March 25, 2019

On 12 and 13 March 2019, the EDPB met for its eighth plenary session. During the plenary a range of topics were discussed.

Interplay between ePrivacy Directive and GDPR

The EDPB said that its Opinion (see following story) seeks to provide an answer to the question of whether the fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, it limits the competences, tasks and powers of data protection authorities under the GDPR. The EDPB opined that data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy directive does not limit the competence of data protection authorities under the GDPR.

However, the EDPB said that an infringement of the GDPR might at the same time constitute an infringement of national ePrivacy rules. Data protection authorities can take this into consideration when applying the GDPR (e.g. when assessing compliance with the lawfulness or fairness principles).

Statement on the future ePrivacy Regulation

The EDPB adopted a statement calling upon EU legislators to intensify efforts towards the adoption of the ePrivacy Regulation, which it says is essential to complete the EU’s framework for data protection and the confidentiality of electronic communications.

However, the EDPB said, the future ePrivacy Regulation should “under no circumstance” lower the level of protection offered by the current ePrivacy Directive and should complement the GDPR by providing additional strong guarantees for all types of electronic communications.

DPIA Lists

The EDPB adopted two opinions on the Data Protection Impact Assessment (DPIA) lists submitted to the Board by Spain and Iceland. The EDPB says that these lists form “an important tool for the consistent application of the GDPR across the EEA”. A DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. While, in general, the data controller needs to assess if a DPIA is required before engaging in the processing activity, national supervisory authorities should establish and make a list of the types of processing operations that are subject to the requirement for a DPIA. The EDPB says that these two opinions follow the 28 opinions adopted during previous plenary meetings, and will further contribute to establishing common criteria for DPIA lists across the EEA.

Statement on the use of personal data in the course of political campaigns

In light of the upcoming European elections and other elections taking place across the EU and beyond in 2019, the EDPB adopted a statement on the use of personal data during election campaigns. Data processing techniques for political purposes can pose serious risks, it said, not just with regard to the rights to privacy and data protection, but also to the integrity of the democratic process. The EDPB highlighted a number of key points that need to be taken into consideration when political parties process personal data in the course of electoral activities. To read the EDPB press release in full, click here. For further information on each topic discussed, see below.