On 10 March 2021, the European Data Protection Board (EDPB) published a press release about its 46th plenary session held on 9 March 2021. We look at some of the highlights below.
Statement on proposed ePrivacy Regulation
The EDPB raises concerns regarding several core provisions of the proposal for the ePrivacy Regulation adopted by the Council of the European Union as the basis for trilogue negotiations with the European Parliament and the European Commission. The concerns of the EDPB include:
- Provisions governing the processing and retention of electronic communication data for law enforcement and national security purposes. The EDPB notes that the future ePrivacy Regulation should not derogate from the application of the case law of the Court of Justice of the European Union (CJEU) in this area, including (for example, with respect to general and indiscriminate retention of traffic and location data) with the EU Charter of Fundamental Rights.
- Provisions on confidentiality of electronic communications should only allow very specific, proportionate and narrowly formulated exceptions. Strong state-of-the-art encryption should be a general rule for electronic communications and end-to-end encryption is the only way to ensure security of data in transit. The EDPB warns against any attempts to weaken encryption, even for national security purposes.
- Consent requirements for the use of cookies and similar technologies should be aligned with the GDPR; cookie walls should be prohibited unless providers offer fair alternatives to the users. Operators of websites and apps should be obliged to put in place a user-friendly and effective mechanism for obtaining valid consent.
- Derogation for audience measurement should be limited to non-intrusive practices, such as low-level analytics necessary for analysis of the performance of the service. Any such derogation should include an opt-out mechanism and prohibit collection of cross-device or service navigation data.
- Further processing of electronic communications metadata or data collected through cookies and similar technologies for compatible purposes should be generally prohibited, with very narrowly construed exceptions.
- Data protection authorities should oversee the provisions of the ePrivacy Regulation that relate to the processing of personal data.
Joint EDPB/EDPS Opinion on the Data Governance Act (DGA)
The Joint Opinion on the DGA recognises the role of the DGA as one of the key elements of the EU’s proposed data-driven economy framework. It notes the legitimate objectives of the DGA to improve the availability of public sector data for reuse, foster data sharing between businesses and data intermediaries, and facilitate data use for altruistic purposes. However, the EDPB and EDPS are critical of the proposal, for failure to take into account the fundamental right to protection of personal data, and for lack of alignment with existing EU law.
The document raises numerous concerns, including inconsistencies and possible conflicts of the proposed text with the GDPR. This includes inconsistencies in the subject matter and scope of the DGA and in its definitions (such as of data holder, data user, metadata, highly sensitive non-personal data or the rights of legal persons).
It can be expected that the concerns raised by the EDPB will require some time to be addressed, which may slow the progress of the DGA.
Draft Guidelines on Virtual Voice Assistants
The draft Guidelines on Virtual Voice Assistants (VVA) have been released today for public consultation. The Guidelines describe the basic characteristics of VVAs and address the typical data protection aspects of using VVAs, focusing on the most common uses of VVAs, including for executing requests, improving the machine learning models, biometric identification and profiling for personalised content or advertising. The Guidelines discuss processing of special categories of data, children’s data, data security, data retention, privacy by design and by default and accountability of VVA providers. They also look into how data subject rights can be effectively exercised in this context.
The consultation is open until 23 April 2021.
Draft UK adequacy decision
The EDPB held discussions on two draft adequacy decisions proposed by the European Commission for data transfers between the UK and the EEA post-Brexit. The EDPB will review the draft decisions, with a focus on the need for continuity and a high level of protection for data transfers from the EEA. In previous statements on this topic, EDPB representatives suggested mid-April 2021 as the anticipated timeframe for issuing its opinions.
Other issues discussed by the EDPB during the plenary include:
- the final Guidelines on processing personal data in the context of connected vehicles and mobility related applications (available here);
- the final Guidelines on relevant and reasoned objection (available here);
- internal guidelines on the cooperation procedure under Article 60 GDPR;
- state of play with the draft Recommendations on supplementary measures following the Schrems II decision and data flow provisions in international agreements;
- a letter to ENISA on the European Cybersecurity Scheme for Cloud Services (available here); and
- a United States order for airlines on Covid-19 related health data.
The press release on the plenary outcomes is available here, and the agenda is available here. The statement on the ePrivacy Regulation is available here. A press release on the Joint Opinion on DGA is available here, and the Joint Opinion on DGA here. The Guidelines on Virtual Voice Assistants are available here.