The European Data Protection Board (the “EDPB”) held its third plenary session on September 25 and 26, 2018. Several topics were discussed by the Board members during the plenary.

The EDPB Discussed EU-Japan Adequacy Decision

The EDPB received a draft adequacy decision from Commissioner Věra Jourová and will thoroughly review the draft. The Board will consider two major points: the wide-ranging impact of the draft adequacy decision as well as the need to protect personal data in the EU.

The EDPB Published 22 Opinions for National DPIA Lists

The GDPR requires Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risks to the rights and freedoms of individuals. The GDPR calls for national supervisory authorities (SAs) to create lists of types of operations that are likely to result in a high risk. To gain more consistency in these national lists, the EDPB collected 22 draft national DPIA lists and published opinions after reviewing each list to establish common criteria for DPIA lists. These opinions include changes for SAs to make.

For example, the EDPB requests that the UK ICO and the Irish DPC add conditions on requiring mandatory DPIAs when biometric, genetic and location data is processed – “adding that the item requires a DPIA to be carried out only when it is done in conjunction of at least one other criterion”. [1] Also, the EDPB requests that the Irish DPC and the French CNIL address the non-exclusive nature of their DPIA lists. [2]

These opinions are addressed to SAs. An SA needs to communicate with the Chair of the EDPB within two weeks after receiving the opinion on its DPIA list. The SA is required to inform the Chair whether it will amend its list or maintain it. Within the same period, the SA must also provide its amended draft list or, where it does not intend to follow the opinion of the EDPB, in whole or in part, the relevant grounds for not doing so.

The EDPB Adopted New Draft Guidelines on Territorial Scope

The EDPB adopted new draft guidelines on the territorial scope of the GDPR. The new guidelines will address issues such as the territorial scope of the GDPR application where a data controller or processor is established outside the EU, including the designation of a representative. The guidelines will be opened for public consultation.

The EDPB Adopted an Opinion on the New E-evidence Regulation

The European Commission proposed new E-evidence rules in the form of a Regulation and a Directive for the collection of electronic evidence. The EDPB adopted an opinion on the new rules. The EDPB stressed that the E-evidence rules should sufficiently safeguard individuals’ data protection rights and should be more consistent with EU data protection law. The new rules will provide strong protection for personal data including legal remedies for service providers from whom data is being requested as well as individuals whose personal data is being sought. The proposed new rules introduce two Orders.

  • A European Production Order will allow a judicial authority in one Member State to obtain electronic evidence (such as emails, text or messages in apps, as well as information to identify a perpetrator as a first step) directly from a service provider or its legal representative in another Member State. The service provider or its legal representative must respond to such a request within 10 days, and within 6 hours in cases of emergency (compared to up to 120 days for the existing European Investigation Order or an average of 10 months for a Mutual Legal Assistance procedure).
  • A European Preservation Order will allow a judicial authority in one Member State to request that a service provider or its legal representative in another Member State preserves specific data in view of a subsequent request to produce this data via mutual legal assistance, a European Investigation Order or a European Production Order.

How OneTrust Helps

As new guidelines and opinions are released regarding the GDPR and other global privacy regulations, OneTrust’s privacy and legal teams work together to embed these regulations and changes into OneTrust software and solutions. OneTrust’s OnePIA features the EDPB processing activities that are likely to result in high risks to the rights and freedoms of individuals, making it easy for companies to follow this guidance as part of their regular PIA workflow.

To stay up to date on global privacy regulations and updates from OneTrust’s privacy team, follow us on LinkedIn, Twitter and Facebook, and visit our blog each Tuesday for “Last Week in Privacy.”

[1] See this suggestion in opinions to UK ICO, Irish DPC, etc.

[2] See this suggestion in opinions to Irish DPC, French CNIL, etc.