EDPB’s Fifteenth Plenary session: Important topics discussed

On November 12 and 13, 2019, the European Data Protection Board (EDPB) met in its fifteenth plenary session. The EDPB discussed important topics.

Adoption of EU-US Privacy Shield Third Annual Review Report. After the Third Annual Joint Review of the Shield, the EDPB adopted its report. The EDPB appreciates the improvements by the US Authorities[i] but still harbors concerns, in particular on the compliance checks with the Privacy Shield’s principles, on the application of the Privacy Shield requirements for onward transfers, on HR data and processors, and on the recertification process. The EDPB is unable to conclude that the Ombudsperson has sufficient powers to access information and to issue remedies for non-compliance.  The EDPB regrets that the Review Team did not have unrestricted access to non-public information on commercial aspects and investigations. The EDPB wishes that US Privacy and Civil Liberties Oversight Board (PCLOB) would issue further reports on collection of data by public authorities for the purpose of providing an independent assessment of surveillance programs outside the US territory.

Adoption of the final version of the Guidelines on Territorial Scope
After public consultation, the EDPB adopted a final version of the Guidelines on Territorial Scope (see more on these guidelines here). The Guidelines want to give to the European DPAs a common interpretation when applying Article 3 on the territorial scope. The Guidelines conatin several scenarios and also give guidance on the appointment of a representative under Art. 27 GDPR. The final version maintains the overall interpretation and methodology of the first version but contains some updated wording and further legal reasoning as a result of comments and feedbacks.

Adoption of a version for public consultation of Guidelines on Data Protection by Design & Default
The EDPB adopted Guidelines on Data Protection by Design & Default (DPbDD). The requirements of DPbDD is set forth in Art. 25 GDPR. Controllers must implement appropriate technical and organisational measures and safeguards necessary in order to implement data protection principles in an effective manner for the protection of the data subjects. In addition, controllers must be able to demonstrate the effectiveness of the measures. The guidelines will be open for public consultation.

Other topics discussed were the adoption of Article 64 Opinion on ExxonMobil Binding Corporate Rules (BCRs), submitted by the Belgian DPA, the adoption of the Response letter to European Parliament’s committee for Civil Liberties (LIBE) on EU Information Systems and the adoption of an Additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention).

For more information, Francesca Giannoni-Crystal



[i] The ex officio oversight and enforcement actions, the Privacy and Civil Liberties Oversight Board (PCLOB)’s last member appointment and the appointment of permanent Ombudsperson.