HomeInsightsEuropean Data Protection Board adopts final Guidelines on Codes of Conduct and letter to European Commission on Artificial Intelligence liability

At its 61st meeting on 22 February 2022, the EDPB adopted a letter in response to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee on the Second Additional Protocol to the Cybercrime Convention. In the letter, the EDPB states that the level of protection of personal data transferred to third countries resulting from the Protocol must be equivalent to the EU level of protection. The EDPB also refers to the EDPS Opinion on the Commission proposals, highlighting some of its crucial points. The EDPB welcomes the safeguards set out in the Protocol, such as the provisions on judicial oversight. However, the EDPB regrets that the Protocol does not ensure that, as a general rule, information to individuals related to access is provided free of charge. The EDPB recommends that Member States reserve the right not to apply the direct cooperation provision enabling third country authorities to directly request EU service providers to disclose certain types of data (access numbers). This would help to ensure the involvement of EU judicial or other independent authorities in the review of such requests.

The EDPB also adopted the final version of its Guidelines on Codes of Conduct as a tool for transfers, taking into consideration the feedback received from stakeholders in consultation. The main purpose of the guidelines is to clarify the application of Articles 40(3) and 46(2)(e) of the GDPR, which stipulate that, once approved by a competent Supervisory Authority (SA) and after having been granted general validity within the European Economic Area (EEA) by the European Commission, a Code can be used by controllers and processors in a third country to provide appropriate safeguards to transfers of data outside of the EEA.

The EDPB also adopted a letter to the European Commission on Artificial Intelligence liability, welcoming the European Commission’s initiative to adapt liability rules to the digital age and AI in the light of the evaluation of the Product Liability Directive. The EDPB considers it necessary to strengthen the liability regime of providers of AI systems, so that processors and controllers can rely on those systems. In addition, AI systems should be explainable by design and providers of AI systems should embed security by design throughout the entire lifecycle of the AI. To read the EDPB’s press release in full and for a link to the letter to LIBE, click here. To access the Guidelines on Codes of Conduct, click here. To access the letter on AI, click here.