European data protection board strategy for 2021-2023

On December 15, the European Data Protection Board (EDPB) published its strategy for 2021-2023. The EDPB’s mission is to ensure the consistent application of European data protection rules and promote effective cooperation between supervisory authorities throughout the European Economic Area (EEA). The strategy aims to ensure the EDPB’s mission, applying the General Data Protection Regulation (GDPR), as well as Directive on data protection in the criminal sphere.

The EDPB’s strategy establishes four main pillars to improve compliance with these two regulations. It also includes a series of actions to achieve those targets.

First pillar: advancing harmonization and facilitating compliance

• The EDPB will provide practical, easy-to-understand and accessible guidelines on personal data protection regulations. It will also develop and promote tools that contribute to regulatory compliance by design and by default, using the practical experience acquired. The aim is to ensure consistent implementation of personal data protection rules in all Member States.
• Specific actions: (i) prepare guidelines to facilitate uniform interpretation of key notions, establishing the 2021-2022 work program, most notably including the forthcoming guidelines on legitimate interest or remuneration in exchange for personal data; (ii) develop and apply compliance mechanisms for data controllers and processors (codes of conduct and certifications); and (iii) develop tools for a general audience, collaborating on awareness and dissemination activities.

Second pillar: supporting effective enforcement and efficient cooperation between national supervisory authorities

• The EDPB will support cooperation between all national data protection authorities. As part of this, it will optimize internal processes and promote enhanced coordination, aiming to develop a genuine culture of enforcement among personal data protection authorities. The aim is to achieve a uniform supervision of the regulations.
• Specific actions: (i) promote and facilitate the use of cooperation and communication tools; (ii) implement a coordinated enforcement framework that, based on the 2021-2022 work program, will prioritize the one-stop-shop, mutual assistance or the calculation of administrative fines; and (iii) establish a pool of support experts.

Third pillar: a fundamental rights approach to new technologies

• The EDPB will constantly monitor new technologies and their impact on people’s fundamental rights and daily life. As part of this, it will pay particular attention to data processing activities that involve a risk for people’s rights and freedoms (e.g., to avoid discrimination). The aim is to shape technology in line with European values such as human dignity, autonomy and freedom.
• Specific actions: (i) assess new technologies such as artificial intelligence (AI), biometrics, preparing profiles, advertising technology, cloud services, blockchain, etc.; (ii) strengthen data protection by design and by default; (iii) intensify engagement and cooperation with other authorities (such as, for example, competition and consumer protection authorities); and (iv) publish guidelines in the context of new technologies: guidelines on blockchain, anonymization and pseudonymization, use of facial recognition in law enforcement, virtual voice assistants, notices of data leaks, social media platform interfaces, cloud computing, artificial intelligence, digital identity, data brokers and the internet of things are planned before 2022.

Fourth pillar: the global dimension

• The EDPB will promote the EU’s data protection model on a global scale to ensure the effective protection of personal data beyond its borders. As part of this, the Board plans to publish guidelines and recommendations on legal instruments for international transfers envisaged in Articles 45 and 48 of the GDPR.
• Specific actions: (i) promote the use of transfer tools ensuring an equivalent level of protection, which is the EDPB’s priority for 2021 and 2022 in terms of the fourth pillar; (ii) engage with the international community to offer leadership in data protection on a global level; and (iii) facilitate engagement in cases related to law enforcement affecting data controllers and processors located outside the EEA.

Ultimately, in 2023, the EDPB plans to (i) harmonize the implementation of personal data protection regulations as far as possible, (ii) facilitate coordinated supervision by the European personal data protection authorities, (iii) implement technologies that respect privacy by design and by default, and (iv) position the European Union as a global benchmark in privacy protection.

Taking into account the EDPB’s focus on enshrining and configuring the fundamental right to data protection, we will follow this strategy’s implementation closely in this blog.

Authors: Pedro Méndez de Vigo and Josu Andoni Eguiluz