Around May-June of each year the supervisory authorities release their annual report for their activities carried out in the previous year: this has already been done by the CNIL (press version), among others, and likewise by the EDPB, while the Italian Garante’s report is expected soon.
The European Board (EDPB), in pursuit of its mission of deepening the discipline and ensuring consistency of approach between national supervisory authorities, has a significant documentation output, represented by guidelines, recommendations, as well as individual and joint opinions with EDPS.
The annual report, among other things, provides an opportunity for a summary overview of everything produced by the EDPB during the reporting year, while also having under track the state of completion of the documentation released, which often undergoes the public consultation process before the final version is published. In this bulletin we will trace the activities outlined in the report and will try to offer an update summary, to be used as an observatory of the progress of work.
Major topics of 2021
The following slide offers an overview of the main EDPB’s 2021 Guidelines and documentation.
The EDPB dwelt in 2021 on the following topics:
- The international (i.e., outside the EU/EEA) transfer of personal data
- The impact resulting from the European Digital Strategy.
- The legal framework of the Police Directive [Dir. (EU) 2016/680 also called “LED” from the English acronym “Law Enforcement Directive”]
- In-depth guidelines on specific topics of the regulation
- Enforcement Application of the GDPR.
International transfer of personal data
The CJEU decision in the Schrems II case prompted the EDPB to adopt the final version of the Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
Along with its opinion on the UK’s draft adequacy decision and its joint opinion with EDPS on the Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA, EDPB adopted the Guidelines on Codes of Conduct as Tools for Transfers. In this perspective, the Board has taken care to ensure consistency between the new SCCs and the Recommendations on Supplementary Measures.
Opinions on proposed adequacy decisions UK
The EDPB has issued two opinions on the European Commission’s draft decisions on the adequacy of personal data protection in the United Kingdom:
- Opinion 14/2021 “is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security included in the draft adequacy decision” (adopted on 4/13/2021)
- Opinion 15/2021 adopted on (4/13/2021) is based on the Law Enforcement Directive (LED) and analyses the draft adequacy decision in the light of Recommendations 01/2021 on the adequacy referential under the LED (adopted on 2/2/2021). Reference was also made to relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
Guidelines and opinions following Schrems II
Following the CJEU decision on the Schrems II case on personal data transfers outside the EU/EEA area, the EDPB released a number of documents in 2021:
- Version 2.0 of the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (adopted on 6/18/2021)
- The EDPS-EDPB Joint Opinion 02/2021 on standard contractual clauses for the transfer of personal data to third countries in accordance with Art. 46(1)(c) GDPR
EU digital strategy
The EDPB, together with the EDPS, issued opinions on a number of European legislative initiatives under the European data strategy.
This includes a joint opinion on the proposed Data Governance Act (DGA) and the proposed Artificial Intelligence Act as well as a statement on the digital services package and the data strategy.
Statement 05/2021 on Data Governance Act
EDPB/EDPS Joint Opinion 05/2021 on AIA
The proposed regulation on artificial intelligence submitted on April 21, 2021, was the subject of the joint EDPB/EDPS Opinion 05/2021, adopted on June 18, 2021. The document highlighted some critical issues of the proposal regarding its compatibility with the GDPR.
Statement on the Digital Services Package and Data Strategy
The “Statement on the Digital Services Package and Data Strategy” was adopted by the EDPB on November 18, 2021.