The EDPB adopted a letter in reply to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) regarding the Second Additional Protocol to the Cybercrime Convention, and in view of the two European Commission Proposals for Council Decisions authorising Member States to sign and ratify the Protocol.
In its reply, the EDPB recalls that the level of protection of personal data transferred to third countries resulting from the Protocol must be essentially equivalent to the EU level of protection. The EDPB also refers to the EDPS Opinion on the Commission proposals and highlights some of its crucial points.
The EDPB welcomes the safeguards included in the Protocol, such as the provisions on oversight. However, the EDPB regrets that the Protocol does not ensure that, as a general rule, information to individuals related to access is provided free of charge.
The EDPB recommends that Member States reserve the right not to apply the direct cooperation provision enabling third country authorities to directly request EU service providers to disclose certain types of data (access numbers). This would help to ensure a more substantial involvement of EU judicial or other independent authorities in the review of such requests.
Following public consultation, the EDPB adopted a final version of the Guidelines on Codes of Conduct as a tool for transfers, taking into consideration the feedback received from stakeholders. The main purpose of the guidelines is to clarify the application of Articles 40(3) and 46(2)(e) GDPR. These provisions stipulate that, once approved by a competent Supervisory Authority (SA) and after having been granted general validity within the European Economic Area (EEA) by the European Commission, a code may also be adhered to and used by controllers and processors in a third country to provide appropriate safeguards for transfers of data outside of the EEA.
The EDPB adopted a letter on AI liability. In its letter, the EDPB welcomes the European Commission’s initiative to adapt liability rules to the digital age and artificial intelligence (AI), in light of the evaluation of the Product Liability Directive. Among other things, the EDPB considers it relevant to strengthen the liability regime of providers of AI systems, so that processors and controllers can rely on those systems with confidence. In addition, AI systems should be explainable by design and providers of AI systems should embed security by design throughout the entire lifecycle of the AI.
Finally, the EDPB designated Georgia Panagopoulou (EL SA) as representative and Konstantinos Limniotis (EL SA) as substitute to take part in ENISA’s newly formed Stakeholder Cybersecurity Certification Group (SCCG). The SCCG will advise ENISA and the European Commission on strategic issues regarding cybersecurity certification.
Note to editors:
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.