TOOLS ADOPTED BY THE EDPB IN FEBRUARY 2023
By Mugurel Olariu, RPD protectie date
The European Data Protection Board held two plenary meetings in February – on the 14/15 and 28, during which it adopted several documents, some of which are intended for the activity of controllers and processors. From the releases section*1 of the EDPB, we briefly present the following:
✔ Guidelines 5/2021 on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V GDPR, final form (after public consultation):
The Guidelines clarify the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V. They aim to assist controllers and processors when identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.
Following public consultation, the guidelines were updated and further clarifications were added. Most notably, a clarification was added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples were added to clarify aspects of direct collection, as well as the meaning of “the data importer is in a third country”. Moreover, an annex was added with further illustrations of the examples included in the guidelines to facilitate understanding.
✔ Guidelines 3/2022 on deceptive design patterns in social media platform interfaces, final form (after public consultation):
The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns in social media interfaces that infringe on GDPR requirements. The guidelines give concrete examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR.
Following public consultation, the final version integrates updated wording and further clarifications in order to address comments and feedback received. In particular, the title of the Guidelines has been modified and the term “dark pattern” has been replaced by the term “deceptive design patterns”. In addition, some clarifications were added, for example on how to integrate the present Guidelines in the design thinking process and a second Annex was added, providing a quick overview of all the best practices.
✔ Guidelines 7/2022 on certification as a tool for transfers, final form (after public consultation):
The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool. The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers. The guidelines complement Guidelines 1/2018 on certification, which provide more general guidance on certification.
Following public consultation, the Guidelines were updated to reflect comments received.
✔ Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework
In this context, we specify that, on 13.12.2022, the European Commission published the draft Decision on the New US-EU General Framework, based on which the transfers of personal data will be carried out (which will replace the previous agreement known as the Privacy Shield , invalidated by the EU Court of Justice in the 2020 Schrems II Case). From the press release, we mention:
The EDPB welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for U.S. intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points. These relate, in particular, to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism. The EDPB would welcome if not only the entry into force but also the adoption of the decision were conditional upon the adoption of updated policies and procedures to implement Executive Order 14086 by all U.S. intelligence agencies. The EDPB recommends the Commission to assess these updated policies and procedures and share its assessment with the EDPB.
EDPB Chair Andrea Jelinek said: “A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.”
————————————————————————
*1. https://edpb.europa.eu/news/news_ro
