67th Plenary meeting

Brussels, 14 July - Following the commitments set out in its Vienna Statement on Enforcement Cooperation, the EDPB adopted a set of criteria to assess whether a cross-border case may qualify as a case of “strategic importance” for closer cooperation. The Board also adopted a procedure detailing the steps to be taken following identification of a strategic case. In addition, the EDPB selected the very first pilot cases to test this project.

EDPB Chair Andrea Jelinek said: “The criteria for strategic cases are an important piece of the puzzle we’re laying to step up enforcement cooperation. At the EDPS conference in June, several scenarios were discussed to overcome current shortcomings and we want to take advantage of the general momentum for the path taken by the EDPB in Vienna: greater harmonisation of procedural laws and intensifying cooperation. This will help Supervisory Authorities (SAs) enforce the GDPR more efficiently, ultimately benefiting and empowering individuals to exercise their data protection rights.”

Cases of strategic importance are primarily one-stop-shop cases which are likely to entail a high risk to the rights and freedoms of data subjects in several EEA Member States. In order to identify a case of strategic importance, one or more of the following criteria should be taken into account:

• a structural or recurring problem in several Member States, in particular where the case concerns a general legal issue with regards to the interpretation, application or enforcement of the GDPR;
• a case related to the intersection of data protection and other legal fields;
• and a case which affects a large number of data subjects in several Member States;
• a case involving a large number of complaints in several Member States;
• a  case concerning a fundamental  issue  falling  within  the  scope  of  the  EDPB strategy;
• a  case  where  the  GDPR  implies  that  a  high  risk  can  be assumed, such as:
  • the  processing  of  special  categories  of  data;
  • processing regarding vulnerable people such as minors;
  • Situations where a data protection impact assessment (DPIA) is required.

Within the framework of the EDPB, SAs can propose any case that meets at least one of the criteria to other SAs. The Members of the Board will then decide which of the proposed cases will be identified as a case of strategic importance at European level.

Following identification, cooperation will be prioritised and supported by the EDPB. Participation is voluntary and all SAs are allowed to submit proposals. In particular, SAs will exchange information and cooperate closely at an early stage. The handling of cases of strategic importance will also take place in accordance with the procedures and instruments for achieving cooperation and consistency between SAs, as laid down in Chapter VII of the GDPR. In line with the criteria outlined above, the EDPB agreed on three pilot cases to kick-start the project.

Note to editors:

At a high level meeting in Vienna in May 2022, EDPB members agreed to further enhance cooperation on strategic cases, and to diversify the range of cooperation methods used. In particular, it was decided that EDPB members will collectively identify cross-border cases of strategic importance in different Member States on a regular basis, for which cooperation will be prioritised and supported by the EDPB. More information can be found in the EDPB’s Statement on Enforcement Cooperation. 

Brussels, 14 July - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted their Joint Opinion on the European Commission’s Proposal for the European Health Data Space (EHDS). The Proposal aims to facilitate the creation of a European Health Union and to enable the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data.

The EDPB and the EDPS welcome the idea of strengthening the control of individuals over their personal health data. However, they draw the co-legislators’ attention to a number of overarching concerns and urge them to take decisive action. In particular, the EDPB and the EDPS acknowledge that Chapter IV of the Proposal, which aims to facilitate the secondary use of electronic health data, may generate benefits for the public good. At the same time, the EDPB and the EPDS consider that these further processing activities are not without risks for the rights and freedoms of individuals.

EDPB Chair Andrea Jelinek said: “The EU Health Data Space will involve the processing of large quantities of data which are of a highly sensitive nature. Therefore, it is of the utmost importance that the rights of the European Economic Area’s (EEA) individuals are by no means undermined by this Proposal. The description of the rights in the Proposal is not consistent with the GDPR and there is a substantial risk of legal uncertainty for individuals who may not be able to distinguish between the two types of rights. We strongly urge the Commission to clarify the interplay of the different rights between the Proposal and the GDPR.”

EDPS Supervisor Wojciech Wiewiórowski said: “Health data generated by wellness applications and other digital health applications are not of the same quality as those generated by medical devices. Moreover, these applications generate an enormous amount of data, can be highly invasive and may reveal particularly sensitive information, such as religious orientation. Wellness applications and other digital health applications should therefore be excluded from being made available for secondary use.”

While the EDPB and EDPS acknowledge the Commission’s efforts to align the Proposal with the GDPR provisions when personal data is involved, they note that this Proposal will add yet another layer to the already complex collection of provisions on the processing of health data. As such, they stress the need to clarify the relationship between the provisions in this Proposal, the ones in the GDPR and Member State law and also with ongoing European initiatives.

In addition, the EDPB and EDPS acknowledge that the infrastructure for the exchange of electronic health data foreseen in this EHDS Proposal aims at facilitating the exchange of health data. However, due to the large quantity of electronic health data that would be processed, their highly sensitive nature, the risk of unlawful access and the necessity to fully ensure effective supervision by independent data protection authorities, the EDPB and the EDPS call on the European Parliament and on the Council to add to the Proposal a requirement to store the electronic health data in the EEA, without prejudice to further transfers in compliance with Chapter V of the GDPR.

As to the purposes for secondary use of health data, the EDPB and the EDPS are of the view that the Proposal lacks a proper delineation of the purposes for which electronic health data may be further processed. In order to achieve a balance that adequately takes into account the objectives pursued by the Proposal and the protection of personal data of the individuals affected by the processing, the co-legislators should further delineate these purposes and circumscribe when there is a sufficient connection with public health and/or social security.

Finally, regarding  the  governance  model  introduced  by  the  Proposal,  the  tasks  and competences of the new public bodies need to be carefully tailored, particularly taking into account the tasks and competences of national supervisory authorities, the EDPB and the EDPS, when processing of health data is involved. The EDPB and the EDPS underline that data protection authorities are the only competent authorities responsible for data protection issues and should remain the only point of contact for individuals with regard to those issues. Overlap of competences should be avoided and fields of and requirements for cooperation should be specified.