EDPB calls for alignment between GDPR and EU digital legislation

• Statement on the second report on GDPR application: the EDPB pinpoints the need to clarify the substantive and regulatory enforcement interplay between the application of the GDPR and other EU digital legislation, particularly the EU Artificial Intelligence (AI) Act and legislative acts from the EU Data Strategy and the Digital Services Package. The EDPB notes that some work in this area has already started, and calls for the development of joint guidance on, for example, the interplay between the GDPR and the Digital Markets Act. The EDPB also calls for the establishment of enforcement cooperation mechanisms between regulators which should be subject to the future evaluation of the GDPR and the digital legislation (see press release and statement).
• Draft Guidelines on Article 48 GDPR on data transfers to third country authorities, were adopted and are now open for public consultation until January 27, 2025. Article 48 GDPR addresses the recognition and enforceability of judgments and decisions from third country authorities that require the transfer or disclosure of personal data by controllers or processors in the EU. The Guidelines focus on direct requests from third country public authorities to private entities in the EU (see press release and the draft Guidelines).
• European Data Protection Seal: the EDPB adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors. The Brand Compliance national certification criteria covering the Netherlands were approved in September 2023 (see here). The new approval makes these criteria applicable across the EU as a European Data Protection Seal (see press release).
• Letter to the European Commission on its review of eleven adequacy decisions adopted under Directive 95/46/EC: the European Commission’s review concluded that personal data transfers from the EU to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay continue to benefit from adequate data protection safeguards. The EDPB calls for more transparency in future assessments, especially regarding government access to data. It suggests detailed descriptions of legal frameworks and data processing bases in future reports. The EDPB stresses the need for strict monitoring of government access and voluntary data disclosures to ensure they are necessary and proportionate (see the letter here).

During the plenary session, the EDPB further discussed the future of the taskforce on the interplay between data protection, consumer protection and competition, and nominated a representative in the Working Group on Protection of Minors of the European Board for Digital Services. 

EDPB and the AI Act

Representatives of the European Commission’s AI Office have joined the plenary session and discussed future collaboration with the EDPB to ensure a coordinated approach to AI governance. 

On November 28, 2024, the EDPB also published its letter to the EU AI Office on the role of data protection authorities in the AI Act Framework, dated November 6, 2024. The letter clarifies that the EDPB is currently working on Article 64(2) GDPR Opinion on AI models, expected to be adopted on December 23, 2024. The EDPB has started to work on the Guidelines on interplay between the GDPR and the AI Act. The letter emphasised that the EDPB supports the establishment of appropriate mechanisms to ensure cooperation between the EDPB, the AI Office and the AI Board.

The plenary agenda is available here, and the letter here.