95th Plenary meeting

16 July 2024
Remote

EDPB adopts statement on DPAs role in AI Act framework, EU-U.S. Data Privacy Framework FAQ and new European Data Protection Seal

17 July 2024

Brussels, 17 July - During its latest plenary, the European Data Protection Board (EDPB) adopted a statement on the Data Protection Authorities’ (DPAs) role in the Artificial Intelligence Act (AI Act) framework.

According to the EDPB, DPAs already have experience and expertise when dealing with the impact of AI on fundamental rights, in particular the right to protection of personal data, and should therefore be designated as Market Surveillance Authorities (MSAs) in a number of cases. This would ensure better coordination among different regulatory authorities, enhance legal certainty for all stakeholders and strengthen the supervision and enforcement of both the AI Act and EU data protection law.

According to the AI Act, Members States shall appoint MSAs at national level before 2 August 2025, for the purpose of supervising the application and implementation of the AI Act.

In its statement, the EDPB recommends that:

  • As already indicated in the AI Act, DPAs should be designated as MSAs for high-risk AI systems used for law enforcement, border management, administration of justice and democratic processes;
  • Member States should consider appointing DPAs as MSAs also for other high-risk AI systems, taking account of the views of the national DPA, particularly where those high-risk AI systems are in sectors likely to impact natural persons rights and freedoms with regard to the processing of personal data;
  • DPAs, where appointed as MSAs, should be designated as the single points of contact for the public and counterparts at Member State and EU levels;
  • Clear procedures should be established for cooperation between MSAs and the other regulatory authorities which are tasked with the supervision of AI systems, including DPAs. In addition, appropriate cooperation should be established between the EU AI Office and the DPAs/EDPB.

EDPB Deputy Chair Irene Loizidou Nicolaidou said: “DPAs should play a prominent role in enforcing the AI Act as most AI systems involve processing of personal data. I strongly believe that DPAs are suitable for this role because of their full independence and deep understanding of the risks of AI for fundamental rights, based on their existing experience.”

Next, the Board adopted two Frequently Asked Questions (FAQ) documents concerning the EU-U.S. Data Privacy Framework (DPF), aimed at providing more clarification on the functioning of the DPF.

The FAQ for individuals provides information on the functioning of the DPF: how to benefit from it, how to lodge a complaint and how this complaint will be handled.

Likewise, the FAQ for businesses explains which U.S. companies are eligible to join the DPF: what to do before transferring personal data to a company in the U.S. which is DPF-certified, and where to find further guidance.

Finally, the EDPB adopted an opinion approving the EuroPriSe Criteria Catalogue for  the  certification of processing activities by processors, resulting in a European Data Protection Seal.* European Data Protection Seals serve as important tools contributing to GDPR compliance.

In September 2022, the EDPB had adopted an opinion on the EuroPriSe certification criteria, enabling their recognition in Germany as certification criteria for processing operations by processors. Following an update of the scheme, this new opinion approves the criteria as being applicable in the whole EU/EEA, and as a European Data Protection Seal.

GDPR certification contributes to the demonstration of compliance efforts and to increased transparency and trust. It allows for better assessment of the degree of protection offered by products, services, processes or systems used by organisations that process personal data.

Note to editors:

*The EuroPrise European Data Protection Seal will be added to the register of certification mechanisms and data protection seals in accordance with Article 42(8) GDPR.

The opinion on the approval of the EuroPriSe certification scheme as European Data Protection Seal, adopted during the EDPB Plenary, is subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once it has been completed.