European Data Protection Board holds latest plenary session

December 17, 2021

The EDPB has held its latest plenary session, during which it adopted several documents.

Review of Law Enforcement Directive

The EDPB and the individual Supervisory Authorities (SAs) contributed to the evaluation and review of the Data Protection Law Enforcement Directive (LED), carried out by the European Commission in accordance with Article 62 of the LED. The LED aims to provide a harmonised level of data protection for individuals in the area of law enforcement across the EU.

The past four years have been characterised primarily by the national processes to transpose the Directive. Because of its recent implementation, there is limited experience and empirical data on some parts of the LED. Therefore, the EDPB believes that it is too early to draw conclusions on the effectiveness of the LED or to consider its revision. The EDPB strongly urges those EU member states still in the implementation phase to invest all means possible to ensure that the transposition is fully compliant with the LED without any further delay. In its contribution, the EDPB reaffirms its commitment to continue providing guidance on the interpretation of the LED. In addition, the EDPB remains committed to providing independent assessments of future draft adequacy decisions, with regard to the requirements of the LED, especially enforceable rights, effective redress and safeguards concerning onward transfers. The EDPB stresses that the effective implementation of the tasks under the LED requires the availability of the necessary resources, both human and technical, and calls on the member states to ensure that the resources of SAs increase in proportion to their workload.

Support Pool of Experts project plan agreed

As part of the implementation of the EDPB 2021-2023 strategy and following the establishment of a Support Pool of Experts (SPE), the EDPB has now agreed on the SPE’s project plan. The SPE aims to provide material support to EDPB members in the form of expertise that is useful for investigations and enforcement activities and to enhance cooperation and solidarity between EDPB members by sharing, reinforcing and complementing strengths, and addressing operational needs.

Reply on Pegasus

The EDPB adopted a response to concerns raised by an MEP about the hacking spyware Pegasus. In its reply, the EDPB highlights that the Board and its members pay, and will continue to pay, particular attention to the current developments related to the interferences with the fundamental rights to privacy and data protection through surveillance measures. The EDPB adds that protection of journalists and their sources is a cornerstone of the freedom of the press. The EDPB has competency to provide an opinion about the alleged use of the Pegasus software to the extent that it is deployed for purposes under the GDPR and the LED. However, it notes that under EU law, it does not have the same competences, tasks and powers as national SAs, and that in this case, the Hungarian National Authority for Data Protection and Freedom of Information has competency to carry out the investigation procedure regarding the alleged use of spyware by Hungarian authorities.

Guidelines adopted on examples regarding data breach notifications

Following consultation, the EDPB has adopted the final version of the Guidelines on examples regarding data breach notifications. These guidelines complement the Article 29 Working Party guidance on data breach notification by introducing more practice-oriented guidance and recommendations. They aim to help data controllers decide how to handle data breaches and what factors to consider during risk assessment.