EDPB adopts Contribution to evaluation of Law Enforcement Directive, SPE project plan, response to MEP Ujhelyi on Pegasus, final version of Guidelines on examples regarding data breach notifications

Dec 15, 2021

Source: European Data Protection Board

The EDPB and the individual Supervisory Authorities (SAs) contributed to the evaluation and review of the Data Protection Law Enforcement Directive (LED), carried out by the European Commission in accordance with Art. 62 LED. The LED aims to provide a harmonised level of data protection for individuals in the area of law enforcement across the EU.

The past four years have been characterised primarily by the national processes to transpose the Directive. Because of its recent implementation, there is limited experience and empirical data on some parts of the LED. Therefore, the EDPB is of the opinion that it is too early to draw conclusions on the effectiveness of the LED or to consider its revision.
The EDPB strongly urges those Member States still in the phase of the implementation to invest all means possible to ensure that the transposition is fully compliant with the LED without any further delays.

In its contribution, the EDPB reaffirms its commitment to continue providing guidance on the interpretation of the LED. In addition, the EDPB remains committed to providing independent assessments of future draft adequacy decisions, elaborated by the European Commission, with regard to the requirements of LED, especially enforceable rights, effective redress and safeguards concerning onward transfers.

The EDPB stresses that the effective implementation of the tasks under the LED requires the availability of the necessary resources, both human and technical, and calls on the Member States to ensure that the resources of SAs increase in proportion to their workload.

As part of the implementation of the EDPB 2021-2023 strategy and following the establishment of a Support Pool of Experts (SPE), the EDPB has now agreed on the SPE’s project plan. The SPE aims to provide material support to EDPB Members in the form of expertise that is useful for investigations and enforcement activities and to enhance cooperation and solidarity between EDPB Members by sharing, reinforcing and complementing strengths, and addressing operational needs.

The EDPB adopted a reply to MEP Ujhelyi on hacking spyware Pegasus. In its reply, the EDPB highlights that the Board and its Members pay, and will continue to pay, particular attention to the current developments related to the interferences with the fundamental rights to privacy and data protection through surveillance measures. The EDPB adds that protection of journalists and their sources is a cornerstone of the freedom of the press. The EDPB is competent in the matter of the alleged use of the Pegasus software mainly if and as far as it is deployed for purposes under the GDPR and the LED. The EDPB, however, notes that according to the applicable Union law, it does not have the same competences, tasks and powers as national SAs, and that concerning the particular case at stake, the Hungarian National Authority for Data Protection and Freedom of Information has competency to carry out the investigation procedure regarding the alleged use of spyware by Hungarian authorities. The EDPB remains ready to support all members of the EDPB in such matters.
Following public consultation, the EDPB adopted a final version of the Guidelines on examples regarding data breach notifications. These guidelines complement the Article 29 Working Party guidance on data breach notification by introducing more practice orientated guidance and recommendations. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. Following public consultation, the Guidelines were updated to reflect comments received.

Note to editors:
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

 

Recent news

Dutch DPA fines Transavia for poor personal data security

Background information Date of final decision: 23 September 2021 Cross-border case or national case: cross-border case If cross-border, LSA: Netherlands and CSAs: Ireland, France, Belgium, Denmark, Poland, Cyprus, Italy, Baden-Württemberg, Austria, Finland, Sweden,...

read more