What are the key takeaways for organisations processing personal data set out in the recent Guidelines and Opinions adopted by the European Data Protection Board (EDPB)?
The key takeaway
One of the EDPB's priorities is to ensure that regulatory frameworks keep pace with the latest technological developments. While certain exceptions apply, both the Guidelines and the Opinion reinforce that when processing or controlling personal data, businesses (a) must comply with applicable data protection laws, including the EU General Data Protection Regulation (EU GDPR), and (b) have a responsibility to ensure that data protection standards are maintained even when personal data is transferred to third parties.
The background
The EDPB is an independent organisation that aims to ensure that EU data protection laws are applied consistently across relevant jurisdictions. It publishes guidance, adopts recommendations and encourages closer co-operation between national data protection authorities that enforce the EU GDPR. While its recommendations and guidance are no longer directly applicable in the UK, due to the similarities between the two pieces of legislation they are often relevant to organisations following UK data protection laws.
The EDPB has recently issued several guidelines and opinions that are relevant to organisations that process personal data subject to the EU GDPR. These include guidelines on the scope of the EU's ePrivacy Directive (the ePD) and on the application of the legitimate interests lawful basis for processing personal data, and an opinion on the use of processors and sub-processors by a data controller.
The development
The key takeaways from each EDPB publication are as follows:
Guidelines on the Technical Scope of Article 5(3) of the ePrivacy Directive
Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)
Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR
Why is this important?
In the UK, the Privacy and Electronic Communications Regulations (PECR) implement the ePD, with Article 5(3) of the ePD being reflected in Section 6 of the PECR. PECR complements the general data protection regime in the UK under the Data Protection Act 2018 and the EU GDPR as retained in UK law (the UK GDPR). Whilst the new guidelines on the ePD are not directly applicable to PECR (i.e. given that the UK has left the EU), they may offer further guidance on newly emerging tracking tools.
The guidelines on legitimate interests and the opinion on the reliance on processors also show the direction of legislative travel in these areas and provide useful guardrails for organisations that are subject to the UK GDPR as well as the EU GDPR.
Any practical tips?
New tracking tools that can optimise the use of consumer data may offer businesses attractive opportunities. However, when adopting these technologies, businesses should take the EDPB's guidance into account, as regulators are likely to expect organisations to have considered that guidance before implementing such tools.
Similarly, when outsourcing data processing to third parties, businesses must be cautious and bear the EDPB's recommendations in mind. It is critical to ensure the third-party processor provides the same level of protection for that data as the controller. Practically, organisations should aim to achieve this by performing due diligence on processors, and ensuring that the contracts with processors include all the appropriate protections.