The European Data Protection Board (EDPB) has pledged to focus on the concepts of data controllers and processors and data subject rights among other areas in the coming year, as it published its annual report for 2019.
The body said during 2019 it had carried out stakeholder consultations on the concepts of data controllers and processors, as well as guidance on data subject rights, and would continue to develop guidance on these areas in 2020. It said it would also focus on the concept of legitimate interest and intensify its work in the context of advanced technologies, including connected vehicles, blockchain, artificial intelligence, and digital assistants.
According to the annual report (27-page / 4.6MB PDF), in 2019 the EDPB consulted on the specific obligations for data processors and the contracts between data controllers and processors. It also examined the concept of joint controllership, where more than one organisation is considered to be a data controller with responsibility for the processing of personal data.
"Updated guidance on the application of the definitions of controller and processor aligned with the GDPR would be very useful. The previous guidance on this topic, the Article 29 Working Party's Opinion 1/2010, caused confusion by using different language than was in the legislation. The new guidance should focus on assisting organisations with practically applying the GDPR, particularly in the digital era and where increasingly more than one controller or processor is involved processing personal data," said data protection expert Michele Voznick of Pinsent Masons.
Stakeholders responding to EDPB consultations in 2019 on the concepts of controller and processor had highlighted the changing business context for data sharing, as well as difficulties in incorporating practical duties of controllers in contracts. They said EDPB guidance should further clarify the criteria to be taken into account when determining whether a relationship qualifies as a joint controllership.
Data protection expert Christina Kirichenko of Pinsent Masons, the law firm behind Out-Law, said several recent Court of Justice of the EU (CJEU) cases had considerably broadened the concept of joint controllership, but the court had not set clear criteria for determining whether a relationship qualifies as a joint controllership. In many of these cases, one party appeared to indicate it was not a controller or was not processing personal data; not all those involved were accepting their own responsibility for the processing.
“As a result, local data protection authorities have started to lean on the broad interpretation made by the CJEU in individual cases and further develop the characteristics of joint controllership set forth by the CJEU,” Kirichenko said.
“This may lead to a situation where one and the same business concept which includes processing of personal data by two or more controllers could be considered as joint controllership or cooperation between independent controllers depending on the interpretation by the supervisory authority responsible for each controller,” Kirichenko said.
“In 2019 and the beginning of 2020 we have encountered an increasing number of cases where it is difficult to draw a clear line between joint controllership and other forms of cooperation. The guidance determining clear criteria is particularly necessary at the moment,” Kirichenko said.
Voznick said: "These recent cases highlight the need that the guidance should assist the organisations who cooperate or are part of a 'processing chain' ensure there are no compliance gaps where more than one controller or processor is involved in the same processing."
Data subject rights was another area of focus for the EDPB in 2019 and moving into 2020, with particular focus on three areas. At a stakeholder event last year, participants debated the right of access; the right to rectification and erasure; and the right to restrict processing and to object to data use, especially in relation to direct marketing.
The board said it will take into account input provided during the workshop, with an expert subgroup set to produce data subject rights guidance this year.
“It would be great if the EDPB could clarify some practical questions in this regard and provide a ready-to-use ‘best practice’ guidance,” Kirichenko said. "For example, there is a range of practical problems regarding the right of access. These problems stem, in part, from a lack of guidance on the limited exemptions available, particularly the 'manifestly unfounded or excessive' exemption, and the limited time available to consider such exemptions. Context-specific guidance on the application of the rules relating to access requests would be most welcome."
The EDPB is tasked under the EU’s General Data Protection Regulation (GDPR) with ensuring the consistent application of data protection rules across the European Economic Area. The European Commission will soon deliver an evaluation report and review of the GDPR to EU law makers, which will among other areas look at the effectiveness of the EDPB and the guidance it has produced since its establishment.