On February 22, 2023, the European Data Protection Board (“EDPB”) released its Work Program for 2023-2024 (“the Program”), outlining the key priority areas for the next two years. The Program is divided into four pillars, which largely reflect the priorities already set out in its Strategy 2021-2023.
1. Advancing harmonization and facilitating compliance with the GDPR
The EDPB will continue to publish guidance on key concepts of EU data protection law. It intends to release guidelines on the following topics:
- The concept of legitimate interest;
- Processing children’s data; and
- Processing of data for medical and scientific research purposes.
2. Supporting effective enforcement and efficient cooperation among supervisory authorities
The EDPB aims to facilitate and streamline the cooperation and consistency mechanisms with national supervisory authorities, and further strengthen the EDPB’s role as a forum for the exchange of information. Accordingly, the EDPB intends to:
- Publish guidelines on mutual assistance, the urgency procedure, and templates for data subject complaints;
- Implement the Coordinated Enforcement Framework (i.e., a structure set up in 2020 to coordinate supervisory authorities’ recurring annual activities and facilitate joint actions) to support coordinated actions on selected topics, for instance, on the designation and position of the DPO (see our blogpost on the first Coordinated Enforcement Framework’s report on the public sector’s use of cloud-based services here), and the Support Pool of Experts;
- Provide support in cases of strategic importance; and
- Create taskforces where cooperation is required (see our blogpost on the Cookie Taskforce here).
3. Adopting a fundamental rights approach to new technologies
The EDPB is committed to supporting industry and authorities by advising on data protection as it relates to emerging technologies, such as blockchain, telemetry and diagnostic data, and on the interplay between the upcoming AI Act and the GDPR (see our blogpost here). The EDPB will also publish its revised position on anonymization and pseudonymization techniques.
4. Setting and promoting high EU and global standards on international data transfers
International transfers continue to be central to the EDPB’s work. The EDPB will continue to advise on the Commission’s adequacy proposals. In particular, Japan’s adequacy decision is undergoing a periodic review, and the EDPB’s opinion on the proposed EU-U.S. adequacy finding, to replace the invalidated Privacy Shield, is expected on or around February 28, 2023 (see our blogpost here).
Moreover, the EDPB will release guidance on the following topics:
- Transfers or disclosures not authorized by Union law (Article 48 GDPR); and
- The referential for the approval of BCR Processors.
The EDPB also aims to strengthen engagement with international partners to promote EU data protection rules globally and ensure the protection of fundamental rights, for instance, in the context of the recently launched EU Digital Partnerships with Japan, South Korea and Singapore (see our blogpost here), and in other international fora (see our blogpost on the OECD and EU Declaration on Government Access to Personal Data here).
***
Covington’s Data Privacy and Cybersecurity Team regularly monitors regulatory guidance, legal and policy developments. Our team is happy to assist with any inquiries related to data protection and cybersecurity.