EDPB clarifies notion of main establishment and calls on EU legislators to make sure CSAM Regulation respects rights to privacy and data protection

14 February 2024

Brussels, 14 February - During its latest plenary, the EDPB adopted an Opinion on the notion of main establishment and on the criteria for the application of the One-Stop-Shop mechanism following an Art. 64(2) GDPR request by the French Data Protection Authority (DPA). The Opinion clarifies the notion of a controller’s “main establishment” in the EU, in particular for cases where decisions regarding the processing are taken outside the EU.

EDPB Chair Anu Talus said: “The notion of main establishment is one of the cornerstones of the One-Stop-Shop. It is key in determining which, if any, DPA is the lead supervisory authority in cross-border data protection cases. The EDPB Opinion sheds further light on the conditions for controllers to access the One-Stop-Shop and provides further guidance for DPAs when determining which DPA is in the lead.” 

In its Opinion, the EDPB considers that a controller’s “place of central administration” in the EU can be considered as a main establishment under Art. 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and if it has the power to have such decisions implemented. The EDPB further explains that the One-Stop-Shop mechanism can only apply if there is evidence that one of the establishments of the controller in the Union takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. This means that, when the decisions on the purposes and means of the processing are taken outside of the EU, there should be no main establishment of the controller in the Union, and therefore the One-Stop-Shop should not apply.

This Opinion is the latest in a series of concrete actions taken by the EDPB following its Vienna Statement on cross-border enforcement, aiming to streamline enforcement and cooperation among DPAs. 

Next, the EDPB adopted a Statement on the legislative developments regarding the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. The Statement follows the EDPB-EDPS Joint Opinion on the European Commission’s Proposal for a Regulation and focuses on the latest legislative developments, in particular the position of the European Parliament of November 2023. 

The EDPB welcomes the many improvements proposed by the Parliament, such as exempting end-to-end encrypted communications from detection orders. However, the EDPB regrets that the text proposed by the Parliament does not seem to fully resolve important issues flagged by the EDPB and the EDPS related to general and indiscriminate monitoring of private communications, in particular in relation to the issuing of detection orders.

EDPB Chair Anu Talus said: “Child sexual abuse is a particularly heinous crime and requires effective solutions. It is important that any new legal instrument is unambiguous and respects the fundamental rights to privacy and data protection. An excessive level of access to online communications would undermine those important principles and may itself have negative impacts on the rights, and the safety, of both adults and children alike; we must be very careful of actions which ultimately do more harm than good. The EDPB is of the opinion that the wording proposed by the Parliament should provide appropriate guarantees that detection orders will be sufficiently targeted, to ensure that it can protect victims without disproportionally affecting the rights and freedoms protected by EU law.”

The EDPB stresses the importance of further limiting the risk that those orders could affect persons who are unlikely to be involved in child sexual abuse-related crimes. Furthermore, the EDPB regrets that detection orders are not limited to child sexual abuse materials (CSAM) that are already known to authorities, despite the fact that the technologies used to detect new CSAM have proven in the past to have significant error rates.

During the plenary, the EDPB also discussed the scope of the guidance related to the Consent or Pay model. In addition to the upcoming Art. 64(2) Opinion, which will address the Consent or Pay model in the context of large online platforms, it was agreed that there is a need to consecutively develop Guidelines with a broader scope.

Finally, the EDPB nominated several representatives to take part in, respectively, the European Commission’s Data Privacy Framework review team, the Digital Markets Act High-Level Subgroup on Art. 5.2 DMA, and the Digital Services Act taskforce on age verification.