During its 34th plenary session that took place on 20 July 2020, the European Data Protection Board (EDPB) adopted the following documents:
- a statement on the CJEU’s ruling in Facebook Ireland v Schrems in which it states that it is working on guidance on the use of data transfer instruments;
- guidelines on the interplay between the second Payment Services Directive (PSD2) and the GDPR;
- a response letter to MEP Ďuriš Nicholsonová on contact tracing, interoperability of apps and DPIAs.
The EDPB is working on guidance following the judgment of the Court of Justice of the European Union in Case C-311/18 (Schrems 2)
As stated in our analysis of the judgment (here), the Schrems 2 judgment invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield and considers Commission Decision 2010/87 on Standard Contractual Clauses (SCC) for the transfer of personal data to processors established in third countries to be valid.
Given the legal uncertainty resulting from this judgment with regard to personal data transfers to the United States (US), the EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment.
In addition to the guidance on the use of data transfer instruments, the EDPB will also look further into what measures additional to those included in the SCCs could consist of. Indeed, the Court ruled that data exporters may have to implement additional measures when considering using SCCs to transfer data to certain third countries, to ensure a level of protection essentially equivalent to that provided in the EU.
The EDPB declares that it follows the CJEU's position, further stating that the EU and the U.S. should achieve a complete and effective framework ensuring a level of protection of personal data in the U.S. essentially equivalent to that guaranteed within the EU. In this regard, the EDPB states that it is ready to help the European Commission by providing guidelines and advice.
The full text of the EDPB statement is available (here).
Guidelines on the second Payment Services Directive (PSD2)
The PSD2 modernises the legal framework for the payment services market, in particular, by introducing a legal framework for new payment initiation services (PISP) and account information services (AISP).
Users can grant these new payment service providers access to their payment accounts. The EDPB developed Guidelines on the application of the GDPR to these new payment services.
In these guidelines, the EDPB recalls that:
- in this context, special categories of data may be processed with the explicit consent of the data subject or where the processing is necessary for reasons of substantial public interest;
- provisions of the PSD2 (i.e. Article 66 (3) (g) and Article 67 (2) (f)) do not allow for any further processing unless it is provided for by EU or Member State law or data subjects have given their additional consent.
It also addresses conditions under which Account Servicing Payment Service Providers (ASPSPs) grant PISPs and AISPs access to payment account information.
Letter in response to MEP questions on data protection in the context of the Covid-19 pandemic
The letter addresses questions on the harmonisation and interoperability of contact tracing applications, the requirement of a DPIA for such processing and the duration for which processing may be put in place.