European Data Protection Board discusses UK adequacy and issues opinion on a potential Data Governance Act

March 11, 2021

The European Data Protection Board has held it’s 46th Plenary session at which it discussed the draft UK adequacy decisions, which were recently issued by the European Commission. The EDPB will thoroughly review the draft decisions, taking into account the importance of guaranteeing the continuity and high level of protection for data transfers from the EU. 

During the same session, the Board adopted:

  • its two-year work program for 2021-2022 which follows the priorities set out in the EDPB 2021-2023 Strategy and will put the Board’s strategic objectives into practice. 
  • a statement on the draft ePrivacy Regulation. In its statement, the EDPB welcomes the agreement on the negotiation mandate by the Council as a positive step in the finalisation of the Regulation. The EDPB notes that national authorities responsible for enforcement of the GDPR should be entrusted with the oversight of the privacy provisions to ensure a harmonised interpretation and enforcement of the new Regulation across the EU and to guarantee a level playing field in the Digital Single Market.
  • Guidelines on Virtual Voice Assistants. The Guidelines aim to identify some of the most relevant compliance challenges for Virtual Voice Assistants and to provide recommendations on how to address those challenges. The EDPB will consult on the guidelines for six weeks.
  • a final version of the Guidelines on Connected Vehicles following a consultation. The Guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects. The final version integrates updated wording, and further clarifications to address comments and feedback received during the public consultation.

Also adopted was a joint EDPB-EDPS opinion on the Data Governance Act. The DGA aims to foster the availability of data by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. In particular, the DGA intends to promote the availability of public sector data for reuse, sharing of data among businesses and allowing personal data to be used with the help of a ‘personal data-sharing intermediary’. The DGA also seeks to enable the use of data for altruistic purposes.

The EDPB and the EDPS acknowledge the legitimate objective of the DGA to improve the conditions for data sharing in the internal market. At the same time, they say that protection of personal data is an essential and integral element for trust in the digital economy. The EDPB and the EDPS say that legislators must ensure that the future DGA is fully in line with the EU personal data protection legislation to foster trust in the digital economy and upholding the level of protection provided by EU law under the supervision of the EU member states’ supervisory authorities.  The EDPB and EDPS consider that the wording of the DGA must clearly and unambiguously state that the legislation will neither affect the level of protection of individuals’ personal data, nor alter any rights and obligations set out in the data protection legislation.

Concerning the reuse of personal data held by public sector bodies, the EDPB and EDPS recommend aligning the DGA with the existing rules on the protection of personal data set out in the GDPR, and with the Open Data Directive. Furthermore, it should be clarified that the reuse of personal data held by public sector bodies may only be allowed if it is supported by EU or national law. Such laws should include a list of clear compatible purposes for which further processing may be lawfully authorised or constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives in Article 23 of the GDPR. 

On data sharing service providers, the joint opinion highlights the need to ensure prior information and controls for individuals, taking into account the principles of data protection by design and by default, transparency and purpose limitation.  

Regarding the data altruism section, the EDPB and the EDPS recommend that the DGA should better define the purposes of general interest of such “data altruism”. Data altruism should be organised in such a way that it allows individuals to easily give, but also, withdraw their consent. 

In light of the possible risks for data subjects when their personal data might be processed by data sharing service providers or data altruism organisations, the EDPB and EDPS consider that the declaratory registration regimes for these entities, as set out in the DGA, do not provide for a sufficiently stringent vetting procedure for such services. Therefore, the EDPB and EDPS recommend exploring alternative procedures that foresee a more systematic inclusion of accountability tools, in particular the adherence to a code of conduct or certification mechanism.

The joint opinion also includes recommendations on the designation of the supervisory authorities as main competent authorities for the control of the compliance with the DGA provisions, in consultation with other relevant sectorial authorities.