European Data Protection Board: February plenary session

February 26, 2022

The EDPB has held its February plenary session, where it discussed several topics of interest.

Second Additional Protocol to the Cybercrime Convention

It adopted a letter in reply to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee regarding the Second Additional Protocol to the Cybercrime Convention, and in view of the two European Commission proposals for Council Decisions authorising member states to sign and ratify the Protocol. The EDPB said that the level of protection of personal data transferred to third countries resulting from the Protocol must be essentially equivalent to the EU level of protection. The EDPB also refers to the EDPS Opinion on the proposals and highlights some of its crucial points. The EDPB welcomes the safeguards included in the Protocol, such as the provisions on oversight. However, the EDPB regrets that the Protocol does not ensure that, as a general rule, information to individuals related to access is provided free of charge.

The EDPB recommends that member states reserve the right not to apply the direct cooperation provision enabling third country authorities to directly request EU service providers to disclose certain types of data (access numbers). This would help to ensure a more substantial involvement of EU judicial or other independent authorities in the review of such requests.

Guidelines on Codes of Conduct as a tool for transfers

Following consultation, the EDPB has now adopted the final version of its Guidelines on Codes of Conduct as a tool for transfers, taking into consideration the feedback it received during the consultation. The main purpose of the guidelines is to clarify the application of articles 40(3) and 46(2)(e) of the GDPR. These provisions stipulate that a code of conduct, once approved by a competent supervisory authority and approved for use in the EEA by the European Commission, may also be adhered to and used by controllers and processors in a third country to provide appropriate safeguards for transfers of data outside the EEA.

Letter on AI liability

The EDPB also adopted a letter on AI liability. In its letter, the EDPB welcomed the Commission’s initiative to adapt liability rules to the digital age and artificial intelligence, in light of the evaluation of the Product Liability Directive. The EDPB considers it appropriate to strengthen the liability regime of providers of AI systems, so that processors and controllers can rely on those systems. In addition, AI systems should be explainable by design and providers of AI systems should embed security by design throughout the entire lifecycle of the AI.