The European General Court delivered an important judgment 29 Jan. confirming the European Data Protection Board has the authority to request a lead national supervisory authority to conduct additional investigations and, based on such investigations, issue new draft decisions.
In the case at hand, Ireland's Data Protection Commission questioned the EDPB's authority to request such actions after it ordered the DPC to carry out new investigations into the personal data processing activities of Facebook, Instagram and WhatsApp, and issue new draft decisions.
The orders stem from the binding decisions adopted by the EDPB as part of the dispute resolution procedure under Article 65(1)(a) of the EU General Data Protection Regulation, following objections from several DPAs concerning the Irish regulator's draft decisions in which it refused to investigate Meta's processing of special categories of personal data.
This judgment, although appealable to the Court of Justice of the European Union, provides a conclusion on the EDPB's role in deciding the scope of investigations. It will be relevant in ongoing negotiations on the proposal for a regulation on additional procedural rules for enforcement of the GDPR, which, among other things, touches upon the dispute resolution procedure.
During its first plenary of the year, the EDPB adopted guidelines on pseudonymization that are open to consultation until 28 Feb. Among other things, the guidelines break down the definition of pseudonymization, elaborate on its objectives and advantages as well as risks and mitigation techniques, and provide real-life examples.
The board also published a position paper on the interplay between competition law and data protection. The EDPB highlighted the importance and, in some cases like the CJEU's Meta vs. Bundeskartellamt judgment, the requirement of cooperation between authorities responsible for each domain. The position paper not only explains the reasons why such cooperation may be necessary, but also provides examples and recommendations on how it could be done in practice.
The beginning of the year was marked by yet another addition to the EU's digital rulebook. On 21 Jan., the Council of the European Union adopted the European Health Data Space, a regulation on the first sector-specific EU data space under the European strategy for data.
The EHDS establishes a legal framework improving individuals' access to and control of their electronic health data, enhancing the interoperability of electronic health records across the EU, and boosting research and innovation possibilities by establishing an infrastructure for access and reuse of anonymized health data.
It will be interesting to see how these sector-specific rules will interplay with other legislation, such as the Data Act, the Data Governance Act, the GDPR and the AI Act.
The Polish presidency of the Council of the European Union started its six-month term 1 Jan. In its recently published programme, the new Council's leadership revealed it will focus on reducing administrative and regulatory burdens placed on businesses by numerous EU digital laws, through actions such as streamlining notification obligations — a theme the European Commission is embracing in its Competitiveness Compass initiative.
The presidency also emphasized its plans to support the development of a comprehensive and horizontal approach to cybersecurity to strengthen the EU's resilience. The topic of artificial intelligence was addressed as well, namely the goal of strengthening AI research, development and competence centers across the EU and supporting activities for entrepreneurs implementing disruptive technologies.
The programme also specified the presidency's commitment to continue its work on digital diplomacy, including on policies for managing the digital space, and to continue working toward the creation of multilateral and bilateral rules for international digital trade.
Laura Pliauskaite is European operations coordinator for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.