The European Data Protection Board (EDPB), a Board reuniting all the EU data protection authorities, met for its 40th plenary session on October 21. During this meeting, the EDPB :
- adopted the final version of the Guidelines on Data Protection by Design & Default following the public consultation;
- decided to set up the Cooordinated Enforcement Framework (CEF);
- adopted a letter concerning the data protection implication of article 17 of the Copyright Directive.
1. Final version of the Guidelines on Data Protection by Design & Default adopted
The EDPB adopted the final version of the Guidelines on Data Protection by Design & Default following a public consultation.
Data Protection by Design and by Default is set forth in article 25 GDPR and is about the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default through technical and organisational measures. These principles entail that controllers should be able to demonstrate that the implemented measures are effective.
The new version of the guidelines contains:
- guidance and practical examples to better understand how to implement the data protection principles. They also provide recommendations on how controllers, processors and producers can cooperate to achieve DPbDD ; and
updated wording and further legal reasoning.
In this respect, I will update the article dedicated to the privacy by design and by default principles in the GDPR at a glance section.
2. Setting up of the Coordinated Enforcement Framework (CEF)
The objective of the CEF is to facilitate joint actions in a flexible and coordinated manner, ranging from joint awareness-raising and information gathering to enforcement sweeps and joint investigations. The purpose of recurring annual coordinated actions is to promote compliance, to empower data subjects to exercise their rights and to raise awareness.
3. Letter on the data protection implications of Art. 17 of the Copyright Directive.
Article 17 of the Copyright Directive regulates the use of protected content by online content-sharing service providers.
Under this article, content-sharing service providers may be held liable for sharing copyright-protected content uploaded by their users if they have not been granted authorisation from the copyright holder. As a result, content-sharing platforms may implement upload filters.
In this regard, the EDPB adopted a letter in response to the Europäische Akademie für Informationsfreiheit und Datenschutz concerning the data protection implications of these provisions. For the EDPB, any processing of personal data carried out for the purpose of upload filters must be proportionate and necessary and therefore, no personal data should be processed as far as possible.
However, where the processing of personal data is necessary (e.g., the redress mechanism), only the personal data necessary for this specific purpose should be processed.