The European Data Protection Board (EDPB), the body tasked with ensuring consistent application of the GDPR across Europe, has published its annual report for 2019. As we approach the two year anniversary of the GDPR, the EDPB Chair refers to a “common data protection culture” emerging as a result of the continued cooperation between European Data Protection Authorities (DPAs).

The following are some of the key points from the EDPB’s activities in 2019.

General Guidance

Over the course of 2019, the EDPB adopted and consulted on guidelines aimed at clarifying a range of provisions under the GDPR, including:

  • Guidelines 1/2019 on Codes of Conduct
  • Guideline 2/2019 on the processing of personal data under Art.6(1)(b) GDPR in the context of online services
  • Guidelines 3/2019 on the processing of personal data through video devices
  • Guidelines 4/2019 on Data Protection by Design and by Default (final version not yet adopted)
  • Guidelines 5/2019 on the Right to be Forgotten (final version not yet adopted)
  • Guidelines 3/2018 on territorial scope of the GDPR

The EDPB also adopted 16 Consistency Opinions on topics such as processing operations requiring a DPIA; binding corporate rules; the competence of a supervisory authority in case of a change in circumstances relating to a main/single establishment; and on the interplay between the GDPR and ePrivacy Directive (further discussed here).

Consistency and Cooperation

The EDPB is responsible for issuing Consistency Opinions and Decisions under the ‘cooperation and consistency mechanism‘. The EDPB notes that national Supervisory Authorities (SAs) have faced certain challenges in implementing this mechanism, due to disparities in national procedural laws, complaint handling procedures, and resources.

To promote cooperation between the SAs in each member state, the EDPB provides a robust IT system.  Since 25 May 2018, the SAs have been using a platform called the Internal Market Information (IMI) system, which allows member states to exchange information in a standardised and secured way. By analysing the cases registered on the IMI system between 2018 and 2019, the EDPB was able to provide the following statistics:

  • Identification of LSA: 1,346 procedures were initiated for cases concerning the identification of the Lead Supervisory Authority (LSA) and Concerned Supervisory Authorities (CSA). The LSA is the authority in the member state where an organisation, which is subject to formal investigation, has their place of main establishment. If there is a conflict as to which authority should be designated as the LSA, the EDPB will act as a dispute resolution body and issue a binding decision, however to date no such disputes have occurred.
  • Mutual Assistance: There have been 2,542 mutual assistance procedures triggered since the GDPR came into force. This procedure enables SAs to gather information or seek assistance from other national SAs while carrying out investigations or in cross-border cases as part of the OSS procedure. The overwhelming majority of these (95%) were informal consultation procedures, with a small number constituting formal requests.
  • OSS: By the end of 2019, 142 One-Stop-Shop (OSS) procedures were initiated by SAs, with 79 of these resulting in a final decision. The OSS mechanism allows an organisation established in the EU and engaged in cross-border processing to deal with a single LSA for their processing activities, who will also cooperate with other concerned CSAs.
  • Joint Operations: The GDPR enables SAs to carry out joint investigations and joint enforcement measures in OSS cases or national cases having a cross-border element. No such investigations were carried out in 2019.

National Cases

The Report contains a summary of the various fines issued and corrective measures taken by SAs across the Member States. Some trends identified by the EDPB included data breaches caused by inadequate technical and organisational measures, as well as unlawful processing of special category data (e.g. biometric data or sensitive financial information).

The Spanish and Romanian SAs in particular had a notable year, issuing 31 and 20 fines respectively for GDPR violations ranging from unauthorised disclosure of personal data to failure to comply with the SA’s request for information. Several jurisdictions, such as Belgium, Lithuania, and Sweden, issued their first GDPR fines in 2019. The Irish Data Protection Commission (DPC) was notable for its absence from this report, however in the past week the DPC has taken steps to issue its first fine under the GDPR.

Some of the significant fines discussed in the report include:

  • Germany: A €14.5 million fine was imposed on the property company Deutsche Wohnen SE for unnecessarily storing its tenants’ personal data without providing the possibility of removing the data.
  • Austria: The Austrian post office was fined €18 million for unlawfully processing special category data (including political opinions) without explicit consent from its data subjects.
  • United Kingdom: The UK Information Commissioner’s Office announced its intention to impose the largest GDPR fines to date on British Airways (£183.39m) and Marriott International Inc. (£99.2m). The ICO has pushed back its final decision on these fines until August-September 2020.

What’s ahead for 2020?

The EDPB’s priorities for 2020 include new guidance on the concepts of controller and processor, data subjects’ rights, and ‘legitimate interest’ as a legal basis for processing. The EDPB will also continue its work on emerging technologies such as connected vehicles, blockchain, and AI (including digital assistants). The EDPB will continue to advise the European Commission on issues such as cross-border e-Evidence data access requests, and the revision or adoption of adequacy decisions for data transfers to third countries.