Today, the European Data Protection Board (EDPB) presented its Annual Report 2020. The report provides a detailed overview of the work carried out by the EDPB in a year marked by the worldwide pandemic.
EDPB Chair, Andrea Jelinek said: “2020 and the COVID-19 pandemic significantly altered how we live and work. Given the increasing presence of data-driven technologies in addressing the pandemic, the awareness of data protection rights among individuals and organisations has never been more critical. It is important to note that the 2020 lockdowns in all our countries did not mean a slowdown of the EDPB’s activities. 2020 was marked by many major developments in the EU data protection legal sphere, requiring the EDPB’s expertise and guidance.”
During the COVID-19 pandemic, EEA Member States began taking measures to monitor, contain and mitigate the spread of the virus. The EDPB issued guidance on, amongst others, location and contact-tracing apps; processing health data for scientific research; restrictions on data subject rights in a state of emergency and data processing in the context of reopening borders.
The Court of Justice of the European Union’s ruling in Schrems II had significant implications for EEA-based entities that transfer data to the U.S. and other third countries. The EDPB issued an FAQ document, followed later by Recommendations for Supplementary Measures when using International transfer tools, to ensure compliance with the level of protection required under EU law, and Recommendations on European Essential Guarantees contributing to the assessment of surveillance measures allowing access to personal data by public authorities in third countries. The Recommendations for Supplementary Measures were subject to a public consultation. The EDPB received over 200 contributions from various stakeholders, which it is currently analysing.
During 2020, the EDPB defined its Strategy for 2021-2023, which covers four main pillars with strategic objectives:
Advancing harmonisation and facilitating compliance;
supporting effective enforcement and efficient cooperation between national supervisory authorities;
a fundamental rights approach to new technologies and
the global dimension. For each of the pillars, a set of key actions are defined to help achieve these objectives. In early 2021, the EDPB adopted its two-year work programme for 2021-2022. The work programme follows the priorities set out in the EDPB 2021-2023 Strategy and will put the EDPB’s strategic objectives into practice.
In 2020, the EDPB adopted 10 Guidelines on topics such as the concepts of controller and processor; and targeting of social media users, as well as three Guidelines in their final, post-consultation versions (on video devices, the right to be forgotten and data protection by design and default).
In addition to providing guidance, ensuring consistency in enforcement and cooperation between national authorities is a key task of the EDPB. In 2020, the EDPB issued 32 Opinions under Art. 64 GDPR. Most of these Opinions concern draft accreditation requirements for a code of conduct monitoring body or a certification body, as well as Controller Binding Corporate Rules for various companies.
On 9 November 2020, the EDPB adopted its first dispute resolution decision on the basis of Art. 65 GDPR. The binding decision addressed the dispute that arose after the Irish SA, acting as Lead SA, issued a draft decision regarding Twitter International Company and the subsequent relevant and reasoned objections expressed by a few Concerned SAs.
The GDPR requires the EEA SAs to cooperate closely to ensure the consistent application of the GDPR and protection of individuals’ data protection rights across the EEA.
Between 1 January and 31 December 2020, there were 628 cross-border cases out of which 461 originated from a complaint, while 167 had other origins, such as investigations, legal obligations and/or media reports.
The One-Stop-Shop mechanism demands cooperation between the LSA and the CSAs. The LSA leads the investigation and plays a key role in the process of reaching consensus between the CSAs, in addition to working towards reaching a coordinated decision about the data controller or processor. Between 1 January 2020 and 31 December 2020, there were 203 draft decisions, of which 93 resulted in final decisions.
The mutual assistance procedure allows SAs to ask for information from other SAs or to request other measures for effective cooperation, such as prior authorisations or investigations. Between 1 January 2020 and 31 December 2020, SAs initiated 246 formal mutual assistance procedures. They initiated 2,258 informal mutual assistance procedures. Mutual assistance is also used by the SAs requesting the competent SA to handle complaints they received which do not relate to cross-border processing as defined by the GDPR.
To read the EDPB Annual Report 2020, click here.
Note to editors:
The European Data Protection Board (EDPB) is an independent European body, established by the General Data Protection Regulation (GDPR), which aims to ensure the consistent application of data protection rules across the European Economic Area (EEA). It achieves this aim by promoting cooperation between national Supervisory Authorities (SAs) and issuing general, EEA-wide guidance regarding the interpretation and application of data protection rules.
The EDPB comprises the Heads of the EU SAs and the European Data Protection Supervisor (EDPS). The European Commission has the right to participate in the activities and meetings of the EDPB without voting rights. The SAs of the EEA countries (Iceland, Liechtenstein and Norway) are also members of the EDPB, although they do not hold the right to vote.