The European Data Protection Board, group made up of the EEA supervisory authorities and the European Data Protection Supervisor met for its met for their eighteenth plenary session on February 18 and 19 and released documents on February 24.
It dealt with the following issues:
- Assessment and review of the GDPR as required under art. 97 thereof.
- Adoption of draft guidelines to provide clarification regarding the application of article 46.2 (a) and 46 46.3 (b) GDPR relating to transfers of personal data from EEA public authorities or bodies to public bodies in third countries or international organisations.
- Release of a statement of privacy implications of mergers following the announcement by Google LLC of its decision to acquire Fitbit, a health application provider.
1.Assessment of the GDPR
The EDPB is of the opinion that the application of the GDPR in the first 20 months has been successful and that cooperation between Supervisory Authorities has been good and will result in a common data protection culture.
However, it points out that Supervisory faces some challenges such as the following:
- Lack of resources for all Supervisory Authority is still a concern.
- Patchwork of national procedures that may hinder the good cooperation between the authorities. In this regard, although it is working on finding solutions, it also calls upon the European Commission to check if national procedures impact the effectiveness of the cooperation procedures.
In its assessment it also raises issues relating to international transfers tools, impact of the GDPR on SMEs, development of new technologies and concluded that it would be premature to revise the GDPR at this point in time.
2. Draft guidelines on international transfer from public authorities
The guidelines recommend which safeguards to implement in legally binding instruments (art. 46.2 (a)) or in administrative arrangements (Art. 46.3 (b)) and will be submitted for public consultation.
3. Statement on privacy implications of mergers (Google / Fitbit)
Following the announcement of Google’s intention to acquire Fitbit, a company providing a health application, the EDPB worried about the privacy risks for users that such a merger could cause. Indeed, at the time they downloaded and started using the application provided by Fitbit, they could not know or foresee that their health data (i.e. sensitive data), could end up being processed by Google that already processes a massive amount of personal data of million indeed billions of users around the world.
Given the risks at stake, the EDPB reminded Google and Fitbit, of their obligations under the GDPR and strongly recommended them to conduct, in a transparent manner, a full assessment of the data protection requirements and privacy implications of the merger and to mitigate possible risks to the rights to privacy and data protection before notifying the merger to the European Commission.