On 15 December 2020, the EU data protection regulator – the European Data Protection Board – adopted its Strategy for 2021-2023, which outlines its objectives and key actions for the upcoming years. At the outset, the EDPB recalls that its strategy, as well as its work in general, are guided by the following core principles:

  • Protection of individuals’ personal data
  • Development of a common data protection culture, which serves as an inspiration and model globally

The EDPB has expressed its strategic objectives for the period of 2021-2023 in four pillars, where each pillar also contains specific key actions, which the EDPB will take to achieve the set objectives. Below is a summary of these pillars and their key actions:

Pillar 1: Advancing harmonization and facilitating compliance

The EDPB wants to ensure more consistency and less fragmentation in the application of the GDPR by data protection authorities. To that end, it will continue to provide easily understandable and accessible guidance on EU data protection law, as well as promote tools to help implement data protection in practice.

  • Key action 1: provide guidance on key notions of EU data protection law (e.g., legitimate interests, data subjects’ rights, etc.), and ensure its relevance by engaging with key stakeholders.
  • Key actions 2 and 3: Develop and promote tools that help implement the GDPR into practice, i.e.:
    • Compliance mechanisms for controllers and processors – i.e., codes of conduct and certification schemes
    • Common tools and awareness raising and outreach activities for non-experts such as SMEs, data subjects and children

Pillar 2: Supporting effective enforcement and efficient cooperation between national supervisory authorities

The EDPB aims to support cooperation between all national DPAs by streamlining internal processes, combining expertise and promoting enhanced coordination. This will improve the functioning of the cooperation and consistency mechanisms, as well as further the goal of a genuine EU-wide enforcement culture among DPAs.

  • Key action 1: encourage and facilitate the use of the GDPR’s cooperation tools and minimize the differences between national enforcement procedures.
  • Key action 2: implement a Coordinated Enforcement Framework to facilitate such cooperation.
  • Key action 3: establish a Support Pool of Experts, which will help DPAs with investigations and enforcement activities.

Pillar 3: A fundamental rights approach to new technologies

The EDPB will monitor the impact on fundamental rights of individuals by emerging technologies, so that Europe’s digital future is shaped in line with common values and rules, such as human dignity, autonomy, liberty and nondiscrimination.

  • Key action 1: assess and establish a common position on new technologies (e.g., AI, biometrics, blockchain, etc.).
  • Key action 2: provide guidance on how to implement the accountability and the privacy by design and by default principles in new technologies.
  • Key action 3: cooperate more with other regulators and policymakers (e.g., in the fields of consumer protection and competition) to ensure adequate protection of individuals and draft new proposals, if needed.

Pillar 4: The global dimension

The EDPB aims to set and promote high EU and global standards for international data transfers to third countries in the private and the public sector. It further wants to promote EU data protection as a global model and ensure protection of personal data outside the EU as well.

  • Key action 1: promote international data transfer tools, which ensure an essentially equivalent level of protection of personal data; develop guidance on how such tools can maintain a high level of personal data protection, taking into account the associated risks (access to the data by public authorities, ensuring effective rights and redress to individuals, and safeguards concerning onward transfers).
  • Key actions 2 and 3: engage with the international community in general, and with third-country DPAs specifically to provide leadership, promote high data protection standards and ensure effective cooperation in global enforcement cases.

EDPB Strategy in practice – what does it mean for companies?

The EDPB has played a very active and important role in promoting and enforcing the GDPR since it came into effect back in 2018. This strategy will be further implemented within the EDPB’s more detailed Work Program, and it will report on the progress achieved in relation to each pillar as part of its annual reports.

Companies can expect from the EDPB a regular flow of future guidance on key GDPR notions, as well as other initiatives that will strengthen data protection culture across the EU and abroad.

It is also likely that even more rigorous and active enforcement activity from the DPAs could be expected, as their cooperation becomes more efficient, coordinated by the EDPB.