EDPB Annual Report 2021

The House of Data Imperiali bulletins are excerpts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Around May-June of each year the supervisory authorities release their annual reports on the activities carried out in the previous year: this has already been done by the CNIL (press version), among others, and likewise by the EDPB, while the Italian Garante’s report is expected soon.

The European Board (EDPB), in pursuit of its mission of deepening the discipline and ensuring consistency of approach between national supervisory authorities, produces a significant volume of documentation: guidelines, recommendations, as well as individual opinions and joint opinions with the EDPS.

The annual report, among other things, provides an opportunity for a summary overview of everything produced by the EDPB during the reporting year, while also keeping track of the state of completion of the documentation released, which often undergoes a public consultation process before the final version is published. In this bulletin we trace the activities outlined in the report and offer an updated summary, to be used as an observatory of the progress of work.

Major topics of 2021

The following slide offers an overview of the EDPB’s main 2021 guidelines and documentation.

[Slide: EDPB Annual Report 2021, main documents]

In 2021 the EDPB focused on the following topics:

  1. The international (i.e., outside the EU/EEA) transfer of personal data
  2. The impact resulting from the European Digital Strategy
  3. The legal framework of the Police Directive [Dir. (EU) 2016/680, also called “LED” from the English acronym “Law Enforcement Directive”]
  4. In-depth guidelines on specific topics of the regulation
  5. Enforcement of the GDPR

 

International transfer of personal data

The CJEU decision in the Schrems II case prompted the EDPB to adopt the final version of the Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Along with its opinion on the UK’s draft adequacy decision and its joint opinion with the EDPS on the Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA, the EDPB adopted the Guidelines on Codes of Conduct as Tools for Transfers. In doing so, the Board has taken care to ensure consistency between the new SCCs and the Recommendations on Supplementary Measures.

Opinions on the proposed UK adequacy decisions

The EDPB has issued two opinions on the European Commission’s draft decisions on the adequacy of personal data protection in the United Kingdom: 

  • Opinion 14/2021 “is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security included in the draft adequacy decision” (adopted on 4/13/2021) 
  • Opinion 15/2021 (adopted on 4/13/2021) is based on the Law Enforcement Directive (LED) and analyses the draft adequacy decision in the light of Recommendations 01/2021 on the adequacy referential under the LED (adopted on 2/2/2021). Reference was also made to relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.

Guidelines and opinions following Schrems II

Following the CJEU decision on the Schrems II case on personal data transfers outside the EU/EEA area, the EDPB released a number of documents in 2021:

  • Version 2.0 of the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (adopted on 6/18/2021) 
  • The EDPS-EDPB Joint Opinion 02/2021 on standard contractual clauses for the transfer of personal data to third countries in accordance with Art. 46(1)(c) GDPR

EU digital strategy

The EDPB, together with the EDPS, issued opinions on a number of European legislative initiatives under the European data strategy.

This includes a joint opinion on the proposed Data Governance Act (DGA) and the proposed Artificial Intelligence Act as well as a statement on the digital services package and the data strategy.

Statement 05/2021 on Data Governance Act

In addition to EDPB/EDPS Joint Opinion 03/2021 on the Data Governance Act (DGA) dated March 10, 2021, the EDPB issued Statement 05/2021 on the same topic, adopted on May 19, 2021.

EDPB/EDPS Joint Opinion 05/2021 on AIA

The proposed regulation on artificial intelligence submitted on April 21, 2021, was the subject of the joint EDPB/EDPS Opinion 05/2021, adopted on June 18, 2021. The document highlighted some critical issues of the proposal regarding its compatibility with the GDPR.

Statement on the Digital Services Package and Data Strategy

The “Statement on the Digital Services Package and Data Strategy” was adopted by the EDPB on November 18, 2021.