During its 31st plenary session, the EDPB decided to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU, and adopted a letter with regard to the use of Clearview AI by law enforcement authorities. In addition, the EDPB adopted a response to the ENISA advisory group and a letter in response to an Open Letter from NOYB.
The EDPB announced its decision to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU.
In response to MEP Körner’s request regarding TikTok, the EDPB indicates that it has already issued guidelines and recommendations that should be taken into account by all data controllers whose processing is subject to the GDPR, in particular when it comes to the transfer of personal data to third countries, substantive and procedural conditions for access to personal data by public authorities or the application of the GDPR territorial scope, in particular when it comes to the processing of minors’ data. The EDPB recalls that the GDPR applies to the processing of personal data by a controller, even if it is not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union.
In its response to MEPs regarding Clearview AI, the EDPB shared its concerns regarding certain developments in facial recognition technologies. The EDPB recalls that under the Law Enforcement Directive (EU) 2016/680, law enforcement authorities may process biometric data for the purpose of uniquely identifying a natural person only in accordance with the strict conditions of Articles 8 and 10 of the Directive.
The EDPB has doubts as to whether any Union or Member State law provides a legal basis for using a service such as the one offered by Clearview AI. Therefore, as it stands and without prejudice to any future or pending investigation, the lawfulness of such use by EU law enforcement authorities cannot be ascertained.
Without prejudice to further analysis on the basis of additional elements provided, the EDPB is therefore of the opinion that the use of a service such as Clearview AI by law enforcement authorities in the European Union would, as it stands, likely not be consistent with the EU data protection regime.
Finally, the EDPB refers to its guidelines on the processing of personal data through video devices and announces upcoming work on the use of facial recognition technology by law enforcement authorities.
In response to a letter from the European Union Agency for Cybersecurity (ENISA) requesting that the EDPB nominate a representative to the ENISA Advisory group, the Board appointed Gwendal Le Grand, Deputy Secretary-General CNIL, as representative. The Advisory Group assists the Executive Director of ENISA with drawing up an annual work programme and ensuring communication with the relevant stakeholders.
The EDPB adopted a response to an Open Letter by NOYB regarding cooperation between the Supervisory Authorities and the consistency procedures. In its letter, the Board indicates it has been working constantly on the improvement of the cooperation between the Supervisory Authorities and the consistency procedures. The Board is aware that there are issues requiring improvement, such as the differences in national administrative procedural laws and practices, together with the time and resources needed to resolve cross-border cases. The Board reiterates it is committed to finding solutions, where these lie within its competence.
The agenda of the 31st plenary is available here
Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.