, the EDPB nominated several representatives to take part in, respectively, the European Commission’s Data Privacy Framework review team, the Digital Markets Act High-Level Subgroup on Art. 5.2 DMA, and the Digital Services Act taskforce on age verification.


EDPB launches website auditing tool

2 months 3 weeks ago

The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. The tool was developed in the context of the EDPB Support Pool of Experts (SPE) and can be used by both legal and technical auditors at data protection authorities (DPAs), as well as by controllers and processors who wish to test their own websites. The tool is Free and Open Source Software under the EUPL 1.2 Licence and is available for download on code.europa.eu. The source code is available here.

The new tool allows preparing, carrying out and evaluating audits directly in the tool by a simple visit to the website in question. The tool is also compatible with other tools, such as the EDPS website evidence collector, and allows auditors to import and evaluate the results of audits carried out on those tools. Finally, the tool can generate reports. 

While several website auditing tools already exist, these usually require technical expertise. Therefore, the EDPB decided to develop a solution that would be easy to use in order to facilitate enforcement by national DPAs and compliance checks by controllers.

The software was developed by an SPE expert under the supervision of the EDPB Secretariat. It was presented to auditors from DPAs at the first EDPB Bootcamp in June 2023. Following positive feedback from the participants, it was decided to consolidate the software and publish it as Free and Open Source Software. A second version with new features is planned for later this year.

The Support Pool of Experts was developed as part of the EDPB 2021-2023 Strategy to help DPAs increase their capacity to enforce by developing common tools and giving them access to a wide pool of experts.


This Data Protection Day, meet the EDPB Chair!

2 months 3 weeks ago

On the occasion of Data Protection Day, we invite you to meet EDPB Chair Anu Talus, who was appointed in May 2023 for a mandate of 5 years. 

Check out the video below to learn all about how the Chair combines her work at the EDPB with her work as Finnish Data Protection Ombudsman and how both roles complement and enrich each other. 

Happy Data Protection Day from all of us at the EDPB! 

Happy Data Protection Day from all of us at the EDPB! (Finnish original: “Hyvää tietosuojapäivää meiltä kaikilta EDPB:ssä!”)


EDPB publishes OSS case digest on Security of Processing and Data Breach Notification

3 months ago

The EDPB has published a thematic one-stop-shop case digest on Security of Processing (Art. 32 GDPR) and Data Breach Notification (Art. 33 & 34 GDPR).

Since the entry into force of the GDPR, data protection authorities (DPAs) have closely cooperated to adopt a growing number of one-stop-shop decisions on data security and data breaches.

The case digest offers valuable insights on how DPAs have interpreted and applied GDPR provisions in diverse scenarios, such as hacking, ransomware, or accidental data disclosure.

Case handlers working within DPAs now have a rich pool of analyses of security incidents, along with the corresponding security measures found to be appropriate or not in the specific context.

The summary and analysis of these decisions are useful for organisations (both controllers and processors) when assessing whether their security measures are appropriate, both before and following a data breach.

This is the second instalment of the EDPB’s case digests, which look at a selection of one-stop-shop decisions taken from the EDPB’s public register. The one-stop-shop case digests are produced within the framework of the EDPB Support Pool of Experts, a strategic initiative that helps DPAs increase their capacity to supervise and enforce.

EDPB identifies areas of improvement to promote the role and recognition of DPOs

3 months ago

Brussels, 17 January - During its latest plenary, the EDPB adopted a report on the findings of its second coordinated enforcement action, which focused on the designation and position of Data Protection Officers (DPOs). The report is the result of an EU-wide coordinated investigation and lists the obstacles currently faced by DPOs, along with a series of recommendations to further strengthen their role. 

Anu Talus, EDPB Chair said: “The Coordinated Enforcement Framework (CEF) enables data protection authorities (DPAs) to cooperate more closely on selected topics in order to achieve better efficiency and more consistency. DPOs play an important part in contributing to compliance with data protection law and promoting effective protection of data subject rights. Through the CEF, DPAs investigated whether DPOs have the means to fulfil their tasks, as required by the GDPR. The report provides an analysis of the challenges faced by DPOs, along with points of attention and recommendations to address these challenges.”

In the course of 2023, 25 DPAs across the European Economic Area (EEA) (including the EDPS) launched coordinated investigations into this topic. Various organisations, as well as DPOs were contacted across the EEA, covering a wide range of sectors (both public and private entities), and more than 17,000 replies were received and analysed. Extensive data was collected offering valuable insights into the profile, position and work of DPOs 5 years after the entry into application of the GDPR. 

Despite some concerns and challenges faced by some DPOs (such as the lack of designation of a DPO, even if mandatory; insufficient resources or expert knowledge for the DPO; DPOs not being fully entrusted with the tasks required under data protection law; lack of independence or of reporting to the highest management), the results are encouraging. The majority of the DPOs surveyed declare that they have the necessary skills and knowledge to do their work and receive regular training; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. In addition, they indicate that they are consulted in most cases, and provided with sufficient information to fulfil their tasks, and their opinions are followed quite well. Moreover, most consider that they have the means to do their job. However, there are still too many DPOs who are not in such a position.

In order to address the challenges identified, the report lists some recommendations for organisations, DPOs and DPAs to strengthen DPOs’ independence and to guarantee that they have the necessary resources to carry out their tasks. Among others, the report encourages DPAs to carry out more awareness-raising activities, information and enforcement actions. The report also encourages organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments.

The report is accompanied by two appendices: the statistics gathered during this action and the national reports of each participating DPA.

The CEF is a key action of the EDPB under its 2021-2023 Strategy, aimed at streamlining enforcement and cooperation among DPAs. The CEF 2024 action will be on the implementation of the right of access by data controllers.
