88th Plenary meeting

Brussels, 15 December - During its latest plenary, the EDPB adopted its contribution to the European Commission’s report on the application of the GDPR. The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. While a number of important challenges lie ahead, the EDPB considers it premature to revise the GDPR at this point in time and calls on the co-legislators to swiftly adopt the new Regulation laying down additional procedural rules relating to the cross-border enforcement of the GDPR. In addition, the EDPB stresses that the DPAs and the EDPB need sufficient resources to continue carrying out their tasks.

EDPB Chair Anu Talus said: “The GDPR has strengthened, modernised and harmonised data protection principles across the EU. The EDPB guidance played a key role in making individuals and businesses aware of their rights and responsibilities under the GDPR. We will keep on supporting the implementation of the GDPR in particular by SMEs, and more generally raising awareness of the GDPR. In addition, cooperation among DPAs and enforcement of the GDPR has gained momentum. More than ever, the EDPB is committed to ensure effective and consistent enforcement of the GDPR.”

The EDPB has consolidated its position as the EU body in charge of ensuring the consistent application of the GDPR, making use of the full set of instruments at its disposal. It has built a comprehensive library of guidance documents to help promote compliance among controllers and processors and consistent enforcement by DPAs. In addition, it has supplied a framework for the practical application of compliance tools such as codes of conduct and certification mechanisms, which has enabled them to become operational in a consistent manner across the EU. Furthermore, the EDPB has aptly played its unique role in settling disputes in cross-border cases, thereby ensuring the consistent application of the GDPR.

Regarding enforcement, the EDPB is convinced that effective and efficient cooperation between DPAs leads to a common data protection culture. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way.

The EDPB  and  the  DPAs  will  continue  their  efforts  to further enhance enforcement  cooperation and to  achieve  more  efficient  and  consistent results within the current legal framework.

Given the importance of streamlining national procedural rules, the EDPB submitted in October 2022 a ‘wish list’ to the European Commission, on procedural aspects that could be harmonised at EU level. The EDPB-EDPS joint opinion of 19 September 2023 on the Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR, welcomed that the proposal aims to foster effective enforcement of data protection rules and intends to give effect to many of the suggestions contained in the ‘EDPB wish list’; it also made a number of recommendations to ensure the greatest possible efficiency of this upcoming Regulation.

Moreover, the EDPB calls on Member States to make sure that all DPAs have the necessary resources to carry out their tasks effectively, as there are considerable challenges ahead. First and foremost, the continuously evolving technological landscape presents new data protection challenges every day. New legislation is also considered or has been introduced, providing additional rules to create a safer digital space and to establish a level playing field for businesses in the digital economy, such as the DMA, the DSA, the DGA or the proposal for an AI Act. These new legislations may place additional responsibilities on DPAs or the EDPB with regard to enforcement and supervision. However, there is a discrepancy between this increasing workload, and the available resources. In addition, both the EDPB’s and DPAs’ tasks under the GDPR continue at an increased intensity. Moreover, increased enforcement cooperation among DPAs, which in turn leads to higher involvement of the EDPB, has had a significant impact on the workload. The success in the performance of these tasks relies largely on the resources available to the DPAs and to the EDPB, including via its Secretariat. It is therefore essential to ensure that the EDPB Secretariat is provided with the necessary resources, as it plays a key role in the preparation and execution of many of the tasks entrusted to the EDPB.

Regarding international transfers, the EDPB underlines the importance of continuing to develop adequacy decisions with third countries and international organisations, and expects the Commission to finalise  its  work  on  the  review  of  the  adequacy  decisions  adopted under  Directive  95/46/EC.

In addition, the EDPB encourages the Commission to continue developing international cooperation and stresses the importance of effective enforcement cooperation with third countries.

During the plenary, the EDPB also held a general discussion on the ‘pay or ok’ model. It was decided that a request for mandate for guidelines on this topic will be prepared.

During its latest plenary, the EDPB adopted a letter in response to the European Commission regarding the cookie pledge voluntary initiative. The EDPB welcomes the Commission’s initiative, which aims to help protect the fundamental rights and freedoms of users, to empower them to make effective choices, and to increase transparency towards users

The cookie pledge initiative was developed by the European Commission in response to concerns regarding the so-called “cookie fatigue” phenomenon and consists of a voluntary business pledge to simplify the management of cookies and personalised advertising choices by consumers. On 10 October 2023, the European Commission asked the EDPB to consider whether any of the draft pledge principles would be contrary to the GDPR and the ePrivacy Directive.

The draft pledging principles would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. In addition, with the draft principles, consent should not be asked again for a year once it has been refused, this is an important step towards reducing cookie fatigue. 

Furthermore, the EDPB flags that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive. The data protection authorities remain competent to exercise their powers when necessary.