Today, Andrea Jelinek, Chair of the European Data Protection Board (EDPB) presented the EDPB Annual Report 2021. The report provides a detailed overview of the work carried out by the EDPB in the last year.
EDPB Chair, Andrea Jelinek said: “2021 was the EDPB’s fourth year of existence and the first year of implementation of the multiannual EDPB Strategy 2021-2023. It was a very productive year, in which we completed many key actions to reach the objectives set out in our Strategy. Although we continued working mostly remotely due to the continuing impact of the COVID-19 pandemic, we made significant progress on a number of important files. To make this possible, we held over 380 EDPB meetings, including plenaries and expert subgroup meetings.”
In early 2021, the EDPB adopted its two-year Work Programme for 2021-2022. The Work Programme follows the priorities set out in the Strategy for 2021-2023 and puts the EDPB’s strategic objectives into practice. The Work Programme and Strategy helped guide the EDPB’s work in 2021 and will continue to guide its work in the years to come.
Over the past year, the EDPB continued to pay a great deal of attention to international transfers of personal data. In 2021, the EDPB adopted its final version of the Recommendations on supplementary measures following the Schrems II ruling by the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation. In addition, the EDPB adopted opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive (LED), as well as its opinion on the draft adequacy decision for the Republic of Korea. The EDPB also adopted guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA.
A second area in which the EDPB carried out important work, was digital policy. Among others, the EDPB and EDPS adopted joint opinions on the proposal for a Data Governance Act (DGA) and the draft Artificial Intelligence Act. Furthermore, the Members of the Board adopted a statement on the Digital Service Package and Data Strategy.
Law Enforcement formed another priority area for the EDPB in 2021. Not only did the EDPB adopt its first opinion on an adequacy decision under the LED, the EDPB also adopted recommendations on the LED adequacy referential, aiming to standardise the adequacy procedure under the LED. In addition, the EDPB carried out an evaluation of the LED itself.
In 2021, the EDPB adopted 8 guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, as well as 6 guidelines and recommendations in their final version following public consultation.
Another key task of the EDPB is to ensure consistency in enforcement and cooperation between national authorities. In 2021, the EDPB adopted 35 Art. 64 GDPR consistency opinions. Most of these opinions concern binding corporate rules and accreditation requirements for certification bodies and code of conduct monitoring bodies.
In July 2021, the EDPB adopted its very first Art. 66 GDPR Urgent Binding Decision following a request from the Hamburg supervisory authority (SA), which had adopted provisional measures against Facebook Ireland ltd.
In the same month, the EDPB also adopted its second Art. 65 GDPR binding decision which sought to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA, acting as lead SA, regarding WhatsApp Ireland Ltd. and the subsequent objections expressed by a number of concerned supervisory authorities.
The GDPR requires the EEA SAs to cooperate closely to ensure the consistent application of the GDPR and protection of individuals’ data protection rights across the EEA.
Between 1 January and 31 December 2021, there were 506* cross-border cases out of which 375 originated from a complaint, while 131 had other origins, such as investigations, legal obligations and/or media reports.
The One-Stop-Shop mechanism demands cooperation between the LSA and the CSAs. The LSA leads the investigation and plays a key role in the process of reaching consensus between the CSAs, in addition to working towards reaching a coordinated decision about the data controller or processor. Between 1 January 2021 and 31 December 2021, there were 209 draft decisions, of which 141 resulted in final decisions.
The mutual assistance procedure allows SAs to ask for information from other SAs or to request other measures for effective cooperation, such as prior authorisations or investigations. Between 1 January 2021 and 31 December 2021, SAs initiated 243 formal mutual assistance procedures. They initiated 2418 informal mutual assistance procedures. Mutual assistance is also used by the SAs requesting the competent SA to handle complaints they received which do not relate to cross-border processing as defined by the GDPR.
To read the EDPB Annual Report 2021, click here
Note to editors:
* References to case register entries in these statistics do not have a 1-to-1 correlation to the number of cross-border complaints handled per country as multiple complaints may be bundled in one case register entry which therefore can relate to multiple cross-border cases. Depending on the Member State legislation, supervisory authorities may have handled complaints outside of the Art. 60 procedure in accordance with their national law.
The European Data Protection Board (EDPB) is an independent European body, established by the General Data Protection Regulation (GDPR), which aims to ensure the consistent application of data protection rules across the European Economic Area (EEA). It achieves this aim by promoting cooperation between national Supervisory Authorities (SAs) and issuing general, EEA-wide guidance regarding the interpretation and application of data protection rules.
The EDPB comprises the Heads of the EU SAs and the European Data Protection Supervisor (EDPS). The European Commission has the right to participate in the activities and meetings of the EDPB without voting rights. The SAs of the EEA countries (Iceland, Liechtenstein and Norway) are also members of the EDPB, although they do not hold the right to vote.