Fifteenth Plenary session: Privacy Shield Review, Guidelines on Territorial Scope, Guidelines on Data Protection by Design & Default, Art. 64 Opinion on ExxonMobil BCRs, Response letter to LIBE, Additional Protocol Budapest Convention

14 November 2019

Brussels, 14 November - On November 12th and 13th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their fifteenth plenary session. During the plenary a wide range of topics was discussed.

Third Annual Privacy Shield Review
The EDPB adopted its report on the third Annual Joint Review of the EU-US Privacy Shield. In the report, the EDPB welcomes the efforts made by the U.S. authorities to implement the Privacy Shield, especially regarding ex officio oversight and enforcement actions on the commercial aspects, as well as the appointments of the last missing members of the Privacy and Civil Liberties Oversight Board (PCLOB) and of a permanent Ombudsperson.

However, a number of concerns still need to be addressed. The Board points out that substantial checks of compliance with the substance of the Privacy Shield’s principles remain a concern. Other areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR data and processors, as well as the recertification process. More generally, the members of the Review Team would benefit from broader access to non-public information concerning commercial aspects and ongoing investigations.

As regards the collection of data by public authorities, the EDPB encourages the PCLOB to issue and publish further reports, among other things to provide an independent assessment of surveillance programmes conducted outside US territory while data are undergoing transfer from the EU to the US. The Board reiterates that its security-cleared experts remain ready to review further documents and discuss additional classified elements.

While the EDPB welcomes the new elements provided during this year’s review, the EDPB still cannot conclude that the Ombudsperson is vested with sufficient powers to access information and remedy non-compliance.

Guidelines on Territorial Scope
The EDPB adopted a final version of the Guidelines on Territorial Scope following public consultation. The guidelines aim to provide a common interpretation of the GDPR for EEA Data Protection Authorities when assessing whether a particular processing by a controller or a processor falls within the territorial scope of the legal framework, as per Art. 3 GDPR. The Guidelines provide further clarification on the application of the GDPR in various situations, for example, where the data controller or processor is established outside the EEA, including on the designation and role of a representative under Art. 27 GDPR.

The final guidelines integrate updated wording and further legal reasoning in order to address comments and feedback received during the public consultation, while maintaining the overall interpretation and methodology presented in the first version of the guidelines.

Guidelines on Data Protection by Design & Default
The EDPB adopted Guidelines on Data Protection by Design & Default. The guidelines focus on the obligation of Data Protection by Design and by Default (DPbDD) as set forth in Art. 25 GDPR. The core obligation here is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This requires that controllers implement appropriate technical and organisational measures and the necessary safeguards, designed to ascertain data protection principles in an effective manner and to protect the rights and freedoms of data subjects. In addition, controllers must be able to demonstrate that the implemented measures are effective. The guidelines will be submitted for public consultation.

Article 64 Opinion on ExxonMobil BCRs
The EDPB adopted its opinion on the draft decision regarding ExxonMobil’s Binding Corporate Rules (BCRs), submitted to the Board by the Belgian Supervisory Authority. The EDPB is of the opinion that the draft controller BCRs provide sufficient safeguards in the meaning of Art. 46(2)(b) and comply with Art. 47 GDPR.

Response letter to LIBE on EU Information Systems
The EDPB adopted its response to the request from the European Parliament’s committee for Civil Liberties for a legal assessment of the European Commission’s proposals for the Regulation establishing the conditions for accessing the other EU information systems and the Regulation establishing the conditions for accessing other EU information systems for ETIAS purposes. In the letter, the EDPB argues that the proposals should be seen as part of a bigger picture, i.e. as implementing parts of the Interoperability Framework, and recalls the concerns previously expressed by the Article 29 Working Party. Additionally, the letter points out that there are concerns regarding fundamental data protection principles, such as transparency, data protection by design and by default, and purpose limitation.

Additional protocol to the Budapest Convention on Cybercrime
The EDPB has adopted a contribution to the draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), to be considered within the framework of consultations held by the Council of Europe Cybercrime Convention Committee (T-CY). The EDPB recalls that the protection of personal data and legal certainty must be guaranteed, thus contributing to the objective of establishing sustainable arrangements for the sharing of personal data with third countries for law enforcement purposes, which are fully compatible with the EU Treaties and the Charter of Fundamental Rights.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.