EDPS publishes Annual Report 2020
European Commission publishes proposals for new legal frameworks on AI and machinery
EDPS publishes statement on proposed AI regulation
EDPB finalises guidelines on targeting of social media users
ESMA publishes guidelines on outsourcing to cloud service providers
EDPB adopts opinions on transnational codes of conduct regarding cloud service providers
European Parliament urges European Commission to guide on international data transfers
EDPB publishes 2020 Annual Report
European Commission adopts new standard contractual clauses
EDPB adopts final recommendations on supplementary measures for data transfers
EDPB and EDPS adopt joint opinion on ban on use of AI for facial recognition in public spaces
EDPB publishes leaflet on consistency and one-stop-shop

This article covers key EU privacy and cybersecurity regulatory and legal developments from April 2021 to June 2021.

EDPS publishes Annual Report 2020

The European Data Protection Supervisor (EDPS) has published its Annual Report 2020. The report focuses on the ways in which the EDPS maintained its role as the data protection authority for EU institutions throughout the covid-19 pandemic. Themes include:

  • the establishment of an internal covid-19 taskforce to coordinate and carry out work surrounding the impact of the pandemic on data privacy;
  • the advocacy of a pan-European approach to fighting the virus, with a particular emphasis on contact-tracing apps;
  • the maintenance of a strong level of oversight over the processing of individuals' personal data by EU institutions, agencies and bodies;
  • the introduction of online audits;
  • the issuance of more opinions and comments to the European Commission, the European Parliament and the European Council than ever before;
  • the creation of open-source software tools in the context of automating privacy and personal data protection inspections of websites; and
  • a proposal for the creation of a support pool of experts to help strengthen the enforcement of data protection law in the European Union.

The report also highlights the EDPS's commitment to making sure that EU institutions comply with the Schrems II judgment through the publication of a strategic document.

Finally, the report launched the new EDPS Strategy for 2020 to 2024. The new strategy will seek to shape a safer digital future and focuses on the three pillars of foresight, action and solidarity.

European Commission publishes proposals for new legal frameworks on AI and machinery

The European Commission has published its proposals for a new legal framework on artificial intelligence (AI) (proposed AI regulation), a coordinated plan regarding AI with member states (for further details please see "EU AI regulation proposal published") and a new regulation on machinery (machinery regulation).

Following a risk-based approach, the proposed AI regulation will split the rules governing AI into categories:

  • unacceptable risk (eg, "social scoring" systems) – AI systems in this category will be banned;
  • high-risk (eg, remote biometric identification systems) – AI systems in this category will be subject to rigorous obligations, including risk assessments and mitigation systems;
  • limited risk (eg, chatbots) – transparency obligations that are specific to the system will be necessary for AI systems in this category. For example, chatbots might be required to remind users that they are talking with a machine; and
  • minimal risk – most AI systems fall under this category. The proposed AI regulation does not cover systems that are classed as minimal risk.

The establishment of a European Artificial Intelligence Board to govern the application and implementation of the new AI rules is also proposed.

In addition, several voluntary codes of conduct regarding non-high-risk AI are planned for publication. Regulatory sandboxes will also be established to enable responsible innovation.

A new coordinated plan will build on the current coordinated plan that was published in 2018. The new plan will focus on the following goals:

  • creating enabling conditions for the development of AI through investment and knowledge sharing;
  • fostering AI excellence through creating research, development and innovation opportunities and facilities;
  • ensuring that AI is a force for good in society through enabling the development and deployment of trustworthy AI; and
  • strengthening strategic leadership in the AI context within high-impact sectors and technologies (eg, the environment).

It is proposed that the current Machinery Directive (2006/42/EC) will be replaced by the new machinery regulation. The machinery regulation will seek to:

  • protect the safety of machine users;
  • encourage innovation;
  • ensure the safe integration of AI into machinery; and
  • provide greater legal clarity on the current provisions.

The European Parliament and member states will move towards adopting the European Commission's proposals on the proposed AI regulation and the machinery regulation. At the same time, the European Commission will work with member states to implement the actions detailed in the coordinated plan.

EDPS publishes statement on proposed AI regulation

The EDPS has published a statement welcoming the proposed AI regulation and expressing approval of its new role as the AI regulator for the EU public administration.

The EDPS is critical of the European Commission's failure to use the proposed AI regulation to address the use of remote biometric identification systems in public spaces. The EDPS calls for a stricter approach to regulating these systems, owing to their potential to intrude deeply into individuals' private lives.

The EDPS will now commence analysing the European Commission's proposal in detail.

EDPB finalises guidelines on targeting of social media users

The European Data Protection Board (EDPB) has published Guidelines 8/2020 on the targeting of social media users. The guidelines will be useful for organisations engaging with social media as part of their marketing initiatives.

The guidelines focus on the collection and use of personal data through targeting services offered by social media platforms. The services involve sharing data on an individual's personal characteristics. This information is either collected with the consent of the individual or observed or inferred by the platform or third parties and aggregated with other data to build up a picture of an individual. The resulting profile is used in order to target users with messages that fit their profile. This process is called "targeting".

The EDPB considers the following:

The combination and analysis of data originating from different sources, together with the potentially sensitive nature of personal data processed in the context of social media, creates risks to the fundamental rights and freedoms of individuals.

This includes scope for infringing data protection rights as well as discrimination, exclusion and user manipulation.

The guidelines explore the data protection roles and responsibilities at play in various social media targeting scenarios (including analysis taking account of the judgments in Fashion ID and Wirtschaftsakademie). The paper also discusses the compliance issues that arise in relation to:

  • transparency and the rights of access;
  • the completion of data protection impact assessments;
  • special categories of personal data; and
  • joint controllership.

ESMA publishes guidelines on outsourcing to cloud service providers

The European Securities and Markets Authority (ESMA) has released guidelines around outsourcing to cloud service providers. Competent authorities and firms must comply with the guidelines (article 16(3) of the ESMA Regulation).

The guidelines aim to:

  • establish consistent, efficient and effective supervisory practices within the European System of Financial Supervision;
  • assure a common, uniform and consistent approach to applying aspects of relevant EU legislation (as outlined in the guidelines) when firms outsource to cloud service providers; and
  • help firms and competent authorities with identifying, addressing and monitoring risks and challenges posed by cloud outsourcing arrangements, for instance regarding:
    • making the decision to outsource;
    • choosing a cloud service provider;
    • monitoring outsourced activities; and
    • providing exit strategies.

The guidelines came into force on 31 July 2021. They apply to all cloud outsourcing arrangements entered into, renewed or amended on or after 31 July 2021. Firms have until 31 December 2022 to amend existing cloud outsourcing agreements to ensure that they comply with the guidelines. Where a cloud outsourcing agreement will not comply with the guidelines by 31 December 2022, firms can, in limited circumstances, inform their competent authority of this, along with proposed harmonisation measures or a possible exit strategy from the agreement.

EDPB adopts opinions on transnational codes of conduct regarding cloud service providers

The EDPB has adopted two opinions under article 64 of the EU General Data Protection Regulation (GDPR) on the first draft decisions on transnational codes of conduct (ie, those that relate to processing activities in several member states).

Both of the draft decisions, which come from the French and Belgian supervisory authorities (SAs), are relevant to cloud service providers. The Belgian SA's draft decision concerns the EU Cloud Code of Conduct, while the French SA's draft decision concerns the Cloud Infrastructure Service Providers Europe Code of Conduct.

These codes are designed to provide guidance and define certain specific requirements (under article 28 of the GDPR) for relevant processors in the European Union – they are not to be used in the context of international transfers of personal data.

According to the EDPB, both draft codes comply with the GDPR, fulfilling the requirements of articles 40 and 41 thereof.

European Parliament urges European Commission to guide on international data transfers

Members of the European Parliament have voted in favour of a resolution urging the European Commission to issue clear guidelines on making data transfers compliant with the European Court of Justice's findings in Schrems II.

Following a report initially published by its Civil Liberties Committee, the European Parliament adopted the resolution, which calls for the European Commission to issue comprehensive guidance that would integrate the EDPB's recommendations for data transfers and the EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries (published in January). This would provide a toolkit of measures to bring protections in line with the standards required by the GDPR.

EDPB publishes 2020 Annual Report

The EDPB has issued its 2020 Annual Report. Notable EDPB activities in 2020 included:

  • contributing to the European Commission's evaluation and review of the GDPR as required under article 97 of the GDPR;
  • producing guidance around processing personal data in the context of the covid-19 pandemic;
  • responding to the Schrems II judgment by issuing guidance documents, including an FAQ document and recommendations concerning the judgment; and
  • adopting the first binding decision under article 65 of the GDPR.

The 2020 Annual Report also sets out the EDPB's main objectives for 2021, which follow the priorities set out in the EDPB 2021-2023 Strategy.

European Commission adopts new standard contractual clauses

The European Commission has adopted two new sets of standard contractual clauses (SCCs). One set is for controllers and processors under article 28(7) of the GDPR (the article 28 SCCs); the other set is for the transfer of personal data to third countries (the transfer SCCs).

The new sets of clauses reflect updated requirements under the GDPR. The European Commission says that they will offer more legal predictability to businesses in the form of an easy-to-implement template.

The transfer SCCs have attracted particular attention as a means of plugging a compliance gap brought about by the Schrems II judgment, but the transfer SCCs in and of themselves are not sufficient to comply with the judgment (for further details please see "New rules on protection of transfers of personal data outside European Union").

The article 28 SCCs serve a different purpose from the transfer SCCs – they provide a ready-made annex that controllers and processors can choose to insert into contracts to meet the requirements of articles 28(3) and (4) of the GDPR, which to date have commonly been addressed by organisations in different ways. Although the article 28 SCCs contain certain provisions that favour a particular party (controller or processor), they generally present a balanced position and are optional. Therefore, while the clauses provide a useful benchmarking tool, it is expected that many organisations will continue using their own precedents when negotiating data processing clauses in order to secure more favourable terms.

EDPB adopts final recommendations on supplementary measures for data transfers

The EDPB has published the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU-level of protection of personal data (EDPB recommendations).

The EDPB recommendations are designed to be read in tandem with the new transfer SCCs and set out a six-step plan to help organisations assess third countries and identify appropriate supplementary measures to be implemented on a case-by-case basis where needed. The EDPB also released an infographic, which provides an illustrative summary of the necessary steps.

The EDPB updated the recommendations (which were originally published in November 2020) to reflect the European Commission's position on organisations being able to consider practical experience of public authorities' access to personal data. In summary, if "problematic legislation" or practices are identified in the destination country that impinge on the effectiveness of the appropriate safeguards of the transfer tools, the EDPB now recommends that the exporter consider whether the laws or practices will be applied in practice to the relevant data, taking into account the importer's experience and sector.

EDPB and EDPS adopt joint opinion on ban on use of AI for facial recognition in public spaces

The EDPB and the EDPS have adopted a joint opinion on the European Commission's proposed AI regulation.

Among other things, the opinion expresses concern over the exclusion of international law enforcement cooperation from the proposal. In addition, the EDPB and EDPS call for the proposal to be amended so that the concept of "risk to fundamental rights" is aligned with the EU data protection framework, and for a general ban on any use of AI for automated recognition of human features in publicly accessible spaces (including recognition of faces, gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, in any context). The EDPB and EDPS also consider that data protection authorities should be designated as national supervisory authorities (pursuant to article 59 of the proposal) to help ensure that the regulation is applied consistently.

EDPB publishes leaflet on consistency and one-stop-shop

The EDPB has published a leaflet on consistency and the one-stop-shop under the GDPR. The one-stop-shop is a system of cooperation between national data protection authorities that helps individuals to enforce their rights and reduces the administrative burden on organisations. National data protection authorities can communicate with each other in order to investigate potential breaches of data protection rights.

For further information on this topic please contact Paula Barrett or Lizzie Charlton at Eversheds Sutherland's London office by telephone (+44 20 7919 4500) or email. Alternatively, contact Emmanuel Ronco at Eversheds Sutherland's Paris office by telephone (+33 1 55 73 40 00) or email, or Olaf van Haperen at Eversheds Sutherland's Amsterdam office by telephone (+31 20 5600 600) or email. The Eversheds Sutherland website can be accessed at www.eversheds-sutherland.com.

Nils Müller, partner, assisted in the preparation of this article.