The European Data Protection Board has held its latest Plenary meeting. EU Commissioner for Justice Didier Reynders participated in the Plenary meeting, presenting the draft adequacy decision for the EU-US Data Privacy Framework to the Board. The Board is currently working on its opinion on the draft decision, and said that it will be finalised in the coming weeks.
The EDPB has also adopted a report on the findings of its first coordinated enforcement action, which focused on the use of cloud-based services by the public sector. The EDPB emphasises the need for public bodies to act in full compliance with the GDPR and the report includes recommendations for public sector organisations when using cloud-based products or services. In addition, it has made available a list of actions already taken by data protection authorities in the field of cloud computing.
In 2022, 22 data protection authorities launched coordinated investigations into the use of cloud-based services by the public sector. The investigations considered around 100 public bodies across the EEA, including European institutions, covering a wide range of sectors (for example, health, finance, tax, education, buyers and providers of IT services).
The Coordinated Enforcement Framework is a key action of the EDPB under its 2021-2023 Strategy, aimed at streamlining enforcement and cooperation among data protection authorities. The Coordinated Enforcement Framework 2023 action will be on the designation and role of the Data Protection Officer.
In addition, the EDPB adopted a report on the work undertaken by the Cookie Banner Task Force, which was established in September 2021 to coordinate the response to complaints concerning cookie banners filed with several EEA data protection authorities by NGO NOYB. The Task Force aimed to promote cooperation, information sharing and best practices between the data protection authorities, which was instrumental in ensuring a consistent approach to cookie banners across the EEA. In the report, the data protection authorities agreed upon a common denominator in their interpretation of the applicable provisions in the ePrivacy Directive and the GDPR, on issues such as reject buttons, pre-ticked boxes, banner design, or withdraw icons.