The EDPB adopted a letter in reply to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) regarding the Second Additional Protocol to the Cybercrime Convention, and in view of the two European Commission Proposals for Council Decisions authorising Member States to sign and ratify the Protocol.
In its reply, the EDPB recalls that the level of protection of personal data transferred to third countries resulting from the Protocol must be essentially equivalent to the EU level of protection. The EDPB also refers to the EDPS Opinion on the Commission proposals and highlights some of its crucial points.
The EDPB welcomes the safeguards included in the Protocol, such as the provisions on oversight. However, the EDPB regrets that the Protocol does not ensure that, as a general rule, information to individuals related to access is provided free of charge.
The EDPB recommends that Member States reserve the right not to apply the direct cooperation provision enabling third country authorities to directly request EU service providers to disclose certain types of data (access numbers). This would help to ensure a more substantial involvement of EU judicial or other independent authorities in the review of such requests.
Following public consultation, the EDPB adopted a final version of the Guidelines on Codes of Conduct as a tool for transfers, taking into consideration the feedback received from stakeholders. The main purpose of the guidelines is to clarify the application of articles 40 (3) and 46 (2) (e) GDPR. These provisions stipulate that, once approved by a competent Supervisory Authority (SA) and after having been granted general validity within the European Economic Area (EEA) by the European Commission, a code may also be adhered to and used by controllers and processors in a third country to provide appropriate safeguards to transfers of data outside of the EEA.
The EDPB adopted a letter on AI liability. In its letter, the EDPB welcomes the European Commission’s initiative to adapt liability rules to the digital age and artificial intelligence (AI), in light of the evaluation of the Product Liability Directive. Among others, the EDPB considers it relevant to strengthen the liability regime of providers of AI systems, so that processors and controllers can trustfully rely on those systems. In addition, AI systems should be explainable by design and providers of AI systems should embed security by design throughout the entire lifecycle of the AI.
Finally, the EDPB designated Georgia Panagopoulou (EL SA) as representative and Konstantinos Limniotis (EL SA) as substitute to take part in ENISA’s newly formed Stakeholder Cybersecurity Certification Group (SCCG). The SCCG will advise ENISA and the European Commission on strategic issues regarding cybersecurity certification.
Note to editors:
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
EDPB_Press Release_2022_03
The European Data Protection Board (EDPB) is looking for experts to cooperate with Supervisory Authorities around the European Economic Area (EEA), on different stages of their investigation and enforcement activities in the field of data protection law.
The EDPB is seeking to establish a Support Pool of Experts with qualified experts in areas such as IT auditing, website security, mobile OS and apps, IoT, cloud-computing, behavioural advertising, anonymization techniques, cryptology, AI, UX design, Fintech, Data science, digital law, etc.
The EDPB Support Pool of Experts is a key strategic initiative of the EDPB, that helps Supervisory Authorities increase their capacity to supervise and enforce the safeguarding of personal data.
The European Data Protection Board (EDPB) is an independent EU body established by the General Data Protection Regulation or GDPR, which contributes to the consistent application of data protection rules throughout the European Economic Area (EEA), and promotes cooperation between the EEA data protection authorities.
Send us your expression of interest and join the EDPB Support Pool of Experts
Learn how to submit your application
Brussels, 15 February - Today marks the kick-off of the first coordinated enforcement action of the European Data Protection Board. In the coming months, 22 supervisory authorities across the EEA (including EDPS) will launch investigations into the use of cloud-based services by the public sector.
This series of actions follows the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among Supervisory Authorities (SAs).
According to EuroStat, the cloud uptake by enterprises doubled across the EU in the last 6 years. The COVID-19 pandemic has sparked a digital transformation of organisations, with many public sector organisations turning to cloud technology. However, in doing so, public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules. Through coordinated guidance and action, the SAs aim to foster best practices and thereby ensure the adequate protection of personal data.
Over 80 public bodies in total will be addressed across the EEA, including EU institutions, covering a wide range of sectors (such as health, finance, tax, education, central buyers or providers of IT services). Building on common preparatory work by all participating SAs, the CEF will be implemented at national level in one or several of the following ways: fact-finding exercise; questionnaire to identify if a formal investigation is warranted; commencement of a formal investigation; follow-up of ongoing formal investigations. In particular, SAs will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.
The results will be analysed in a coordinated manner and the SAs will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis before the end of 2022.
EDPB_Press Release_statement_2022_01
Further information:
During its January 18th plenary session, the EDPB adopted the following documents:
During its February 1st plenary session, the EDPB adopted: