European Data Protection Board holds latest plenary session

February 19, 2024

Among other things, the EDPB adopted an Opinion on the notion of main establishment.

During its latest plenary, the EDPB adopted an Opinion on the notion of main establishment and on the criteria for the application of the One-Stop-Shop mechanism, following a request under Article 64(2) GDPR by the French data protection authority. The Opinion clarifies the notion of a controller’s “main establishment” in the EU, especially where decisions regarding the processing are taken outside the EU.

In its Opinion, the EDPB considers that a controller’s “place of central administration” in the EU can only be considered as a main establishment under Article 4(16)(a) GDPR if it makes the decisions on the purposes and means of the processing of personal data and if it has the power to have such decisions implemented. The EDPB further explains that the One-Stop-Shop mechanism can only apply if there is evidence that one of the controller’s establishments in the EU takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. This means that, when the decisions on the purposes and means of the processing are taken outside the EU, there is no main establishment of the controller in the EU, and therefore the One-Stop-Shop should not apply.

This Opinion follows the EDPB’s Vienna Statement on cross-border enforcement, aiming to streamline enforcement and cooperation among data protection authorities.

In addition, the EDPB adopted a Statement on the legislative developments regarding the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. The Statement follows the EDPB-EDPS Joint Opinion on the European Commission’s Proposal for a Regulation and focuses on the latest legislative developments, in particular the position of the European Parliament of November 2023.

The EDPB welcomes the many improvements proposed by the Parliament, such as exempting end-to-end encrypted communications from detection orders. However, the EDPB says that the updated text does not fully resolve important issues flagged by the EDPB and the EDPS related to general and indiscriminate monitoring of private communications, especially regarding detection orders.

The EDPB stresses the importance of further limiting the risk that those orders could affect individuals who are unlikely to be involved in child sexual abuse-related crimes. Furthermore, the EDPB says that detection orders are not limited to child sexual abuse materials (CSAM) that are already known to authorities, despite the fact that the technologies used to detect new CSAM have proven in the past to have significant error rates. During the plenary, the EDPB also discussed the scope of the guidance related to the Consent or Pay model. In addition to the upcoming Article 64 (2) Opinion, which will address the Consent or Pay model in the context of large online platforms, it was agreed that there is a need to consecutively develop Guidelines with a broader scope.