On December 15th, the EDPB met for its 43rd plenary session. During the plenary, a wide range of topics was discussed.
The EDPB adopted its Strategy 2021-2023, which sets out the Board’s strategic objectives, grouped around four pillars, as well as three key actions per pillar to help achieve these objectives. The four main pillars of the EDPB Strategy are:
• advancing harmonisation and facilitating compliance;
• supporting effective enforcement and efficient cooperation between national supervisory authorities;
• a fundamental rights approach to new technologies and;
• the global dimension.
The Strategy will also be implemented through a Work Programme, which will further detail the EDPB’s actions. This Work Programme will be adopted in early 2021.
As part of its 2021-2023 Strategy, the EDPB decided to establish a Support Pool of Experts (SPE) on the basis of a pilot project. The goal is to provide material support to EDPB Members in the form of expertise that is useful for investigations and enforcement activities and to enhance cooperation and solidarity between EDPB Members by sharing, reinforcing and complementing strengths and addressing operational needs.
The EDPB issued a statement on the end of the Brexit transition period in which it describes the main implications of the end of this period for data controllers and processors. In particular, the EDPB underlined the issue of data transfers to a third country as well as the consequences in the area of regulatory oversight and the One-Stop-Shop (OSS) mechanism. The Brexit transition period, during which the UK Supervisory Authority is still involved in the EDPB’s administrative cooperation, expires at the end of 2020. Additionally, the EDPB adopted an information note on data transfers under the GDPR after the Brexit transition period ends.
The EDPB adopted Guidelines on restrictions of data subject rights under Article 23 GDPR. The guidelines aim to recall the conditions surrounding the use of such restrictions in light of the Charter of Fundamental Rights and the GDPR. They provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Art. 23 GDPR. The EDPB recalls that any restriction needs to respect the essence of the right that is being restricted and that restrictions that are extensive and intrusive to the extent that they void the fundamental right to the protection of personal data of its basic content cannot be justified. Additionally, the guidelines analyse how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Article 23(1) GDPR and the obligations and rights which may be restricted. An explanation of the "necessity and proportionality" test that restrictions need to pass based on Article 23(1) GDPR is also provided. The guidelines will be submitted for public consultation for a period of 8 weeks.
Following public consultation, the EDPB adopted a final version of the Guidelines on the interplay of the Second Payment Services Directive (PSD2) and the GDPR. The guidelines aim to provide further guidance on the data protection aspects in the context of the PSD2, in particular on the relationship between relevant provisions in the GDPR and the PSD2. To address comments received during the public consultation, among others, a section on fraud prevention was included.
Also following public consultation, the EDPB adopted a final version of the Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies. These articles address transfers of personal data from EEA public authorities or bodies to public bodies in third countries, where these transfers are not covered by an adequacy decision. The final version of the guidelines integrates updated wording, and legal reasoning in order to address comments and feedback received during the public consultation, as well as necessary changes following the Schrems II ruling.
The EDPB also adopted a statement on the protection of personal data processed in relation with the prevention of the use of the financial system for the purposes of money laundering and terrorist financing. The EDPB considers it a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the CJEU. Therefore, the EDPB calls on the European Commission to be involved in the drafting process of any new anti-money laundering legislation from the early stages and states its readiness to contribute to discussions within the Council and the European Parliament, as well as to be consulted in a timely manner by any European or international regulatory body.
Finally, the EDPB adopted an Art. 64 opinion on the draft decision regarding Equinix’s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Dutch SA. The EDPB would like to recall that the Article 29 WP 256/257 referentials* are currently being revised and that BCR holders will be required to modify their BCRs and incorporate any additional commitments that may need to be included in the BCRs in accordance with such updated referentials.