EDPB updates the guidelines on data breach notification, addresses data processing in upcoming AML legislation

Allen & Overy LLP

The European Data Protection Board (EDPB) held its 77th plenary meeting on 28 March 2023. The EDPB considered the following key topics:

  • discussions on the Guidelines on data subject access right, following public consultation;
  • discussions on targeted updates to the Guidelines for identifying a controller or processor’s lead supervisory authority, following public consultation;
  • discussions on targeted updates to the “Guidelines on data breach notification” following public consultation;
  • a request for mandate to create a taskforce on the interplay between data protection, competition and consumer protection; and
  • a proposal for a Regulation on the transparency and targeting of political advertising.

Guidelines on personal data breach notification

The plenary adopted the final Guidelines on personal data breach notification under the GDPR (the Guidelines). The updated Guidelines clarify various practical aspects of the data breach notification obligations, explain the conditions under which notification is not required, and provide examples of data breaches that must be reported to a supervisory authority and to the affected individuals.

The key change in the final Guidelines compared with the consultation version is a clarification of the data breach notification obligations of organisations that process the personal data of individuals in the EU but have no establishment in the EEA.

The EDPB notes that these controllers, and not their EEA representatives, remain responsible for notifying a data breach to all relevant EEA supervisory authorities. In the EDPB's view, the function of a representative of the controller in the EEA is not compatible with the role of an external data protection officer (DPO); the responsibility to notify the breach therefore remains with the controller. This interpretation is aligned with the EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). The representative can be involved in the notification process if this is expressly provided for in the written mandate.

Data sharing for AML/CFT purposes

The EDPB also adopted a letter on data sharing for AML/CFT purposes, addressed to the European Commission, the European Parliament and the Council of the EU. The letter discusses the proposed Regulation on AML/CFT, currently under trilogue negotiations. The EDPB warns about serious data protection risks posed by some provisions in the latest draft and recommends removing them. These provisions relate to:

  • permitting public-private partnerships, where private parties monitor individuals for AML/CFT purposes based on operational information provided by law enforcement authorities;
  • data sharing (or data pooling) between obliged entities for customer due diligence and suspicious transaction reporting. The EDPB notes that this would entail disproportionate, large-scale processing, leading to mass surveillance by private entities. Moreover, such data sharing/pooling could have serious legal consequences for the individual (e.g. difficulties in opening or accessing bank accounts, making payments, obtaining credit, etc.);
  • legislative measures that may limit privacy and data protection rights in order to enable data sharing/pooling. The EDPB calls for a rigorous multidisciplinary assessment, involving FIUs among others;
  • the safeguards for data subjects in data sharing, which the EDPB considers inadequate given the potential impact on individuals (such as blacklisting, exclusion from financial services or criminal investigations).

Insightful minutes from earlier plenary sessions

The EDPB also adopted and published the minutes of two earlier plenary sessions held in February 2023. The minutes provide valuable insights into the discussions within the EDPB on various matters. For instance, when adopting the final version of the Guidelines on certification as a tool for transfers, the EDPB considered the European Commission’s proposal to clarify the possibility of including binding and enforceable commitments in the certification agreement and to require the development of templates to that effect. While the EDPB members rejected these proposals as they found that the Guidelines already provide sufficient flexibility in those aspects, they noted that the Guidelines might be updated in the future.

Another example concerns the discussion on large-scale cross-border inquiries and the use by the European Commission of a template table for collecting information from the supervisory authorities in such inquiries. The EDPB noted that the European Ombudsman has reviewed a template used by the Irish Data Protection Commission and considered it appropriate. Going forward, the European Commission will use this template to obtain information from supervisory authorities leading large-scale cross-border inquiries. Some EDPB members raised concerns about the confidentiality of the ongoing inquiries and the risks of information leaks (such as the names of companies subject to investigations). The minutes indicate that further discussions will be carried out on this topic.

Read the minutes of the 75th meeting and the minutes of the 76th meeting.

Two earlier studies commissioned by the EDPB

The EDPB published two studies on 13 April 2022 that it had commissioned in 2020-2021. These studies examined:

  • The enforcement of the GDPR against entities established outside the EEA: the study analysed how national supervisory authorities can use their investigative and enforcement powers against data controllers and processors that fall under Article 3(2) GDPR but do not cooperate or do not have a representative in the EEA. It focused on entities established in the US (California), the UK and China. The study found that national supervisory authorities face many obstacles in this context, such as a lack of practice, shortcomings in the legal framework and problems in producing evidence. It suggested that international cooperation and instruments, such as memoranda of understanding, MLATs and trade agreements with effective enforcement mechanisms, could help overcome these obstacles.
  • The national administrative rules for DPA cooperation duties: the study explored the procedural rules that national supervisory authorities have to follow when they cooperate with each other in cross-border cases. For example, it looked into time limits, the possibility of amicable settlement, the right of the affected parties to be heard and the obligation to notify an entity of an investigation or enforcement action. Although some of the information may be outdated, the study provides a useful overview of the procedural rules in the 27 EU Member States. It highlights the challenges posed by the significant differences in national approaches, which could affect the consistency, efficiency and legal predictability of the GDPR's one-stop-shop mechanism.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
