Many countries in Europe and beyond celebrate Carnival this week and next — a centuries-old tradition to mark the beginning of spring and nature's rebirth. One can walk the streets of Cyprus or Binche, the Belgian home of the Gille, to experience the celebrations. There is no time to visit carnivals, though, as the EU bubble is keeping us very busy.
This week the European Data Protection Board released two noteworthy documents. One is its Work Programme 2023-2024. This document builds on the EDPB Strategy 2021-2023 pillars of action, from advancing harmonization and facilitating compliance to supporting effective enforcement and efficient cooperation between national data protection authorities. The program prefaces a number of upcoming activities to watch out for this year, many of which the IAPP is already covering for you on the position of DPOs, international data transfers and many others. Common to all the priority areas are guidelines on topics like legitimate interest, children's data, anonymization, pseudonymization and templates for data subject complaints. Interestingly, the EDPB also underlined "promoting EU data protection as a global model" will remain a focus of its work at the international level.
The other one is a case digest of DPA decisions on the right to object and the right to erasure under the EU General Data Protection Regulation. This digest compiled the various scenarios in which these rights have been discussed in the one-stop shop and the decisions they led to. The EDPB indicated this digest will be the first of a series.
The EDPB is also gearing up to address a complaint Ireland's Data Protection Commission lodged before the European Union's General Court following the Meta decisions they issued in January. Through this action, the DPC is challenging what it perceives was an overreach by the EDPB in the application of the dispute resolution mechanism, suggesting its independence — and that of its fellow DPAs — is endangered by the EDPB instructing the DPC. It is requesting an annulment of the parts of the EDPB's binding decisions that require the DPC to engage in "a very open-ended and speculative investigation." The day the EDPB issued the decision, the DPC indicated it intended to take this to court. Ironically, the complaint was lodged on lovers' day, Feb. 14.
We are also waiting for a noteworthy development next week as the EDPB is expected to adopt its opinion on the commission's draft adequacy decision for the United States. This opinion will mark an important step in the formal process of approval, which could be wrapped up before the summer.
Elsewhere in Brussels:
- The European Commission is preparing a legislative proposal to improve cooperation and harmonize enforcement of the GDPR. This stems from the wish list the EDPB sent to the commission in October 2022. DPAs operate under different legal and administrative systems, which directly inform how the GDPR is implemented. Addressing some of the discrepancies in procedural law across member states could make GDPR cross-border enforcement more coordinated, predictable and ultimately more effective. It remains to be seen how supportive member states will be, as this proposal will mean they must concede changes to their national systems to meet the commission's and the EDPB's asks.
- European Parliament is progressing towards an internal agreement on the Artificial Intelligence Act. It has scheduled several technical meetings in March to discuss the many areas yet to be agreed upon. Key negotiators are hopeful a deal can be struck in late March and Parliament can reach its position in April. That would kick off the second phase of trilogue negotiations with the Council and Commission toward a final text.
- The European Commission closed its infringement proceeding against Belgium's DPA. The commission launched the procedure in June 2021 to address a lack of independence of some DPA staff members, who were either reporting to a management committee depending on the Belgian government, taking part in governmental projects on COVID-19 contact tracing or were members of the Information Security Committee. The commission didn't make any additional information public, but all signs indicate it is satisfied with the information the DPA provided and the reform of its overall structure and governance.