The European Data Protection Board (EDPB) has published its Annual Report covering the period from 25 May – 31 December 2018. It provides an overview of the EDPB’s activities last year, and discusses the areas it intends to focus on in 2019-2020.
We have set out below a summary of the key statistics from the Annual Report:
Cross-Border Cooperation: 574 procedures were initiated to identify the Lead Supervisory Authority (SA) and the Concerned SAs in cross-border cases. Of these 574 procedures, 274 were closed in 2018. No dispute on the selection of the Lead SA occurred.
Cross-Border Cases: 255 cases with a cross-border component were registered in the IMI system (the IT platform set up to support the cooperation and consistency procedures under the GDPR). Most of the cases derived from complaints by individuals (176 cases). The rest (79 cases) originated from other sources, such as an investigation, an SA initiative, a legal obligation or a media report. The three main topics of these cases related to data subjects’ rights, consumer rights, and data breaches.
One-Stop-Shop (OSS) procedures: 43 OSS procedures were initiated by SAs from 14 different EEA countries. At the end of the 2018, the procedures were at different stages: 20 were at the informal consultation level, 20 were at draft decision level and two were final decisions.
Mutual Assistance: 397 mutual assistance requests, both formal and informal, were triggered. 89% of the requests were replied to within 23 days. The mutual assistance procedure allows for SAs to ask for information from other SAs, but also to request other measures for effective cooperation, such as prior authorisations or investigations. Mutual assistance can be used for cross-border cases subject to the OSS procedure, either as part of the preliminary phase, to gather the necessary information before drafting a decision, or for national cases with a cross-border component.
Joint Operations: The GDPR allows for SAs to carry out joint investigations and joint enforcement measures. Similar to the mutual assistance procedure, joint operations can be used in the context of cross-border cases subject to the OSS procedure or for national cases with a cross-border component. No statistics were provided in regard to joint operations.
Consistency Opinions: 26 Consistency Opinions on the national lists of processing operations subject to a DPIA were adopted by the EDPB. The purpose of the exercise was to ensure consistency across all national lists. EEA national SAs must request an Opinion from the EDPB before adopting any decision on subjects specified by the GDPR having cross-border implications. This applies when a national SA:
- intends to adopt a list of the processing operations subject to the requirement for a data protection impact assessment (DPIA);
- intends to adopt a draft code of conduct relating to processing activities;
- aims to approve the criteria for accreditation of a certification body;
- aims to adopt standard data protection clauses or contractual clauses;
- aims to approve binding corporate rules.
The competent Supervisory Authority has to take utmost account of the opinion.
Binding Decisions: No dispute resolution procedures were initiated by the EDPB in 2018, due to SAs being able to reach consensus on all cross-border cases. The EDPB may adopt binding decisions in the following cases:
- a dispute takes place within the OSS mechanism (a concerned SA raises a relevant and reasoned objection which is not followed by the Lead SA);
- a disagreement occurs relating to which authority should take on the role of Lead SA;
- an SA does not request, or does not follow, a Consistency Opinion issued by the EDPB.
National cases: The SAs of the 31 EEA countries reported over a hundred thousand cases at national level. The majority of cases were either related to complaints or were initiated on the basis of data breach notifications from controllers.
Guidelines & Expert Sub-Groups: The Annex to the Report contain links to the 20 Guidelines endorsed and adopted by the EDPB in 2018. Guidelines adopted since then are available on the EDPB’s website. The Annex also sets out a list of the 13 EDPB subgroups which have been set up to assist the EDPB in the performance of its tasks, and the scope of their respective mandates.
Main Objectives for 2019-2020
At the beginning of 2019, the EDPB adopted a two-year work programme for 2019-2020 (previously discussed here). The EDPB will adopt further Guidelines to ensure consistent interpretation of the GDPR across the EU. The Annual Report identifies three areas of particular interest for the coming two years include:
- data subjects’ rights;
- the concept of the controller and processor;
- legitimate interest.
The EDPB will also consider technologies such as connected vehicles, blockchain, artificial intelligence and digital assistants, video surveillance, search engine delisting and data protection by design and by default.