43rd EDPB Meeting

December 17th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 42nd EDPB meeting
    2. Draft agenda of the 43rd EDPB meeting
  2. Consistency mechanism, Guidelines and EDPB
    1. Key Provision ESG
      1. Guidelines on restrictions under Article 23 GDPR
    2. Financial Matters ESG
      1. Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (after public consultation)
    3. International Transfer ESG
      1. Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (after public consultation)
  3. Current Focus of the EDPB Members
    1. Data Governance Act COM (2020) 767 proposal – presentation by European Commission
    2. Information about the European Commission request for a joint EDPS-EDPB opinion regarding the Data Governance Act
    3. EDPB Strategy
    4. Support Pool of Experts
    5. Request for information from the European Commission regarding Brexit state of play (end of transitional period as well as the impact on EU-UK data flows and further information on possible adequacy decisions)
    6. Information note on data transfers under the GDPR to the United Kingdom after the Brexit transition period
  4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Cooperation ESG
      1. [BREXIT] Involvement of the UK SA in cooperation and consistency mechanisms
      2. Review of the internal documents on local cases
      3. Handling cross border complaints against public bodies or authorities – request for mandate
      4. Guidelines on handling complaints: revision of the mandate – request for mandate
    2. Compliance, e-Government and Health ESG
      1. Guidelines on certification criteria assessment – request for mandate
    3. Financial Matters ESG
      1. Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing
    4. International Transfers ESG
      1. Art. 64 GDPR Opinion on the draft decision of the Dutch Supervisory Authority regarding the Controller Binding Corporate Rules of Equinix
    5. Compliance, e-Government and Health ESG
      1. Stakeholder event on processing of data for medical and scientific research purposes – request for mandate
    6. Technology ESG
      1. Guidelines on anonymisation / pseudonymisation – request for mandate
    7. EDPB Secretariat
      1. 2021 February plenary
      2. Survey future meetings post COVID
  5. Any other business

42nd EDPB Meeting

November 19th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 41st EDPB meeting
    2. Draft agenda of the 42nd EDPB meeting
    3. Publication of minutes of 40th Plenary meeting
    4. Request to extend the deadline for public consultation re recommendation 01/2020 on sup. measures
  2. Current Focus of the EDPB Members
    1. Presentation by the European Commission of the new (updated) two sets of SCCs
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Technology ESG
      1. Statement on eprivacy regulation
      2. Letter to News Media Europe and others regarding cookie walls
    2. International Transfer ESG
      1. Template for BCR approval decision by a supervisory authority
  4. Any other business
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 40th EDPB meeting
    2. Draft agenda of the 41st EDPB meeting
  2. Current Focus of the EDPB Members
    1. Art. 65 ongoing procedure
    2. Draft Art. 65 Decision
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data
    2. Update of the European Essential Guarantees recommendations

With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.

(more…)

The European Data Protection Board (EDPB) published two sets of new guidelines on 2 September 2020, on the concepts of controller and processor (Guidelines 07/2020, the Guidelines) and on the targeting of social media users (Guidelines 08/2020 – see our Alert here). The earlier aims to replace the previous opinion by EDPB’s predecessor, the WP29, on these concepts by clarifying the main concepts of “controller”, “joint-controllers” and “processor” and by specifying the consequences attached to these notions.

(more…)

With close to one billion active users on social media, platforms and businesses are constantly rolling out new features, upgrading their ad tools and creating new ways to engage with users, moving away from traditional marketing strategies. Those emerging practices are also extensively relying on data analyses to gain insights and enhance more targeted opportunities, therefore shifting platforms and businesses’ focus on revenue.

The evolution towards increasingly personalized marketing practices occurs in parallel with end-users’ awareness of data protection frameworks, which may lead to a rift between transparency expectations towards complex advertising solutions based not only on personal data provided by the users themselves, but also in conjunction with other data collected by social media providers or third parties. Recent headlines about the roles played by social media targeting on democratic decision-making and electoral processes reinforce such perceptions.

(more…)

Link to official PDF version.

The European Data Protection Board

Having regard to Article 70(1)(e) of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

HAS ADOPTED THE FOLLOWING GUIDELINES

(more…)

EXECUTIVE SUMMARY

The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA).

The concepts of controller, joint controller and processor are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties and autonomous concepts in the sense that they should be interpreted mainly according to EU data protection law.

(more…)

The long awaited Schrems II decision was published by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II) and while it has already been summarized as the death blow to the Privacy Shield framework and the confirmation of the validity of the Standard Contractual Clauses (SCCs) by many, it may only be a Pyrrhic victory for the latter, as far as transfers to the US are concerned.

(more…)

With the recent decision from the Court of Justice of the European Union (CJEU) invalidating the Privacy Shield framework (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II – see our alert here) and subjecting the Standard Contractual Clauses (SCCs) to higher standard of enforcement, global companies with the need to transfer data across the world, and especially across the Atlantic, are now required to re-assess their data transfer mechanisms.

While both Privacy Shield and the SCCs predates the General Data Protection Regulation 2016/79 dated 27 April 2016, which enter into force on 25 May 2018 (GDPR) , the new regulation aimed at providing stakeholders with additional tools to self-regulate and safeguard the privacy of individuals in the European Union

Among them, and while still confidential, the implementation of codes of conduct is encouraged under Art. 40 GDPR and by the dedicated Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/79 dated 04 June 2019 of the European Data Protection Board (EDPB). As a matter of fact, the advantages of such codes of conducts go beyond the mere facilitation of data transfers, and provide data controllers and data processors alike with a complete sectorial framework for GDPR compliance.

(more…)