European Data Protection Board - Third Plenary session: EU-Japan draft adequacy decision, DPIA lists, territorial scope and e-evidence.
Brussels, 26 September - On September 25th and 26th, the European Data Protection Authorities, assembled in the European Data Protection Board, met for their third plenary session. During the plenary a wide range of topics were discussed.
EU-Japan adequacy decision
The Board Members discussed the EU-Japan draft adequacy decision which they received from Commissioner Věra Jourová and have been asked to provide an opinion on. The Board will now thoroughly review the draft decision. The Board is determined to take into account the wide-ranging impact of the draft adequacy decision, as well as the need to protect personal data in the EU.
The EDPB reached an agreement on and adopted the 22 opinions establishing common criteria for Data Protection Impact Assessment (DPIA) lists. These lists form an important tool for the consistent application of the GDPR across the EU. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. To help clarify the types of processing which could require a DPIA, the GDPR calls for the national supervisory authorities to create and publish lists of types of operations that are likely to result in a high risk. The Board received 22 national lists with an overall of 260 different types of processing. The EDPB Chair, Andrea Jelinek said: “It has been an enormous task for the members of the Board as well as the EDPB Secretariat to examine all of these lists and to establish common criteria on what triggers a DPIA and what not. It was an excellent opportunity for the EDPB to test the possibilities and challenges of consistency in practice. The GDPR does not require full harmonisation or an 'EU list', but does require more consistency, which we have achieved in these 22 opinions by agreeing on a common view.”
The 22 opinions on the DPIA lists result from art 35.4 and art. 35.6 GDPR and are in line with earlier guidance established by the Article 29 Working Party.
Guidelines on territorial scope
The EDPB adopted new draft guidelines, which will help provide a common interpretation of the territorial scope of the GDPR and provide further clarification on the application of the GDPR in various situations, in particular where the data controller or processor is established outside of the EU, including on the designation of a representative. The guidelines will be subject to a public consultation.
The EDPB adopted an opinion on the new E-evidence regulation, proposed by the European Commission in April 2018. The Board stressed that the proposed new rules providing for the collection of electronic evidence should sufficiently safeguard the data protection rights of individuals and should be more consistent with EU data protection law.