On 18th - 19th November 2024, the EDPS co-hosted the 74th Meeting of the International Working Group on Data Protection in Technology.  Read about the event in the Supervisor's blogpost. 

Watch with us another episode with one of the most influential privacy activist and lawyer who became known for campaigns against privacy violations, advocating for stronger enforcement of data protection and privacy law against big tech companies

This year, we focused on the rapidly growing AI technologies and described how emerging trends could impact the rights and freedoms of individuals . In the report you will find critical overview of six trends. 

Have a listen to our new episode of the Newsletter Digest on Artificial Intelligence with the Secretary-General of the EDPS, Leonardo Cervera Navas. Now you can also watch the episode here.

Brussels, 05 November - During its latest plenary, the European Data Protection Board (EDPB) adopted a report on the first review1 of EU-U.S. Data Privacy Framework (DPF), as well as a statement on the recommendations of the high-level group (HLG)2 on access to data for effective law enforcement.

The EDPB welcomes the efforts by the U.S. authorities and the European Commission to implement the DPF, and takes note of several developments that took place since the adoption of the adequacy decision in July 2023.

Regarding commercial aspects, i.e. the application and enforcement of requirements applying to companies self-certified under this framework, the EDPB notes that the U.S Department of Commerce took all relevant steps to implement the certification process. This includes developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.

In addition, the redress mechanism for EU individuals has been implemented and there is comprehensive complaint-handling guidance published on both sides of the Atlantic. However, the low number of complaints received so far under the DPF highlights the importance of having U.S. authorities initiate monitoring activities concerning compliance of DPF-certified companies with the substantive DPF Principles.

The EDPB encourages the development of guidance by U.S. authorities, clarifying the requirements that DPF-certified companies would need to comply with when they transfer personal data that they have received from EU exporters. Guidance by U.S. authorities on human resources data would also be welcome. The EDPB expresses its availability to provide feedback on these guidance documents.

Concerning the access by U.S. public  authorities  to  personal  data transferred from the EU to certified organisations, the EDPB focused; on the  effective  implementation  of  the  safeguards introduced by the Executive Order 14086 in the U.S. legal framework, such as the necessity and proportionality principles  and  the  new  redress  mechanism. The Board considers that the elements of the redress mechanism are in place; at the same time, it renews the call to the European Commission to monitor the practical functioning of the different safeguards, e.g. the implementation of the principles of necessity and proportionality. The EDPB also recommends that the Commission monitors future developments related to the U.S. Foreign Intelligence Surveillance Act, in particular given the extended reach of Section 702 after its re-authorisation by the U.S. Congress earlier this year.

EDPB Deputy Chair Zdravko Vukić said: “We are pleased that progress has been made since the adoption of the adequacy decision thanks to the fruitful cooperation between U.S. authorities, the EU Commission and the EDPB. At the same time, there is still space for improvement and we should continue working together to maintain a high level of data protection and safeguard the rights and freedoms of EU individuals.”

Finally, the Board recommends that the next review of the EU-U.S. adequacy decision should take place within three years or less.

 The statement on the recommendations of the HLG on access to data for effective law enforcement underlines that fundamental rights must be safeguarded when law enforcement agencies access the personal data of individuals. While the EDPB supports the aim of effective law enforcement, it points out that some of the HLG’s recommendations could cause serious intrusiveness vis-à-vis fundamental rights, in particular the respect for privacy and family life.

 While the EDPB positively notes the recommendation may lead to the establishment of a level-playing field on data retention, it considers that a broad and general obligation to retain data in electronic form by all service providers would create a significant interference with the rights of individuals. Therefore, the EDPB questions whether this would meet the requirements of necessity and proportionality of the Charter of Fundamental Rights of the EU and the CJEU jurisprudence. 

In its statement, the EDPB also emphasizes that the recommendations concerning encryption should not prevent its use or weaken the effectivity of the protection it provides. For example, the introduction of a client-side process allowing remote access to data before it is encrypted and sent on a communication channel, or after it is decrypted at the recipient, would in practice weaken encryption. Preserving the protection and effectivity of encryption is important to avoid that the respect for private life and confidentiality is negatively impacted and to ensure that the freedom of expression and economic growth, which depend on trustworthy technologies, are safeguarded. 

Note to editors

1 In line with art. 3 of EU-U.S. adequacy decision, the EU Commission is required to review the adequacy decision one year after its adoption. The review meeting was held in Washington D.C. on 18-19 July 2024 and the EU Commission was accompanied by five representatives of the EDPB.

2 The HLG was launched by the European Commission in June 2023 and it is co-chaired by the EU Commission and the rotating Presidency of the Council. It was launched with the aim to explore challenges for law enforcement practitioners in connection to access to data and propose solutions and recommendations.

In June 2024, the  HLG  published  42  recommendations  for  the further development of EU policies and legislation, structured as “capacity  building  measures”,  “cooperation  with  industry  and standardisation” and “legislative measures”. The  recommendations  cover  in  particular  encryption, cooperation  with  the  industry  as  well  as  between  law  enforcement agencies, and the need for harmonised rules on data retention.
 

The EDPB is holding a stakeholder event on “AI models” with participants representing European sector associations, organisations, NGOs, individual companies, law firms and academics. 

During today’s event, the EDPB will collect input for of the preparation of a consistency opinion on AI models, requested by the Irish Data Protection Authority under Art. 64 (2) GDPR.

EDPB Chair Anu Talus said: “During the stakeholder event we will tackle a number of targeted questions, which will feed our reflection in the context of the preparation of our Opinion on AI models. Stakeholder input is especially valuable for these fast-moving technologies with an exceptional societal impact.”

The EDPB's opinion on “AI models” is due by the end of 2024.

On 28 January 2025 in Brussels, to mark Data Protection Day, European Data Protection Supervisor (EDPS) together with Council of Europe (CoE) and Computers, Privacy and Data Protection, organises a one-day hybrid event focused on exploring the current and future landscape of data protection. 

The full programme and registration are available at https://cpdp-dataprotectionday.eu/

With a strong background in planetary science and a passion for the search for life beyond Earth, our guest has been instrumental in advancing research on extreme environments, often considered analogs for other planets. Watch it with us. 

EDPS issues the Supervisory opinion on the draft Europol management board decision laying down rules to determine time limits for the storage of administrative personal data.

He is interviewed by Prof. Lee A. Bygrave, Director of the Norwegian Research Center for Computers and Law (NRCCL) at the University of Oslo, and Prof. Gloria González Fuster, Director of the Law, Science, Technology and Society (LSTS) Research Group at the Vrije Universiteit Brussel (VUB).

Mini video series is a collaborative project of the European Data Protection Supervisor and LSTS Research Group at the Vrije Universitet Brussel. This series features in-depth interviews with leading experts in the field of data protection who shed light on how the landscape of data protection has transformed over time and what lies ahead. 

Update on 15/10/24: The call is now closed.
Thank you to all those who expressed an interest in taking part in the EDPB stakeholder event on ‘AI models’. We will carefully review all applications and communicate the results of the process to those who applied in the coming weeks.

Brussels, 15 October - The European Data Protection Board (EDPB) organises a remote stakeholder event, taking place on 5 November 2024 (time to be confirmed), aimed at collecting input from stakeholders in the context of a request for an Art. 64(2) GDPR opinion relating to artificial intelligence models (‘AI models’) submitted to the EDPB by the Irish Data Protection Authority (DPA).

How to take part?

The EDPB launches a call for expression of interest in order to select participants for the EDPB’s stakeholder event on AI models. You can find further information on this event and instructions on how to register here. If you have technical problems submitting the application, we invite you to refresh the page or open the form in a different browser.

The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.

On 8 October 2024, the European Data Protection Board met with Commissioners and representatives of Data Protection Authorities (DPAs) from the fifteen countries having been subject to an EU adequacy decision. The meeting took place in the margins of the EDPB October’s plenary and reflects the EDPB’s commitment to international engagement.

The European Commission has so far recognised the following adequate countries:  Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay and United States.

Adequacy decisions are the result of a high degree of  convergence of data protection laws and enable safer data flows. 

During the meeting, the EDPB and the DPAs from the adequate countries discussed multilateral engagement on advisory work and guidelines, and on enforcement cooperation.  

Note to editors
Adequacy decisions are the result of a key mechanism in the EU's data protection framework that allows the free-based flow of personal data from the EU to adequate countries, provided that the European Commission has decided that these countries ensure an adequate level of data protection. In this case, the transfer does not require any specific authorisation. Adequacy decisions promote international data transfers by not requiring companies in these countries to have Standard Contractual Clauses or Binding Corporate Rules.
 

Brussels, 11 October -The EDPB will organise a stakeholder event on ‘AI models’ on 5 November 2024 (exact time to be confirmed). 

During its latest plenary, the European Data Protection Board (EDPB) exceptionally agreed to organise a remote public event aimed at collecting input from stakeholders on issues relating to the request for an Art. 64(2) GDPR opinion on artificial intelligence ("AI") submitted to the EDPB by the Irish Data Protection Authority (DPA). 

Individuals representing European sector associations, organisations or NGOs and individual companies, law firms or academics are invited to take part in this event (one participant per organisation). The EDPB encourages all organisations interested in this matter to delegate a representative with technical knowledge of this topic.

As a general rule, participants will be registered on a first-come first-serve basis. Nonetheless, the EDPB reserves the right to give precedence to specific stakeholders among those who expressed their interest, in light of their relevance for the subject matter of this event with the aim to ensure relevant expertise among participants, as well as the diversity of the views expressed at the event.  

Do you wish to participate? 

The EDPB will launch a call for expression of interest to participate in the EDPB’s stakeholder event on ‘AI models’ on 15 October at 10.00 am (Brussels time).

The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.

The call will be launched on the EDPB website. More details will follow on the day of the launch of the call.

With our participation in the G7 DPA Roundtable this year, we aim to help shape the global debate on the importance of data protection in the development of ethical and trustworthy AI. Collaborating with our partners from like-minded G7 countries enables us also to create common approaches to privacy and data protection in this fast-moving landscape.

Read Press Release

Brussels, 10 October - During its October 2024 plenary, the European Data Protection Board (EDPB) selected the topic for its fourth Coordinated Enforcement Action (CEF), which will concern the implementation of the right to erasure (‘right to be forgotten’) by controllers. Data Protection Authorities (DPAs) will join this action on a voluntary basis in the coming weeks and the action itself will be launched during the first semester of 2025.

The right to erasure (Art.17 GDPR) is one of the most frequently exercised data protection rights and one about which DPAs frequently receive complaints. The aim of this coordinated action will be, among other objectives, to evaluate the implementation of this right in practice. For example, this will be done by analysing and comparing the processes put in place by different controllers to identify the most important issues in complying with this right, but also to get an overview of best practices.

In a coordinated enforcement action, the EDPB prioritises a specific topic for DPAs to work on at national level. In the past three years, DPAs have already coordinated their national actions on different topics, namely: the use of cloud in the public sector, the designation and position of Data Protection Officers and the implementation of the right of access by data controllers.

The results of these national actions are then aggregated and analysed together to generate deeper insight into the topic and allowing for targeted follow-up on both national and EU level.

In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector.
Earlier this year, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers.

The report on the outcome of the 2024 coordinated action on the right of access will be adopted at the beginning of 2025.
Coordinated actions follow the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2024-2027 Strategy, together with the Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among DPAs.