The EDPB met for its 43rd plenary session. During the plenary, a wide range of topics was discussed.
Firstly, the EDPB adopted its Strategy 2021-2023, which sets out the Board’s strategic objectives, with four key points:
- advancing harmonisation and facilitating compliance;
- supporting effective enforcement and efficient cooperation between national supervisory authorities;
- a fundamental rights approach to new technologies; and
- the global dimension.
The Strategy will also be implemented through a Work Programme, which will provide further detail about the EDPB’s action plan. The Work Programme will be adopted in early 2021.
The EDPB issued a statement on the end of the Brexit transition period in which it describes the main implications of the end of the transition period for data controllers and processors. In particular, the EDPB emphasised the issue of data transfers to a third country as well as the consequences in the area of regulatory oversight and the One-Stop-Shop mechanism. The Brexit transition period, during which the ICO is still involved in the EDPB’s administrative cooperation, expires at the end of 2020. Additionally, the EDPB adopted an information note on data transfers under the GDPR after the Brexit transition period ends.
The EDPB also adopted Guidelines on restrictions of data subject rights under Article 23 GDPR. The guidelines highlight the conditions surrounding the use of such restrictions in light of the Charter of Fundamental Rights and the GDPR. They analyse the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Article 23 GDPR. The EDPB notes that any restriction needs to respect the essence of the right that is being restricted and that restrictions that are extensive and intrusive to the extent that they void the fundamental right to the protection of personal data of its basic content cannot be justified. Additionally, the guidelines analyse how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Article 23(1) GDPR and the obligations and rights which may be restricted. An explanation of the “necessity and proportionality” test that restrictions need to pass based on Article 23(1) GDPR is also included. The guidelines are open for consultation until 12 February 2021.
Following public consultation, the EDPB has adopted a final version of the Guidelines on the interplay of the Second Payment Services Directive (PSD2) and the GDPR. The guidelines aim to provide further guidance on the data protection aspects in the context of the PSD2, in particular on the relationship between relevant provisions in the GDPR and the PSD2. Following the consultation, a section on fraud prevention was included.
Also following public consultation, the EDPB adopted a final version of the Guidelines on Articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies. These articles address transfers of personal data from EEA public authorities or bodies to public bodies in third countries, where these transfers are not covered by an adequacy decision. The final version of the guidelines integrates updated wording and legal reasoning in order to address comments and feedback received during the public consultation, as well as necessary changes following the Schrems II ruling.
The EDPB also adopted a statement on the protection of personal data processed to prevent the use of the financial system for money laundering and terrorist financing. The EDPB considers it a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection in Articles 7 and 8 of the Charter of Fundamental Rights of the EU, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the CJEU. Therefore, the EDPB calls on the European Commission to be involved in the drafting process of any new anti-money laundering legislation from the early stages and states its readiness to contribute to discussions within the Council and the European Parliament, as well as to be consulted in a timely manner by any European or international regulatory body.
Finally, the EDPB adopted an Art. 64 opinion on the draft decision regarding Equinix’s Controller Binding Corporate Rules (BCRs), submitted by the Dutch data protection authority. The EDPB says that the Article 29 WP 256/257 referentials are currently being revised and that BCR holders will be required to modify their BCRs and incorporate any additional commitments that may need to be included in the BCRs in accordance with such updated referentials.