Promoting compliance, cooperation and safeguarding data on both a global and a digital scale are some of the key factors set out in the European Data Protection Board (EDPB) strategy for 2024-2027. The strategy is built around four pillars of priorities, and sets key actions to achieve the goals.
The four pillars are:
- Pillar 1 – Enhancing harmonization and promoting compliance.
- Pillar 2 – Reinforcing a common enforcement culture and effective cooperation.
- Pillar 3 – Safeguarding data protection in the developing digital and cross-regulatory landscape.
- Pillar 4 – Contributing to the global dialogue on data protection.
“The new strategy takes the existing vision in a new direction in order to respond to the data protection needs of today, and the ever-evolving digital landscape. The strategy is the result of a collaborative effort, involving all EU data protection authorities (DPAs) and sets out common priorities for the years to come,” said EDPB Chair Anu Talus.
Coordinated enforcement actions
The EDPB aims to continue its work to promote compliance with data protection law by establishing “clear, concise and practical guidance on important topics,” and by creating materials for a larger audience.
Enforcement cooperation will also remain as an important priority, and the EDPB will keep building on the vision set out in its so-called Vienna Statement, where coordinated enforcement actions comprise one initiative.
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous.”
Andrea Jelinek, former EDPB Chair
New to this strategy is the focus on the interplay with the new regulatory digital framework with laws such as the Digital Markets Act and the Digital Services Act, and how they will affect data protection and privacy. The EDPB says that it will work to enhance cooperation with other regulatory authorities with “a view to embedding the right to data protection in the overall regulatory architecture.”
The EDPB will also keep track on challenges raised by new technologies such as AI.
In connection to the EU-US Data Privacy Framework (DPF), the public information note and template complaint forms’ Rules of Procedure have also been adopted – these constitute two redress mechanisms under the DPF. It will handle complaints by EU individuals, and only deal with those concerning national security or commercial purposes, and only affect data transmitted after July 10, 2023.
Meta and Tiktok fines in 2023
This week, the EDPB also launched its Annual Report 2023, which includes milestones such as:
- electing Anu Talus as EDPB Chair;
- adoption of two binding decisions and one urgent binding decision that provide important interpretations of data protection law and legal principles that “will shape the digital landscape”; and
- the launch of the EDPB’s first outreach project for a general audience: the EDPB Data Protection Guide for small business.
Following the binding decisions, Meta IE was fined €1.2 billion ($1.3 billion) by the Irish Data Protection Commission (DPC), and a reprimand, compliance order and a fine of €345m ($368m) were imposed on TikTok IE.
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive,” said Andrea Jelinek, the EDPB Chair at the time of the decision.
“The new strategy takes the existing vision in a new direction in order to respond to the data protection needs of today, and the ever-evolving digital landscape.”
EDPB Chair Anu Talus
Datatilsynet, the Norwegian Data Protection Authority, also requested final measures regarding Meta Platforms Ireland Ltd, which resulted in an urgent binding decision with which the Irish DPA imposed a ban on Meta IE for “the processing of personal data for behavioural advertising purposes on the basis of contract and legitimate interest.”
To date, the EDPB has issued 11 binding decisions.
“2023 was another transformative year at the EDPB, full of notable achievements. We have built an impressive compendium of guidelines, created new cooperation methods for the DPAs, and adopted significant binding decisions which will help shape digital services,” said EDPB Chair, Anu Talus.
“We also worked hard to raise awareness of the GDPR at the European and international level, so that individuals know their rights and exercise them, and that companies, even small ones, can understand how to comply with their legal duties.”