February 24, 2020

On 18 and 19 February 2020 the EDPB met for its eighteenth plenary session. During the plenary, a wide range of topics was discussed, including:

• Review of the GDPR: The EDPB is of the opinion that the application of the GDPR in the first 20 months has been successful. Although the need for sufficient resources for all Supervisory Authorities (SAs) is still a concern and some challenges remain, resulting, for example, from the patchwork of national procedures, the EDPB is convinced that the cooperation between SAs will result in a common data protection culture and consistent practice. The EDPB is examining possible solutions to overcome these challenges and to improve existing cooperation procedures. It also calls upon the European Commission to check if national procedures impact the effectiveness of the cooperation procedures and considers that, eventually, legislators may also have a role to play in ensuring further harmonisation. In its assessment, the EDPB also addresses issues such as international transfer tools, impact on SMEs, SA resources and development of new technologies. The EDPB concludes that it is premature to revise the GDPR at this point in time.
• Draft guidelines on transfers of personal data: Articles 46.2(a) and 46.3(b) of the GDPR cover transfers of personal data from EEA public authorities or bodies to public bodies in third countries or to international organisations, where such transfers are not covered by an adequacy decision. The EDPB adopted guidelines which recommend which safeguards to implement in legally binding instruments (Article 46.2(a)) or in administrative arrangements (Article 46.3(b)) to ensure that the level of protection of natural persons under the GDPR is met and not undermined. The guidelines will be submitted for public consultation.
• Statement on privacy implications of mergers: following the announcement of Google LLC’s intention to acquire Fitbit, the EDPB adopted a statement highlighting that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to privacy and data protection. The EDPB reminds the parties to the proposed merger of their obligations under the GDPR and of the need to conduct a full assessment of the data protection requirements and privacy implications of the merger in a transparent way. The EDPB urges the parties to mitigate possible risks to the rights to privacy and data protection before notifying the merger to the European Commission. The EDPB will consider any implications for the protection of personal data in the EEA and stands ready to contribute its advice to the EC if so requested.

To read the EDPB’s press release in full, click here.