Brussels, 12 October - The EDPB adopted a list of aspects in national procedural law that it wishes to see harmonised at EU level to facilitate GDPR enforcement. This “wish list” is one of the key actions set out in the EDPB’s Vienna statement on enforcement cooperation. The list has been sent to the European Commission for its consideration.
EDPB Chair Andrea Jelinek said: “The EDPB has taken important steps to promote effective cooperation in view of strong and swift enforcement of the GDPR. We have identified some obstacles beyond our remit which may require a legislative initiative. The current patchwork of national procedures and practices has a detrimental impact on cooperation between data protection authorities.”
The list addresses, among others, the status and rights of the parties to the administrative procedures; procedural deadlines; requirements for admissibility or dismissal of complaints; investigative powers of data protection authorities; and the practical implementation of the cooperation procedure.
Next, the EDPB adopted an Opinion on the approval by the Board of the Europrivacy certification criteria submitted by the Luxembourg data protection authority (DPA). This Opinion marks the approval of the very first European Data Protection Seal by the EDPB pursuant to Art. 42 (5) GDPR.
The Europrivacy certification mechanism is a general scheme that targets a large range of different processing operations performed by both controllers and processors from various sectors. The scheme includes specific criteria that make it scalable and applicable to specific processing operations or sectors of activity.
This approval is another step towards greater GDPR compliance. Certification under the Data Protection Seal has validity in all EU Member States. It allows different controllers and processors in different countries to achieve the same level of compliance for similar processing operations.
Finally, the EDPB adopted a statement on the digital euro. In its statement, the EDPB reiterates the importance of ensuring privacy and data protection by design and by default in this project.
The EDPB cautions against the use of systematic validation and tracing of all transactions in digital euros. In this respect, the EDPB recommends that the digital euro is made available both online and offline, along with a threshold below which no tracing is possible, to allow full anonymity of daily transactions. Finally, the EDPB calls on the European Central Bank and the European Commission to enhance public debate on the digital euro project to ensure it meets the highest standards of privacy and data protection.
The Coordinated Supervision Committee's (CSC) biannual report has now been published on the CSC webpage. The report details the work carried out by the CSC since its creation in 2019 and looks ahead at the work to come in the next few years. The CSC aims to enhance cooperation among the different data protection supervisory authorities and ensure a more effective supervision of EU large-scale IT systems and of EU bodies, offices and agencies. It coordinates the supervision of those EU large-scale information systems and bodies whose legal acts refer to Article 62 of Regulation 2018/1725 or to the European Data Protection Board, and by implication, to the CSC.
Over the last two years, the Internal Market Information System (IMI), Eurojust, the European Public Prosecutor’s Office (EPPO) and Europol have come into the scope of the CSC. While the CSC continues developing its working methods, it has been working at full speed to accommodate the large-scale information systems that have already come under its purview and to prepare for the arrival of the others. Gradually, the Committee will also cover other IT systems, bodies, offices and agencies in the fields of Border, Asylum and Migration (SIS, EES, Eurodac, ETIAS, VIS, and their interoperability), Police and Justice Cooperation (SIS, ECRIS-TCN) and the next generation Prüm.
Brussels, 15 September - Following the EDPB’s binding dispute resolution decision of July 28th, the Irish Data Protection Authority (DPA) has adopted its decision regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and has issued a record GDPR fine of €405 million.
The LSA’s final decision follows an own-volition inquiry into Instagram’s public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children, during the period falling within the temporal scope of the inquiry. This practice has since ended as a consequence of the LSA’s inquiry. EDPB Chair Andrea Jelinek said: “This is a historic decision. Not just because of the height of the fine - this is the second highest fine since the entry into application of the GDPR - it is also the first EU-wide decision on children’s data protection rights. With this binding decision, the EDPB makes it extra clear that companies targeting children have to be extra careful. Children merit specific protection with regard to their personal data.”
The EDPB’s binding decision was adopted on the basis of Art. 65 GDPR, after the Irish DPA as lead supervisory authority (LSA) had triggered the dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, the CSAs issued objections concerning the legal basis for processing and the determination of the fine. The DPC subsequently made amendments to its draft decision following the dispute resolution process.
This is the first binding decision of the EDPB addressing one of the fundamental pillars of EU data protection law: the lawfulness of processing in accordance with Art. 6 GDPR. In particular, the EDPB provided further clarification on the applicability of the legal bases of ‘performance of contract’ and ‘legitimate interest’.
Meta IE relied on these two legal bases alternatively for the publication of email addresses and/or phone numbers of children who used Instagram business accounts. The EDPB found that there were no grounds for the LSA to conclude that the processing at stake was necessary for the performance of a contract. Consequently, Meta IE could not have relied on Art. 6(1)(b) GDPR as a legal basis for this processing.
As regards legitimate interest, as an alternative legal basis for the processing, the EDPB found that the publication of the email addresses and/or phone numbers of children did not meet the requirements under Art. 6(1)(f) GDPR, since the processing was either unnecessary or, if it were to be considered necessary, it did not pass the balancing test required when determining legitimate interest.
The EDPB therefore concluded that Meta IE processed children’s personal data unlawfully without a legal basis and instructed the LSA to amend its draft decision in order to establish the infringement of Art. 6(1) GDPR.
Finally, the EDPB instructed the LSA to reassess its envisaged administrative fine in accordance with Art. 83(1) and 83(2) GDPR to:
- impose an effective, proportionate and dissuasive administrative fine for the additional infringement, taking into consideration the nature and gravity of the infringement, as well as the number of data subjects affected;
- ensure that the final amounts of the administrative fines are effective, proportionate and dissuasive.
This current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties.
The final decision taken by the Irish DPA is available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.