The European Data Protection Board (EDPB) published its GDPR Strategy 2021-2023 on 5 January 2021, setting out four main pillars and key actions, which include:

Pillar 1: Advancing harmonisation and facilitating compliance

Although the GDPR is a EU regulation, fragmentation and inconsistencies in application of GDPR-based data protection rules still exist among member states, despite EDPB attempts to advance harmonisation of the rules. Therefore, the EDPB intends to issue guidances on the concept of legitimate interest and the scope of data subject rights, which will address practical issues affecting SMEs, NGOs and DPOs. The Board will also promote the use of codes of conduct and certification as compliance tools that can be communicated through dedicated workshops and staff training. The EDPB also plans to issue guidelines and opinions on these topics for both IT professionals and non-experts (e.g. data subjects and children).

Pillar 2: Effective enforcement and cooperation between national supervisory authorities

Because the gaps and differences in the national enforcement procedures of EU member states slow down the management of cross-border data protection cases, the EDPB plans to strengthen cooperation between national supervisory authorities in enforcement by streamlining internal processes and implementing a Coordinated Enforcement Framework (CEF) to ensure more efficient operations. The board will facilitate joint actions for raising awareness, gathering information and ensuring that investigations have common methodologies. The EDPB also hopes to establish a Support Pool of Experts (SPE) for sharing expertise in investigations and enforcement activities.

Pillar 3: Fundamental rights approach to new technology

A fundamental rights approach for new technologies is not new to the EDPB, which emphasised it in previous guidelines and repeatedly refers to the EU Charter of Fundamental Rights. Over the next two years, the EDPB will continue to monitor the risks of new technology and will issue guidances outlining policies on AI, biometrics, profiling, cloud services and blockchain with a focus on data security (i.e. privacy by design and default, accountability). The Board will also cooperate with consumer protection and competition authorities in order to provide the optimal level of safeguards for individuals.

Pillar 4: International data transfers – global promotion

The application of the GDPR to data transfers from the EU to third countries remains a highly debated issue after the Schrems II judgment last summer. The EDPB continues to maintain high EU standards for international data transfers and will issue further information and guidances on transfer tools.

Practical implications of the EDPB’s strategy

The practical implications of the EDPB strategy include:

  • data controllers and processors are advised to monitor the EDPB’s new guideline, opinions and statements regarding legitimate interest and data subject rights – issues that potentially affect their daily data processing activity.

  • developers, operators and users of AI, blockchain, cloud services and biometric identification should be aware that there will be data protection guidances issued in the coming years for the use of this new technology.

  • national supervisory authorities will initiate joint actions, investigations and procedures promoting consumer protection and the work of competition authorities (e.g. the Hungarian competition authority’s new market analysis on “Digital markets – role of data asset in e-commerce”), which will carry implications for every data controller and processor.

  • cross-border enforcement will be faster and more efficient.

  • guidances on international data transfers should be expected.