European Data Protection Board 45th Plenary session: report highlights

February 8, 2021

The EDPB has reported on its 45th Plenary session. Firstly, it adopted Recommendations on adequacy under the Law Enforcement Directive. One of the EDPB’s roles is to ensure the consistent application of EU data protection law in the EU, including the Directive, which deals with the processing of personal data for law enforcement purposes. The aim of the Recommendations is to provide a list of elements to be examined when assessing the adequacy of a third country under the Directive. The document sets out the concept and procedural aspects of adequacy under the Directive and the case law of the CJEU, as well as the EU standards for data protection for police and judicial cooperation in criminal matters.

Secondly, the EDPB adopted an opinion on the draft Administrative Arrangement for transfers of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board. The Arrangement will be submitted to the French supervisory authority for authorisation at national level. The French supervisory authority will monitor the application of the Arrangement in practice and, if necessary, suspend any transfer performed by the H3C, if the Arrangement ceases to provide data subjects with an essentially equivalent level of protection.

The EDPB also adopted a Statement on the draft provisions on a protocol to the Cybercrime Convention. This statement complements the EDPB’s contribution to the draft second additional protocol to the Council of Europe Convention on Cybercrime and follows the publication of the new draft provisions. In this statement, the EDPB notes that the provisions currently being discussed are likely to affect the conditions for access to personal data in the EU for law enforcement purposes and calls for a careful scrutiny of the ongoing negotiation by the relevant EU and national institutions. In addition, the EDPB stresses the need to guarantee full consistency with the EU acquis in the field of personal data protection. 

In addition, the EDPB adopted its response to the European Commission questionnaire on processing personal data for scientific research, focusing on health related research. The answers provided by the EDPB form a preliminary position on this topic and aim to provide clarity as to the application of the GDPR in the domain of scientific health research. The EDPB is currently developing guidelines on processing personal data for scientific research purposes that will elaborate on these issues. 

Finally, the Members of the Board discussed WhatsApp’s recent Privacy Policy update.