COMMISSION STAFF WORKING DOCUMENT […] Accompanying document to the COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Data protection as a pillar of citizens' empowerment and the EU's approach to the digital transition - two years of application of the General Data Protection Regulation
Related cases:
- Main link: COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Data protection as a pillar of citizens' empowerment and the EU's approach to the digital transition - two years of application of the General Data Protection Regulation {SWD(2020) 115 final}
Actors:
1_EN_autre_document_travail_service_part1_v7.pdf
https://www.ft.dk/samling/20201/kommissionsforslag/kom(2020)0264/forslag/1675383/2217036.pdf
EUROPEAN COMMISSION
Brussels, 24.6.2020
SWD(2020) 115 final

COMMISSION STAFF WORKING DOCUMENT […] Accompanying the document COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Data protection as a pillar of citizens' empowerment and the EU's approach to the digital transition - two years of application of the General Data Protection Regulation {COM(2020) 264 final}

European Affairs Committee 2020 COM (2020) 0264 Public

Contents
1 Context
2 Enforcement of the GDPR and functioning of the cooperation and consistency mechanisms
2.1 Use of strengthened powers by data protection authorities
    Specific issues for the public sector
    Cooperation with other regulators
2.2 The cooperation and consistency mechanisms
    One-stop-shop
    Mutual assistance
    Consistency mechanism
    Challenges to be addressed
2.3 Advice and guidelines
    Awareness raising and advice by data protection authorities
    Guidelines of the European Data Protection Board
2.4 Resources of the data protection authorities
3 Harmonised rules but still a degree of fragmentation and diverging approaches
3.1 Implementation of the GDPR by the Member States
    Main issues relating to national implementation
    Reconciliation of the right to the protection of personal data with freedom of expression and information
3.2 Facultative specification clauses and their limits
    Fragmentation linked to the use of facultative specification clauses
4 Empowering individuals to control their data
5 Opportunities and challenges for organisations, in particular Small and Medium size Enterprises
    Toolbox for businesses
6 The application of the GDPR to new technologies
7 International transfers and global cooperation
7.1 Privacy: a global issue
7.2 The GDPR transfer toolbox
    Adequacy decisions
    Appropriate safeguards
    Derogations
    Decisions by foreign courts or authorities: not a ground for transfers
7.3 International cooperation in the area of data protection
    The bilateral dimension
    The multilateral dimension
Annex I: Clauses for facultative specifications by national legislation
Annex II: Overview of the resources of data protection authorities

1 CONTEXT

The General Data Protection Regulation[1] (hereafter 'the GDPR') is the result of eight years of preparation, drafting and inter-institutional negotiations, and entered into application on 25 May 2018 following a two-year transition period (May 2016 - May 2018). Article 97 of the GDPR requires the Commission to report on the evaluation and review of the Regulation, starting with a first report after two years of application and every four years thereafter.

The evaluation is also part of the multi-faceted approach that the Commission already followed before the GDPR entered into application and has continued to actively pursue since then. As part of this approach, the Commission engaged in on-going bilateral dialogues with Member States on the compliance of national legislation with the GDPR, actively contributed to the work of the European Data Protection Board (hereafter 'the Board') by providing its experience and expertise, supported data protection authorities and maintained close contacts with a wide range of stakeholders on the practical application of the Regulation.

The evaluation builds on the stocktaking exercise that the Commission carried out on the first year of the GDPR application and that was summarised in the Communication issued in July 2019[2]. It also follows up on the Communication on the application of the GDPR issued in January 2018[3].
The Commission also adopted the Guidance on the use of personal data in the electoral context published in September 2018 and the Guidance on apps supporting the fight against the COVID-19 pandemic issued in April 2020.

Although its focus is on the two issues highlighted in Article 97(2) of the GDPR, namely international transfers and the cooperation and consistency mechanisms, this evaluation takes a broader approach in order to address issues which have been raised by various actors during the last two years.

To prepare the evaluation, the Commission took into account the contributions from: the Council[4]; the European Parliament (Committee on Civil Liberties, Justice and Home Affairs)[5]; the Board[6] and individual data protection authorities[7], based on a questionnaire sent by the Commission; the feedback from the members of the Multi-stakeholder Expert Group to support the application of the GDPR[8], also based on a questionnaire sent by the Commission; and ad hoc contributions received from stakeholders.

Footnotes:
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - OJ L 119, 4.5.2016, p. 1–88
[2] Communication from the Commission to the European Parliament and the Council, Data Protection as a trust-enabler in the EU and beyond – taking stock – COM(2019) 374 final, 24.7.2019
[4] Council position and findings on the application of the General Data Protection Regulation – 14994/2/19 Rev2, 15.01.2020: https://data.consilium.europa.eu/doc/document/ST-14994-2019-REV-2/en/pdf
[5] Letter of the LIBE Committee of the European Parliament of 21 February 2020 to Commissioner Reynders, Ref.: IPOL-COM-LIBE D (2020)6525.
2 ENFORCEMENT OF THE GDPR AND FUNCTIONING OF THE COOPERATION AND CONSISTENCY MECHANISMS

The GDPR set up an innovative governance system and created the foundation of a truly European data protection culture that aims to ensure not only a harmonised interpretation, but also a harmonised application and enforcement of data protection rules. Its pillars are the independent national data protection authorities and the newly established Board. As the data protection authorities are key to the functioning of the whole EU data protection system, the Commission is attentively monitoring their effective independence, including as regards adequate financial, human and technical resources.

It is still too early to fully assess the functioning of the cooperation and consistency mechanisms, given the short experience gathered so far[9]. In addition, data protection authorities have not yet used the full array of tools provided for by the GDPR to strengthen their cooperation further.

2.1 Use of strengthened powers by data protection authorities

The GDPR establishes independent data protection authorities and provides them with harmonised and strengthened enforcement powers. Since the GDPR applies, those authorities have been using a wide range of corrective powers provided for in the GDPR, such as administrative fines (22 EU/EEA authorities)[10], warnings and reprimands (23), orders to comply with data subjects' requests (26), orders to bring processing operations into compliance with the GDPR (27), and orders to rectify, erase or restrict processing (17). Around half of the data protection authorities (13) have imposed temporary or definitive limitations on processing, including bans. This demonstrates a conscious use of all corrective measures provided for in the GDPR; the data protection authorities did not shy away from imposing administrative fines in addition to or instead of other corrective measures, depending on the circumstances of individual cases.

Administrative fines: Between 25 May 2018 and 30 November 2019, 22 EU/EEA data protection authorities issued approximately 785 fines. Only a few authorities have not yet imposed any administrative fines, although proceedings that are currently ongoing might lead to such fines. Most of the fines related to infringements against: the principle of lawfulness; valid consent; protection of sensitive data; the obligation of transparency; the rights of data subjects; and data breaches.

Examples of fines imposed by data protection authorities include[11]:
- EUR 200 000 for non-compliance with the right to object to direct marketing in Greece;
- EUR 220 000 on a data broker company in Poland for failure to inform individuals that their data was being processed;
- EUR 250 000 imposed on the Spanish football league LaLiga, for lack of transparency in the design of its smartphone application;
- EUR 14.5 million for infringement of data protection principles, in particular unlawful storage, by a German real estate company;
- EUR 18 million for unlawful processing of special categories of data at a large scale by Austrian postal services;
- EUR 50 million on Google in France, because of the conditions for obtaining consent from users.

The success of the GDPR should not be measured by the number of fines issued, since the GDPR provides for a broader palette of corrective powers. Depending on the circumstances, for example, the deterrent effect of a ban on processing or the suspension of data flows can be much stronger.

Specific issues for the public sector

The GDPR allows Member States to determine whether and to what extent administrative fines may be imposed on public authorities and bodies. Where Member States make use of this possibility, this does not deprive the data protection authorities of using all the other corrective powers vis-à-vis public authorities and bodies[12]. Another specific issue is the supervision of courts: although the GDPR also applies to the activities of courts, these are exempted from supervision by data protection authorities when acting in their judicial capacity. However, the Charter and the TFEU oblige Member States to entrust an independent body within their judicial systems with the supervision of such processing operations[13].

Footnotes:
[6] Contribution of the Board to the evaluation of the GDPR under Article 97, adopted on 18 February 2020: https://edpb.europa.eu/our-work-tools/our-documents/other/contribution-edpb-evaluation-gdpr-under-article-97_en
[7] https://edpb.europa.eu/individual-replies-data-protection-supervisory-authorities_en
[8] The Multi-stakeholder expert group on the GDPR set up by the Commission involves civil society and business representatives, academics and practitioners: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3537 The report of the Multi-stakeholder Group is available at: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupMeeting&meetingId=21356
[9] This fact is also highlighted in particular by the Council in its position and findings on the application of the GDPR and by the Board in its contribution to the evaluation.
[10] The figures in parentheses indicate the number of EU/EEA data protection authorities that made use of the listed power between May 2018 and the end of November 2019. See contribution from the Board on pages 32-33.
[11] Several of the decisions imposing fines are still subject to judicial review.
[12] Article 83(7) GDPR.
[13] Article 8(3) of the Charter; Article 16(2) TFEU; recital 20 of the GDPR.
Cooperation with other regulators

As announced in its Communication of July 2019, the Commission supports interaction with other regulators, in full respect of the respective competencies. Promising areas of cooperation include consumer protection and competition. The Board indicated its willingness to engage with other regulators in particular in relation to concentration in digital markets[14]. The Commission recognised the importance of privacy and data protection as a qualitative parameter for competition[15]. Members of the Board participated in joint workshops with the Consumer Protection Cooperation Network on cooperation on better enforcement of the EU consumer and data protection legislation. This approach will be pursued to foster common understanding and develop practical ways to address concrete problems experienced by consumers, in particular in the digital economy.

In order to ensure a consistent approach to privacy and data protection, and pending the adoption of the ePrivacy Regulation, close cooperation with the authorities competent for enforcing the ePrivacy Directive[16], the lex specialis in the area of electronic communications, is indispensable. Closer cooperation with the authorities competent under the NIS Directive[17], and the NIS Cooperation Group, would be to the mutual benefit of those authorities and the data protection authorities.

2.2 The cooperation and consistency mechanisms

The GDPR created the cooperation mechanism (one-stop-shop system for operators, joint operations and mutual assistance between data protection authorities) and the consistency mechanism in order to foster a uniform application of the data protection rules, through a consistent interpretation and the resolution of possible disagreement between authorities by the Board.

The Board, gathering all data protection authorities, has been established as an EU body with legal personality and is fully operational, supported by a secretariat[18]. It is crucial for the functioning of the two mechanisms mentioned above. By the end of 2019, the Board had adopted 67 documents, including 10 new guidelines[19] and 43 opinions[20][21].

The important role of the Board emerged where there was a need to rapidly provide for consistent interpretation of the GDPR and to find immediately applicable solutions at EU level.

Footnotes:
[14] Cf. the statement of the Board on the data protection impacts of economic concentration, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_economic_concentration_en.pdf
[15] See Case COMP M. 8124 Microsoft/LinkedIn.
[16] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) - OJ L 201, 31.7.2002, p. 37–47
[17] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union - OJ L 194, 19.7.2016, p. 1–30
[18] See details on the secretariat activities in the contribution from the Board, pages 24-26.
[19] In addition to the 10 guidelines adopted by the Article 29 Working Party in the run-up to the GDPR's entry into application and endorsed by the Board. Moreover, the Board has adopted 4 additional guidelines between January and end May 2020, and updated an existing one.
[20] 42 of these opinions were adopted under Article 64 of the GDPR and one was adopted under Article 70(1)(s) of the GDPR and concerned the adequacy decision with respect to Japan.
[21] See contribution from the Board, pages 18-23 for a complete overview of the Board's activities.
For example, in the context of the COVID-19 outbreak, in March 2020 the Board adopted a statement on the processing of personal data, which deals inter alia with the lawfulness of processing and the use of mobile location data in that context[22], and in April 2020 it adopted guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak[23] and guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak[24]. The Board also made a significant contribution to the design of the EU approach to tracing apps by the Commission and the Member States.

Day-to-day cooperation between data protection authorities, whether they act in their own capacity or as members of the Board, is based on exchanges of information and notifications of cases opened by the authorities. In order to facilitate communication between authorities, the Commission gave significant support by providing them with an information exchange system[25]. Most authorities consider it as adapted to the needs of the cooperation and consistency mechanisms, even though it could be further fine-tuned, for example by making it more user-friendly.

Although it is still early days, a number of achievements and challenges can already be identified and are presented below. They show that, so far, data protection authorities have made an effective use of the cooperation tools, with a preference for more flexible solutions.

One-stop-shop

As a general rule, in cross-border cases, a Member State's data protection authority can be involved either (i) as lead authority when the main establishment of the operator is located in this Member State, or (ii) as a concerned authority when the operator has an establishment on the territory of this Member State, when individuals in this Member State are substantially affected, or when a complaint has been lodged with it.

Such close cooperation has become daily practice: since the date of application of the GDPR, data protection authorities in all Member States have at some point been identified either as lead authorities or as concerned authorities in cross-border cases, although to a different extent. From May 2018 until end 2019, the data protection authority in Ireland acted as lead authority in the highest number of cross-border cases (127), followed by Germany (92), Luxembourg (87), France (64) and the Netherlands (45). This ranking reflects notably the specific situation of Ireland and Luxembourg, which host several big multinational tech companies. The ranking is different as regards involvement as concerned data protection authorities, with the authorities in Germany being involved in the highest number of cases (435), followed by Spain (337), Denmark (327), France (332) and Italy (306)[26].

Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the one-stop-shop procedure, out of which 79 resulted in final decisions. At the date of the publication of this report, several important decisions with a cross-border dimension and subject to the one-stop-shop mechanism are pending. Among these decisions, some involve multinational big tech companies[27]. They are expected to provide clarification and to contribute to an increased harmonisation in the interpretation of the GDPR.

Mutual assistance

Data protection authorities have made wide use of the mutual assistance tool.

Footnotes:
[22] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
[23] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en
[24] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf
[25] Internal Market Information System ('IMI').
By the end of 2019, there had been 115 mutual assistance[28] procedures, in particular for carrying out investigations, most of them by the data protection authorities of Spain (26), Germany (20), Denmark (13), Poland (12) and the Czech Republic (10). On the other hand, Ireland (19), France (11), Austria (10), Germany (10) and Luxembourg (9) had received the most requests[29]. The vast majority of authorities find mutual assistance a very useful tool for cooperation and have not encountered any particular obstacle to applying the mutual assistance procedure.

The voluntary mutual assistance exchange, which does not have a legal deadline or strict duty to answer, has been used more frequently, in 2 427 procedures. The data protection authority of Ireland sent and received the highest number of mutual assistance requests (527 sent and 359 received), followed by German authorities (260 sent/356 received).

On the other hand, joint operations[30], which would make it possible for data protection authorities of several Member States to be involved already at the level of the investigations of cross-border cases, have not been conducted yet. Reflection is on-going within the Board on the practical implementation of this tool and how to promote its use.

Consistency mechanism

So far only the first leg of the consistency mechanism has been used, namely the adoption of Board opinions[31]. On the other hand, no dispute resolution at Board level[32] or urgency procedure[33] has been triggered yet.

Between 25 May 2018 and 31 December 2019, the Board issued 36 opinions in the context of the adoption of measures by one of its members[34]. Most of them (31) concerned the adoption of national lists of processing operations requiring a data protection impact assessment. Two opinions concerned Binding Corporate Rules, two others concerned draft accreditation requirements for a code of conduct monitoring body, and one concerned Standard Contractual Clauses[35].

Furthermore, the Board adopted, on request, six opinions[36]. Three of these opinions concerned national lists identifying processing which does not require a data protection impact assessment. The others concerned respectively an administrative arrangement for the transfer of personal data between EEA and non-EEA financial supervisory authorities, the interplay between the ePrivacy Directive and the GDPR, and the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment[37].

Challenges to be addressed

Although the data protection authorities have been very actively working together in the Board and already intensively use the cooperation tool of mutual assistance, building a truly common data protection culture is still an ongoing process. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and the effective use of all cooperation tools provided in the GDPR. There is a very broad consensus on this point since it was raised in different ways by the European Parliament, the Council, the European Data Protection Supervisor, stakeholders (within the Multi-stakeholder Group and beyond) and by the data protection authorities.

The main issues to be tackled in this context include differences in:
- national administrative procedures, concerning in particular: complaint handling procedures, the admissibility criteria for complaints, the duration of proceedings due to different timeframes or the absence of any deadlines, the moment in the procedure when the right to be heard is granted, and the information and involvement of complainants during the procedure;
- interpretations of concepts relating to the cooperation mechanism, such as relevant information, the notion of "without delay", "complaint", the document which is defined as the "draft decision" of the lead data protection authority, and amicable settlement (in particular the procedure leading to amicable settlement and the legal form of the settlement); and
- the approach to when to start the cooperation procedure, involve the concerned data protection authorities and communicate information to them.

Complainants also lack clarity on how their cases are handled in cross-border situations, as was stressed by several members of the Multi-stakeholder Group. Moreover, businesses mention that in certain instances national data protection authorities did not refer cases to the lead data protection authority, but handled them as local cases. The Commission welcomes the Board's announcement that it has started a reflection on how to address these concerns.

Footnotes:
[26] See contribution from the Board, page 8.
[27] For instance, on 22 May 2020, the Irish data protection authority submitted a draft decision to other concerned authorities, in accordance with Article 60 of the Regulation, concerning an investigation into Twitter International Company regarding data breach notification. On the same day, the Irish data protection authority also announced that a draft decision on WhatsApp Ireland Limited for submission under Article 60 was in preparation, concerning transparency, including in relation to transparency around what information is shared with Facebook.
[28] Article 61 GDPR.
[29] See contribution from the Board, pages 12-14.
[30] Article 62 GDPR.
[31] Based on Article 64 GDPR.
[32] Article 65 GDPR.
[33] Article 66 GDPR.
[34] Under Article 64(1) GDPR.
[35] Article 28(8) GDPR.
[36] Under Article 64(2) GDPR.
[37] See contribution from the Board, page 15.
In particular, the Board indicated that it will clarify the procedural steps involved in the cooperation between the lead data protection authority and the concerned data protection authorities, analyse national administrative procedural laws, work towards a common interpretation of key concepts, and strengthen communication and cooperation (including joint operations). The Board's reflection and analysis should lead to devising more efficient working arrangements in cross-border cases[38], including by building on the expertise of its members and by strengthening the involvement of its secretariat. In addition, it should be noted that the Board's responsibility in ensuring a consistent interpretation of the GDPR cannot be discharged by simply finding the lowest common denominator. Finally, as an EU body the Board must also apply EU administrative law and ensure transparency in the decision-making process.

2.3 Advice and guidelines

Awareness raising and advice by data protection authorities

Several data protection authorities created new tools, such as help lines for individuals and businesses, and toolkits for businesses[39]. Many operators welcome the pragmatism shown by these authorities in assisting with the application of the GDPR. In particular, several of them have actively and closely collaborated and communicated with data protection officers, including through data protection officers' associations. Many authorities also issued guidelines covering the data protection officers' role and obligations to support data protection officers during their daily activities and held seminars specifically designed for them. However, this is not the case for all data protection authorities.

Feedback received from stakeholders also points to a number of issues as regards guidance and advice:
- the lack of a consistent approach and guidance between national data protection authorities on certain issues (e.g. on cookies[40], the application of legitimate interest, on data breach notifications or on data protection impact assessments) or even between data protection authorities within the same Member State (e.g. in Germany on the notions of controller and processor);
- the inconsistency of guidelines adopted at national level with those adopted by the Board;
- the absence of public consultations on certain guidelines adopted at national level;
- different levels of engagement with stakeholders among data protection authorities;
- delays in receiving responses to information requests;
- difficulties in obtaining practical and valuable advice from data protection authorities;
- the need to increase the level of sectoral expertise in some data protection authorities (e.g. in the health and pharma sector).

Several of these issues are also linked to the lack of resources in several data protection authorities (see below).

Divergent practices as regards the notification of data breaches[41]

While the Council highlights the burden caused by such notifications, there are significant discrepancies on notifications between Member States: whereas from May 2018 to end November 2019, in most Member States the total number of data breach notifications was below 2 000, and in 7 Member States between 2 000 and 10 000, the Dutch and German data protection authorities reported respectively 37 400 and 45 600 notifications[42]. This may point to a lack of consistent interpretation and implementation, despite the existence of EU-level guidelines on data breach notifications.

Guidelines of the European Data Protection Board

To date, the Board has adopted more than 20 guidelines covering key aspects of the GDPR[43]. The guidelines are an essential tool for the consistent application of the GDPR and have, therefore, been to a large extent welcomed by stakeholders. Stakeholders have appreciated the systematic (6 to 8 weeks) public consultation. However, they ask for more dialogue with the Board. In this context, the practice of organising workshops on targeted topics prior to drafting guidelines should be continued and amplified to ensure the transparency, inclusiveness and relevance of the Board's work. Stakeholders also request that the interpretation of the most contentious issues should be addressed in the guidelines, since these are subject to public consultation, and not within opinions under Article 64(2) of the GDPR.

Some stakeholders also call for more practical guidelines, detailing the application of concepts and provisions of the GDPR[44]. Members of the Multi-stakeholder Group stress the need for more concrete examples to reduce the room for diverging interpretations between data protection authorities as much as possible. At the same time, the requests to clarify how to apply the GDPR and to provide legal certainty should not lead to additional requirements or diminish the advantages of the risk-based approach and the accountability principle.

Footnotes:
[38] As also pointed out in the Council position and findings.
[39] See below under point 7.
[40] Pending the adoption of the ePrivacy Regulation, close cooperation with the competent authorities responsible for the enforcement of the ePrivacy Directive in the Member States is necessary. In accordance with that Directive, in some Member States the authorities competent for enforcing Article 5(3) of the ePrivacy Directive (which sets out the conditions under which "cookies" may be set and accessed on a user's terminal equipment) are not the same as the GDPR supervisory authorities.
[41] Article 33 GDPR.
[42] See contribution from the Board, page 35.
[43] The work on guidelines already started before the entry into application of the GDPR on 25 May 2018 in the context of the Article 29 Working Party. See the full list of guidelines at https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
[44] This has also been highlighted by the European Parliament and by the Council.
The topics on which stakeholders would like additional guidelines from the Board include: the scope of data subjects' rights (including in the employment context); updates to the opinion on processing based on legitimate interest; the notions of controller, joint controller and processor and the necessary arrangements between the parties [45]; the application of the GDPR to new technologies (such as blockchain and artificial intelligence); processing in the context of scientific research (including in relation to international collaboration); the processing of children's data; pseudonymisation and anonymisation; and the processing of health data. The Board has already indicated that it will issue guidelines on many of these topics, and work has already started on several of them (e.g. on the application of legitimate interest as a legal basis for processing). Stakeholders ask the Board to update and revise existing guidelines where appropriate, taking into account the experience gathered since their publication and taking the opportunity to go into more detail where needed.

2.4 Resources of the data protection authorities

Providing each data protection authority with the necessary human, technical and financial resources, premises and infrastructure is a prerequisite for the effective performance of their tasks and exercise of their powers, and therefore an essential condition for their independence [46]. Most data protection authorities have benefited from an increase in staff and resources since the GDPR entered into force in 2016 [47]. However, many of them still report that they do not have sufficient resources [48].

Number of staff working for national data protection authorities

The total number of staff working in EEA data protection authorities, considered together, increased by 42% between 2016 and 2019 (by 62% if one considers the 2020 forecast).
The number of staff increased in most authorities during this period, with the biggest increases (as a percentage) registered for the authorities in Ireland (+169%), the Netherlands (+145%), Iceland (+143%), Luxembourg (+126%) and Finland (+114%). On the other hand, the number of staff decreased in several data protection authorities, with the sharpest decreases observed in Greece (-15%), Bulgaria (-14%), Estonia (-11%), Latvia (-10%) and Lithuania (-8%). In some authorities, the decrease in staff is also due to the departure of data protection experts to the private sector, which offers more attractive conditions.

In general, the forecast for 2020 provides for an increase of staff compared to 2019, except for the authorities in Austria, Bulgaria, Italy, Sweden and Iceland (where staff numbers are expected to remain stable) and Cyprus and Denmark (where staff numbers are expected to decrease). The German data protection authorities [49] together have the highest number of staff (888 in 2019 / 1 002 in the 2020 forecast), followed by the data protection authorities in Poland (238/260), France (215/225), Spain (170/220), the Netherlands (179/188), Italy (170/170) and Ireland (140/176). The data protection authorities with the lowest staff numbers are those in Cyprus (24/22), Latvia (19/31), Iceland (17/17), Estonia (16/18) and Malta (13/15).

Budget of national data protection authorities

The total budget of EEA data protection authorities, considered together, increased by 49% between 2016 and 2019 (by 64% if one considers the 2020 forecast).

[45] Guidelines from the Board on controllers and processors are currently in preparation.
[46] See Article 52(4) GDPR.
[47] The Regulation entered into force in May 2016 and into application in May 2018, following a 2-year transition period.
[48] See contribution from the Board, pages 26-30.
The budget of most authorities increased during this period, with the biggest increases (as a percentage) registered for the authorities in Ireland (+223%), Iceland (+167%), Luxembourg (+165%), the Netherlands (+130%) and Cyprus (+114%). On the other hand, some authorities saw only a small budget increase, with the smallest increases registered for the data protection authorities in Estonia (+7%), Latvia (+4%), Romania (+3%) and Belgium (+1%), while the authority in France experienced a decrease (-2%). In general, the forecast for 2020 provides for an increase in budget compared to 2019, except for the authorities in Austria, Bulgaria, Estonia and the Netherlands (whose budgets are expected to remain stable). The data protection authorities with the highest budgets are those of Germany (EUR 76.6 million in 2019 / EUR 85.8 million in the 2020 forecast), Italy (29.1/30.1), the Netherlands (18.6/18.6), France (18.5/20.1) and Ireland (15.2/16.9). The authorities with the lowest budgets are those of Croatia (EUR 1.2 million in 2019 / EUR 1.4 million in the 2020 forecast), Romania (1.1/1.3), Latvia (0.6/1.2), Cyprus (0.5/0.5) and Malta (0.5/0.6). The table in Annex II provides an overview of the human and budgetary resources of national data protection authorities.

Besides affecting their capacity to enforce the rules at national level, the lack of resources also limits data protection authorities' capacity to participate in and contribute to the cooperation and consistency mechanisms and to the work carried out within the Board. As highlighted by the Board, the success of the one-stop-shop mechanism depends on the time and effort that data protection authorities can dedicate to the handling of, and cooperation on, individual cross-border cases. The resource issue is compounded by the authorities' increased role in the supervision of the large-scale IT systems that are currently being developed.
Furthermore, the data protection authorities in Ireland and Luxembourg have specific resource needs given their role as lead authorities for the enforcement of the GDPR vis-à-vis big tech companies, which are located mostly in these Member States. While the Council points to the impact of the cooperation mechanism and its deadlines on the work of data protection authorities [50], the GDPR obliges Member States to provide their national data protection authorities with adequate human, financial and technical resources [51].

The secretariat of the Board, which is provided by the European Data Protection Supervisor [52], is currently composed of 20 people, including legal, IT and communication experts. It remains to be assessed whether this figure needs to evolve in the future in light of the effective fulfilment of its function of analytical, administrative and logistical support to the Board and its subgroups, including through the management of the information exchange system.

3 HARMONISED RULES BUT STILL A DEGREE OF FRAGMENTATION AND DIVERGING APPROACHES

The GDPR provides for a consistent approach to data protection rules throughout the EU, replacing the different national regimes that existed under the 1995 Data Protection Directive.

3.1 Implementation of the GDPR by the Member States

The GDPR has been directly applicable in all Member States since 25 May 2018. It obliged Member States to legislate, in particular to set up national data protection authorities and the general conditions for their members, in order to ensure that each authority acts with complete independence in performing its tasks and exercising its powers in accordance with the GDPR. Legal obligations and public tasks can constitute a legal ground for the processing of personal data only if they are laid down in (Union or) national law.

[49] There are 18 authorities in Germany, of which one is a federal authority and 17 are regional authorities (including two in Bavaria).
In addition, Member States must lay down rules on penalties, in particular for infringements not subject to administrative fines, and must reconcile the right to the protection of personal data with the right to freedom of expression and information. National law can also provide a legal basis for exemptions from the general prohibition on processing special categories of personal data, for example for reasons of substantial public interest in the area of public health, including protection against serious cross-border threats to health. Furthermore, Member States must ensure the accreditation of certification bodies.

The Commission is monitoring the implementation of the GDPR in national legislation. At the time of writing this report, all Member States except Slovenia have adopted new data protection legislation or adapted their law in this area. The Commission therefore requested Slovenia to provide clarification on the progress made to date and urged it to finalise that process [53].

In addition, the compliance of national legislation with data protection rules as regards the Schengen acquis is also assessed in the context of the Schengen Evaluation Mechanism coordinated by the Commission. The Commission and Member States jointly evaluate how countries implement and apply the Schengen acquis in a number of areas; for data protection this concerns large-scale IT systems like the Schengen Information System and the Visa Information System and includes the role of data protection authorities in supervising the processing of personal data within those systems.

Work on adapting sectoral laws is still ongoing at national level.

Following the GDPR's incorporation into the European Economic Area Agreement, its application was extended to Norway, Iceland and Liechtenstein. These countries have also adopted their national data protection laws.

[50] Article 60 GDPR.
[51] Article 52(4) GDPR.
[52] Article 75 GDPR.
The Commission will make use of all the tools at its disposal, including infringement procedures, to ensure that Member States comply with the GDPR.

Main issues relating to national implementation

The main issues identified to date as part of the ongoing assessment of national legislation and bilateral exchanges with Member States include:
- Restrictions to the GDPR's application: some Member States, for example, completely exclude the activities of the national parliament;
- Differences in the applicability of national specification laws. Some Member States link the applicability of their national law to the place where the goods or services are offered, others to the place of establishment of the controller or processor. This runs contrary to the objective of harmonisation pursued by the GDPR;
- National laws that raise questions on the proportionality of the interference with the right to data protection. For example, the Commission launched an infringement procedure against a Member State that had enacted legislation requiring judges to disclose specific information about their non-professional activities, which is incompatible with the right to respect for private life and the right to the protection of personal data [54];
- The absence of an independent body for the supervision of data processing by courts acting in their judicial capacity [55];
- Legislation in areas fully regulated by the GDPR, beyond the margin for specifications or restrictions. This is, in particular, the case where national provisions determine conditions for processing based on legitimate interest by providing for the balancing of the respective interests of the controller and of the individuals concerned, while the GDPR obliges each and every controller to undertake such balancing individually in order to avail itself of that legal basis;
- Specifications and additional requirements beyond processing for compliance with a legal obligation or performance of a public task (e.g. for video surveillance in the private sector or for direct marketing), and for concepts used in the GDPR (e.g. 'large scale' or 'erasure').

Some of these issues may be clarified by the Court of Justice in cases that are still pending [56].

Reconciliation of the right to the protection of personal data with freedom of expression and information

A specific issue concerns the implementation of the obligation for Member States to reconcile by law the right to the protection of personal data with freedom of expression and information [57]. This issue is very complex, since an assessment of the balancing between these fundamental rights must also take into account provisions and safeguards in press and media laws.

[53] It has to be noted that the national data protection authority in Slovenia is set up on the basis of the current national data protection law and supervises the application of the GDPR in that Member State.
[54] This infringement procedure concerns the Polish law on the judiciary of 20 December 2019, which affects the independence of judges and concerns, inter alia, the disclosure of the engagement of judges in non-professional activities: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_772.
[55] See Article 8(3) of the Charter; Article 16 TFEU; recital 20 of the GDPR.
The assessment of Member State legislation shows different approaches to the reconciliation of the right to the protection of personal data with freedom of expression and information:
- Some Member States lay down the principle of precedence of freedom of expression, or exempt in principle the application of the entire chapters mentioned in Article 85(2) GDPR where processing for journalistic purposes and for academic, artistic and literary expression is at stake. To a certain extent, media laws provide for some safeguards as regards data subject rights.
- Some Member States lay down the precedence of the protection of personal data and exempt the application of data protection rules only in specific situations, such as where a person with public status is concerned.
- Other Member States provide for a certain balancing by the legislator and/or a case-by-case assessment as regards derogations from certain provisions of the GDPR.

The Commission will continue its assessment of national legislation on the basis of the requirements of the Charter. The reconciliation must be provided for by law, respect the essence of those fundamental rights, and be proportionate and necessary (Article 52(1) of the Charter). Data protection rules should not affect the exercise of freedom of expression and information, especially by creating a chilling effect or by being interpreted as a way to put pressure on journalists to disclose their sources.

[56] For example, the exemption of a parliamentary committee from the application of the GDPR is subject to a pending court case for a preliminary ruling (C-272/19).
[57] Article 85 GDPR.

3.2 Facultative specification clauses and their limits

The GDPR gives Member States the possibility to further specify its application in a limited number of areas. This margin for national legislation is to be distinguished from the obligation to implement certain other provisions of the GDPR, as mentioned above.
The clauses for facultative specifications are listed in Annex I. The margins for Member State law are subject to the conditions and limits set by the GDPR and do not allow for a parallel national data protection regime [58]. Member States are obliged to amend or repeal their national data protection laws, including sectoral legislation with data protection aspects. Furthermore, related Member State legislation must not include provisions which might create confusion regarding the direct application of the GDPR. Therefore, where the GDPR provides for specifications or restrictions of its rules by Member State law, Member States may incorporate elements of the GDPR in their national law to the extent necessary to ensure coherence and to render the national provisions comprehensible to the persons to whom they apply [59].

Stakeholders consider that Member States should reduce or refrain from using facultative specification clauses, since they do not contribute to harmonisation. The national divergences in both the implementation of the laws and their interpretation by data protection authorities considerably increase the cost of legal compliance across the EU.

Fragmentation linked to the use of facultative specification clauses

Age limit for children's consent in relation to information society services

A number of Member States have made use of the possibility to provide for an age lower than 16 years for consent in relation to information society services (Article 8(1) GDPR). Whereas nine Member States apply the 16-year age limit, eight Member States opted for 13 years, six for 14 years and three for 15 years [60]. Consequently, a company providing information society services to minors across the EU has to distinguish between the ages of potential users depending on the Member State in which they reside. This is contrary to the key objective of the GDPR of providing an equal level of protection to individuals and of business opportunities in all Member States.
Such differences lead to situations where the Member State in which the controller is established provides for a different age limit than the Member States where the data subjects reside.

[58] The widely used term "opening clauses" for specification clauses is misleading, since it might give the impression that Member States have margins of manoeuvre beyond the provisions of the Regulation.
[59] Recital 8 of the GDPR.
[60] 13 years for Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal and Sweden; 14 years for Austria, Bulgaria, Cyprus, Spain, Italy and Lithuania; 15 years for the Czech Republic, Greece and France; 16 years for Germany, Hungary, Croatia, Ireland, Luxembourg, the Netherlands, Poland, Romania and Slovakia.

Health and research

When implementing derogations from the general prohibition on processing special categories of personal data [61], Member State legislation follows different approaches as regards the level of specification and safeguards, including for health and research purposes. Most Member States introduced or maintained further conditions for the processing of genetic data, biometric data or data concerning health. This is also true for derogations related to data subject rights for research purposes [62], both as regards the extent of the derogations and the related safeguards. The Board's future guidelines on the use of personal data in the field of scientific research will contribute to a harmonised approach in this area. The Commission will provide input to the Board, in particular as regards health research, including in the form of concrete questions and analysis of concrete scenarios that it received from the research community. It would be helpful if these guidelines could be adopted before the launch of the Horizon Europe Framework Programme, with a view to harmonising data protection practices and facilitating data sharing for research advancements.
Guidelines from the Board on the processing of personal data in the area of health could also be useful.

The GDPR provides a robust framework for national legislation in the area of public health and explicitly includes cross-border health threats and the monitoring of epidemics and their spread [63], which was relevant in the context of the fight against the COVID-19 pandemic. At EU level, on 8 April 2020 the Commission adopted a Recommendation on a toolbox for the use of technology and data in this context, including mobile applications and the use of anonymised mobility data [64], and on 16 April 2020 guidance on apps supporting the fight against the pandemic in relation to data protection [65]. The Board published a statement on data processing in this context on 19 March 2020 [66], followed on 21 April 2020 by guidelines on data processing for research purposes and on the use of location data and contact tracing tools in this context [67]. These recommendations and guidelines clarify how the principles and rules on the protection of personal data apply in the context of the fight against the pandemic.

Extensive restrictions of data subjects' rights

Most national data protection laws that restrict data subjects' rights do not specify the objectives of general public interest safeguarded by these restrictions and/or do not sufficiently meet the conditions and safeguards required by Article 23(2) of the GDPR [68].

[61] Article 9 GDPR.
[62] Article 89(2) GDPR.
[63] See Article 9(2)(i) GDPR and recital 46.
[64] https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf
[65] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020XC0417(08)&from=EN
[66] https://edpb.europa.eu/news/news/2020/statement-processing-personal-data-context-covid-19-outbreak_en
[67] https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
Several Member States leave no room for the proportionality test or extend the restrictions even beyond the scope of Article 23(1) of the GDPR. For example, some national laws deny the right of access for reasons of disproportionate effort on the side of the controller, for personal data which are stored on the basis of a retention obligation, or in relation to the performance of public tasks, without limiting such restrictions to objectives of general public interest.

Additional requirements for companies

Although the requirement to designate a data protection officer is based on the risk-based approach [69], one Member State [70] added a quantitative criterion, obliging companies in which 20 or more employees are permanently involved in the automated processing of personal data to designate a data protection officer, independently of the risks connected with the processing activities [71]. This has led to additional burdens.

4 EMPOWERING INDIVIDUALS TO CONTROL THEIR DATA

The GDPR makes fundamental rights effective, in particular the right to the protection of personal data, but also the other fundamental rights recognised by the Charter, including respect for private and family life, freedom of expression and information, non-discrimination, freedom of thought, conscience and religion, freedom to conduct a business and the right to an effective remedy. These rights must be balanced against each other in accordance with the principle of proportionality [72].

The GDPR provides individuals with enforceable rights, such as the rights of access, rectification, erasure, objection and portability, and enhanced transparency. It also gives individuals the right to lodge a complaint with a data protection authority, including through representative actions, and to judicial redress. Individuals are increasingly aware of their rights, as shown by the results of the July 2019 Eurobarometer [73] and the survey carried out by the Fundamental Rights Agency [74].
According to the Fundamental Rights Survey carried out by the Fundamental Rights Agency:
- 69% of the population aged 16+ in the EU have heard about the GDPR;
- 71% of respondents in the EU have heard about their national data protection authority; this figure ranges from 90% in the Czech Republic to 44% in Belgium;
- 60% of respondents in the EU are aware of a law that allows them to access their personal data held by public administration; however, this percentage decreases to 51% for private companies;
- more than one in five respondents (23%) in the EU do not want to share personal data (such as their address, citizenship or date of birth) with public administration, and 41% do not want to share these data with private companies.

Individuals are increasingly using their right to lodge complaints with data protection authorities, either individually or through representative actions [75]. Only a few Member States have allowed non-governmental organisations to launch actions without a mandate, in line with the possibility provided by the GDPR. The proposed Directive on representative actions for the protection of the collective interests of consumers [76] is expected, once adopted, to strengthen the framework for representative actions also in the field of data protection.

Complaints

The total number of complaints between May 2018 and end November 2019, as reported by the Board, is around 275 000 [77].

[68] For instance because they simply repeat the wording of Article 23(1) GDPR.
[69] Article 37(1) GDPR.
[70] Germany.
[71] Making use of the specification clause in Article 37(4) GDPR.
[72] Cf. recital 4 of the GDPR.
[73] https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2956
[74] European Union Agency for Fundamental Rights (FRA) (2020): Fundamental Rights Survey 2019. Data protection and technology: https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection
However, this figure should be treated with much caution, given that the definition of a complaint is not identical across authorities. The absolute number of complaints received by data protection authorities [78] varies greatly between Member States. The highest numbers of complaints were registered in Germany (67 000), the Netherlands (37 000), Spain and France (18 000 each), Italy (14 000), and Poland and Ireland (12 000 each). Two-thirds of authorities reported a number of complaints between 600 and 8 000. The lowest numbers of complaints were registered in Estonia and Belgium (around 500 each) and Malta and Iceland (fewer than 200 each). The number of complaints is not necessarily correlated with the size of the population or GDP: for instance, there were close to twice as many complaints in Germany as in the Netherlands, and four times as many as in Spain and France.

Feedback from the Multi-stakeholder Group shows that organisations have put in place a variety of measures to facilitate the exercise of data subjects' rights, including implementing processes that ensure individual review of requests and a reply from the controller, the use of several channels (mail, dedicated email address, website, etc.), updated internal procedures and policies on the timely internal handling of requests, and staff training. Some companies have put in place digital portals accessible through the company's website (or the company's intranet for employees) to facilitate the exercise of rights by data subjects.

However, further progress is needed on the following points:
- Not all data controllers comply with their obligation to facilitate the exercise of data subjects' rights [79]. They need to ensure that data subjects have an effective point of contact to whom they can explain their problems. This can be the data protection officer, whose contact details have to be provided proactively to the data subject [80]. The contact modalities must not be limited to e-mail, but must also enable the data subject to address the controller through other means.
- Individuals still face difficulties when requesting access to their data, for instance from platforms, data brokers and adtech companies.
- The right to data portability is not used to its full potential. The European Strategy for Data (hereafter the Data Strategy) [81], adopted by the Commission on 19 February 2020, emphasised the need to facilitate all possible uses of this right (e.g. by mandating technical interfaces and machine-readable formats allowing portability of data in (near) real time). Operators note that there are sometimes difficulties in providing the data in a structured, commonly used, machine-readable format (due to the lack of standards). Only organisations in particular sectors, such as banking, telecommunications, and water and heating meters, report having implemented the necessary interfaces [82]. New technological tools have been developed to facilitate the exercise by individuals of their rights under the GDPR, not limited to data portability (e.g. personal data spaces and personal information management services).
- Rights of children: several members of the Multi-stakeholder Group stress the need to provide information to children and the fact that many organisations ignore that children may be concerned by their data processing. The Council stressed that particular attention could be paid to the protection of children when drafting codes of conduct. The protection of children is also a focus of data protection authorities [83].

[75] Article 80 GDPR.
[76] COM/2018/0184 final - 2018/089 (COD).
[77] Both under Articles 77 and 80 GDPR.
[78] See contribution from the Board, pages 31-32.
[79] Article 12(2) GDPR.
- Right to information: some companies take a very legalistic approach, treating data protection notices as a legal exercise, with information that is quite complex, difficult to understand or incomplete, whereas the GDPR requires that any information be concise and use clear and plain language [84]. It seems that some companies do not follow the Board's recommendations, for example as regards listing the names of the entities with whom they share data.
- Several Member States extensively restricted data subjects' rights through national law, and some even beyond the margins of Article 23 of the GDPR.
- The exercise of the rights of individuals is sometimes hampered by the practices of a few major digital players that make it difficult for individuals to choose the settings that most protect their privacy (in violation of the requirement of data protection by design and by default [85]) [86].

The Board's guidelines on data subjects' rights are eagerly awaited by stakeholders.

[80] Article 13(1)(b) and Article 14(1)(b) GDPR.
[81] https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf
[82] See report from the Multi-stakeholder Group.
[83] See the results of a public consultation on children's data protection rights carried out by the Irish data protection authority: https://www.dataprotection.ie/sites/default/files/uploads/2019-09/Whose%20Rights%20Are%20They%20Anyway_Trends%20and%20Hightlights%20from%20Stream%201.pdf. The French data protection authority also launched a public consultation in April 2020: https://www.cnil.fr/fr/la-cnil-lance-une-consultation-publique-sur-les-droits-des-mineurs-dans-lenvironnement-numerique
[84] Article 12(1) GDPR.
[85] Article 25 GDPR.

5 OPPORTUNITIES AND CHALLENGES FOR ORGANISATIONS, IN PARTICULAR SMALL AND MEDIUM SIZE ENTERPRISES

Opportunities for organisations

The GDPR fosters competition and innovation.
Together with the Free Flow of Non-Personal Data Regulation [87], it ensures the free flow of data within the EU and creates a level playing field with companies not established in the EU. By creating a harmonised framework for the protection of personal data, the GDPR ensures that all actors in the internal market are bound by the same rules and benefit from the same opportunities, regardless of where they are established and where the processing takes place. The technological neutrality of the GDPR provides the data protection framework for new technological developments. The principles of data protection by design and by default incentivise innovative solutions which include data protection considerations from the outset and may reduce the cost of compliance with data protection rules.

In addition, privacy becomes an important competitive parameter that individuals increasingly take into consideration when choosing their services. Those who are more informed and sensitive to data protection considerations look for products and services that ensure effective protection of personal data. The implementation of the right to data portability has the potential to lower the barriers to entry for businesses offering innovative, data-protection-friendly services. The effects of a potentially broader use of this right on the market in different sectors should be monitored.

Compliance with the data protection rules and their transparent application will create trust in the use of people's personal data and thus new opportunities for businesses. Like all regulation, data protection rules have inherent compliance costs for companies. However, these costs are outweighed by the opportunities and advantages of strengthened trust in digital innovation and the societal benefits resulting from respecting a fundamental right.
By ensuring a level playing field and equipping data protection authorities with what they need to enforce the rules effectively, the GDPR prevents non-compliant companies from free-riding on the trust built by those who follow the rules.

Specific challenges for Small and Medium size Enterprises (SMEs)

There is a general perception by stakeholders, but also by the European Parliament, the Council and data protection authorities, that applying the GDPR is especially challenging for micro, small and medium size enterprises and for small voluntary and charitable organisations. According to the risk-based approach, it would not be appropriate to provide derogations based on the size of the operators, as their size is not in itself an indication of the risks that the processing of personal data they undertake can create for individuals. The risk-based approach pairs flexibility with effective protection.

[86] See the report by the Norwegian Consumer Council, Deceived by Design, which highlighted the "dark patterns", default settings and other features and techniques used by companies to nudge users towards intrusive options: https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design/. See also the research published in December 2019 by the Transatlantic Consumer Dialogue and the Heinrich-Böll-Stiftung Brussels European Union analysing the practices of three major global platforms: https://eu.boell.org/en/2019/12/11/privacy-eu-and-us-consumer-experiences-across-three-global-platforms
[87] Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union, OJ L 303, 28.11.2018, p. 59-68.
It takes into account the needs of SMEs that do not have the processing of data as their core business, and calibrates their obligations in particular based on the likelihood and severity of the risks related to the specific processing they carry out.88 Small and low-risk processing should not be treated in the same way as high-risk and frequent processing – independently of the size of the company that undertakes it. Therefore, as the Board concluded, “in any case, the risk-based approach promoted by the legislator in the text should be maintained, as risks for data subjects do not depend on the size of controllers”89. The data protection authorities should fully take on board this principle when enforcing the GDPR, preferably within a common European approach in order not to create barriers to the Single Market.

The data protection authorities developed several tools and stressed their intention to further improve them. Some authorities have launched awareness campaigns and will even hold free “GDPR classes” for SMEs.

Examples of guidance and tools provided by data protection authorities specifically to SMEs:
- publication of information addressed to SMEs;
- seminars for data protection officers and events for SMEs that do not need to designate a data protection officer;
- interactive guides to assist SMEs;
- hotlines for consultations;
- templates for processing contracts and records of processing activities.

A description of activities carried out by data protection authorities is presented in the Board’s contribution90.

Several of the actions that specifically support SMEs received EU funding. The Commission provided financial support through three waves of grants, for a total of EUR 5 million, with the two most recent ones specifically aimed at supporting national data protection authorities in their efforts to reach out to individuals and SMEs.
As a result, in 2018, EUR 2 million were allocated to nine data protection authorities for activities in 2018-2019 (Belgium, Bulgaria, Denmark, Hungary, Lithuania, Latvia, the Netherlands, Slovenia, and Iceland)91, and in 2019 EUR 1 million was allocated to four data protection authorities for activities in 2020 (Belgium, Malta, Slovenia and Croatia in partnership with Ireland)92. An additional EUR 1 million will be allocated in 2020.

88 Article 24(1) GDPR.
89 See contribution from the Board, p. 35.
90 See contribution from the Board, pages 35-45.

Despite these initiatives, SMEs and start-ups often report that they struggle with the implementation of the accountability principle set forth under the GDPR93. They notably report that they do not always get enough guidance and practical advice from the national data protection authorities, or that the time it takes to get guidance and advice is too long. There have also been cases where authorities were reluctant to engage in legal issues. When confronted with such situations, SMEs often turn to external advisors and lawyers to deal with the implementation of the accountability principle and the risk-based approach (including transparency requirements, records of processing and data breach notifications). This may also create further costs for them.

One specific issue is the recording of processing activities, which SMEs and small associations consider to be a cumbersome administrative burden. The exemption from that obligation in Article 30(5) GDPR is indeed very narrow. However, the effort needed to comply with that obligation should not be over-estimated. Where the core business of SMEs does not involve the processing of personal data, such records may be simple and not burdensome. The same applies to voluntary and other associations. Such simplified records would be facilitated by record templates, as is already the practice of some data protection authorities.
In any case, everyone who processes personal data should have an overview of their data processing as a basic requirement of the accountability principle. The development of practical tools at EU level by the Board, such as harmonised forms for data breaches and simplified records of processing activities, may help SMEs and small associations94 whose main activities do not focus on the processing of personal data to meet their obligations.

Various industry associations have made efforts to raise awareness and inform their members, for instance through conferences and seminars, providing businesses with information on available guidance, or developing a privacy assistance service for members. They also report an increasing number of seminars, meetings and events organised by think tanks and SME associations on matters related to the GDPR.

In order to enhance the free movement of all data within the EU and to establish a coherent application of the GDPR and the Free Flow of Non-Personal Data Regulation, the Commission also issued practical guidance on rules governing the processing of mixed datasets, composed of both personal and non-personal data, targeting especially SMEs95.

91 https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/rec-rdat-trai-ag-2017.
92 https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules/eu-funding-supporting-implementation-gdpr_en
93 See report from the Multi-stakeholder Group.
94 See contribution from the Council.

Toolbox for businesses

The GDPR provides for tools that help demonstrate compliance, such as codes of conduct, certification mechanisms, and standard contractual clauses.

Codes of conduct

The Board has issued guidelines96 to support and facilitate “code owners” in drafting, amending or extending codes, and to provide practical guidance and interpretative assistance.
These guidelines also clarify the procedures for the submission, approval and publication of codes at both national and EU level by setting out the minimum criteria required. Stakeholders consider codes of conduct to be very useful tools. Although many codes are implemented at national level, a number of EU-wide codes of conduct are currently in preparation (for instance on mobile health apps, health research in genomics, cloud computing, direct marketing, insurance, and processing by prevention and counselling services for children)97. Operators believe that EU-wide codes of conduct should be promoted more prominently as they foster the consistent application of the GDPR across all Member States. However, codes of conduct also require time and investment from operators, both for their development and for the setting up of the required independent monitoring bodies.

Representatives from SMEs stress the importance and usefulness of codes of conduct tailored to their situation and not entailing disproportionate costs. Consequently, business associations in a number of sectors implemented other kinds of self-regulatory tools such as codes of good practice or guidance. While such tools may provide useful information, they do not have the approval of data protection authorities and cannot serve as a tool to help demonstrate compliance with the GDPR.

The Council stresses that codes of conduct must pay particular attention to the processing of children’s data and health data. The Commission is supporting code(s) of conduct that would harmonise the approach in health and research and facilitate the cross-border processing of personal data98.

The Board is in the process of approving draft accreditation requirements for codes of conduct monitoring bodies put forward by a number of data protection authorities99. Once transnational or EU codes of conduct are ready to be submitted to data protection authorities for approval, they will undergo consultation of the Board.
Having transnational codes of conduct rapidly in place is especially important for areas involving the processing of significant amounts of data (e.g. cloud computing) or sensitive data (e.g. health/research).

95 Communication from the Commission to the European Parliament and the Council - Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union, COM/2019/250 final.
96 https://edpb.europa.eu/our-work-tools/our-documents/wytyczne/guidelines-12019-codes-conduct-and-monitoring-bodies-under_en.
97 See report from the Multi-stakeholder Group.
98 See actions announced in the European Strategy for Data, page 30.
99 Under Article 41(3) GDPR. See EDPB opinions at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en

Certification

Certification can be a useful instrument to demonstrate compliance with specific requirements of the GDPR. It can increase legal certainty for businesses and promote the GDPR globally. As pointed out in the study on certification published in April 2019100, the objective should be to facilitate the uptake of relevant schemes. The development of certification schemes in the EU will be supported by the guidelines issued by the Board on certification criteria101 and on the accreditation of certification bodies102.

Security and data protection by design are key elements to be considered in certification schemes under the GDPR and would benefit from a common and ambitious approach throughout the EU. The Commission will continue to support the current contacts between the European Union Agency for Cybersecurity (ENISA), the data protection authorities and the Board. As regards cybersecurity, following the adoption of the Cybersecurity Act the Commission requested that ENISA prepare two certification schemes, including one scheme for cloud services103. Further schemes addressing the cybersecurity of services and products for consumers are under consideration.
While these certification schemes established under the Cybersecurity Act do not explicitly address data protection and privacy, they contribute to increasing consumers’ trust in digital services and products. Such schemes may provide evidence of adherence to the principles of security by design as well as the implementation of appropriate technical and organisational measures related to the security of processing of personal data.

Standard contractual clauses

The Commission is working on standard contractual clauses between controllers and processors104, also in light of the modernisation of the standard contractual clauses for international transfers (see Section 7.2). A Union act, adopted by the Commission, will have EU-wide binding effect, which will ensure full harmonisation and legal certainty.

6 THE APPLICATION OF THE GDPR TO NEW TECHNOLOGIES

A technology neutral framework open to new technologies

The GDPR is technology-neutral, trust-enabling, and based on principles105. These principles, including lawful and transparent processing, purpose limitation and data minimisation, provide a solid basis for the protection of personal data, irrespective of the processing operations and techniques applied.

100 https://ec.europa.eu/info/study-data-protection-certification-mechanisms_en
101 https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-12018-certification-and-identifying-certification_en.
102 https://edpb.europa.eu/our-work-tools/our-documents/retningslinjer/guidelines-42018-accreditation-certification-bodies_en. Several supervisory authorities have already submitted their accreditation requirements to the EDPB, both for code of conduct monitoring bodies and for certification bodies. See the overview at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
103 https://ec.europa.eu/digital-single-market/en/news/towards-more-secure-and-trusted-cloud-europe
104 Article 28(7) GDPR.
105 As recalled by the Council, the European Parliament and the Board in their contributions to the evaluation.

Members of the Multi-stakeholder Group report that overall the GDPR has a positive impact on the development of new technologies and provides a good basis for innovation. The GDPR is seen as an essential and flexible tool for ensuring the development of new technologies in accordance with fundamental rights. The implementation of its core principles is particularly crucial for data-intensive processing. The GDPR’s risk-based and technology-neutral approach provides a level of data protection that is adequate to address the risk of processing, including by emerging technologies. In particular, stakeholders mention that the GDPR’s principles of purpose limitation and further compatible processing, data minimisation, storage limitation, transparency, accountability and the conditions under which automated decision-making processes106 can be legally deployed to a large extent address the concerns related to the use of artificial intelligence.

The future-proof and risk-based approach of the GDPR will also be applied in the possible future framework for artificial intelligence and when implementing the Data Strategy. The Data Strategy aims at fostering data availability and at the creation of common European data spaces supported by federated cloud infrastructure services. As regards personal data, the GDPR provides the main legal framework, within which effective solutions can be devised on a case-by-case basis depending on the nature and content of each data space.

The GDPR has increased awareness about the protection of personal data both within and outside the EU and has prompted companies to adapt their practices to take into account data protection principles when innovating.
However, civil society organisations note that, although the GDPR’s impact on the development of new technologies appears positive, the practices of major digital players have not yet fundamentally changed towards more privacy-friendly processing. Strong and effective enforcement of the GDPR vis-à-vis large digital platforms and integrated companies, including in areas such as online advertising and micro-targeting, is an essential element for protecting individuals. The Commission is analysing the broader issues related to the market behaviours of large digital players in the context of the Digital Services Act package107.

As regards research in the field of social media, the Commission recalls that the GDPR cannot be used as an excuse by social media platforms to limit researchers’ and fact-checkers’ access to non-personal data such as statistics on which targeted ads have been sent to which categories of people, the criteria for designing this targeting, information on fake accounts, etc.

The GDPR’s technologically-neutral and future-proof approach was put to the test during the COVID-19 pandemic and has proven to be successful. Its principle-based rules supported the development of tools to combat and monitor the spread of the virus.

106 However, stakeholders observe that not all automated decision-making processes in an artificial intelligence context fall under Article 22 GDPR.
107 https://ec.europa.eu/commission/presscorner/detail/en/ip_20_962

Challenges to be addressed

The development and application of new technologies do not put these principles into question. The challenges lie in clarifying how to apply the proven principles to the use of specific technologies such as artificial intelligence, blockchain, the Internet of Things, facial recognition or quantum computing. In this context, the European Parliament and the Council stressed the need for continuous monitoring to clarify how the GDPR applies to new technologies and big tech companies.
In addition, stakeholders warn that the assessment of whether the GDPR remains fit for purpose also requires constant monitoring.

Industry stakeholders stress that innovation requires that the GDPR is applied in a principle-based way, in line with its design, rather than in a rigid and formal manner. They are of the view that the Board’s guidelines on how to apply the GDPR principles, concepts and rules to new technologies such as artificial intelligence, blockchain or the Internet of Things, taking into account the risk-based approach, would help provide clarifications and more legal certainty. Such soft law tools are well suited to accompany the GDPR’s application to new technologies since they provide for more legal certainty and can be reviewed in line with technological developments. Some stakeholders also suggest that sectoral guidance on how to apply the GDPR to new technologies could be helpful. The Board stated that it will continue to consider the impact of emerging technologies on the protection of personal data.

Stakeholders also underline the importance for regulators to get a thorough understanding of how technology is being used and to engage in a dialogue with industry on the development of emerging technologies. They consider that a ‘regulatory sandbox’ approach – as a means to obtain guidance on the application of the rules – could be an interesting option to test new technologies and help businesses apply the data protection by design and by default principle in new technologies.

In terms of further policy action, stakeholders recommend that any future policy proposals on artificial intelligence should build on the existing legal frameworks and be aligned with the GDPR. Potential specific issues should be carefully assessed, based on relevant evidence, before new prescriptive rules are proposed. The Commission White Paper on Artificial Intelligence puts forward a number of policy options on which stakeholders’ views were sought until 14 June 2020.
As regards facial recognition, a technology that may significantly impact individuals’ rights, the White Paper recalled the current legislative framework and opened a public debate on the specific circumstances, if any, which might justify the use of artificial intelligence for facial recognition and other remote biometric identification purposes in public places, and on common safeguards.

7 INTERNATIONAL TRANSFERS AND GLOBAL COOPERATION

7.1 Privacy: a global issue

The demand for the protection of personal data knows no borders, as individuals around the world increasingly cherish and value the privacy and security of their data. At the same time, the importance of data flows for individuals, governments, companies and, more generally, society at large is an inescapable fact in our interconnected world. They constitute an integral part of trade, cooperation between public authorities and social interactions. In that respect, the current COVID-19 pandemic also highlights how critical the transfer and exchange of personal data are for many essential activities, including ensuring the continuity of government and business operations – by enabling teleworking and other solutions that heavily rely on information and communication technologies – developing cooperation in scientific research on diagnostics, treatments and vaccines, and fighting new forms of cybercrime such as online fraud schemes offering counterfeit medicines claiming to prevent or cure COVID-19.

Against this background, and more than ever before, protecting privacy and facilitating data flows have to go hand in hand. The EU, with its data protection regime combining openness to international transfers with a high level of protection for individuals, is very well placed to promote safe and trusted data flows. The GDPR has already emerged as a reference point at international level and acted as a catalyst for many countries around the world to consider introducing modern privacy rules.
This is a truly global trend running, to mention just a few examples, from Chile to South Korea, from Brazil to Japan, from Kenya to India, from Tunisia to Indonesia, and from California to Taiwan. These developments are remarkable not only from a quantitative but also from a qualitative point of view: many of the privacy laws recently adopted, or in the process of being adopted, are based on a core set of common safeguards, rights and enforcement mechanisms that are shared by the EU. In a world that is too often characterised by different, if not divergent, regulatory approaches, this trend towards global convergence is a very positive development that brings new opportunities for increasing the protection of individuals in Europe while, at the same time, facilitating data flows and lowering transaction costs for business operators.

To seize these opportunities and implement the strategy set out in its 2017 Communication on “Exchanging and Protecting Personal Data in a Globalised World”108, the Commission has significantly stepped up its work on the international dimension of privacy, making full use of the available transfer ‘toolbox’, as explained below. This included actively engaging with key partners with a view to reaching an “adequacy finding” and yielded important results, such as the creation of the world’s largest area of free and safe data flows between the EU and Japan.

Besides its adequacy work, the Commission has worked closely with data protection authorities within the Board, as well as with other stakeholders, to harness the full potential of the GDPR’s flexible rules for international transfers.
This concerns the modernisation of instruments such as standard contractual clauses, the development of certification schemes, codes of conduct or administrative arrangements for data exchanges between public authorities, as well as the clarification of key concepts relating to, for example, the territorial scope of EU data protection rules or the use of so-called “derogations” to transfer personal data.

108 Communication from the Commission to the European Parliament and the Council ‘Exchanging and Protecting Personal Data in a Globalised World’, 10.1.2017 (COM(2017) 7 final).

Finally, the Commission intensified its dialogue in a number of bilateral, regional and multilateral fora to foster a global culture of respect for privacy and develop elements of convergence between different privacy systems. In its efforts, the Commission could count on the active support of the European External Action Service and the network of EU delegations in third countries and missions to international organisations. This also ensured coherence and greater complementarity between different aspects of the external dimension of EU policies – from trade to the new Africa-EU Partnership.

7.2 The GDPR transfer toolbox

As more and more private and public operators rely on international data flows as part of their routine operations, there is an increasing need for flexible instruments that can be adapted to different sectors, business models and transfer situations. Reflecting these needs, the GDPR offers a modernised toolbox that facilitates the transfer of personal data from the EU to a third country or international organisation, while ensuring that the data continues to benefit from a high level of protection. This continuity of protection is important, given that in today’s world data moves easily across borders and the protections guaranteed by the GDPR would be incomplete if they were limited to processing inside the EU.
With Chapter V of the GDPR, the legislator confirmed the architecture of the transfer rules that already existed under Directive 95/46: data transfers may take place where the Commission has made an adequacy finding with respect to a third country or international organisation or, in the absence thereof, where the controller or processor in the EU (“data exporter”) has provided appropriate safeguards, for instance through a contract with the recipient (“data importer”). In addition, statutory grounds for transfers (so-called derogations) remain available for specific situations for which the legislator has decided that the balance of interests allows a data transfer under certain conditions.

At the same time, the reform has clarified and simplified the existing rules, for instance by stipulating in detail the conditions for an adequacy finding or binding corporate rules, by limiting authorisation requirements to very few, specific cases and completely abolishing notification requirements. Moreover, new transfer tools like codes of conduct or certification schemes have been introduced and the possibilities for using existing instruments (e.g. standard contractual clauses) have been expanded.

Today’s digital economy allows foreign operators to (remotely but) directly participate in the EU internal market and to compete for European customers and their personal data. Where they specifically target Europeans through the offering of goods or services, or monitoring of their behaviour, they should comply with EU law in the same way as EU operators. This is reflected in Article 3 of the GDPR, which extends the direct applicability of EU data protection rules to certain processing operations of controllers and processors outside the EU. This guarantees the necessary safeguards, and moreover a level playing field for all companies operating in the EU market. Its broad reach is one of the reasons why the effects of the GDPR have also been felt in other parts of the world.
The detailed guidance issued by the Board on the GDPR territorial scope, following a comprehensive public consultation, is therefore important to help foreign operators determine whether and which processing activities are directly subject to its safeguards, including by providing concrete examples109.

The extension of the scope of application of EU data protection law, however, in and of itself is not sufficient to guarantee its respect in practice. As also highlighted by the Council110, it is crucial to ensure compliance by, and effective enforcement against, foreign operators. The appointment of a representative in the EU (Article 27(1), (2) of the GDPR), who can be addressed by individuals and supervisory authorities in addition to or instead of the responsible company acting from abroad111, should play a key role in this regard. This approach, which is also increasingly taken in other contexts112, should be pursued more vigorously to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibility under the GDPR. Where these operators fail to meet their obligation to appoint a representative113, supervisory authorities should make use of the full enforcement toolbox in Article 58 of the GDPR (e.g. public warnings, temporary or definitive bans on processing in the EU, enforcement against joint controllers established in the EU). Finally, it is very important that the Board finalises its work on further clarifying the relationship between Article 3 on the direct application of the GDPR and the rules on international transfers in Chapter V114.

Adequacy decisions

The input received from stakeholders confirms that adequacy decisions continue to be an essential tool for EU operators to safely transfer personal data to third countries115.
Such decisions provide the most comprehensive, straightforward and cost-effective solution for data transfers as these are assimilated to intra-EU transmissions, thus ensuring the safe and free flow of personal data without further conditions or need for authorisation. Adequacy decisions therefore open up commercial channels for EU operators and facilitate cooperation between public authorities, while providing privileged access to the EU single market. Building on the practice under the 1995 Directive, the GDPR explicitly allows for an adequacy determination to be made with respect to a particular territory of a third country or to a specific sector or industry within a third country (so-called ‘partial’ adequacy).

109 EDPB, Guidelines 2/2018 on the territorial scope of the GDPR, 12.11.2019. The Guidelines address several of the points raised during the public consultation, for instance the interpretation of the targeting and monitoring criteria.
110 See Council position and findings, paras 34, 35 and 38.
111 See Article 27(4) and Recital 80 GDPR (“The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”).
112 Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (COM/2018/226 final), Article 3; Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online (COM(2018) 640 final), Article 16(2), (3).
113 According to one submission to the public consultation, one of the main points to address “is effective enforcement and real consequences for those who chose to ignore this requirement […] It should be borne in mind in particular that this also places businesses established in the Union at a competitive disadvantage to those noncompliant businesses established outside the Union trading into the Union.” See EU Business Partners, submission of 29 April 2020.
114 Several submissions to the public consultation have raised this point, for instance as regards the transmission of personal data to recipients outside the EU but covered by the GDPR.
115 Council position and findings, paragraph 17; Contribution from the Board, pp. 5-6. Several submissions to the public consultation, including from a number of business associations (like the French Association of Large Companies, Digital Europe, the Global Data Alliance/BSA, the Computer & Communication Industry Association (CCIA) or the US Chamber of Commerce) have called for stepping-up the work on adequacy findings, especially with important trading partners.

The GDPR builds upon the experience of the past years and the clarifications provided by the Court of Justice by setting out a detailed catalogue of elements that the Commission must take into account in its assessment. The adequacy standard requires a level of protection that is comparable (or ‘essentially equivalent’) to that ensured within the EU116. This involves a comprehensive assessment of the third country’s system as a whole, including the substance of privacy protections, their effective implementation and enforcement, as well as the rules on access to personal data by public authorities, in particular for law enforcement and national security purposes117. This is also reflected in the guidance adopted by the former Article 29 Working Party (and endorsed by the Board), in particular the so-called ‘adequacy referential’, which further clarifies the elements that the Commission must take into account when carrying out an adequacy assessment, including by providing an overview of ‘essential guarantees’ for access to personal data by public authorities118. The latter builds in particular on the case law of the European Court of Human Rights.
While the standard of ‘essential equivalence’ does not involve a point-to-point replication (‘photocopy’) of EU rules, given that the means of ensuring a comparable level of protection may vary between different privacy systems, often reflecting different legal traditions, it nevertheless requires a strong level of protection. This standard is justified by the fact that an adequacy decision essentially extends to a third country the benefits of the single market in terms of the free flow of data. However, it also means that sometimes there will be relevant differences between the level of protection ensured in the third country in question compared to the GDPR that need to be bridged, for instance through the negotiation of additional safeguards. Such safeguards should be viewed positively as they further strengthen the protections available to individuals in the EU. At the same time, the Commission agrees with the Board on the importance of continuously monitoring their application in practice, including effective enforcement by the third country data protection authority119.

The GDPR clarifies that adequacy decisions are ‘living instruments’ that should be continuously monitored and periodically reviewed120. In line with these requirements, the Commission has regular exchanges with the relevant authorities to pro-actively follow up on new developments. For example, since the adoption of the decision on the EU-U.S. Privacy Shield in 2016121, the Commission, together with representatives from the Board, carried out three annual reviews to evaluate all aspects of the functioning of the framework122. These reviews relied on information obtained through exchanges with the U.S. authorities as well as input from other stakeholders, such as EU data protection authorities, civil society and trade associations. They have made it possible to improve the practical functioning of various elements of the framework. In a wider perspective, the annual reviews contributed to establishing a broader dialogue with the U.S. administration on privacy in general, and the limitations and safeguards with respect to national security in particular.

116 Judgment of the Court of Justice of the EU of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (‘Schrems’), points 73, 74 and 96. See also Recital 104 of the GDPR, which refers to the standard of essential equivalence.
117 Article 45(2) and Recital 104 GDPR. See also Schrems, points 75, 91-91.
118 Adequacy Referential, WP 254 rev. 01, 6 February 2018 (available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108).
119 Contribution from the Board, pp. 5-6.
120 Article 45(4) and (5) GDPR require the Commission to monitor developments in third countries on an ongoing basis and to regularly – at least every four years – review an adequacy finding. They also give the Commission the power to repeal, amend or suspend an adequacy decision if it finds that the country or international organisation concerned no longer ensures an adequate level of protection. Article 97(2)(a) GDPR furthermore requires the Commission to submit an evaluation report to the European Parliament and the Council by 2020. See also the judgment of the Court of Justice of the EU of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner, point 76.

As part of its first evaluation of the GDPR, the Commission is also required to review the adequacy decisions adopted under the 1995 Directive123. The Commission services have engaged in an intense dialogue with each of the 11 concerned countries and territories to assess how their personal data protection systems have evolved since the adequacy decision was adopted and whether they meet the standard set by the GDPR. The need to ensure the continuity of such decisions, as they are a key tool for trade and international cooperation, is one of the factors that has prompted several of these countries and territories to modernise and strengthen their privacy laws. These are certainly welcome developments. Additional safeguards are being discussed with some of these countries and territories to address relevant differences in protection. However, given that the Court of Justice in a judgment to be delivered on 16 July may provide clarifications that could be relevant for certain elements of the adequacy standard, the Commission will report separately on the evaluation of the mentioned 11 adequacy decisions after the Court of Justice has handed down its judgment in that case.124

121 Commission implementing decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield. This adequacy decision is a specific case that, in the absence of general data protection legislation in the U.S., relies on commitments made by participating companies (that are enforceable under U.S. law) to apply the data protection standards set out by this arrangement. Moreover, the Privacy Shield builds on the specific representations and assurances made by the U.S. government as regards access for national security purposes that underpin the adequacy finding.
122 Reviews took place in 2017 (Report from the Commission to the European Parliament and the Council on the first annual review of the functioning of the EU-U.S. Privacy Shield, COM(2017) 611 final), 2018 (Report from the Commission to the European Parliament and the Council on the second annual review of the functioning of the EU-U.S. Privacy Shield, COM(2018) 860 final) and 2019 (Report from the Commission to the Parliament and the Council on the third annual review of the functioning of the EU-U.S. Privacy Shield, COM(2019) 495 final).
Implementing the strategy laid down in its 2017 Communication on “Exchanging and Protecting Personal Data in a Globalised World”, the Commission also engaged in new adequacy dialogues[125]. This work has already yielded significant results involving key partners of the EU. In January 2019, the Commission adopted its adequacy decision for Japan, which is based on a high degree of convergence, including through specific safeguards such as in the area of onward transfers and through the creation of a mechanism to investigate and resolve individuals’ complaints concerning government access to personal data for law enforcement and national security purposes. As the first adequacy finding adopted under the GDPR, the framework agreed with Japan provides a useful precedent for future decisions[126]. This includes the fact that it was reciprocated on the Japanese side with an “adequacy” finding for the EU. Together, these mutual adequacy findings create the largest area of safe and free personal data flows in the world, thereby complementing the EU-Japan Economic Partnership Agreement. In fact, the arrangement supports around EUR 124 billion of trade in goods and EUR 42.5 billion of trade in services every year. The adequacy process is also at an advanced stage with South Korea.

One important outcome thereof is South Korea’s recent legislative reform that led to the establishment of an independent data protection authority equipped with strong enforcement powers. This illustrates how an adequacy dialogue can contribute to increased convergence between the EU’s data protection rules and those of a foreign country. The Commission fully agrees with the call from stakeholders to intensify the dialogue with selected third countries in view of possible new adequacy findings[127]. It is actively exploring this possibility with other important partners in Asia, Latin America and the Neighbourhood, building on the current trend towards upward global convergence in data protection standards. For example, comprehensive privacy legislation has been adopted or is at an advanced stage of the legislative process in Latin America (Brazil, Chile), and promising developments are taking place in Asia (e.g. India, Indonesia, Malaysia, Sri Lanka, Taiwan and Thailand), Africa (e.g. Ethiopia, Kenya) as well as in the European Eastern and Southern neighbourhood (e.g. Georgia, Tunisia). Where possible, the Commission will work towards achieving comprehensive adequacy decisions covering both the private and public sector[128]. Moreover, the GDPR also introduced the possibility for the Commission to adopt adequacy findings for international organisations. At a time when some international organisations are modernising their data protection regimes by putting in place comprehensive rules, as well as mechanisms that provide independent oversight and redress, this avenue could be explored for the first time.

Adequacy also plays an important role in the context of the relationship with the United Kingdom following Brexit, provided that the applicable conditions are met. It constitutes an enabling factor for trade, including digital trade, and an essential prerequisite for a close and ambitious cooperation in the area of law enforcement and security[129]. Moreover, given the significance of data flows with the UK and its proximity to the EU market, a high degree of convergence between data protection rules on both sides of the Channel is an important element for ensuring a level playing field. In line with the Political Declaration on the Future Relationship between the EU and the UK, the Commission is currently carrying out an adequacy assessment under both the GDPR and the Law Enforcement Directive[130].

[123] These existing adequacy decisions concern countries that are closely integrated with the European Union and its Member States (Switzerland, Andorra, Faroe Islands, Guernsey, Jersey, Isle of Man), important trading partners (e.g. Argentina, Canada, Israel), and countries that played a pioneering role in developing data protection laws in their region (New Zealand, Uruguay).
[124] Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”), concerns a reference for a preliminary ruling on the so-called standard contractual clauses. However, certain elements of the adequacy standard may also be further clarified by the Court. The hearing in this case took place on 9 July 2019 and the judgment has been announced for 16 July 2020.
[125] See supra fn 109. The Commission explained that the following criteria will be taken into account when assessing with which third countries a dialogue on adequacy should be pursued: (i) the extent of the EU's (actual or potential) commercial relations with the third country, including the existence of a free trade agreement or ongoing negotiations; (ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties; (iii) the country’s pioneering role in the field of privacy and data protection that could serve as a model for other countries in its region; and (iv) the overall political relationship with the country, in particular as regards the promotion of common values and shared objectives at international level.
[126] European Parliament, Resolution of 13 December 2018 on the adequacy of the protection of personal data afforded by Japan (2018/2979(RSP)), point 27; Contribution from the Board, pp. 5-6.
[127] See e.g. European Parliament, Resolution of 12 December 2017 on ‘Towards a digital trade strategy’ (2017/2065(INI)), points 8, 9; Council position and findings on the application of the General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraph 17; Contribution from the Board, p. 5.
Considering the autonomous and unilateral nature of an adequacy assessment, these talks follow a separate track from the negotiations on an agreement on the future relationship between the EU and the UK.

Finally, the Commission welcomes that other countries are putting in place data transfer mechanisms similar to an adequacy finding. In doing so, they often recognise the EU, and countries for which the Commission has adopted an adequacy decision, as safe destinations for transfers[131]. The growing number of countries benefitting from EU adequacy decisions, on the one hand, and this form of recognition by other countries, on the other hand, has the potential to create a network of countries where data can flow freely and safely. The Commission considers this a welcome development that will further increase the benefits of an adequacy decision for third countries and contribute to global convergence. This type of synergy can also usefully contribute to the development of frameworks for the safe and free flow of data, such as in the context of the ‘data free flow with trust’ initiative (see below).

Appropriate safeguards

The GDPR provides for a number of other transfer instruments beyond the comprehensive solution of an adequacy finding. The flexibility of this “toolbox” is demonstrated by Article 46 GDPR, which regulates data transfers based on “appropriate safeguards”, including enforceable data subject rights and effective legal remedies. To guarantee appropriate safeguards, different instruments are available in order to cater to the transfer needs of both commercial operators and public bodies.

Standard contractual clauses (SCCs)

The first group of these instruments concerns contractual tools, which can be either tailor-made, ad hoc data protection clauses agreed between an EU data exporter and a data importer outside the EU and authorised by the competent data protection authority (Article 46(3)(a) GDPR), or model clauses pre-approved by the Commission (Article 46(2)(c), (d) GDPR[132]). The most important of these instruments are the so-called standard contractual clauses (SCCs), i.e. model data protection clauses which the data exporter and the data importer can incorporate into their contractual arrangements (e.g. a service contract requiring the transfer of personal data) on a voluntary basis and that set out the requirements related to appropriate safeguards. SCCs represent by far the most widely used data transfer mechanism[133]. Thousands of EU companies rely on SCCs in order to provide a wide range of services to their clients, suppliers, partners and employees, including services essential to the functioning of the economy.

[128] As also requested by the Council, see Council position and findings on the application of the General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraphs 17 and 40. However, this requires that the conditions for an adequacy finding concerning data transfers to public authorities are met, including as regards independent oversight.
[129] See the negotiating directives annexed to the Council Decision authorising the opening of negotiations with the United Kingdom of Great Britain and Northern Ireland for a new partnership agreement (ST 5870/20 ADD 1 REV 3), paragraphs 13 and 118.
[130] See revised text of the political declaration setting out the framework for the future relationship between the European Union and the United Kingdom as agreed at negotiators’ level on 17 October 2019, paragraphs 8-10 (available at https://ec.europa.eu/commission/sites/beta-political/files/revised_political_declaration.pdf).
[131] For example, by Argentina, Colombia, Israel, Switzerland or Uruguay.
Their broad use indicates that they are very helpful to businesses in their compliance efforts and of particular benefit to companies that do not have the resources to negotiate individual contracts with each of their commercial partners. Through their standardisation and pre-approval, SCCs provide companies with an easy-to-implement tool to meet data protection requirements in a transfer context. The existing sets of SCCs[134] were adopted and approved on the basis of the 1995 Directive. These SCCs remain in force until amended, replaced or repealed, if necessary, by a Commission decision (Article 46(5) of the GDPR). The GDPR expands the possibilities to use SCCs both within the EU and for international transfers. The Commission is working together with stakeholders to make use of these possibilities and to update existing clauses[135]. In order to ensure that the future design of SCCs is fit for purpose, the Commission has been collecting feedback on stakeholders’ experiences with SCCs, through the ‘Multi-stakeholder Group on the GDPR’ and a dedicated workshop held in September 2019, but also via multiple contacts with companies using SCCs as well as civil society organisations. The Board is also updating a number of guidelines that could be relevant for the review of SCCs, for instance on the concepts of controller and processor.

Building on the feedback received, the Commission services are currently working on revising the SCCs. In that context, a number of areas for improvement have been identified, in particular with regard to the following aspects:

1. Updating the SCCs in light of new requirements introduced by the GDPR, such as those concerning the controller-processor relationship under Article 28 GDPR (in particular the processor obligations), the transparency obligations of the data importer (in terms of the necessary information to be provided to the data subject), etc.
2. Addressing a number of transfer scenarios that are not covered by the current SCCs, such as the transfer of data from an EU processor to a non-EU (sub)processor, but also for instance situations where the controller is located outside the EU[136].
3. Better reflecting the realities of processing operations in the modern digital economy, where such operations often involve multiple data importers and exporters, long and often complex processing chains, evolving business relationships, etc. In order to cater for such situations, solutions being explored include, for example, the possibility to enable the signing of SCCs by multiple parties or the accession of new parties throughout the lifetime of the contract.

In addressing these points, the Commission is also considering ways to make the current ‘architecture’ of the SCCs more user friendly, for example by replacing multiple sets of SCCs with a single comprehensive document. The challenge is to strike a good balance between the need for clarity and a certain degree of standardisation, on the one hand, and the necessary flexibility that will allow the clauses to be used by a number of operators with different requirements, in different contexts and for different types of transfers, on the other hand. Another important aspect to consider is the possible need, in light of current litigation before the Court of Justice[137], to further clarify the safeguards as regards access by foreign public authorities to data transferred based on SCCs, in particular for national security purposes. This may include requiring the data importer or the data exporter, or both, to take action, and clarifying the role of data protection authorities in that context.

[132] Standard contractual clauses (SCCs) for international transfers always require Commission approval, but may be prepared either by the Commission itself or by a national DPA. All existing SCCs fall into the first category.
[133] According to the IAPP-EY Annual Privacy Governance Report 2019, “the most popular of these [transfer] tools – year over year – are overwhelmingly standard contractual contracts: 88% of respondents in this year’s survey reported SCCs as their top method for extraterritorial data transfers, followed by compliance with the EU-U.S. Privacy Shield arrangement (60%). For respondents transferring data from the EU to the U.K. (52%), 91% report they intend to use SCCs for data-transfer compliance after Brexit”.
[134] There are currently three sets of standard contractual clauses adopted by the Commission for the transfer of personal data to third countries: two for transfers from an EEA controller to a non-EEA controller and one for transfers from an EEA controller to a non-EEA processor. They were amended in 2016, further to the judgment of the Court of Justice in the Schrems I case (C-362/14), to remove any restrictions on the competent supervisory authorities to exercise their powers to oversee data transfers. See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[135] See also Contribution from the Board, pp. 6-7. Likewise, the Council has called on the Commission “to review and revise [the SCCs] in the near future to take into account the needs of controllers and processors”. See Council position and findings.
Although the revision of the SCCs is well advanced, it will be necessary to wait for the judgment of the Court, so that any possible additional requirement can be reflected in the revised clauses, before a draft decision on a new set of SCCs can be submitted to the Board for its opinion and then proposed for adoption through the “comitology procedure”[138]. In parallel, the Commission is in contact with international partners that are developing similar tools[139]. This dialogue, allowing for an exchange of experiences and best practices, could significantly contribute to further developing convergence ‘on the ground’, and in this way facilitate compliance with cross-border transfer rules for companies operating across different regions of the world.

Binding corporate rules (BCRs)

Another important instrument is the so-called binding corporate rules (BCRs). These are legally binding policies and arrangements that apply to the members of a corporate group, including their employees (Articles 46(2)(b) and 47 of the GDPR). The use of BCRs allows personal data to move freely among the various group members worldwide – dispensing with the need to have contractual arrangements between each and every corporate entity – while ensuring that the same high level of protection of personal data is complied with throughout the group. They offer a particularly good solution for complex and large corporate groups and for close cooperation of enterprises exchanging data across multiple jurisdictions.

[136] Several submissions to the public consultation have commented on this last scenario, often raising concerns that requiring EU processors to ensure appropriate safeguards in their relationship with non-EU controllers would place them at a competitive disadvantage vis-à-vis foreign processors offering similar services.
[137] See Schrems II case.
Unlike under the 1995 Directive, under the GDPR BCRs can be used by a group of enterprises engaged in a joint economic activity but not forming part of the same corporate group. Procedurally, BCRs have to be approved by the competent data protection authorities, based on a non-binding opinion by the Board[140]. To guide this process, the Board has reviewed the BCR ‘referentials’ (setting out substantive standards) for controllers[141] and processors[142] in light of the GDPR, and continues to update these documents on the basis of the practical experience gained by supervisory authorities. It has also adopted various guidance documents to help applicants, and to streamline the application and approval process for BCRs[143]. According to the Board, more than 40 BCRs are currently in the pipeline for approval, half of which are expected to be approved by the end of 2020[144]. It is important that data protection authorities continue working on further streamlining the approval process, as the length of such procedures is often mentioned by stakeholders as a practical obstacle to the broader use of BCRs.

Finally, regarding specifically BCRs approved by the UK data protection authority – the Information Commissioner’s Office – companies will be able to continue to use them as a valid transfer mechanism under the GDPR after the end of the transition period under the EU-UK Withdrawal Agreement, but only if they are amended so that any connection to the UK legal order is replaced with appropriate references to corporate entities and competent authorities within the EU. The approval of any new BCRs should be sought from one of the supervisory authorities in the EU.

Certification mechanisms and codes of conduct

In addition to modernising and broadening the application of the already existing transfer tools, the GDPR has also introduced new instruments, thereby expanding the possibilities for international transfers. This includes the use, under certain conditions, of approved codes of conduct and certification mechanisms (such as privacy seals or marks) for ensuring appropriate safeguards.

[138] In accordance with Article 46(2)(c) GDPR, standard contractual clauses have to be adopted through the examination procedure laid down under Article 5 of Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13–18). This involves in particular a positive decision from a committee composed of representatives of the Member States.
[139] This includes, for instance, the work currently being carried out by the ASEAN Member States to develop ‘ASEAN model contractual clauses’. See ASEAN, Key Approaches for ASEAN Cross Border Data Flows Mechanism (available at: https://asean.org/storage/2012/05/Key-Approaches-for-ASEAN-Cross-Border-Data-Flows-Mechanism.pdf).
[140] For an overview of the EDPB opinions rendered so far, see https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[141] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109.
[142] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110.
[143] These documents were adopted (by the former Article 29 Working Party) following the entry into force of the GDPR, but before the end of the transition period. See WP263 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623056); WP264 (https://edpb.europa.eu/sites/edpb/files/files/file2/wp264_art29_wp_bcr-c_application_form.pdf); WP265 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623848).
[144] Contribution from the Board, p. 7.
These are bottom-up tools that allow for tailor-made solutions – as a general accountability mechanism (see Articles 40 to 42 of the GDPR) and, specifically, for international data transfers – reflecting, for instance, the specific features and needs of a given sector or industry, or of particular data flows. By calibrating the obligations with the risks, codes of conduct can also be a very useful and cost-effective way for small and medium-sized businesses to meet their GDPR obligations. As regards certification mechanisms, although the Board adopted guidelines to foster their use within the EU, its work on developing criteria to approve certification mechanisms as international transfer tools is still ongoing. The same is true for codes of conduct, regarding which the Board is currently working on guidelines for using them as a tool for transfers.

Given the importance of providing operators with a broad range of transfer instruments that are adapted to their needs, and the potential that in particular certification mechanisms hold for facilitating data transfers while ensuring a high level of data protection, the Commission urges the Board to finalise as soon as possible its guidance in this regard. This concerns both substantive (criteria) and procedural aspects (approval, monitoring, etc.). Stakeholders have expressed considerable interest in these transfer mechanisms and should be able to make full use of the GDPR’s toolkit. The Board’s guidelines would also contribute to promoting the EU model for data protection globally and foster convergence, as other privacy systems are using similar instruments. Valuable lessons can be drawn from existing standardisation efforts in the area of privacy, both at European and international level.
One interesting example is the recently released international standard ISO 27701[145], which aims to help businesses meet privacy requirements and manage risks related to the processing of personal data through ‘privacy information management systems’. Although certification under the standard as such does not fulfil the requirements of Articles 42 and 43 of the GDPR, applying privacy information management systems can contribute to accountability, including in the context of international data transfers.

International agreements and administrative arrangements

The GDPR also makes it possible to ensure appropriate safeguards for data transfers between public authorities or bodies on the basis of international agreements (Article 46(2)(a)) or administrative arrangements (Article 46(3)(b)). While both instruments have to guarantee the same outcome in terms of safeguards, including enforceable data subject rights and effective legal remedies, they differ as to their legal nature and adoption procedure. Unlike international agreements, which create binding obligations under international law, administrative arrangements (e.g. in the form of a Memorandum of Understanding) are typically non-binding and therefore require prior authorisation by the competent data protection authority (see also Recital 108 of the GDPR). One early example concerns the administrative arrangement for the transfer of personal data between EEA and non-EEA financial supervisors cooperating under the umbrella of the International Organisation of Securities Commissions (IOSCO), on which the Board gave its Opinion[146] in early 2019.

[145] The list of specific requirements making up this ISO standard is available at: https://www.iso.org/standard/71670.html.
Since then, the Board has further developed its interpretation of the ‘minimum safeguards’ that international (cooperation) agreements and administrative arrangements between public authorities or bodies (including international organisations) need to ensure in order to comply with the requirements of Article 46 GDPR. On 18 January 2020 it adopted draft guidelines[147], thereby addressing the Member States’ request for further clarification and guidance as to what may be considered appropriate safeguards for transfers between public authorities[148]. The Board strongly recommends that public authorities use these guidelines as a reference point for their negotiations with third parties[149]. The guidelines demonstrate the flexibility in the design of such instruments, including on important aspects such as oversight[150] and redress[151]. This should allow public authorities to overcome the difficulties in, for instance, ensuring enforceable data subject rights through non-binding arrangements. An important element of such arrangements is their continuous monitoring by the competent data protection authority – supported by information and record-keeping requirements – and the suspension of data flows if appropriate safeguards can no longer be ensured in practice.

Derogations

Finally, the GDPR clarifies the use of so-called ‘derogations’. These are specific grounds for data transfers (e.g. explicit consent[152], performance of a contract or important reasons of public interest) recognised in law, on which entities can rely in the absence of other transfer tools and under certain conditions. To clarify the use of such statutory grounds, the Board has issued specific guidance[153] and has interpreted Article 49 in a number of cases with respect to specific transfer scenarios[154].

Due to their exceptional character, the Board considers that derogations have to be interpreted restrictively, on a case-by-case basis. Despite their strict interpretation, these grounds cover a broad range of transfer scenarios. This includes in particular data transfers by both public authorities and private entities necessary for ‘important reasons of public interest’, for example between competition, financial, tax or customs authorities, services competent for social security matters or for public health (such as in the case of contact tracing for contagious diseases or in order to eliminate doping in sport)[155]. Another area is that of cross-border cooperation for criminal law enforcement purposes, in particular as regards serious crime[156].

[146] EDPB, Opinion 4/2019 on the draft Administrative Arrangement for the transfer of personal data between European Economic Area (EEA) Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities, 12.2.2019.
[147] EDPB, Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (draft available at: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-22020-articles-46-2-and-46-3-b_en). According to the EDPB, “[t]he competent [supervisory authority] will base its examination on the general recommendations set out in these guidelines, but might also ask for more guarantees depending on the specific case.” The EDPB submitted these draft guidelines to a public consultation that ended on 18 May 2020.
[148] Council position and findings, paragraph 20.
[149] At the same time, the EDPB clarifies that public authorities remain “free to rely on other relevant tools providing for appropriate safeguards in accordance with Article 46 GDPR.” Regarding the choice of instrument, the EDPB underlines that “[i]t should be carefully assessed whether or not to make use of non-legally binding administrative arrangements to provide safeguards in the public sector, in view of the purpose of the processing and the nature of the data at hand. If data protection rights and redress for EEA individuals are not provided for in the domestic law of the third country, preference should be given to concluding a legally binding agreement. Irrespective of the type of instrument adopted, the measures in place have to be effective to ensure the appropriate implementation, enforcement and supervision” (paragraph 67).
[150] This may include, for instance, combining internal checks (with a commitment to inform the other party of any instance of non-compliance) with independent oversight through external or at least functionally autonomous mechanisms, as well as the possibility for the transferring public body to suspend or terminate the transfer.
[151] This may include, for instance, quasi-judicial, binding mechanisms (e.g. arbitration) or alternative dispute resolution mechanisms, combined with the possibility for the transferring public authority to suspend or terminate the transfer of personal data if the parties do not succeed in resolving a dispute amicably, plus a commitment from the receiving public body to return or delete the personal data. When opting for alternative redress mechanisms in binding and enforceable instruments because there is no possibility to ensure effective judicial redress, the EDPB recommends seeking the advice of the competent supervisory authority before concluding these instruments.
[152] This is a change from Directive 95/46, which merely required ‘unambiguous’ consent. In addition, the general requirements for consent pursuant to Article 4(11) GDPR apply.
[153] EDPB, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25.5.2018 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf).
The Board has clarified that, although the relevant public interest must be recognised in EU or Member State law, it can also be established with reference to an international instrument: “an international agreement or convention which recognises a certain objective and provides for international cooperation to foster that objective can be an indicator when assessing the existence of a public interest pursuant to Article 49(1)(d), as long as the EU or the Member States are a party to that agreement or convention” [157].

Decisions by foreign courts or authorities: not a ground for transfers

In addition to positively setting out the grounds for data transfers, Chapter V of the GDPR also clarifies, in its Article 48, that orders from courts and decisions of administrative authorities outside the EU do not in themselves provide such grounds, unless they are recognised or made enforceable on the basis of an international agreement (e.g. a Mutual Legal Assistance Treaty). Any disclosure by the requested entity in the EU to the foreign court or authority in response to such an order or decision constitutes an international data transfer that needs to be based on one of the transfer instruments mentioned above [158]. The GDPR does not constitute a “blocking statute” and will, under certain conditions, permit a transfer in response to an appropriate law enforcement request from a third country. The important point is that EU law should determine whether this is the case and on the basis of which safeguards such transfers can take place.

The Commission explained the functioning of Article 48 GDPR, including the possible reliance on the public interest derogation, in the context of a production order (warrant) by a foreign criminal law enforcement authority in the Microsoft case before the U.S. Supreme Court [159]. In its submission, the Commission stressed the EU’s interest in ensuring that law enforcement cooperation takes place “within a legal framework that avoids conflicts of law, and is based on […] respect for each others’ fundamental interests in both privacy and law enforcement” [160]. In particular, “from the perspective of public international law, when a public authority requires a company established in its own jurisdiction to produce electronic data stored on a server in a foreign jurisdiction, the principles of territoriality and comity under public international law are engaged” [161]. This is also reflected in the Commission’s proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters [162], which contains a specific ‘comity clause’ that makes it possible to raise an objection against a production order if compliance would conflict with the laws of a third country prohibiting disclosure, in particular on the ground that this is necessary to protect the fundamental rights of the individuals concerned [163].

[154] This includes, for instance, international transfers of health data for research purposes in the context of the COVID-19 outbreak. See EDPB, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 21.4.2020 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf).
[155] See Recital 112.
[156] See Brief of the European Commission on behalf of the European Union as Amicus Curiae in Support of Neither Party in the Case US v. Microsoft, p. 15: “In general, Union as well as Member State law recognize the importance of the fight against serious crime—and thus criminal law enforcement and international cooperation in that respect—as an objective of general interest. […] Article 83 of the TFEU identifies several areas of crime that are particularly serious and have cross-border dimensions, such as illicit drug trafficking.” (available at: https://www.supremecourt.gov/DocketPDF/17/17-2/23655/20171213123137791_17-2%20ac%20European%20Commission%20for%20filing.pdf).
[157] EDPB, Derogation Guidelines (supra fn. 153), p. 10. The EDPB further clarified that, while data transfers based on the public interest derogation must not be “large scale” or “systematic” but “need to be restricted to specific situations and […] meet the strict necessity test”, there is no requirement for them to be “occasional”.
[158] This is made clear by the wording of Article 48 GDPR (“without prejudice to other grounds for transfer pursuant to this Chapter”) and the accompanying Recital 115 (“[t]ransfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject”). It is also recognised by the EDPB, see Derogation Guidelines (supra fn. 153), p. 5. As for all processing operations, the other safeguards under the Regulation must also be complied with (e.g. that data is transferred for a specific purpose, is relevant and is limited to what is necessary for the purpose of the request).
[159] Microsoft submission (supra fn. 156). As the Commission explained, the GDPR thus makes MLATs the “preferred option” for transfers, as such treaties “provide for collection of evidence by consent, and embody a carefully negotiated balance between the interests of different states that is designed to mitigate jurisdictional conflicts that can otherwise arise.” See also EDPB, Derogation Guidelines (supra fn. 153), p. 5 (“In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement”).
[160] Microsoft submission (supra fn. 156), p. 4.
Ensuring comity is important, given that law enforcement, like crime and in particular cybercrime, is increasingly cross-border and thus often raises jurisdictional questions and creates potential conflicts of law [164]. The best way of addressing these issues is through international agreements that provide for the necessary limitations and safeguards for cross-border access to personal data, including by ensuring a high level of data protection on the side of the requesting authority. The Commission, acting on behalf of the EU, is currently engaged in multilateral negotiations for a Second Additional Protocol to the Council of Europe Cybercrime (‘Budapest’) Convention, which aims to enhance the existing rules on cross-border access to electronic evidence in criminal investigations while ensuring appropriate data protection safeguards as part of the Protocol [165]. Similarly, bilateral negotiations have started on an agreement between the EU and the United States on cross-border access to electronic evidence for judicial cooperation in criminal matters [166]. The Commission counts on the support of the European Parliament and the Council, and the guidance of the EDPB, throughout these negotiations.

[161] Microsoft submission (supra fn. 156), p. 6.
[162] European Commission, Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, 17.4.2018 (COM(2018) 225 final). The Council adopted its general approach on the proposed Regulation on 7.12.2018 (available at: https://www.consilium.europa.eu/en/press/press-releases/2018/12/07/regulation-on-cross-border-access-to-eevidence-council-agrees-its-position/#). See also EDPS, Opinion 7/19 on proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters (available at: https://edps.europa.eu/data-protection/ourwork/publications/opinions/electronic-evidence-criminal-matters_en).
[163] The Explanatory Memorandum, p. 21, makes clear that, in addition to ensuring comity with respect to the sovereign interests of third countries, protecting the individual concerned and avoiding conflicts of law for service providers, one important motivation for the comity clause is reciprocity, i.e. to ensure respect for EU rules, including on the protection of personal data (Article 48 GDPR). See also Statement of the Article 29 Working Party of 29 November 2017, Data protection and privacy aspects of cross-border access to electronic evidence (WP29 Statement) (available at: file:///C:/Users/ralfs/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/TempState/Downloads/20171207_e-Evidence_Statement_FINALpdf%20(1).pdf), p. 9.
[164] See WP29 Statement (supra fn. 163), p. 6.
[165] See Recommendation for a Council Decision authorising the participation in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No. 185), 5.2.2019 (COM(2019) 71 final). See also EDPS, Opinion 3/2019 regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention, 2.4.2019 (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_budapest_convention_en.pdf); EDPB, Contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), 13.11.2019 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbcontributionbudapestconvention_en.pdf).
More generally, it is important to ensure that when companies active in the European market are asked, on the basis of a legitimate request, to share data for law enforcement purposes, they can do so without facing conflicts of law and in full respect of EU fundamental rights. To improve such transfers, the Commission is committed to developing appropriate legal frameworks with its international partners to avoid conflicts of law and support effective forms of cooperation, notably by providing for the necessary data protection safeguards, and thereby to contribute to a more effective fight against crime.

7.3 International cooperation in the area of data protection

Fostering convergence between different privacy systems also means learning from each other, through the exchange of knowledge, experience and best practices. Such exchanges are essential to address new challenges that are increasingly global in nature and scope. This is why the Commission has intensified its dialogue on data protection and data flows with a broad range of actors and in different fora, at bilateral, regional and multilateral level.

The bilateral dimension

Following the adoption of the GDPR, there has been increasing interest in the EU’s experience in the design, negotiation and implementation of modern privacy rules. Dialogue with countries going through similar processes has taken several forms. The Commission services have made submissions to a number of public consultations organised by foreign governments considering legislation in the area of privacy, for example by the US [167], India [168], Malaysia and Ethiopia. In some third countries, the Commission’s services had the privilege to testify before the competent parliamentary bodies, for example in Brazil [169], Chile [170], Ecuador and Tunisia [171].
Moreover, within the context of ongoing reforms of data protection laws, dedicated meetings took place with government representatives or parliamentary delegations from many regions of the world (e.g. Georgia, Kenya, Taiwan, Thailand, Morocco). This included the organisation of seminars and study visits, for example with representatives of the Indonesian government and a delegation of staffers from the US Congress. This provided opportunities to clarify important concepts of the GDPR, improve mutual understanding of privacy matters and illustrate the benefits of convergence for ensuring a high level of protection of individual rights, trade and cooperation. In some cases, it also allowed cautioning against certain misconceptions of data protection that can lead to the introduction of protectionist measures such as forced localisation requirements.

Since the adoption of the GDPR, the Commission has also engaged with several international organisations, including in light of the importance of data exchanges with those organisations in a number of policy areas. In particular, a specific dialogue has been established with the United Nations, with a view to facilitating discussions with all involved stakeholders to ensure smooth data transfers and to develop further convergence between the respective data protection regimes. As part of this dialogue, the Commission will work closely with the EDPB to further clarify how EU public and private operators can comply with their GDPR obligations when exchanging data with international organisations such as the UN.

The Commission stands ready to continue sharing the lessons learned from its reform process with interested countries and international organisations, in the same way it learned from other systems when developing its proposal for new EU data protection rules. This type of dialogue is mutually beneficial for the EU and its partners, as it allows both sides to obtain a better understanding of the fast-evolving privacy landscape and to exchange views on emerging legal and technological solutions. It is in this spirit that the Commission is setting up a “Data Protection Academy” to foster exchanges between European and third country regulators and, in this way, improve cooperation ‘on the ground’.

In addition, there is a need to develop appropriate legal instruments for closer forms of cooperation and mutual assistance, including by allowing the necessary exchange of information in the context of investigations. The Commission will therefore make use of the powers granted in this area by Article 50 of the GDPR and, in particular, seek authorisation to open negotiations for the conclusion of enforcement cooperation agreements with relevant third countries. In this context, it will also take into account the Board’s views as to which countries should be prioritised in light of the volume of data transfers, the role and powers of the privacy enforcer in the third country and the need for enforcement cooperation to address cases of common interest.

The multilateral dimension

Beyond bilateral exchanges, the Commission is also actively participating in a number of multilateral fora to promote shared values and build convergence at regional and global level.

[166] See Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the EU and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, 5.2.2019 (COM(2019) 70 final). See also EDPS, Opinion 2/2019 on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_on_eu_us_agreement_on_e-evidence_en.pdf).
[167] See DG Justice and Consumers submission of 9 November 2018 in response to a request for public comments on a proposed approach to consumer privacy [Docket No. 180821780-8780-01] by the US National Telecommunications and Information Administration (available at: https://ec.europa.eu/info/sites/info/files/european_commission_submission_on_a_proposed_approach_to_consumer_privacy.pdf).
[168] See DG Justice and Consumers submission of 19 November 2018 on the draft Personal Data Protection Bill of India 2018 to the Ministry of Electronics and Information Technology (available at: https://eeas.europa.eu/delegations/india/53963/submission-draft-personal-data-protection-bill-india-2018-directorate-general-justice_en).
[169] See plenary meeting of 17 April 2018 of the Brazilian Senate (https://www25.senado.leg.br/web/atividade/sessao-plenaria/-/pauta/23384), meeting of 10 April 2019 of the Joint Committee on MP 869/2018 of the Brazilian Congress (https://www12.senado.leg.br/ecidadania/visualizacaoaudiencia?id=15392), and meeting of 26 November 2019 of the Special Committee of the Brazilian Chamber of Deputies (https://www.camara.leg.br/noticias/616579-comissao-discutira-protecao-de-dados-no-ambito-das-constituicoes-de-outros-paises/).
[170] See meetings of 29 May 2018 (https://senado.cl/appsenado/index.php?mo=comisiones&ac=asistencia_sesion&idcomision=186&idsesion=12513&idpunto=15909&sesion=29/05/2018&listado=1) and 24 April 2019 (https://www.senado.cl/appsenado/index.php?mo=comisiones&ac=sesiones_celebradas&idcomision=186&tipo=3&legi=485&ano=2019&desde=0&hasta=0&idsesion=13603&idpunto=17283&listado=2) of the Constitutional, Legislative and Justice Affairs Committee of the Chilean Senate.
[171] See meeting of 2 November 2018 of the Rights, Freedoms and External Relations Committee of the Tunisian Assembly of the Representatives of the People (https://www.facebook.com/1515094915436499/posts/2264094487203201/).
The increasingly universal membership of the Council of Europe’s ‘Convention 108’, the only legally binding multilateral instrument in the area of personal data protection, is a clear sign of this trend towards (upward) convergence [172]. The Convention, which is also open to non-members of the Council of Europe, has already been ratified by 55 countries, including a number of African and Latin American States [173]. The Commission contributed significantly to the successful outcome of the negotiations on the modernisation of the Convention [174] and ensured that it reflects the same principles as those enshrined in the EU data protection rules. Most EU Member States have now signed the Amending Protocol, although the signatures of Denmark, Malta and Romania are still outstanding. Only four Member States (Bulgaria, Croatia, Lithuania and Poland) have so far ratified the Amending Protocol. The Commission urges the three remaining Member States to sign the modernised Convention, and all Member States to proceed swiftly to ratification, to allow for its entry into force in the near future [175]. Beyond that, it will continue to proactively encourage accession by third countries.

Data flows and protection have recently also been addressed within the G20 and G7. In 2019, global leaders for the first time endorsed the idea that data protection contributes to trust in the digital economy and facilitates data flows. With the Commission’s active support [176], leaders endorsed the concept of “data free flow with trust” (DFFT), originally proposed by Japan, in the G20 Osaka Declaration [177] as well as at the G7 summit in Biarritz [178]. This approach is also reflected in the Commission’s 2020 Communication on “A European strategy for data” [179], which highlights its intention to continue promoting data sharing with trusted partners while fighting against abuses such as disproportionate access of (foreign) public authorities to data.

[172] Importantly, the modernised Convention is not just a treaty setting out strong data protection safeguards; it also creates a network of supervisory authorities with tools for enforcement cooperation and, with the Convention Committee, a forum for discussions, exchange of best practices and development of international standards.
[173] See full list of members: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures. Countries from Africa include Cabo Verde, Mauritius, Morocco, Senegal and Tunisia; from Latin America, Argentina, Mexico and Uruguay. Burkina Faso has been invited to join the Convention.
[174] See the text of the modernised Convention: https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf.
[175] According to its Decision on the Amending Protocol of 18 May 2018, the Committee of Ministers “urged member States and other Parties to the Convention to take without delay the necessary measures to allow the entry into force of the Protocol within three years from its opening for signature and to initiate immediately, but in any case no later than one year after the date on which the Protocol has been opened for signature, the process under their national law leading to ratification...” It also “instructed its Deputies to examine bi-annually, and for the first time one year after the date of opening for signature of the Protocol, the overall progress made towards ratification on the basis of the information to be provided to the Secretary General by each of the member States and other Parties to the Convention at the latest one month ahead of such an examination.” See https://search.coe.int/cm/pages/result_details.aspx?objectid=09000016808a3c9f.
In doing so, the EU will also be able to rely on a number of tools in different policy areas that increasingly take into account the impact on privacy. For example, the first-ever EU framework for the screening of foreign investment, which will become fully applicable in October 2020, gives the EU and its Member States the possibility to screen investment transactions that have effects on “access to sensitive information, including personal data, or the ability to control such information” if they affect security or public order [180].

The Commission is working with like-minded countries in several other multilateral fora to actively promote its values and standards. One important forum is the OECD’s recently created Working Party on Data Governance and Privacy (DGP), which is pursuing a number of important initiatives related to data protection, data sharing and data transfers. This includes the evaluation of the 2013 OECD Privacy Guidelines. Moreover, the Commission actively contributed to the OECD Council Recommendation on Artificial Intelligence [181] and ensured that the EU’s human-centric approach, meaning that AI applications must comply with fundamental rights and in particular data protection, was reflected in the final text. Importantly, the AI Recommendation, which has subsequently been incorporated into the G20 AI Principles annexed to the G20 Osaka Leaders’ Declaration [182], stipulates the principles of transparency and explainability with a view “to enable those adversely affected by an AI system to challenge its outcome based on plain and easy-to-understand information on the factors and the logic that served as the basis for the prediction, recommendation or decision”, thereby closely mirroring the principles of the GDPR as regards automated decision-making [183].
The Commission is also stepping up its dialogue with regional organisations and networks that are increasingly playing a central role in shaping common data protection standards [184], promoting the exchange of best practices and fostering cooperation between enforcers. This concerns, in particular, the Association of Southeast Asian Nations (ASEAN), including in the context of its ongoing work on data transfer tools, the African Union, the Asia Pacific Privacy Authorities (APPA) forum and the Ibero-American Data Protection Network, all of which have launched important initiatives in this area and provide fora for fruitful dialogue between privacy regulators and other stakeholders.

Africa is a telling example of the complementarity between the national, regional and global dimensions of privacy. Digital technologies are quickly and deeply transforming the African continent. This has the potential to accelerate the achievement of the Sustainable Development Goals by boosting economic growth, alleviating poverty and improving people’s lives. Having in place a modern data protection framework that attracts investment and fosters the development of competitive business, while contributing to respect for human rights, democracy and the rule of law, is a key element of this transformation. The harmonisation of data protection rules across Africa would enable digital market integration, while convergence with global standards would facilitate data exchanges with the EU. These different dimensions of data protection are interlinked and mutually reinforcing.

There is now a growing interest in data protection in many African countries, and the number of African countries that have adopted or are in the process of adopting modern data protection rules, or that have ratified Convention 108 [185] or the Malabo Convention [186], continues to increase [187]. At the same time, the regulatory framework remains highly uneven and fragmented across the African continent. Many countries still offer few or no data protection safeguards. Measures restricting data flows are still widespread and hamper the development of a regional digital economy.

[176] In the margins of the April 2019 EU-Japan Summit, President Juncker expressed support for Japan’s ‘data free flow with trust’ initiative and the launching of the ‘Osaka Track’, and committed the Commission to “play an active role in both initiatives”.
[177] See text of the G20 Osaka Leaders’ Declaration: https://www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf
[178] See text of the G7 Biarritz Strategy for an open, free and secure digital transformation: https://www.elysee.fr/admin/upload/default/0001/05/62a9221e66987d4e0d6ffcb058f3d2c649fc6d9d.pdf
[179] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European strategy for data, 19.2.2020 (COM(2020) 66 final) (https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf), pp. 23-24.
[180] Art. 4(1)(d) of Regulation (EU) 2019/452 of the European Parliament and of the Council of 19.03.2019 establishing a framework for the screening of foreign direct investment into the Union (OJ L 79I, 21.03.2019).
[181] https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449
[182] G20 Ministerial Statement on Trade and Digital Economy: https://g20trade-digital.go.jp/dl/Ministerial_Statement_on_Trade_and_Digital_Economy.pdf
[183] See Articles 13(2)(f), 14(2)(g) and 22 GDPR.
To harness the mutual benefits of convergent data protection rules, the Commission will engage with its African partners both bilaterally and in regional fora [188]. This builds on the work of the EU-AU Digital Economy Task Force within the context of the New Africa-Europe Digital Economy Partnership [189]. It is also in furtherance of such objectives that the scope of the Commission’s partnership instrument ‘Enhanced Data Protection and Data Flows’ has been extended to include Africa. The project will be mobilised to support African countries that intend to develop modern data protection frameworks or that wish to strengthen the capacity of their regulatory authorities, through training, knowledge sharing and exchange of best practices.

Finally, while promoting convergence of data protection standards at international level as a way to facilitate data flows and thus trade, the Commission is also determined to tackle digital protectionism, as recently highlighted in the Data Strategy [190]. To that end, it has developed specific provisions on data flows and data protection in trade agreements, which it systematically tables in its bilateral negotiations (most recently with Australia, New Zealand and the UK) and in multilateral negotiations such as the current WTO e-commerce talks. These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, while preserving the regulatory autonomy of the parties to protect the fundamental right to data protection.

Whereas dialogues on data protection and trade negotiations must follow separate tracks, they can complement each other. In fact, convergence based on high standards and backed up by effective enforcement provides the strongest foundation for the exchange of personal data, something that is increasingly recognised by our international partners. Given that companies more and more operate across borders and prefer to apply similar sets of rules in all their business operations worldwide, such convergence helps create an environment conducive to direct investment, facilitating trade and improving trust between commercial partners. Synergies between trade and data protection instruments should thus be further explored to ensure free and safe international data flows, which are essential for the business operations, competitiveness and growth of European companies, including SMEs, in our increasingly digitalised economy.

[184] See, for instance, the African Union Convention on Cyber Security and Personal Data Protection (‘Malabo Convention’) and the Standards for Data Protection for the Ibero-American States developed by the Ibero-American Data Protection Network.
[185] Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=DW5jevqD
[186] African Union Convention on Cyber Security and Personal Data Protection: https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection. In addition, several of the Regional Economic Communities (RECs) have developed data protection rules, for instance the Economic Community of West African States (ECOWAS) and the Southern African Development Community (SADC). See, respectively, http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf and http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/docs/SA4docs/data%20protection.pdf.
[188] Inter alia, through the Policy and Regulation Initiative for Digital Africa (PRIDA), see information at: https://www.africa-eu-partnership.org/en/projects/policy-and-regulation-initiative-digital-africa-prida.
[189] See Joint Communication of the European Commission and the High Representative for Foreign Affairs and Security Policy, ‘Towards a comprehensive strategy for Africa’ (available at: https://ec.europa.eu/international-partnerships/system/files/communication-eu-africa-strategy-join-2020-4-final_en.pdf); Digital Economy Task Force, New Africa-Europe Digital Economy Partnership: Accelerating the Achievement of the Sustainable Development Goals (available at: https://www.africa-eu-partnership.org/sites/default/files/documents/finaldetfreportpdf.pdf).
[190] https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 23.

ANNEX I – Clauses for facultative specifications by national legislation

Subject | Scope | GDPR articles
--- | --- | ---
Specifications for legal obligations and public task | Adapting the application of provisions with regard to processing for compliance with a legal obligation or a public task, including for specific processing situations under Chapter IX | Article 6(2) and 6(3)
Age limit for consent in relation to information society services | Determination of the minimum age, between 13 and 16 years | Article 8(1)
Processing of special categories of data | Maintaining or introducing further conditions, including limitations, for the processing of genetic data, biometric data or data concerning health | Article 9(4)
Derogation from information requirements | Obtaining or disclosure expressly laid down by law, or professional secrecy regulated by law | Article 14(5)(c) and (d)
Automated individual decision-making | Authorisation for automated decision-making in derogation from the general prohibition | Article 22(2)(b)
Restrictions of data subject rights | Restrictions of Articles 12 to 22, Article 34 and the corresponding provisions in Article 5, when necessary and proportionate to safeguard exhaustively listed important objectives | Article 23(1)
Consultation and authorisation requirement | Requirement for controllers to consult or obtain authorisation from the data protection authority for processing for a task in the public interest | Article 36(5)
Designation of a data protection officer in additional cases | Designation of a data protection officer in cases other than those in paragraph 1 of Article 37 | Article 37(4)
Limitations of transfers | Limitation of transfers of specific categories of personal data | Article 49(5)
Complaints and court actions of organisations in their own right | Authorisation of privacy organisations to lodge complaints and court actions independently of a mandate by data subjects | Article 80(2)
Access to official documents | Reconciliation of public access to official documents with the right to the protection of personal data | Article 86
Processing of the national identification number | Specific conditions for the processing of the national identification number | Article 87
Processing in the employment context | More specific rules for processing employees’ personal data | Article 88
Derogations for processing for archiving in the public interest, research or statistical purposes | Derogations from specified data subject rights in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes | Article 89(2) and (3)
Reconciliation of data protection with obligations of secrecy | Specific rules on the investigative powers of data protection authorities in relation to controllers or processors subject to obligations of professional secrecy | Article 90

ANNEX II – Overview of the resources of data protection authorities

The table below presents an overview of the resources (staff and budget) of data protection authorities per EU/EEA Member State [191]. When comparing the figures between Member States, it is important to bear in mind that authorities may have tasks assigned to them beyond those under the GDPR, and that these may vary between Member States. The ratio of staff employed by the authorities to one million inhabitants and the ratio of the budget of the authorities to one million euro of GDP are only included to provide additional elements of comparison among Member States of similar size and should not be looked at in isolation. The absolute figures, ratios and evolution over the past years should be considered together when assessing the resources of a given authority.

Staff figures are full-time equivalents (FTE); budget figures are in EUR. Growth percentages are relative to 2016.

Member State | Staff 2019 | Staff 2020 (forecast) | Staff growth 2016-2019 | Staff growth 2016-2020 (forecast) | Staff per million inhabitants (2019) | Budget 2019 (EUR) | Budget 2020 forecast (EUR) | Budget growth 2016-2019 | Budget growth 2016-2020 (forecast) | Budget per million EUR of GDP (2019)
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Austria | 34 | 34 | 48% | 48% | 3.8 | 2,282,000 | 2,282,000 | 29% | 29% | 5.7
Belgium | 59 | 65 | 9% | 20% | 5.2 | 8,197,400 | 8,962,200 | 1% | 10% | 17.3
Bulgaria | 60 | 60 | -14% | -14% | 8.6 | 1,446,956 | 1,446,956 | 24% | 24% | 23.8
Croatia | 39 | 60 | 39% | 114% | 9.6 | 1,157,300 | 1,405,000 | 57% | 91% | 21.5
Cyprus | 24 | 22 | NA | NA | 27.4 | 503,855 | NA | 114% | NA | 23.0
Czech Republic | 101 | 109 | 0% | 8% | 9.5 | 6,541,288 | 6,720,533 | 10% | 13% | 29.7
Denmark | 66 | 63 | 106% | 97% | 11.4 | 5,610,128 | 5,623,114 | 101% | 101% | 18.0
Estonia | 16 | 18 | -11% | 0% | 12.1 | 750,331 | 750,331 | 7% | 7% | 26.8
Finland | 45 | 55 | 114% | 162% | 8.2 | 3,500,000 | 4,500,000 | 94% | 150% | 14.6
France | 215 | 225 | 9% | 14% | 3.2 | 18,506,734 | 20,143,889 | -2% | 7% | 7.7
Germany | 888 | 1,002 | 52% | 72% | 10.7 | 76,599,800 | 85,837,500 | 48% | 66% | 22.3
Greece | 33 | 46 | -15% | 18% | 3.1 | 2,849,000 | 3,101,000 | 38% | 50% | 15.2
Hungary | 104 | 117 | 42% | 60% | 10.6 | 3,505,152 | 4,437,576 | 102% | 155% | 24.4
Iceland | 17 | 17 | 143% | 143% | 47.6 | 2,272,490 | 2,294,104 | 167% | 170% | 105.2
Ireland | 140 | 176 | 169% | 238% | 28.5 | 15,200,000 | 16,900,000 | 223% | 260% | 43.8
Italy | 170 | 170 | 40% | 40% | 2.8 | 29,127,273 | 30,127,273 | 46% | 51% | 16.3
Latvia | 19 | 31 | -10% | 48% | 9.9 | 640,998 | 1,218,978 | 4% | 98% | 21.0
Lithuania | 46 | 52 | -8% | 4% | 16.5 | 1,482,000 | 1,581,000 | 40% | 49% | 30.6
Luxembourg | 43 | 48 | 126% | 153% | 70.0 | 5,442,416 | 6,691,563 | 165% | 226% | 85.7
Malta | 13 | 15 | 30% | 50% | 26.3 | 480,000 | 550,000 | 41% | 62% | 36.3
Netherlands | 179 | 188 | 145% | 158% | 10.4 | 18,600,000 | 18,600,000 | 130% | 130% | 22.9
Norway | 49 | 58 | 2% | 21% | 9.2 | 5,708,950 | 6,580,660 | 27% | 46% | 15.9
Poland | 238 | 260 | 54% | 68% | 6.3 | 7,506,345 | 9,413,381 | 66% | 108% | 14.2
Portugal | 25 | 27 | -4% | 4% | 2.4 | 2,152,000 | 2,385,000 | 67% | 86% | 10.1
Romania | 39 | 47 | -3% | 18% | 2.0 | 1,103,388 | 1,304,813 | 3% | 22% | 4.9
Slovakia | 49 | 51 | 20% | 24% | 9.0 | 1,731,419 | 1,859,514 | 47% | 58% | 18.4
Slovenia | 47 | 49 | 42% | 48% | 22.6 | 2,242,236 | 2,266,485 | 68% | 70% | 46.7
Spain | 170 | 220 | 13% | 47% | 3.6 | 15,187,680 | 16,500,000 | 8% | 17% | 12.2
Sweden | 87 | 87 | 81% | 81% | 8.5 | 8,800,000 | 10,300,000 | 96% | 129% | 18.5
TOTAL | 2,966 | 3,372 | 42% | 62% | 6.6 | 249,127,139 | 273,782,870 | 49% | 64% | 17.4

Source of raw figures: contribution from the Board. Calculations by the Commission.

[191] Except for Liechtenstein.
1_EN_autre_document_travail_service_part1_v9.pdf
https://www.ft.dk/samling/20201/kommissionsforslag/kom(2020)0264/forslag/1675383/2231158.pdf
EUROPEAN COMMISSION
Brussels, 24.6.2020
SWD(2020) 115 final/2

This document corrects document SWD(2020) 115 final of 24.06.2020. Concerns the EN language version. Footnote 3 completed. The text shall read as follows:

COMMISSION STAFF WORKING DOCUMENT […] Accompanying the document COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL: Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation {COM(2020) 264 final}

European Affairs Committee (Europaudvalget) 2020, KOM (2020) 0264, public document

1 CONTEXT

The General Data Protection Regulation[1] (hereafter ‘the GDPR’) is the result of eight years of preparation, drafting and inter-institutional negotiations, and entered into application on 25 May 2018 following a two-year transition period (May 2016 - May 2018). Article 97 of the GDPR requires the Commission to report on the evaluation and review of the Regulation, starting with a first report after two years of application and every four years thereafter.

The evaluation is also part of a multi-faceted approach that the Commission already followed before the GDPR entered into application and has continued to actively pursue since then. As part of this approach, the Commission engaged in on-going bilateral dialogues with Member States on the compliance of national legislation with the GDPR, actively contributed to the work of the European Data Protection Board (hereafter ‘the Board’) by providing its experience and expertise, supported data protection authorities and maintained close contacts with a wide range of stakeholders on the practical application of the Regulation.

The evaluation builds on the stocktaking exercise that the Commission carried out on the first year of the GDPR’s application and that was summarised in the Communication issued in July 2019[2]. It also follows up on the Communication on the application of the GDPR issued in January 2018[3]. The Commission also adopted the Guidance on the use of personal data in the electoral context published in September 2018 and the Guidance on apps supporting the fight against the COVID-19 pandemic issued in April 2020.

Although its focus is on the two issues highlighted in Article 97(2) of the GDPR, namely international transfers and the cooperation and consistency mechanisms, this evaluation takes a broader approach in order to address issues which have been raised by various actors during the last two years.

To prepare the evaluation, the Commission took into account the contributions from:
- the Council[4];
- the European Parliament (Committee on Civil Liberties, Justice and Home Affairs)[5];
- the Board[6] and individual data protection authorities[7], based on a questionnaire sent by the Commission;
- the members of the Multi-stakeholder expert Group to support the application of the GDPR[8], also based on a questionnaire sent by the Commission; and
- ad hoc contributions received from stakeholders.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - OJ L 119, 4.5.2016, p. 1–88
[2] Communication from the Commission to the European Parliament and the Council, Data Protection as a trust-enabler in the EU and beyond – taking stock – COM(2019) 374 final, 24.7.2019
[3] Communication from the Commission to the European Parliament and the Council: Stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018, COM/2018/043 final
[4] Council position and findings on the application of the General Data Protection Regulation – 14994/2/19 Rev2, 15.01.2020: https://data.consilium.europa.eu/doc/document/ST-14994-2019-REV-2/en/pdf
[5] Letter of the LIBE Committee of the European Parliament of 21 February 2020 to Commissioner Reynders, Ref.: IPOL-COM-LIBE D (2020)6525.

2 ENFORCEMENT OF THE GDPR AND FUNCTIONING OF THE COOPERATION AND CONSISTENCY MECHANISMS

The GDPR set up an innovative governance system and created the foundation of a truly European data protection culture that aims to ensure not only a harmonised interpretation, but also a harmonised application and enforcement of data protection rules. Its pillars are the independent national data protection authorities and the newly established Board. As the data protection authorities are key to the functioning of the whole EU data protection system, the Commission is attentively monitoring their effective independence, including as regards adequate financial, human and technical resources.

It is still too early to fully assess the functioning of the cooperation and consistency mechanisms, given the short experience gathered so far[9]. In addition, data protection authorities have not yet used the full array of tools provided for by the GDPR to strengthen their cooperation further.

2.1 Use of strengthened powers by data protection authorities

The GDPR establishes independent data protection authorities and provides them with harmonised and strengthened enforcement powers. Since the GDPR became applicable, those authorities have been using a wide range of the corrective powers provided for in the GDPR, such as administrative fines (22 EU/EEA authorities)[10], warnings and reprimands (23), orders to comply with data subjects’ requests (26), orders to bring processing operations into compliance with the GDPR (27), and orders to rectify, erase or restrict processing (17). Around half of the data protection authorities (13) have imposed temporary or definitive limitations on processing, including bans.
This demonstrates a conscious use of all corrective measures provided for in the GDPR; the data protection authorities did not shy away from imposing administrative fines in addition to or instead of other corrective measures, depending on the circumstances of individual cases.

[6] Contribution of the Board to the evaluation of the GDPR under Article 97, adopted on 18 February 2020: https://edpb.europa.eu/our-work-tools/our-documents/other/contribution-edpb-evaluation-gdpr-under-article-97_en
[7] https://edpb.europa.eu/individual-replies-data-protection-supervisory-authorities_en
[8] The Multi-stakeholder expert group on the GDPR set up by the Commission involves civil society and business representatives, academics and practitioners: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3537 The report of the Multi-stakeholder Group is available at: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupMeeting&meetingId=21356
[9] This fact is also highlighted in particular by the Council in its position and findings on the application of the GDPR and by the Board in its contribution to the evaluation.
[10] The figures in parentheses indicate the number of EU/EEA data protection authorities that made use of the listed power between May 2018 and the end of November 2019. See contribution from the Board, pages 32-33.

Administrative fines: Between 25 May 2018 and 30 November 2019, 22 EU/EEA data protection authorities issued approximately 785 fines. Only a few authorities have not yet imposed any administrative fines, although proceedings that are currently ongoing might lead to such fines. Most of the fines related to infringements of: the principle of lawfulness; valid consent; the protection of sensitive data; the obligation of transparency; the rights of data subjects; and data breaches.

Examples of fines imposed by data protection authorities include[11]:
- EUR 200 000 for non-compliance with the right to object to direct marketing in Greece;
- EUR 220 000 on a data broker company in Poland for failure to inform individuals that their data was being processed;
- EUR 250 000 imposed on the Spanish football league LaLiga, for lack of transparency in the design of its smartphone application;
- EUR 14.5 million for infringement of data protection principles, in particular unlawful storage, by a German real estate company;
- EUR 18 million for unlawful processing of special categories of data on a large scale by the Austrian postal service;
- EUR 50 million on Google in France, because of the conditions for obtaining consent from users.

The success of the GDPR should not be measured by the number of fines issued, since the GDPR provides for a broader palette of corrective powers. Depending on the circumstances, for example, the deterrent effect of a ban on processing or the suspension of data flows can be much stronger.

Specific issues for the public sector

The GDPR allows Member States to determine whether and to what extent administrative fines may be imposed on public authorities and bodies. Where Member States make use of this possibility, this does not deprive the data protection authorities of the use of all the other corrective powers vis-à-vis public authorities and bodies[12]. Another specific issue is the supervision of courts: although the GDPR also applies to the activities of courts, these are exempted from supervision by data protection authorities when acting in their judicial capacity. However, the Charter and the TFEU oblige Member States to entrust an independent body within their judicial systems with the supervision of such processing operations[13].

[11] Several of the decisions imposing fines are still subject to judicial review.
[12] Article 83(7) GDPR.
[13] Article 8(3) of the Charter; Article 16(2) TFEU; recital 20 of the GDPR.
Cooperation with other regulators

As announced in its Communication of July 2019, the Commission supports interaction with other regulators, in full respect of the respective competencies. Promising areas of cooperation include consumer protection and competition. The Board indicated its willingness to engage with other regulators, in particular in relation to concentration in digital markets[14]. The Commission recognised the importance of privacy and data protection as a qualitative parameter for competition[15]. Members of the Board participated in joint workshops with the Consumer Protection Cooperation Network on better enforcement of EU consumer and data protection legislation. This approach will be pursued to foster common understanding and develop practical ways to address concrete problems experienced by consumers, in particular in the digital economy.

In order to ensure a consistent approach to privacy and data protection, and pending the adoption of the ePrivacy Regulation, close cooperation with the authorities competent for enforcing the ePrivacy Directive[16], the lex specialis in the area of electronic communications, is indispensable. Closer cooperation with the authorities competent under the NIS Directive[17], and the NIS Cooperation Group, would be to the mutual benefit of those authorities and the data protection authorities.

2.2 The cooperation and consistency mechanisms

The GDPR created the cooperation mechanism (one-stop-shop system for operators, joint operations and mutual assistance between data protection authorities) and the consistency mechanism in order to foster a uniform application of the data protection rules, through a consistent interpretation and the resolution of possible disagreements between authorities by the Board. The Board, gathering all data protection authorities, has been established as an EU body with legal personality and is fully operational, supported by a secretariat[18]. It is crucial for the functioning of the two mechanisms mentioned above. By the end of 2019, the Board had adopted 67 documents, including 10 new guidelines[19] and 43 opinions[20][21].

[14] Cf. the statement of the Board on the data protection impacts of economic concentration, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_economic_concentration_en.pdf.
[15] See Case COMP/M.8124 Microsoft/LinkedIn.
[16] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) - OJ L 201, 31.7.2002, p. 37–47
[17] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union - OJ L 194, 19.7.2016, p. 1–30
[18] See details on the secretariat activities in the contribution from the Board, pages 24-26.
[19] In addition to the 10 guidelines adopted by the Article 29 Working Party in the run-up to the GDPR’s entry into application and endorsed by the Board. Moreover, the Board adopted 4 additional guidelines between January and end May 2020, and updated an existing one.
[20] 42 of these opinions were adopted under Article 64 of the GDPR and one was adopted under Article 70(1)(s) of the GDPR and concerned the adequacy decision with respect to Japan.
[21] See contribution from the Board, pages 18-23, for a complete overview of the Board’s activities.

The important role of the Board emerged where there was a need to rapidly provide a consistent interpretation of the GDPR and to find immediately applicable solutions at EU level.
For example, in the context of the COVID-19 outbreak, in March 2020 the Board adopted a statement on the processing of personal data, which deals inter alia with the lawfulness of processing and the use of mobile location data in that context[22], and in April 2020 it adopted guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak[23] and guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak[24]. The Board also made a significant contribution to the design of the EU approach to tracing apps by the Commission and the Member States.

Day-to-day cooperation between data protection authorities, whether they act in their own capacity or as members of the Board, is based on exchanges of information and notifications of cases opened by the authorities. In order to facilitate communication between authorities, the Commission gave significant support by providing them with an information exchange system[25]. Most authorities consider it adapted to the needs of the cooperation and consistency mechanisms, even though it could be further fine-tuned, for example by making it more user-friendly.

Although it is still early days, a number of achievements and challenges can already be identified and are presented below. They show that, so far, data protection authorities have made effective use of the cooperation tools, with a preference for more flexible solutions.

One-stop-shop

As a general rule, in cross-border cases, a Member State’s data protection authority can be involved either (i) as lead authority, when the main establishment of the operator is located in this Member State, or (ii) as a concerned authority, when the operator has an establishment on the territory of this Member State, when individuals in this Member State are substantially affected, or when a complaint has been lodged with it.

Such close cooperation has become daily practice: since the date of application of the GDPR, data protection authorities in all Member States have at some point been identified either as lead authorities or as concerned authorities in cross-border cases, although to a different extent. From May 2018 until end 2019, the data protection authority in Ireland acted as lead authority in the highest number of cross-border cases (127), followed by Germany (92), Luxembourg (87), France (64) and the Netherlands (45). This ranking notably reflects the specific situation of Ireland and Luxembourg, which host several big multinational tech companies.

[22] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
[23] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en
[24] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf
[25] Internal Market Information System (‘IMI’).

The ranking is different as regards involvement as concerned data protection authorities, with the authorities in Germany being involved in the highest number of cases (435), followed by Spain (337), France (332), Denmark (327) and Italy (306)[26].

Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the one-stop-shop procedure, out of which 79 resulted in final decisions. At the date of publication of this report, several important decisions with a cross-border dimension and subject to the one-stop-shop mechanism are pending. Among these decisions, some involve multinational big tech companies[27]. They are expected to provide clarification and to contribute to increased harmonisation in the interpretation of the GDPR.

Mutual assistance

Data protection authorities have made wide use of the mutual assistance tool.
By the end of 2019, there had been 115 mutual assistance[28] procedures, in particular for carrying out investigations, most of them initiated by the data protection authorities of Spain (26), Germany (20), Denmark (13), Poland (12) and the Czech Republic (10). On the other hand, Ireland (19), France (11), Austria (10), Germany (10) and Luxembourg (9) had received the most requests[29]. The vast majority of authorities find mutual assistance a very useful tool for cooperation and have not encountered any particular obstacle to applying the mutual assistance procedure. The voluntary mutual assistance exchange, which does not have a legal deadline or strict duty to answer, has been used more frequently, in 2 427 procedures. The data protection authority of Ireland sent and received the highest number of mutual assistance requests (527 sent and 359 received), followed by the German authorities (260 sent / 356 received).

On the other hand, joint operations[30], which would make it possible for data protection authorities of several Member States to be involved already at the investigation stage of cross-border cases, have not been conducted yet. Reflection is on-going within the Board on the practical implementation of this tool and how to promote its use.

Consistency mechanism

So far only the first leg of the consistency mechanism has been used, namely the adoption of Board opinions[31]. No dispute resolution at Board level[32] or urgency procedure[33] has been triggered yet.

[26] See contribution from the Board, page 8.
[27] For instance, on 22 May 2020, the Irish data protection authority submitted a draft decision to the other concerned authorities, in accordance with Article 60 of the Regulation, concerning an investigation into Twitter International Company regarding data breach notification. On the same day, the Irish data protection authority also announced that a draft decision on WhatsApp Ireland Limited for submission under Article 60 was in preparation, concerning transparency, including in relation to what information is shared with Facebook.
[28] Article 61 GDPR.
[29] See contribution from the Board, pages 12-14.
[30] Article 62 GDPR.
[31] Based on Article 64 GDPR.

Between 25 May 2018 and 31 December 2019, the Board issued 36 opinions in the context of the adoption of measures by one of its members[34]. Most of them (31) concerned the adoption of national lists of processing operations requiring a data protection impact assessment. Two opinions concerned Binding Corporate Rules, two others concerned draft accreditation requirements for a code of conduct monitoring body, and one concerned Standard Contractual Clauses[35]. Furthermore, the Board adopted, on request, six opinions[36]. Three of these opinions concerned national lists identifying processing which does not require a data protection impact assessment. The others concerned respectively an administrative arrangement for the transfer of personal data between EEA and non-EEA financial supervisory authorities, the interplay between the ePrivacy Directive and the GDPR, and the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment[37].

Challenges to be addressed

Although the data protection authorities have been very actively working together in the Board and already make intensive use of the cooperation tool of mutual assistance, building a truly common data protection culture is still an ongoing process. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and the effective use of all cooperation tools provided in the GDPR.
There is a very broad consensus on this point since it was raised in different ways by the European Parliament, the Council, the European Data Protection Supervisor, stakeholders (within the Multi-stakeholder Group and beyond) and by the data protection authorities. The main issues to be tackled in this context include differences in: national administrative procedures, concerning in particular: complaint handling procedures, the admissibility criteria for complaints, the duration of proceedings due to different timeframes or the absence of any deadlines, the moment in the procedure when the right to be heard is granted, the information and involvement of complainants during the procedure; interpretations of concepts relating to the cooperation mechanism, such as relevant information, the notion of “without delay”, “complaint”, the document which is defined as the “draft decision” of the lead data protection authority, amicable settlement (in particular the procedure leading to amicable settlement and the legal form of the settlement); and the approach to when to start the cooperation procedure, involve the concerned data protection authorities and communicate information to them. Complainants also lack clarity on how their cases are handled in cross-border situations, as was stressed by several members of the Multi-stakeholder Group. Moreover, 32 Article 65 GDPR. 33 Article 66 GDPR. 34 Under Article 64(1) GDPR. 35 Article 28(8) GDPR. 36 Under Article 64(2) GDPR. 37 See contribution from the Board, page 15. 10 businesses mention that in certain instances national data protection authorities did not refer cases to the lead data protection authority, but handled them as local cases. The Commission welcomes the Board’s announcement that it has started a reflection on how to address these concerns. 
In particular, the Board indicated that it will clarify the procedural steps involved in the cooperation between the lead data protection authority and the concerned data protection authorities, analyse national administrative procedural laws, work towards a common interpretation of key concepts, and strengthen communication and cooperation (including joint operations). The Board’s reflection and analysis should lead to devising more efficient working arrangements in cross-border cases[38], including by building on the expertise of its members and by strengthening the involvement of its secretariat. In addition, it should be noted that the Board’s responsibility in ensuring a consistent interpretation of the GDPR cannot be discharged by simply finding the lowest common denominator. Finally, as an EU body the Board must also apply EU administrative law and ensure transparency in the decision making process.

2.3 Advice and guidelines

Awareness raising and advice by data protection authorities

Several data protection authorities created new tools, such as help lines for individuals and businesses, and toolkits for businesses[39]. Many operators welcome the pragmatism shown by these authorities in assisting with the application of the GDPR. In particular, several of them have actively and closely collaborated and communicated with data protection officers, including through data protection officers’ associations. Many authorities also issued guidelines covering the data protection officers’ role and obligations to support data protection officers during their daily activities and held seminars specifically designed for them. However, this is not the case for all data protection authorities.

Feedback received from stakeholders also points to a number of issues as regards guidance and advice:
- the lack of a consistent approach and guidance between national data protection authorities on certain issues (e.g. on cookies[40], the application of legitimate interest, on data breach notifications or on data protection impact assessments) or even between data protection authorities within the same Member States (e.g. in Germany on the notions of controller and processor);
- the inconsistency of guidelines adopted at national level with those adopted by the Board;
- the absence of public consultations on certain guidelines adopted at national level;
- different levels of engagement with stakeholders among data protection authorities;
- delays in receiving responses to information requests;
- difficulties in obtaining practical and valuable advice from data protection authorities;
- the need to increase the level of sectoral expertise in some data protection authorities (e.g. in the health and pharma sector).

Several of these issues are also linked to the lack of resources in several data protection authorities (see below).

Divergent practices as regards the notification of data breaches[41]

While the Council highlights the burden caused by such notifications, there are significant discrepancies on notifications between Member States: whereas from May 2018 to end November 2019, in most Member States the total number of data breach notifications was below 2 000, and in 7 Member States between 2 000 and 10 000, the Dutch and German data protection authorities reported respectively 37 400 and 45 600 notifications[42].

[38] As also pointed out in the Council position and findings.
[39] See below under point 7.
[40] Pending the adoption of the ePrivacy Regulation, close cooperation with the competent authorities responsible for the enforcement of the ePrivacy Directive in the Member States is necessary. In accordance with that Directive, in some Member States the authorities competent for enforcing Article 5(3) of the ePrivacy Directive (which sets out the conditions under which “cookies” may be set and accessed on a user’s terminal equipment) are not the same as the GDPR supervisory authorities.
This may point to a lack of consistent interpretation and implementation, despite the existence of EU-level guidelines on data breach notifications.

Guidelines of the European Data Protection Board

To date, the Board adopted more than 20 guidelines covering key aspects of the GDPR[43]. The guidelines are an essential tool for the consistent application of the GDPR and have, therefore, been to a large extent welcomed by stakeholders. Stakeholders have appreciated the systematic (6 to 8 weeks) public consultation. However, they ask for more dialogue with the Board. In this context, the practice of organising workshops on targeted topics prior to drafting guidelines should be continued and amplified to ensure the transparency, inclusiveness, and relevance of the Board’s work. Stakeholders also request that the interpretation of the most contentious issues should be addressed in the guidelines, since these are subject to public consultation, and not within opinions under Article 64(2) of the GDPR. Some stakeholders also call for more practical guidelines, detailing the application of concepts and provisions of the GDPR[44]. Members of the Multi-stakeholder Group stress the need for more concrete examples to reduce the room for diverging interpretations between data protection authorities as much as possible. At the same time, the requests to clarify how to apply the GDPR and to provide legal certainty should not lead to additional requirements or diminish the advantages of the risk-based approach and the accountability principle.

[41] Article 33 GDPR.
[42] See contribution from the Board, page 35.
[43] The work on guidelines already started before the entry into application of the GDPR on 25 May 2018 in the context of the Article 29 Working Party. See the full list of guidelines at https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
[44] This has also been highlighted by the European Parliament and by the Council.
The topics on which stakeholders would like additional guidelines from the Board include:
- the scope of data subjects’ rights (including in the employment context);
- updates to the opinion on processing based on legitimate interest;
- the notions of controller, joint controller and processor and the necessary arrangements between the parties[45];
- the application of the GDPR to new technologies (such as blockchain and artificial intelligence);
- processing in the context of scientific research (including in relation to international collaboration);
- the processing of children’s data;
- pseudonymisation and anonymisation; and
- the processing of health data.

The Board has already indicated that it will issue guidelines on many of these topics and the work already started on several of them (e.g. on the application of legitimate interest as a legal basis for processing). Stakeholders ask the Board to update and revise existing guidelines where appropriate, taking into account the experience gathered since their publication and taking the opportunity to go into more detail where needed.

2.4 Resources of the data protection authorities

Providing each data protection authority with the necessary human, technical and financial resources, premises and infrastructure is a prerequisite for the effective performance of their tasks and exercise of their powers, and therefore an essential condition for their independence[46]. Most data protection authorities benefited from an increase in staff and resources since the GDPR entered into force in 2016[47]. However, many of them still report that they do not have sufficient resources[48].

Number of staff working for national data protection authorities

The total number of staff working in EEA data protection authorities considered together has increased by 42% between 2016 and 2019 (by 62% if one considers the 2020 forecast).
The number of staff has increased in most authorities during this period, with the biggest increase (as a percentage) registered for authorities in Ireland (+169%), the Netherlands (+145%), Iceland (+143%), Luxembourg (+126%) and Finland (+114%). On the other hand, the number of staff decreased in several data protection authorities, with the sharpest decreases observed in Greece (-15%), Bulgaria (-14%), Estonia (-11%), Latvia (-10%) and Lithuania (-8%). In some authorities, the decrease in staff is also due to the departure of data protection experts to the private sector offering more attractive conditions. In general, the forecast for 2020 provides for an increase of staff compared to 2019, except for authorities in Austria, Bulgaria, Italy, Sweden and Iceland (where staff numbers are expected to remain stable), Cyprus and Denmark (where staff numbers are expected to decrease). The German data protection authorities[49] together have the highest number of staff (888 in 2019/1002 in 2020 forecast), followed by the data protection authorities in Poland (238/260), France (215/225), Spain (170/220), the Netherlands (179/188), Italy (170/170) and Ireland (140/176). The data protection authorities with the lowest staff numbers are those in Cyprus (24/22), Latvia (19/31), Iceland (17/17), Estonia (16/18) and Malta (13/15).

Budget of national data protection authorities

The total budget of EEA data protection authorities considered together has increased by 49% between 2016 and 2019 (by 64% if one considers the 2020 forecast).

[45] Guidelines from the Board on controllers and processors are currently in preparation.
[46] See Article 52(4) GDPR.
[47] The Regulation entered into force in May 2016 and into application in May 2018, following a 2-year transition period.
[48] See contribution from the Board, pages 26-30.
The budget of most authorities increased during this period, with the biggest increase (as a percentage) registered for authorities in Ireland (+223%), Iceland (+167%), Luxembourg (+165%), the Netherlands (+130%) and Cyprus (+114%). On the other hand, some authorities saw only a small budget increase, with the smallest increases registered for data protection authorities in Estonia (7%), Latvia (4%), Romania (3%) and Belgium (1%), while the authority in France experienced a decrease (-2%). In general, the forecast for 2020 provides for an increase in budget compared to 2019, except for the authorities in Austria, Bulgaria, Estonia and the Netherlands (whose budgets are expected to remain stable). The data protection authorities with the highest budget are those of Germany (EUR 76.6 million in 2019/EUR 85.8 million in the 2020 forecast), Italy (29.1/30.1), the Netherlands (18.6/18.6), France (18.5/20.1) and Ireland (15.2/16.9). The authorities with the lowest budget are those of Croatia (EUR 1.2 million in 2019/EUR 1.4 million in the 2020 forecast), Romania (1.1/1.3), Latvia (0.6/1.2), Cyprus (0.5/0.5) and Malta (0.5/0.6). The table in Annex II provides an overview of the human and budgetary resources of national data protection authorities.

Besides impacting their capacity to enforce rules at national level, the lack of resources also limits data protection authorities’ capacity to participate in and contribute to the cooperation and consistency mechanisms, and to the work carried out within the Board. As highlighted by the Board, the success of the one-stop-shop mechanism depends on the time and effort that data protection authorities can dedicate to the handling of and cooperation on individual cross-border cases. The resource issue is compounded by the authorities’ increased role in the supervision of large-scale IT systems that are currently being developed.
Furthermore, the data protection authorities in Ireland and Luxembourg have specific resource needs given their role as lead authorities for the enforcement of the GDPR vis-à-vis big tech companies, which are located mostly in these Member States. While the Council points to the impact of the cooperation mechanism and its deadlines on the work of data protection authorities[50], the GDPR obliges Member States to provide their national data protection authorities with adequate human, financial and technical resources[51]. The secretariat of the Board, which is provided by the European Data Protection Supervisor[52], is currently composed of 20 people, including legal, IT and communication experts. It is to be assessed whether this figure needs to evolve in the future in light of the effective fulfilment of its function of analytical, administrative and logistical support to the Board and its subgroups, including through the management of the information exchange system.

[49] There are 18 authorities in Germany, of which one is a federal authority and 17 are regional authorities (including two in Bavaria).

3 HARMONISED RULES BUT STILL A DEGREE OF FRAGMENTATION AND DIVERGING APPROACHES

The GDPR provides for a consistent approach to data protection rules throughout the EU, replacing the different national regimes that existed under the 1995 Data Protection Directive.

3.1 Implementation of the GDPR by the Member States

The GDPR has been directly applicable in all Member States since 25 May 2018. It obliged Member States to legislate, in particular to set up national data protection authorities and the general conditions for their members, in order to ensure that each authority acts with complete independence in performing its tasks and exercising its powers in accordance with the GDPR. Legal obligations and public tasks can constitute a legal ground for the processing of personal data only if they are laid down in (Union or) national law.
In addition, Member States must lay down rules on penalties in particular for infringements not subject to administrative fines and must reconcile the right to the protection of personal data with the right to freedom of expression and information. National law can also provide for a legal basis for the exemption from the general prohibition for processing special categories of personal data, for example for reasons of substantial public interest in the area of public health, including protection against serious cross-border threats to health. Furthermore, Member States must ensure the accreditation of certification bodies.

The Commission is monitoring the implementation of the GDPR in national legislation. At the time of writing this report, all Member States except Slovenia have adopted new data protection legislation or adapted their law in this area. The Commission therefore requested Slovenia to provide clarification on the progress made to date and urged it to finalise that process[53]. In addition, the compliance of national legislation with data protection rules as regards the Schengen acquis is also assessed in the context of the Schengen Evaluation Mechanism coordinated by the Commission. The Commission and Member States jointly evaluate how countries implement and apply the Schengen acquis in a number of areas; for data protection this concerns large-scale IT systems like the Schengen Information System and the Visa Information System and includes the role of data protection authorities in supervising the processing of personal data within those systems. Work on adapting sectoral laws is still ongoing at national level. Following the GDPR’s incorporation into the European Economic Area Agreement, its application was extended to Norway, Iceland and Liechtenstein. These countries have also adopted their national data protection laws.

[50] Article 60 GDPR.
[51] Article 52(4) GDPR.
[52] Article 75 GDPR.
The Commission will make use of all the tools at its disposal, including infringement procedures, to ensure that Member States comply with the GDPR.

Main issues relating to national implementation

The main issues identified to date as part of the ongoing assessment of national legislation and bilateral exchanges with Member States include:
- Restrictions to the GDPR’s application: some Member States, for example, completely exclude the activities of the national parliament;
- Differences in the applicability of national specification laws. Some Member States link the applicability of their national law to the place where the goods or services are offered, others to the place of establishment of the controller or processor. This runs contrary to the objective of harmonisation pursued by the GDPR;
- National laws that raise questions on the proportionality of the interference with the right to data protection. For example, the Commission launched an infringement procedure against a Member State that had enacted legislation requiring judges to disclose specific information about their non-professional activities, which is incompatible with the right to respect for private life and the right to the protection of personal data[54];
- The absence of an independent body for the supervision of data processing by courts acting in their judicial capacity[55].
- Legislation in areas fully regulated by the GDPR beyond the margin for specifications or restrictions. This is, in particular, the case where national provisions determine conditions for processing based on legitimate interest, by providing for the balancing of the respective interests of the controller and of the individuals concerned, while the GDPR obliges each and every controller to undertake such balancing individually and avail itself of that legal basis.
- Specifications and additional requirements beyond processing for compliance with a legal obligation or performance of a public task (e.g. for video surveillance in the private sector or for direct marketing); and for concepts used in the GDPR (e.g. ‘large scale’ or ‘erasure’).

Some of these issues may be clarified by the Court of Justice in cases that are still pending[56].

Reconciliation of the right to the protection of personal data with freedom of expression and information

A specific issue concerns the implementation of the obligation for Member States to reconcile by law the right to the protection of personal data with freedom of expression and information[57]. This issue is very complex, since an assessment of the balancing between these fundamental rights must also take into account provisions and safeguards in press and media laws.

[53] It has to be noted that the national data protection authority in Slovenia is set up based on the current national data protection law and supervises the application of the GDPR in that Member State.
[54] This infringement procedure concerns the Polish law on the judiciary of 20 December 2019, which affects the independence of the judges and concerns, inter alia, the disclosure of the engagement of judges in non-professional activities: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_772.
[55] See Article 8(3) of the Charter; Article 16 TFEU; recital 20 of the GDPR.
The assessment of Member State legislation shows different approaches to the reconciliation of the right to the protection of personal data with freedom of expression and information:
- Some Member States lay down the principle of precedence of freedom of expression or exempt in principle the application of entire chapters mentioned in Article 85(2) GDPR if processing for journalistic purposes and for academic, artistic and literary expression is at stake. To a certain extent, media laws provide for some safeguards as regards data subject rights.
- Some Member States lay down the precedence of the protection of personal data and exempt the application of data protection rules only in specific situations, such as where a person with public status is concerned.
- Other Member States provide for a certain balancing by the legislator and/or a case-by-case assessment as regards derogations from certain provisions of the GDPR.

The Commission will continue its assessment of national legislation on the basis of the requirements of the Charter. The reconciliation must be provided for by law, respect the essence of those fundamental rights, and be proportional and necessary (Article 52(1) of the Charter). Data protection rules should not affect the exercise of freedom of expression and information especially by creating a chilling effect or by being interpreted as a way to put pressure on journalists to disclose their sources.

[56] For example, the exemption of a parliamentary committee from the application of the GDPR is subject to a pending court case for a preliminary ruling (C-272/19).
[57] Article 85 GDPR.

3.2 Facultative specification clauses and their limits

The GDPR gives Member States the possibility to further specify its application in a limited number of areas. This margin for national legislation is to be distinguished from the obligation to implement certain other provisions of the GDPR as mentioned above.
The clauses for facultative specifications are listed in Annex I. The margins for Member State law are subject to the conditions and limits set by the GDPR and do not allow for a parallel national data protection regime[58]. Member States are obliged to amend or repeal the national data protection laws, including sectoral legislation with data protection aspects. Furthermore, related Member State legislation must not include provisions which might create confusion regarding the direct application of the GDPR. Therefore, where the GDPR provides for specifications or restrictions of its rules by Member State law, Member States may incorporate elements of the GDPR in their national law, to the extent necessary to ensure coherence and to render the national provisions comprehensible to the persons to whom they apply[59].

Stakeholders consider that Member States should reduce or refrain from using facultative specification clauses since they do not contribute to harmonisation. The national divergences in both the implementation of the laws and their interpretation by data protection authorities considerably increase the cost of legal compliance across the EU.

Fragmentation linked to the use of facultative specification clauses

Age limit for children’s consent for information society services

A number of Member States have made use of the possibility to provide for a lower age than 16 years for consent in relation to information society services (Article 8(1) GDPR). Whereas nine Member States apply the 16 years’ age limit, eight Member States opted for 13 years, six for 14 years and three for 15 years[60]. Consequently, a company providing information society services to minors across the EU has to distinguish between the ages of potential users, depending on which Member State they reside in. This is contrary to the key objective of the GDPR to provide for an equal level of protection to individuals and of business opportunities in all Member States.
Such differences lead to situations where the Member State in which the controller is established provides for another age limit than the Member States where the data subjects are residing.

[58] The widely used term of “opening clauses” to mean specification clauses is misleading since it might give the impression that Member States have margins of manoeuvre beyond the provisions of the Regulation.
[59] Recital 8 of the GDPR.
[60] 13 years for Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal and Sweden; 14 years for Austria, Bulgaria, Cyprus, Spain, Italy and Lithuania; 15 years for Czech Republic, Greece and France; 16 years for Germany, Hungary, Croatia, Ireland, Luxembourg, the Netherlands, Poland, Romania and Slovakia.

Health and research

When implementing derogations from the general prohibition for processing special categories of personal data[61], Member State legislation follows different approaches as regards the level of specification and safeguards, including for health and research purposes. Most Member States introduced or maintained further conditions for the processing of genetic data, biometric data or data concerning health. This is also true for derogations related to data subject rights for research purposes[62], both as regards the extent of the derogations and the related safeguards. The Board’s future guidelines on the use of personal data in the field of scientific research will contribute to a harmonised approach in this area. The Commission will provide input to the Board, in particular as regards health research, including in the form of concrete questions and analysis of concrete scenarios that it received from the research community. It would be helpful if these guidelines could be adopted before the launch of the Horizon Europe Framework Programme in view of harmonising data protection practices and facilitating data sharing for research advancements.
Guidelines from the Board on the processing of personal data in the area of health could also be useful. The GDPR provides a robust framework for national legislation in the area of public health and explicitly includes cross-border health threats and the monitoring of epidemics and their spread[63], which was relevant in the context of the fight against the COVID-19 pandemic. At EU level, on 8 April 2020 the Commission adopted a Recommendation for a toolbox for the use of technology and data in this context, including mobile applications and the use of anonymised mobility data[64], and on 16 April 2020 a guidance on apps supporting the fight against the pandemic in relation to data protection[65]. The Board published a statement on data processing in this context on 19 March 2020[66], followed on 21 April 2020 by guidelines on data processing for research purposes and on the use of localisation data and contact tracing tools in this context[67]. These recommendations and guidelines clarify how the principles and rules on the protection of personal data apply in the context of the fight against the pandemic.

Extensive restrictions of data subjects’ rights

Most national data protection laws that restrict data subjects’ rights do not specify the objectives of general public interest safeguarded by these restrictions and/or do not sufficiently meet the conditions and safeguards required by Article 23(2) of the GDPR[68].

[61] Article 9 GDPR.
[62] Article 89(2) GDPR.
[63] See Article 9(2)(i) GDPR and recital 46.
[64] https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf
[65] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020XC0417(08)&from=EN
[66] https://edpb.europa.eu/news/news/2020/statement-processing-personal-data-context-covid-19-outbreak_en
[67] https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
Several Member States leave no room for the proportionality test or extend the restrictions even beyond the scope of Article 23(1) of the GDPR. For example, some national laws deny the right of access for reasons of disproportionate effort on the side of the controller, for personal data which are stored on the basis of a retention obligation or related to the performance of public tasks without limiting such restriction to objectives of general public interest.

Additional requirements for companies

Although the requirement of a mandatory data protection officer is based on the risk-based approach[69], one Member State[70] extended it to a quantitative criterion, obliging companies in which 20 employees or more are permanently involved in the automated processing of personal data to designate a data protection officer, independently of the risks connected with the processing activities[71]. This has led to additional burdens.

4 EMPOWERING INDIVIDUALS TO CONTROL THEIR DATA

The GDPR makes fundamental rights effective, in particular the right to the protection of personal data, but also the other fundamental rights recognised by the Charter, including the respect for private and family life, freedom of expression and information, non-discrimination, freedom of thought, conscience and religion, freedom to conduct a business and the right to an effective remedy. These rights must be balanced against each other in accordance with the principle of proportionality[72]. The GDPR provides individuals with enforceable rights, such as the right of access, rectification, erasure, objection, portability and enhanced transparency. It also gives individuals the right to lodge a complaint with a data protection authority, including through representative actions, and to judicial redress. Individuals are increasingly aware of their rights, as shown in the results of the July 2019 Eurobarometer[73] and the survey carried out by the Fundamental Rights Agency[74].
According to the Fundamental Rights Survey carried out by the Fundamental Rights Agency:
- 69% of the population aged 16+ in the EU have heard about the GDPR;
- 71% of respondents in the EU have heard about their national data protection authority; this figure ranges from 90% in the Czech Republic to 44% in Belgium;
- 60% of respondents in the EU are aware of a law that allows them to access their personal data as held by public administration; however, this percentage decreases to 51% for private companies;
- more than one in five respondents (23%) in the EU do not want to share personal data (such as one’s address, citizenship or date of birth) with public administration, and 41% do not want to share these data with private companies.

Individuals are increasingly using their right to lodge complaints with data protection authorities, either individually or by representative actions[75]. Only a few Member States have allowed non-governmental organisations to launch actions without a mandate, in line with the possibility provided by the GDPR. The proposed Directive on representative actions for the protection of the collective interests of consumers[76] is expected, once adopted, to strengthen the framework for representative actions also in the field of data protection.

Complaints

The total number of complaints between May 2018 and end of November 2019 as reported by the Board is around 275 000[77].

[68] For instance because they simply repeat the wording of Article 23(1) GDPR.
[69] Article 37(1) GDPR.
[70] Germany.
[71] Making use of the specification clause in Article 37(4) GDPR.
[72] Cf. recital 4 of the GDPR.
[73] https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2956
[74] European Union Agency for Fundamental Rights (FRA) (2020): Fundamental Rights Survey 2019. Data protection and technology: https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection
However, this figure should be considered with much caution given that the definition of a complaint is not identical among authorities. The absolute number of complaints received by data protection authorities[78] is very different between Member States. The highest numbers of complaints were registered in Germany (67 000), the Netherlands (37 000), Spain and France (18 000 each), Italy (14 000), Poland and Ireland (12 000 each). Two-thirds of authorities reported the number of complaints as ranging between 8 000 and 600. The lowest numbers of complaints were registered in Estonia and Belgium (around 500 each), Malta and Iceland (fewer than 200 each). The number of complaints is not necessarily correlated to the size of the population or GDP, with for instance close to twice as many complaints in Germany compared to the Netherlands, and four times as many compared to Spain and France.

Feedback from the Multi-stakeholder Group shows that organisations have put in place a variety of measures to facilitate the exercise of data subjects’ rights, including implementing processes that ensure individual review of requests and a reply from the controller, the use of several channels (mail, dedicated email address, website, etc.), updated internal procedures and policies on the timely internal handling of requests, and staff training. Some companies have put in place digital portals accessible through the company’s website (or the company’s intranet for employees) to facilitate the exercise of rights by data subjects.

However, further progress is needed on the following points:
- Not all data controllers comply with their obligation to facilitate the exercise of data subjects’ rights[79]. They need to ensure that data subjects have an effective point of contact to whom they can explain their problems. This can be the data protection officer, whose contact details have to be provided proactively to the data subject[80]. The contact modalities must not be limited to e-mails, but must also enable the data subject to address the controller through other means.
- Individuals still face difficulties when requesting access to their data, for instance from platforms, data brokers and adtech companies.
- The right to data portability is not used to its full potential. The European Strategy for Data (hereafter Data Strategy)[81], adopted by the Commission on 19 February 2020, emphasised the need to facilitate all possible uses of this right (e.g. by mandating technical interfaces and machine-readable formats allowing portability of data in (near-to) real-time). Operators note that there are sometimes difficulties in providing the data in a structured, commonly used machine-readable format (due to the lack of standard). Only organisations in particular sectors, such as banking, telecommunications, water and heating meters, report having implemented the necessary interfaces[82]. New technological tools have been developed to facilitate the exercise by individuals of their rights under the GDPR, not limited to data portability (e.g. personal data spaces and personal information management services).
- Rights of children: Several members of the Multi-stakeholder Group stress the need to provide information to children and the fact that many organisations ignore that children may be concerned by their data processing. The Council stressed that particular attention could be paid to the protection of children when drafting codes of conduct. The protection of children is also a focus of data protection authorities[83].

[75] Article 80 GDPR.
[76] COM/2018/0184 final - 2018/089 (COD)
[77] Both under Articles 77 and 80 GDPR.
[78] See contribution from the Board, pages 31-32.
[79] Article 12(2) GDPR.
Right to information: some companies have a very legalistic approach, taking data protection notices as a legal exercise, with information being quite complex, difficult to understand or incomplete, whereas the GDPR requires that any information should be concise and use clear and plain language84 . It seems that some companies do not follow the Board’s recommendations, for example as regards listing the names of the entities with whom they share data. Several Member States extensively restricted data subjects’ rights through national law, and some even beyond the margins of Article 23 of the GDPR. The exercise of the rights of individuals is sometimes hampered by the practices of a few major digital players that make it difficult for individuals to choose the settings that most protect their privacy (in violation of the requirement of data protection by design and default85 )86 . 80 Article 13(1)(b) and Article 14 (1)(b) GDPR. 81 https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf 82 See report from the Multi-stakeholder Group. 83 See the results of a public consultation on children’s data protection rights carried out by the Irish data protection authority: https://www.dataprotection.ie/sites/default/files/uploads/2019- 09/Whose%20Rights%20Are%20They%20Anyway_Trends%20and%20Hightlights%20from%20S tream%201.pdf. The French data protection authority also launched a public consultation in April 2020: https://www.cnil.fr/fr/la-cnil-lance-une-consultation-publique-sur-les-droits-des-mineurs- dans-lenvironnement-numerique 84 Article 12(1) GDPR. 85 Article 25 GDPR. 22 The Board’s guidelines on data subjects’ rights are eagerly awaited by stakeholders. 5 OPPORTUNITIES AND CHALLENGES FOR ORGANISATIONS, IN PARTICULAR SMALL AND MEDIUM SIZE ENTERPRISES Opportunities for organisations The GDPR fosters competition and innovation. 
Together with the Free Flow of Non-Personal Data Regulation [87], it ensures the free flow of data within the EU and creates a level playing field with companies not established in the EU. By creating a harmonised framework for the protection of personal data, the GDPR ensures that all actors in the internal market are bound by the same rules and benefit from the same opportunities, regardless of where they are established and where the processing takes place.

The technological neutrality of the GDPR provides the data protection framework for new technological developments. The principles of data protection by design and by default incentivise innovative solutions, which include data protection considerations from the outset and may reduce the cost of compliance with data protection rules.

In addition, privacy becomes an important competitive parameter that individuals increasingly take into consideration when choosing their services. Those who are more informed and sensitive to data protection considerations look for products and services that ensure effective protection of personal data.

The implementation of the right to data portability has the potential to lower the barriers to entry for businesses offering innovative, data-protection-friendly services. The effects of a potentially broader use of this right on the market in different sectors should be monitored.

Compliance with the data protection rules and their transparent application will create trust in the use of people’s personal data and thus new opportunities for businesses. Like all regulation, data protection rules have inherent compliance costs for companies. However, these costs are outweighed by the opportunities and advantages of strengthened trust in digital innovation and the societal benefits resulting from respecting a fundamental right.
By ensuring a level playing field and equipping data protection authorities with what they need to enforce the rules effectively, the GDPR prevents non-compliant companies from free-riding on the trust built by those who follow the rules.

[86] See report by the Norwegian Consumer Council, Deceived by Design, which highlighted the “dark patterns”, default settings and other features and techniques used by companies to nudge users towards intrusive options: https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design/ See also the research published in December 2019 by the Transatlantic Consumer Dialogue and the Heinrich-Böll-Stiftung Brussels European Union analysing the practices of three major global platforms: https://eu.boell.org/en/2019/12/11/privacy-eu-and-us-consumer-experiences-across-three-global-platforms
[87] Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union - OJ L 303, 28.11.2018, p. 59–68.

Specific challenges for Small and Medium size Enterprises (SMEs)

There is a general perception by stakeholders, but also by the European Parliament, the Council and data protection authorities, that applying the GDPR is especially challenging for micro, small and medium size enterprises, and for small voluntary and charitable organisations.

According to the risk-based approach, it would not be appropriate to provide derogations based on the size of the operators, as their size is not in itself an indication of the risks that the processing of personal data they undertake can create for individuals. The risk-based approach pairs flexibility with effective protection.
It takes into account the needs of SMEs that do not have processing of data as their core business, and calibrates their obligations in particular based on the likelihood and severity of the risks related to the specific processing they carry out [88]. Small and low-risk processing should not be treated in the same way as high risk and frequent processing – independently of the size of the company that undertakes it. Therefore, as the Board concluded, “in any case, the risk-based approach promoted by the legislator in the text should be maintained, as risks for data subjects do not depend on the size of controllers” [89]. The data protection authorities should fully take on board this principle when enforcing the GDPR, preferably within a common European approach in order not to create barriers to the Single Market.

The data protection authorities developed several tools and stressed their intention to further improve them. Some authorities have launched awareness campaigns and will even hold free “GDPR classes” for SMEs.

Examples of guidance and tools provided by data protection authorities specifically to SMEs:
- publication of information addressed to SMEs;
- seminars for data protection officers and events for SMEs that do not need to designate a data protection officer;
- interactive guides to assist SMEs;
- hotlines for consultations;
- templates for processing contracts and records on processing activities.

A description of activities carried out by data protection authorities is presented in the Board’s contribution [90].

Several of the actions that specifically support SMEs received EU funding. The Commission provided financial support through three waves of grants, for a total of EUR 5 million, with the two most recent ones specifically aimed at supporting national data protection authorities in their efforts to reach out to individuals and SMEs.
As a result, in 2018, EUR 2 million were allocated to nine data protection authorities for activities in 2018-2019 (Belgium, Bulgaria, Denmark, Hungary, Lithuania, Latvia, the Netherlands, Slovenia, and Iceland) [91], and in 2019 EUR 1 million was allocated to four data protection authorities for activities in 2020 (Belgium, Malta, Slovenia and Croatia in partnership with Ireland) [92]. An additional EUR 1 million will be allocated in 2020.

[88] Article 24(1) GDPR.
[89] See contribution from the Board, p. 35.
[90] See contribution from the Board, pages 35-45.

Despite these initiatives, SMEs and start-ups often report that they struggle with the implementation of the accountability principle set forth under the GDPR [93]. They notably report that they do not always get enough guidance and practical advice from the national data protection authorities, or that the time it takes to get guidance and advice is too long. There have also been cases where authorities were reluctant to engage in legal issues. When confronted with such situations, SMEs often turn to external advisors and lawyers to deal with the implementation of the accountability principle and the risk-based approach (including transparency requirements, records of processing and data breach notifications). This may also create further costs for them.

One specific issue is the recording of processing activities, which is considered by SMEs and small associations as a cumbersome administrative burden. The exemption from that obligation in Article 30(5) GDPR is indeed very narrow. However, the related efforts for complying with that obligation should not be over-estimated. Where the core business of SMEs does not involve the processing of personal data, such records may be simple and not burdensome. The same applies for voluntary and other associations. Such simplified records would be facilitated by records templates, as is already the practice of some data protection authorities.
In any case, everyone who processes personal data should have an overview of their data processing as a basic requirement of the accountability principle. The development of practical tools at EU level by the Board, such as harmonised forms for data breaches and simplified records of processing activities, may help SMEs and small associations [94] whose main activities do not focus on the processing of personal data to meet their obligations.

Various industry associations have made efforts to raise awareness and inform their members, for instance through conferences and seminars, providing businesses with information on available guidance, or developing a privacy assistance service for members. They also report an increasing number of seminars, meetings and events organised by think tanks and SME associations on matters related to the GDPR.

In order to enhance the free movement of all data within the EU and to establish a coherent application of the GDPR and the Free Flow of Non-Personal Data Regulation, the Commission also issued practical guidance on rules governing the processing of mixed datasets, composed of both personal and non-personal data, targeting especially SMEs [95].

[91] https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/rec-rdat-trai-ag-2017.
[92] https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules/eu-funding-supporting-implementation-gdpr_en
[93] See report from the Multi-stakeholder Group.
[94] See contribution from the Council.

Toolbox for businesses

The GDPR provides for tools that help demonstrate compliance, such as codes of conduct, certification mechanisms, and standard contractual clauses.

Codes of conduct

The Board has issued guidelines [96] to support and facilitate “code owners” in drafting, amending or extending codes, and to provide practical guidance and interpretative assistance.
These guidelines also clarify the procedures for the submission, approval and publication of codes at both national and EU level by setting out the minimum criteria required.

Stakeholders consider codes of conduct as very useful tools. Although many codes are implemented at national level, a number of EU-wide codes of conduct are currently in preparation (for instance on mobile health apps, health research in genomics, cloud computing, direct marketing, insurance, processing by prevention and counselling services for children) [97]. Operators believe that EU-wide codes of conduct should be promoted more prominently as they foster the consistent application of the GDPR across all Member States. However, codes of conduct also require time and investment from operators both for their development and for the setting up of the required independent monitoring bodies.

Representatives from SMEs stress the importance and usefulness of codes of conduct tailored to their situation and not entailing disproportionate costs. Consequently, business associations in a number of sectors implemented other kinds of self-regulatory tools such as codes of good practice or guidance. While such tools may provide useful information, they do not have the approval of data protection authorities and cannot serve as a tool to help demonstrate compliance with the GDPR.

The Council stresses that codes of conduct must pay particular attention to the processing of children’s data and health data. The Commission is supporting code(s) of conduct that would harmonise the approach in health and research and facilitate the cross-border processing of personal data [98].

The Board is in the process of approving draft accreditation requirements for codes of conduct monitoring bodies put forward by a number of data protection authorities [99]. Once transnational or EU codes of conduct are ready to be submitted to data protection authorities for approval, they will undergo consultation of the Board.
Having transnational codes of conduct rapidly in place is especially important for areas involving the processing of significant amounts of data (e.g. cloud computing) or sensitive data (e.g. health/research).

[95] Communication from the Commission to the European Parliament and the Council - Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union, COM/2019/250 final.
[96] https://edpb.europa.eu/our-work-tools/our-documents/wytyczne/guidelines-12019-codes-conduct-and-monitoring-bodies-under_en.
[97] See report from the Multi-stakeholder Group.
[98] See actions announced in the European Strategy for Data, page 30.
[99] Under Article 41(3) GDPR. See EDPB opinions at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en

Certification

Certification can be a useful instrument to demonstrate compliance with specific requirements of the GDPR. It can increase legal certainty for businesses and promote the GDPR globally. As pointed out in the study on certification published in April 2019 [100], the objective should be to facilitate the uptake of relevant schemes. The development of certification schemes in the EU will be supported by the guidelines issued by the Board on certification criteria [101] and on the accreditation of certification bodies [102].

Security and data protection by design are key elements to be considered in certification schemes under the GDPR and would benefit from a common and ambitious approach throughout the EU. The Commission will continue to support the current contacts between the European Union Agency for Cybersecurity (ENISA), the data protection authorities and the Board.

As regards cybersecurity, following the adoption of the Cybersecurity Act the Commission requested that ENISA prepare two certification schemes, including one scheme for cloud services [103]. Further schemes addressing the cybersecurity of services and products for consumers are under consideration.
While these certification schemes established under the Cybersecurity Act do not explicitly address data protection and privacy, they contribute to increasing consumers’ trust in digital services and products. Such schemes may provide evidence of adherence to the principles of security by design as well as the implementation of appropriate technical and organisational measures related to the security of processing of personal data.

Standard contractual clauses

The Commission is working on standard contractual clauses between controllers and processors [104], also in light of the modernisation of the standard contractual clauses for international transfers (see Section 7.2). A Union act, adopted by the Commission, will have EU-wide binding effect, which will ensure full harmonisation and legal certainty.

6 THE APPLICATION OF THE GDPR TO NEW TECHNOLOGIES

A technology neutral framework open to new technologies

The GDPR is technology-neutral, trust-enabling, and based on principles [105]. These principles, including lawful and transparent processing, purpose limitation and data minimisation, provide for a solid basis for the protection of personal data, irrespective of the processing operations and techniques applied.

Members of the Multi-stakeholder Group report that overall the GDPR has a positive impact on the development of new technologies and provides a good basis for innovation. The GDPR is seen as an essential and flexible tool for ensuring the development of new technologies in accordance with fundamental rights. The implementation of its core principles is particularly crucial for data intensive processing. The GDPR’s risk based and technology neutral approach provides a level of data protection that is adequate to address the risk of processing, including by emerging technologies.

In particular, stakeholders mention that the GDPR’s principles of purpose limitation and further compatible processing, data minimisation, storage limitation, transparency, accountability and the conditions under which automated decision making processes [106] can be legally deployed to a large extent address the concerns related to the use of artificial intelligence. The future-proof and risk based approach of the GDPR will also be applied in the possible future framework for artificial intelligence and when implementing the Data Strategy. The Data Strategy aims at fostering data availability and at the creation of common European data spaces supported by federated cloud infrastructure services. As regards personal data, the GDPR provides the main legal framework, within which effective solutions can be devised on a case-by-case basis depending on the nature and content of each data space.

The GDPR has increased awareness about the protection of personal data both within and outside the EU and has prompted companies to adapt their practices to take into account data protection principles when innovating.

[100] https://ec.europa.eu/info/study-data-protection-certification-mechanisms_en
[101] https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-12018-certification-and-identifying-certification_en.
[102] https://edpb.europa.eu/our-work-tools/our-documents/retningslinjer/guidelines-42018-accreditation-certification-bodies_en. Several supervisory authorities have already submitted their accreditation requirements to the EDPB, both for code of conduct monitoring bodies and for certification bodies. See the overview at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[103] https://ec.europa.eu/digital-single-market/en/news/towards-more-secure-and-trusted-cloud-europe
[104] Article 28(7) GDPR.
[105] As recalled by the Council, the European Parliament and the Board in their contributions to the evaluation.
However, civil society organisations note that, although the GDPR’s impact on the development of new technologies appears positive, the practices of major digital players have not yet fundamentally changed towards more privacy-friendly processing. Strong and effective enforcement of the GDPR vis-à-vis large digital platforms and integrated companies, including in areas such as online advertising and micro-targeting, is an essential element for protecting individuals. The Commission is analysing the broader issues related to the market behaviours of large digital players in the context of the Digital Services Act package [107].

As regards research in the field of social media, the Commission recalls that the GDPR cannot be used as an excuse by social media platforms to limit researchers’ and fact-checkers’ access to non-personal data such as statistics on which targeted ads have been sent to which categories of people, the criteria for designing this targeting, information on fake accounts, etc.

The GDPR’s technologically-neutral and future-proof approach was put to the test during the COVID-19 pandemic and has proven to be successful. Its principle-based rules supported the development of tools to combat and monitor the spread of the virus.

[106] However, stakeholders observe that not all automated decision-making processes in an artificial intelligence context fall under Article 22 GDPR.
[107] https://ec.europa.eu/commission/presscorner/detail/en/ip_20_962

Challenges to be addressed

The development and application of new technologies do not put these principles into question. The challenges lie in clarifying how to apply the proven principles to the use of specific technologies such as artificial intelligence, blockchain, Internet of Things, facial recognition or quantum computing. In this context, the European Parliament and the Council stressed the need for continuous monitoring to clarify how the GDPR applies to new technologies and big tech companies.
In addition, stakeholders warn that the assessment of whether the GDPR remains fit for purpose also requires constant monitoring.

Industry stakeholders stress that innovation requires that the GDPR is applied in a principle-based way, in line with its design, rather than in a rigid and formal manner. They are of the view that the Board’s guidelines on how to apply the GDPR principles, concepts and rules to new technologies such as artificial intelligence, blockchain or Internet of Things, taking into account the risk-based approach, would help provide clarifications and more legal certainty. Such soft law tools are well suited to accompany the GDPR’s application to the new technologies since they provide for more legal certainty and can be reviewed in line with technological developments. Some stakeholders also suggest that sectoral guidance on how to apply the GDPR to new technologies could be helpful. The Board stated that it will continue to consider the impact of emerging technologies on the protection of personal data.

Stakeholders also underline the importance for regulators to get a thorough understanding of how technology is being used and to engage in a dialogue with industry on the development of emerging technologies. They consider that a ‘regulatory sandbox’ approach – as a means to obtain guidance on the application of the rules – could be an interesting option to test new technologies and help businesses apply the data protection by design and by default principle in new technologies.

In terms of further policy action, stakeholders recommend that any future policy proposals on artificial intelligence should build on the existing legal frameworks and be aligned with the GDPR. Potential specific issues should be carefully assessed, based on relevant evidence, before new prescriptive rules are proposed. The Commission White Paper on Artificial Intelligence puts forward a number of policy options on which stakeholders’ views were sought until 14 June 2020.
As regards facial recognition, a technology that may significantly impact individuals’ rights, the White Paper recalled the current legislative framework and opened a public debate on the specific circumstances, if any, which might justify the use of artificial intelligence for facial recognition and other remote biometric identification purposes in public places, and on common safeguards.

7 INTERNATIONAL TRANSFERS AND GLOBAL COOPERATION

7.1 Privacy: a global issue

The demand for the protection of personal data knows no borders, as individuals around the world increasingly cherish and value the privacy and security of their data.

At the same time, the importance of data flows for individuals, governments, companies and, more generally, society at large is an inescapable fact in our interconnected world. They constitute an integral part of trade, cooperation between public authorities and social interactions. In that respect, the current COVID-19 pandemic also highlights how critical the transfer and exchange of personal data are for many essential activities, including ensuring the continuity of government and business operations – by enabling teleworking and other solutions that heavily rely on information and communication technologies – developing cooperation in scientific research on diagnostics, treatments and vaccines, and fighting new forms of cybercrime such as online fraud schemes offering counterfeit medicines claiming to prevent or cure COVID-19.

Against this background, and more than ever before, protecting privacy and facilitating data flows have to go hand in hand. The EU, with its data protection regime combining openness to international transfers with a high level of protection for individuals, is very well placed to promote safe and trusted data flows. The GDPR has already emerged as a reference point at international level and acted as a catalyst for many countries around the world to consider introducing modern privacy rules.
This is a truly global trend running, to mention just a few examples, from Chile to South Korea, from Brazil to Japan, from Kenya to India, from Tunisia to Indonesia, and from California to Taiwan. These developments are remarkable not only from a quantitative but also from a qualitative point of view: many of the privacy laws recently adopted, or in the process of being adopted, are based on a core set of common safeguards, rights and enforcement mechanisms that are shared by the EU. In a world that is too often characterised by different, if not divergent, regulatory approaches, this trend towards global convergence is a very positive development that brings new opportunities for increasing the protection of individuals in Europe while, at the same time, facilitating data flows and lowering transaction costs for business operators.

To seize these opportunities and implement the strategy set out in its 2017 Communication on “Exchanging and Protecting Personal Data in a Globalised World” [108], the Commission has significantly stepped up its work on the international dimension of privacy, making full use of the available transfer ‘toolbox’, as explained below. This included actively engaging with key partners with a view to reaching an “adequacy finding” and yielded important results, such as the creation of the world’s largest area of free and safe data flows between the EU and Japan.

Besides its adequacy work, the Commission has worked closely with data protection authorities within the Board, as well as with other stakeholders, to harness the full potential of the GDPR’s flexible rules for international transfers.
This concerns the modernisation of instruments such as standard contractual clauses, the development of certification schemes, codes of conduct or administrative arrangements for data exchanges between public authorities, as well as the clarification of key concepts relating to, for example, the territorial scope of EU data protection rules or the use of so-called “derogations” to transfer personal data.

Finally, the Commission intensified its dialogue in a number of bilateral, regional and multilateral fora to foster a global culture of respect for privacy and develop elements of convergence between different privacy systems. In its efforts, the Commission could count on the active support of the European External Action Service and the network of EU delegations in third countries and missions to international organisations. This also ensured coherence and greater complementarity between different aspects of the external dimension of EU policies – from trade to the new Africa-EU Partnership.

[108] Communication from the Commission to the European Parliament and the Council ‘Exchanging and Protecting Personal Data in a Globalised World’, 10.1.2017 (COM(2017) 7 final).

7.2 The GDPR transfer toolbox

As more and more private and public operators rely on international data flows as part of their routine operations, there is an increasing need for flexible instruments that can be adapted to different sectors, business models and transfer situations. Reflecting these needs, the GDPR offers a modernised toolbox that facilitates the transfer of personal data from the EU to a third country or international organisation, while ensuring that the data continues to benefit from a high level of protection. This continuity of protection is important, given that in today’s world data moves easily across borders and the protections guaranteed by the GDPR would be incomplete if they were limited to processing inside the EU.
With Chapter V of the GDPR, the legislator confirmed the architecture of the transfer rules that already existed under Directive 95/46: data transfers may take place where the Commission has made an adequacy finding with respect to a third country or international organisation or, in the absence thereof, where the controller or processor in the EU (“data exporter”) has provided appropriate safeguards, for instance through a contract with the recipient (“data importer”). In addition, statutory grounds for transfers (so-called derogations) remain available for specific situations for which the legislator has decided that the balance of interests allows a data transfer under certain conditions.

At the same time, the reform has clarified and simplified the existing rules, for instance by stipulating in detail the conditions for an adequacy finding or binding corporate rules, by limiting authorisation requirements to very few, specific cases and completely abolishing notification requirements. Moreover, new transfer tools like codes of conduct or certification schemes have been introduced and the possibilities for using existing instruments (e.g. standard contractual clauses) have been expanded.

Today’s digital economy allows foreign operators to (remotely but) directly participate in the EU internal market and to compete for European customers and their personal data. Where they specifically target Europeans through the offering of goods or services, or monitoring of their behaviour, they should comply with EU law in the same way as EU operators. This is reflected in Article 3 of the GDPR, which extends the direct applicability of EU data protection rules to certain processing operations of controllers and processors outside the EU. This guarantees the necessary safeguards, and moreover a level playing field for all companies operating in the EU market. Its broad reach is one of the reasons why the effects of the GDPR have also been felt in other parts of the world.
The detailed guidance issued by the Board on the GDPR territorial scope, following a comprehensive public consultation, is therefore important to help foreign operators determine whether and which processing activities are directly subject to its safeguards, including by providing concrete examples [109].

The extension of the scope of application of EU data protection law, however, in and of itself is not sufficient to guarantee its respect in practice. As also highlighted by the Council [110], it is crucial to ensure compliance by, and effective enforcement against, foreign operators. The appointment of a representative in the EU (Article 27(1), (2) of the GDPR), who can be addressed by individuals and supervisory authorities in addition to or instead of the responsible company acting from abroad [111], should play a key role in this regard. This approach, which is also increasingly taken in other contexts [112], should be pursued more vigorously to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibility under the GDPR. Where these operators fail to meet their obligation to appoint a representative [113], supervisory authorities should make use of the full enforcement toolbox in Article 58 of the GDPR (e.g. public warnings, temporary or definitive bans on processing in the EU, enforcement against joint controllers established in the EU). Finally, it is very important that the Board finalises its work on further clarifying the relationship between Article 3 on the direct application of the GDPR and the rules on international transfers in Chapter V [114].

Adequacy decisions

The input received from stakeholders confirms that adequacy decisions continue to be an essential tool for EU operators to safely transfer personal data to third countries [115].
Such decisions provide the most comprehensive, straightforward and cost-effective solution for data transfers as these are assimilated to intra-EU transmissions, thus ensuring the safe and free flow of personal data without further conditions or need for authorisation. Adequacy decisions therefore open up commercial channels for EU operators and facilitate cooperation between public authorities, while providing privileged access to the EU single market. Building on the practice under the 1995 Directive, the GDPR explicitly allows for an adequacy determination to be made with respect to a particular territory of a third country or to a specific sector or industry within a third country (so-called ‘partial’ adequacy).

The GDPR builds upon the experience of the past years and the clarifications provided by the Court of Justice by setting out a detailed catalogue of elements that the Commission must take into account in its assessment. The adequacy standard requires a level of protection that is comparable (or ‘essentially equivalent’) to that ensured within the EU [116]. This involves a comprehensive assessment of the third country’s system as a whole, including the substance of privacy protections, their effective implementation and enforcement, as well as the rules on access to personal data by public authorities, in particular for law enforcement and national security purposes [117]. This is also reflected in the guidance adopted by the former Article 29 Working Party (and endorsed by the Board), in particular the so-called ‘adequacy referential’, which further clarifies the elements that the Commission must take into account when carrying out an adequacy assessment, including by providing an overview of ‘essential guarantees’ for access to personal data by public authorities [118]. The latter builds in particular on the case law of the European Court of Human Rights.

While the standard of ‘essential equivalence’ does not involve a point-to-point replication (‘photocopy’) of EU rules, given that the means of ensuring a comparable level of protection may vary between different privacy systems, often reflecting different legal traditions, it nevertheless requires a strong level of protection. This standard is justified by the fact that an adequacy decision essentially extends to a third country the benefits of the single market in terms of the free flow of data. However, it also means that sometimes there will be relevant differences between the level of protection ensured in the third country in question and that of the GDPR that need to be bridged, for instance through the negotiation of additional safeguards. Such safeguards should be viewed positively as they further strengthen the protections available to individuals in the EU. At the same time, the Commission agrees with the Board on the importance of continuously monitoring their application in practice, including effective enforcement by the third country data protection authority [119].

The GDPR clarifies that adequacy decisions are ‘living instruments’ that should be continuously monitored and periodically reviewed [120]. In line with these requirements, the Commission has regular exchanges with the relevant authorities to proactively follow up on new developments. For example, since the adoption of the decision on the EU-U.S. Privacy Shield in 2016 [121], the Commission, together with representatives from the Board, carried out three annual reviews to evaluate all aspects of the functioning of the framework [122]. These reviews relied on information obtained through exchanges with the U.S. authorities as well as input from other stakeholders, such as EU data protection authorities, civil society and trade associations. They have made it possible to improve the practical functioning of various elements of the framework. In a wider perspective, the annual reviews contributed to establishing a broader dialogue with the U.S. administration on privacy in general, and the limitations and safeguards with respect to national security in particular.

As part of its first evaluation of the GDPR, the Commission is also required to review the adequacy decisions adopted under the 1995 Directive [123]. The Commission services have engaged in an intense dialogue with each of the 11 countries and territories concerned to assess how their personal data protection systems have evolved since the adequacy decision was adopted and whether they meet the standard set by the GDPR. The need to ensure the continuity of such decisions, as they are a key tool for trade and international cooperation, is one of the factors that has prompted several of these countries and territories to modernise and strengthen their privacy laws. These are certainly welcome developments. Additional safeguards are being discussed with some of these countries and territories to address relevant differences in protection. However, given that the Court of Justice in a judgment to be delivered on 16 July may provide clarifications that could be relevant for certain elements of the adequacy standard, the Commission will report separately on the evaluation of the 11 adequacy decisions mentioned after the Court of Justice has handed down its judgment in that case [124].

[109] EDPB, Guidelines 2/2018 on the territorial scope of the GDPR, 12.11.2019. The Guidelines address several of the points raised during the public consultation, for instance the interpretation of the targeting and monitoring criteria.
[110] See Council position and findings, paras 34, 35 and 38.
[111] See Article 27(4) and Recital 80 GDPR (“The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”).
[112] Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (COM/2018/226 final), Article 3; Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online (COM(2018) 640 final), Article 16(2), (3).
[113] According to one submission to the public consultation, one of the main points to address “is effective enforcement and real consequences for those who chose to ignore this requirement […] It should be borne in mind in particular that this also places businesses established in the Union at a competitive disadvantage to those noncompliant businesses established outside the Union trading into the Union.” See EU Business Partners, submission of 29 April 2020.
[114] Several submissions to the public consultation have raised this point, for instance as regards the transmission of personal data to recipients outside the EU but covered by the GDPR.
[115] Council position and findings, paragraph 17; Contribution from the Board, pp. 5-6. Several submissions to the public consultation, including from a number of business associations (like the French Association of Large Companies, Digital Europe, the Global Data Alliance/BSA, the Computer & Communication Industry Association (CCIA) or the US Chamber of Commerce) have called for stepping up the work on adequacy findings, especially with important trading partners.
[116] Judgment of the Court of Justice of the EU of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (‘Schrems’), points 73, 74 and 96. See also Recital 104 of the GDPR, which refers to the standard of essential equivalence.
[117] Article 45(2) and Recital 104 GDPR. See also Schrems, points 75, 91-91.
[118] Adequacy Referential, WP 254 rev. 01, 6 February 2018 (available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108).
[119] Contribution from the Board, pp. 5-6.
[120] Article 45(4) and (5) GDPR require the Commission to monitor developments in third countries on an ongoing basis and to regularly – at least every four years – review an adequacy finding. They also give the Commission the power to repeal, amend or suspend an adequacy decision if it finds that the country or international organisation concerned no longer ensures an adequate level of protection. Article 97(2)(a) GDPR furthermore requires the Commission to submit an evaluation report to the European Parliament and the Council by 2020. See also the judgment of the Court of Justice of the EU of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner, point 76.
[121] Commission implementing decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield. This adequacy decision is a specific case that, in the absence of general data protection legislation in the U.S., relies on commitments made by participating companies (that are enforceable under U.S. law) to apply the data protection standards set out by this arrangement. Moreover, the Privacy Shield builds on the specific representations and assurances made by the U.S. government as regards access for national security purposes that underpin the adequacy finding.
[122] Reviews took place in 2017 (Report from the Commission to the European Parliament and the Council on the first annual review of the functioning of the EU-U.S. Privacy Shield, COM(2017) 611 final), 2018 (Report from the Commission to the European Parliament and the Council on the second annual review of the functioning of the EU-U.S. Privacy Shield, COM(2018) 860 final) and 2019 (Report from the Commission to the Parliament and the Council on the third annual review of the functioning of the EU-U.S. Privacy Shield, COM(2019) 495 final).
Implementing the strategy laid down in its 2017 Communication on “Exchanging and Protecting Personal Data in a Globalised World”, the Commission also engaged in new adequacy dialogues [125]. This work has already yielded significant results involving key partners of the EU. In January 2019, the Commission adopted its adequacy decision for Japan, which is based on a high degree of convergence, including through specific safeguards such as in the area of onward transfers and through the creation of a mechanism to investigate and resolve individuals’ complaints concerning government access to personal data for law enforcement and national security purposes. As the first adequacy finding adopted under the GDPR, the framework agreed with Japan provides a useful precedent for future decisions [126]. This includes the fact that it was reciprocated on the Japanese side with an “adequacy” finding for the EU. Together, these mutual adequacy findings create the largest area of safe and free personal data flows in the world, thereby complementing the EU-Japan Economic Partnership Agreement. In fact, the arrangement supports around EUR 124 billion of trade in goods and EUR 42.5 billion of trade in services every year.

The adequacy process is also at an advanced stage with South Korea. One important outcome thereof is South Korea’s recent legislative reform that led to the establishment of an independent data protection authority equipped with strong enforcement powers. This illustrates how an adequacy dialogue can contribute to increased convergence between the EU’s data protection rules and those of a foreign country.

The Commission fully agrees with the call from stakeholders to intensify the dialogue with selected third countries in view of possible new adequacy findings [127]. It is actively exploring this possibility with other important partners in Asia, Latin America and the Neighbourhood, building on the current trend towards upward global convergence in data protection standards. For example, comprehensive privacy legislation has been adopted or is at an advanced stage of the legislative process in Latin America (Brazil, Chile), and promising developments are taking place in Asia (e.g. India, Indonesia, Malaysia, Sri Lanka, Taiwan and Thailand), Africa (e.g. Ethiopia, Kenya) as well as in the European Eastern and Southern neighbourhood (e.g. Georgia, Tunisia). Where possible, the Commission will work towards achieving comprehensive adequacy decisions covering both the private and public sector [128].

Moreover, the GDPR also introduced the possibility for the Commission to adopt adequacy findings for international organisations. At a time when some international organisations are modernising their data protection regimes by putting in place comprehensive rules, as well as mechanisms that provide independent oversight and redress, this avenue could be explored for the first time.

Adequacy also plays an important role in the context of the relationship with the United Kingdom following Brexit, provided that the applicable conditions are met. It constitutes an enabling factor for trade, including digital trade, and an essential prerequisite for a close and ambitious cooperation in the area of law enforcement and security [129]. Moreover, given the significance of data flows with the UK and its proximity to the EU market, a high degree of convergence between data protection rules on both sides of the Channel is an important element for ensuring a level playing field. In line with the Political Declaration on the Future Relationship between the EU and the UK, the Commission is currently carrying out an adequacy assessment under both the GDPR and the Law Enforcement Directive [130].

[123] These existing adequacy decisions concern countries that are closely integrated with the European Union and its Member States (Switzerland, Andorra, Faroe Islands, Guernsey, Jersey, Isle of Man), important trading partners (e.g. Argentina, Canada, Israel), and countries that played a pioneering role in developing data protection laws in their region (New Zealand, Uruguay).
[124] Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”), concerns a reference for a preliminary ruling on the so-called standard contractual clauses. However, certain elements of the adequacy standard may also be further clarified by the Court. The hearing in this case took place on 9 July 2019 and the judgment has been announced for 16 July 2020.
[125] See supra fn 109. The Commission explained that the following criteria will be taken into account when assessing with which third countries a dialogue on adequacy should be pursued: (i) the extent of the EU's (actual or potential) commercial relations with the third country, including the existence of a free trade agreement or ongoing negotiations; (ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties; (iii) the country’s pioneering role in the field of privacy and data protection that could serve as a model for other countries in its region; and (iv) the overall political relationship with the country, in particular as regards the promotion of common values and shared objectives at international level.
[126] European Parliament, Resolution of 13 December 2018 on the adequacy of the protection of personal data afforded by Japan (2018/2979(RSP)), point 27; Contribution from the Board, pp. 5-6.
[127] See e.g. European Parliament, Resolution of 12 December 2017 on ‘Towards a digital trade strategy’ (2017/2065(INI)), points 8, 9; Council position and findings on the application of the General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraph 17; Contribution from the Board, p. 5.
Considering the autonomous and unilateral nature of an adequacy assessment, these talks follow a separate track from the negotiations on an agreement on the future relationship between the EU and the UK.

Finally, the Commission welcomes that other countries are putting in place data transfer mechanisms similar to an adequacy finding. In doing so, they often recognise the EU, and countries for which the Commission has adopted an adequacy decision, as safe destinations for transfers [131]. The growing number of countries benefitting from EU adequacy decisions, on the one hand, and this form of recognition by other countries, on the other hand, has the potential of creating a network of countries where data can flow freely and safely. The Commission considers this a welcome development that will further increase the benefits of an adequacy decision for third countries and contribute to global convergence. This type of synergy can also usefully contribute to the development of frameworks for the safe and free flow of data, such as in the context of the ‘data free flow with trust’ initiative (see below).

Appropriate safeguards

The GDPR provides for a number of other transfer instruments beyond the comprehensive solution of an adequacy finding. The flexibility of this “toolbox” is demonstrated by Article 46 GDPR, which regulates data transfers based on “appropriate safeguards”, including enforceable data subject rights and effective legal remedies. To guarantee appropriate safeguards, different instruments are available in order to cater to the transfer needs of both commercial operators and public bodies.

Standard contractual clauses (SCCs)

The first group of these instruments concerns contractual tools, which can be either tailor-made, ad hoc data protection clauses agreed between an EU data exporter and a data importer outside the EU and authorised by the competent data protection authority (Article 46(3)(a) GDPR) or model clauses pre-approved by the Commission (Article 46(2)(c), (d) GDPR [132]). The most important of these instruments are so-called standard contractual clauses (SCCs), i.e. model data protection clauses which the data exporter and the data importer can incorporate into their contractual arrangements (e.g. a service contract requiring the transfer of personal data) on a voluntary basis and that set out the requirements related to appropriate safeguards. SCCs represent by far the most widely used data transfer mechanism [133]. Thousands of EU companies rely on SCCs in order to provide a wide range of services to their clients, suppliers, partners and employees, including services essential to the functioning of the economy.

[128] As also requested by the Council, see Council position and findings on the application of the General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraphs 17 and 40. However, this requires that the conditions for an adequacy finding concerning data transfers to public authorities are met, including as regards independent oversight.
[129] See the negotiating directives annexed to the Council Decision authorising the opening of negotiations with the United Kingdom of Great Britain and Northern Ireland for a new partnership agreement (ST 5870/20 ADD 1 REV 3), paragraphs 13 and 118.
[130] See revised text of the political declaration setting out the framework for the future relationship between the European Union and the United Kingdom as agreed at negotiators’ level on 17 October 2019, paragraphs 8-10 (available at https://ec.europa.eu/commission/sites/beta-political/files/revised_political_declaration.pdf).
[131] For example, by Argentina, Colombia, Israel, Switzerland or Uruguay.
Their broad use indicates that they are very helpful to businesses in their compliance efforts and of particular benefit to companies that do not have the resources to negotiate individual contracts with each of their commercial partners. Through their standardisation and pre-approval, SCCs provide companies with an easy-to-implement tool to meet data protection requirements in a transfer context.

The existing sets of SCCs [134] were adopted and approved on the basis of the 1995 Directive. These SCCs remain in force until amended, replaced or repealed, if necessary, by a Commission decision (Article 46(5) of the GDPR). The GDPR expands the possibilities to use SCCs both within the EU and for international transfers. The Commission is working together with stakeholders to make use of these possibilities and to update existing clauses [135]. In order to ensure that the future design of SCCs is fit for purpose, the Commission has been collecting feedback on stakeholders’ experiences with SCCs, through the ‘Multi-stakeholder Group on the GDPR’ and a dedicated workshop held in September 2019, but also via multiple contacts with companies using SCCs as well as civil society organisations. The Board is also updating a number of guidelines that could be relevant for the review of SCCs, for instance on the concepts of controller and processor.

Building on the feedback received, the Commission services are currently working on revising the SCCs. In that context, a number of areas for improvement have been identified, in particular with regard to the following aspects:

1. Updating the SCCs in light of new requirements introduced by the GDPR, such as those concerning the controller-processor relationship under Article 28 GDPR (in particular the processor obligations), the transparency obligations of the data importer (in terms of the necessary information to be provided to the data subject), etc.

2. Addressing a number of transfer scenarios that are not covered by the current SCCs, such as the transfer of data from an EU processor to a non-EU (sub-)processor, but also for instance situations where the controller is located outside the EU [136].

3. Better reflecting the realities of processing operations in the modern digital economy, where such operations often involve multiple data importers and exporters, long and often complex processing chains, evolving business relationships, etc. In order to cater for such situations, solutions being explored include, for example, the possibility to enable the signing of SCCs by multiple parties or the accession of new parties throughout the lifetime of the contract.

In addressing these points, the Commission is also considering ways to make the current ‘architecture’ of the SCCs more user-friendly, for example by replacing multiple sets of SCCs by a single comprehensive document. The challenge is to strike a good balance between the need for clarity and a certain degree of standardisation, on the one hand, and the necessary flexibility that will allow the clauses to be used by a number of operators with different requirements, in different contexts and for different types of transfers, on the other hand. Another important aspect to consider is the possible need, in light of current litigation before the Court of Justice [137], to further clarify the safeguards as regards access by foreign public authorities to data transferred based on SCCs, in particular for national security purposes. This may include requiring the data importer or the data exporter, or both, to take action, and clarifying the role of data protection authorities in that context.

[132] Standard contractual clauses (SCCs) for international transfers always require Commission approval, but may be prepared either by the Commission itself or by a national DPA. All existing SCCs fall into the first category.
[133] According to the IAPP-EY Annual Privacy Governance Report 2019, “the most popular of these [transfer] tools – year over year – are overwhelmingly standard contractual contracts: 88% of respondents in this year’s survey reported SCCs as their top method for extraterritorial data transfers, followed by compliance with the EU-U.S. Privacy Shield arrangement (60%). For respondents transferring data from the EU to the U.K. (52%), 91% report they intend to use SCCs for data-transfer compliance after Brexit”.
[134] There are currently three sets of standard contractual clauses adopted by the Commission for the transfer of personal data to third countries: two for transfers from an EEA-controller to a non-EEA controller and one for transfers from an EEA-controller to a non-EEA-processor. They were amended in 2016, further to the judgment of the Court of Justice in the Schrems I case (C-362/14), to remove any restrictions on the competent supervisory authorities to exercise their powers to oversee data transfers. See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[135] See also Contribution from the Board, pp. 6-7. Likewise, the Council has called on the Commission “to review and revise [the SCCs] in the near future to take into account the needs of controllers and processors”. See Council position and findings.
Although the revision of the SCCs is well advanced, it will be necessary to wait for the judgment of the Court to reflect any possible additional requirement in the revised clauses, before a draft decision on a new set of SCCs can be submitted to the Board for its opinion and then proposed for adoption through the “comitology procedure” [138]. In parallel, the Commission is in contact with international partners that are developing similar tools [139]. This dialogue, allowing for an exchange of experiences and best practices, could significantly contribute to further developing convergence ‘on the ground’, and in this way facilitate compliance with cross-border transfer rules for companies operating across different regions of the world.

Binding corporate rules (BCRs)

Another important instrument is the so-called binding corporate rules (BCRs). These are legally binding policies and arrangements that apply to the members of a corporate group, including their employees (Articles 46(2)(b) and 47 of the GDPR). The use of BCRs allows personal data to move freely among the various group members worldwide – dispensing with the need to have contractual arrangements between each and every corporate entity – while ensuring that the same high level of protection of personal data is complied with throughout the group. They offer a particularly good solution for complex and large corporate groups and for close cooperation of enterprises exchanging data across multiple jurisdictions.

[136] Several submissions to the public consultation have commented on this last scenario, often raising concerns that requiring EU processors to ensure appropriate safeguards in their relationship with non-EU controllers would place them at a competitive disadvantage vis-à-vis foreign processors offering similar services.
[137] See Schrems II case.
Unlike under the 1995 Directive, under the GDPR BCRs can be used by a group of enterprises engaged in a joint economic activity but not forming part of the same corporate group. Procedurally, BCRs have to be approved by the competent data protection authorities, based on a non-binding opinion by the Board [140]. To guide this process, the Board has reviewed the BCR ‘referentials’ (setting out substantive standards) for controllers [141] and processors [142] in light of the GDPR, and continues to update these documents on the basis of the practical experience gained by supervisory authorities. It has also adopted various guidance documents to help applicants, and to streamline the application and approval process for BCRs [143]. According to the Board, more than 40 BCRs are currently in the pipeline for approval, half of which are expected to be approved by the end of 2020 [144]. It is important that data protection authorities continue working on further streamlining the approval process, as the length of such procedures is often mentioned by stakeholders as a practical obstacle to the broader use of BCRs.

Finally, regarding specifically BCRs approved by the UK data protection authority – the Information Commissioner’s Office – companies will be able to continue to use them as a valid transfer mechanism under the GDPR after the end of the transition period under the EU-UK Withdrawal Agreement, but only if they are amended so that any connection to the UK legal order is replaced with appropriate references to corporate entities and competent authorities within the EU. The approval of any new BCRs should be sought from one of the supervisory authorities in the EU.

Certification mechanisms and codes of conduct

In addition to modernising and broadening the application of the already existing transfer tools, the GDPR has also introduced new instruments, thereby expanding the possibilities for international transfers. This includes the use, under certain conditions, of approved codes of conduct and certification mechanisms (such as privacy seals or marks) for ensuring appropriate safeguards.

[138] In accordance with Article 46(2)(c) GDPR, standard contractual clauses have to be adopted through the examination procedure laid down under Article 5 of Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers - OJ L 55, 28.2.2011, p. 13–18. This involves in particular a positive decision from a committee composed of representatives of the Member States.
[139] This includes, for instance, the work currently being carried out by the ASEAN Member States to develop ‘ASEAN model contractual clauses’. See ASEAN, Key Approaches for ASEAN Cross Border Data Flows Mechanism (available at: https://asean.org/storage/2012/05/Key-Approaches-for-ASEAN-Cross-Border-Data-Flows-Mechanism.pdf).
[140] For an overview of the EDPB opinions rendered so far, see https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[141] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109.
[142] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110.
[143] These documents were adopted (by the former Article 29 Working Party) following the entry into force of the GDPR, but before the end of the transition period. See WP263 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623056); WP264 (https://edpb.europa.eu/sites/edpb/files/files/file2/wp264_art29_wp_bcr-c_application_form.pdf); WP265 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623848).
[144] Contribution from the Board, p. 7.
These are bottom-up tools that allow for tailor-made solutions – as a general accountability mechanism (see Articles 40 to 42 of the GDPR) and, specifically, for international data transfers – reflecting, for instance, the specific features and needs of a given sector or industry, or of particular data flows. By calibrating the obligations with the risks, codes of conduct can also be a very useful and cost-effective way for small and medium-sized businesses to meet their GDPR obligations.

As regards certification mechanisms, although the Board adopted guidelines to foster their use within the EU, its work on developing criteria to approve certification mechanisms as international transfer tools is still ongoing. The same is true for codes of conduct, regarding which the Board is currently working on guidelines for using them as a tool for transfers. Given the importance of providing operators with a broad range of transfer instruments that are adapted to their needs, and the potential that in particular certification mechanisms hold for facilitating data transfers while ensuring a high level of data protection, the Commission urges the Board to finalise as soon as possible its guidance in this regard. This concerns both substantive (criteria) and procedural aspects (approval, monitoring, etc.). Stakeholders have expressed a lot of interest in these transfer mechanisms and should be able to make full use of the GDPR’s toolkit. The Board’s guidelines would also contribute to promoting the EU model for data protection globally and foster convergence as other privacy systems are using similar instruments.

Valuable lessons can be drawn from existing standardisation efforts in the area of privacy, both at European and international level.
One interesting example is the recently released international standard ISO 27701 [145], which aims to help businesses meet privacy requirements and manage risks related to the processing of personal data through ‘privacy information management systems’. Although certification under the standard as such does not fulfil the requirements of Articles 42 and 43 of the GDPR, applying privacy information management systems can contribute to accountability, including in the context of international data transfers.

International agreements and administrative arrangements

The GDPR also makes it possible to ensure appropriate safeguards for data transfers between public authorities or bodies on the basis of international agreements (Article 46(2)(a)) or administrative arrangements (Article 46(3)(b)). While both instruments have to guarantee the same outcome in terms of safeguards, including enforceable data subject rights and effective legal remedies, they differ as to their legal nature and adoption procedure. Unlike international agreements, which create binding obligations under international law, administrative arrangements (e.g. in the form of a Memorandum of Understanding) are typically non-binding and therefore require prior authorisation by the competent data protection authority (see also Recital 108 of the GDPR). One early example concerns the administrative arrangement for the transfer of personal data between EEA and non-EEA financial supervisors cooperating under the umbrella of the International Organisation of Securities Commissions (IOSCO), on which the Board gave its Opinion [146] in early 2019.

[145] The list of specific requirements making up this ISO standard is available at: https://www.iso.org/standard/71670.html.
Since then, the Board has further developed its interpretation of the ‘minimum safeguards’ that international (cooperation) agreements and administrative arrangements between public authorities or bodies (including international organisations) need to ensure to comply with the requirements of Article 46 GDPR. On 18 January 2020 it adopted draft guidelines147 , thereby addressing the Member States’ request for further clarification and guidance as to what may be considered appropriate safeguards for transfers between public authorities148 . The Board strongly recommends that public authorities use these guidelines as a reference point for their negotiations with third parties149 . The guidelines demonstrate the flexibility in the design of such instruments, including on important aspects such as oversight150 and redress151 . This should allow public 146 EDPB, Opinion 4/2019 on the draft Administrative Arrangement for the transfer of personal data between European Economic Area (EEA) Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities, 12.2.2019. 147 EDPB, Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (draft available at: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-22020-articles- 46-2-and-46-3-b_en ). According to the EDPB, “[t]he competent [supervisory authority] will base its examination on the general recommendations set out in these guidelines, but might also ask for more guarantees depending on the specific case.” The EDPB submitted these draft guidelines to a public consultation that ended on 18 May 2020. 148 Council position and findings, paragraph 20. 
149 At the same time, the EDPB clarifies that public authorities remain “free to rely on other relevant tools providing for appropriate safeguards in accordance with Article 46 GDPR.” Regarding the choice of instrument, the EDPB underlines that “[i]t should be carefully assessed whether or not to make use of non-legally binding administrative arrangements to provide safeguards in the public sector, in view of the purpose of the processing and the nature of the data at hand. If data protection rights and redress for EEA individuals are not provided for in the domestic law of the third country, preference should be given to concluding a legally binding agreement. Irrespective of the type of instrument adopted, the measures in place have to be effective to ensure the appropriate implementation, enforcement and supervision” (paragraph 67). 150 This may include, for instance, combining internal checks (with a commitment to inform the other party of any instance of non-compliance with independent oversight through external or at least 41 authorities to overcome the difficulties in, for instance, ensuring enforceable data subject rights through non-binding arrangements. An important element of such arrangements is their continuous monitoring by the competent data protection authority – supported by information and record-keeping requirements – and the suspension of data flows if appropriate safeguards can no longer be ensured in practice. Derogations Finally, the GDPR clarifies the use of so-called ‘derogations’. These are specific grounds for data transfers (e.g. explicit consent152 , performance of a contract or important reasons of public interest) recognised in law, and on which entities can rely in the absence of other transfer tools and under certain conditions. To clarify the use of such statutory grounds, the Board has issued specific guidance153 and has interpreted Article 49 in a number of cases with respect to specific transfer scenarios154 . 
Due to their exceptional character, the Board considers that derogations have to be interpreted restrictively, on a case-by-case basis. Despite their strict interpretation, these grounds cover a broad range of transfer scenarios. This includes in particular data transfers by both public authorities and private entities necessary for ‘important reasons of public interest’, for example between competition, financial, tax or customs authorities, services competent for social security matters or for public health (such as in the case of contact tracing for contagious diseases or in order to eliminate doping in sport)155 . Another area is that of cross-border cooperation for criminal law enforcement purposes, in particular as regards serious crime156 . through functionally autonomous mechanisms, as well as the possibility for the transferring public body to suspend or terminate the transfer. 151 This may include, for instance, quasi-judicial, binding mechanisms (e.g. arbitration) or alternative dispute resolution mechanisms, combined with the possibility for the transferring public authority to suspend or terminate the transfer of personal data if the parties do not succeed in resolving a dispute amicably, plus a commitment from the receiving public body to return or delete the personal data. When opting for alternative redress mechanisms in binding and enforceable instruments because there is no possibility to ensure effective judicial redress, the EDPB recommends seeking the advice of the competent supervisory authority before concluding these instruments. 152 This is a change from Directive 95/46 which merely required ‘unambiguous’ consent. In addition, the general requirements for consent pursuant to Article 4(11) GDPR apply. 153 EDPB, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25.5.2018 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf). 
The Board has clarified that, although the relevant public interest must be recognised in EU or Member State law, this can also be established on the basis of “an international agreement or convention which recognises a certain objective and provides for international cooperation to foster that objective can be an indicator when assessing the existence of a public interest pursuant to Article 49(1)(d), as long as the EU or the Member States are a party to that agreement or convention” [157].

Decisions by foreign courts or authorities: not a ground for transfers

In addition to positively setting out the grounds for data transfers, Chapter V of the GDPR also clarifies, in its Article 48, that orders from courts and decisions of administrative authorities outside of the EU in themselves do not provide such grounds, unless they are recognised or made enforceable based on an international agreement (e.g. a Mutual Legal Assistance Treaty). Any disclosure by the requested entity in the EU to the foreign court or authority in response to such an order or decision constitutes an international data transfer that needs to be based on one of the mentioned transfer instruments [158]. The GDPR does not constitute a “blocking statute” and will, under certain conditions, permit a transfer in response to an appropriate law enforcement request from a third country. The important point is that it is EU law that should determine whether this is the case and on the basis of which safeguards such transfers can take place. The Commission explained the functioning of Article 48 GDPR, including the possible reliance on the public interest derogation, in the context of a production order (warrant) by a foreign criminal law enforcement authority in the Microsoft case before the U.S. Supreme Court [159]. In its submission, the Commission stressed the EU’s interest in ensuring that law enforcement cooperation takes place “within a legal framework that avoids conflicts of law, and is based on […] respect for each others’ fundamental interests in both privacy and law enforcement” [160]. In particular, “from the perspective of public international law, when a public authority requires a company established in its own jurisdiction to produce electronic data stored on a server in a foreign jurisdiction, the principles of territoriality and comity under public international law are engaged” [161]. This is also reflected in the Commission’s proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters [162], which contains a specific ‘comity clause’ that makes it possible to raise an objection against a production order if compliance would conflict with the laws of a third country prohibiting disclosure in particular on the ground that this is necessary to protect the fundamental rights of the individuals concerned [163].

154 This includes, for instance, international transfers of health data for research purposes in the context of the COVID-19 outbreak. See EDPB, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 21.4.2020 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf).

155 See Recital 112.

156 See Brief of the European Commission on behalf of the European Union as Amicus Curiae in Support of Neither Party in the Case US v. Microsoft, p. 15: “In general, Union as well as Member State law recognize the importance of the fight against serious crime—and thus criminal law enforcement and international cooperation in that respect—as an objective of general interest. […] Article 83 of the TFEU identifies several areas of crime that are particularly serious and have cross-border dimensions, such as illicit drug trafficking.” (available at: https://www.supremecourt.gov/DocketPDF/17/17-2/23655/20171213123137791_17-2%20ac%20European%20Commission%20for%20filing.pdf).

157 EDPB, Derogation Guidelines (supra fn. 153), p. 10. The EDPB further clarified that, while data transfers based on the public interest derogation must not be “large scale” or “systematic”, but “need to be restricted to specific situations and […] meet the strict necessity test”, there is no requirement for them to be “occasional”.

158 This is made clear by the wording of Article 48 GDPR (“without prejudice to other grounds for transfer pursuant to this Chapter”) and the accompanying Recital 115 (“[t]ransfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject”). It is also recognised by the EDPB, see Derogation Guidelines (supra fn. 153), p. 5. As for all processing operations, the other safeguards under the Regulation must also be complied with (e.g. that data is transferred for a specific purpose, is relevant, limited to what is necessary for the purpose of the request, etc.).

159 Microsoft submission (supra fn. 156). As the Commission explained, the GDPR thus makes MLATs the “preferred option” for transfers as such treaties “provide for collection of evidence by consent, and embody a carefully negotiated balance between the interests of different states that is designed to mitigate jurisdictional conflicts that can otherwise arise.” See also EDPB, Derogation Guidelines (supra fn. 153), p. 5 (“In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement”).

160 Microsoft submission (supra fn. 156), p. 4.
Ensuring comity is important, given that law enforcement – like crime and in particular cybercrime – is increasingly cross-border and thus often raises jurisdictional questions and creates potential conflicts of law [164]. Not surprisingly, the best way of addressing these issues is through international agreements that provide for the necessary limitations and safeguards for cross-border access to personal data, including by ensuring a high level of data protection on the side of the requesting authority. The Commission, acting on behalf of the EU, is currently engaged in multilateral negotiations for a Second Additional Protocol to the Council of Europe Cybercrime (‘Budapest’) Convention, which aims to enhance existing rules to obtain cross-border access to electronic evidence in criminal investigations while ensuring appropriate data protection safeguards as part of the Protocol [165]. Similarly, bilateral negotiations have started on an agreement between the EU and the United States on cross-border access to electronic evidence for judicial cooperation in criminal matters [166]. The Commission counts on the support of the European Parliament and the Council, and the guidance of the EDPB, throughout these negotiations.

161 Microsoft submission (supra fn. 156), p. 6.

162 European Commission, Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, 17.4.2018 (COM(2018) 225 final). The Council adopted its general approach on the proposed Regulation on 7.12.2018 (available at: https://www.consilium.europa.eu/en/press/press-releases/2018/12/07/regulation-on-cross-border-access-to-eevidence-council-agrees-its-position/#). See also EDPS, Opinion 7/19 on proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters (available at: https://edps.europa.eu/data-protection/ourwork/publications/opinions/electronic-evidence-criminal-matters_en).

163 The Explanatory Memorandum, p. 21, makes clear that, in addition to ensuring comity with respect to the sovereign interests of third countries, protecting the individual concerned and avoiding conflicts of law for service providers, one important motivation for the comity clause is reciprocity, i.e. to ensure respect for EU rules, including on the protection of personal data (Article 48 GDPR). See also Statement of the Article 29 Working Party of 29 November 2017, Data protection and privacy aspects of cross-border access to electronic evidence (WP29 Statement) (available at: file:///C:/Users/ralfs/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/TempState/Downloads/20171207_e-Evidence_Statement_FINALpdf%20(1).pdf), p. 9.

164 See WP29 Statement (supra fn. 163), p. 6.

165 See Recommendation for a Council Decision authorising the participation in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No. 185), 5.2.2019 (COM(2019) 71 final). See also EDPS, Opinion 3/2019 regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention, 2.4.2019 (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_budapest_convention_en.pdf); EDPB, Contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), 13.11.2019 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbcontributionbudapestconvention_en.pdf).
More generally, it is important to ensure that when companies active in the European market are called on the basis of a legitimate request to share data for law enforcement purposes, they can do so without facing conflicts of law and in full respect of EU fundamental rights. To improve such transfers, the Commission is committed to develop appropriate legal frameworks with its international partners to avoid conflicts of law and support effective forms of cooperation, notably by providing for the necessary data protection safeguards, and thereby contribute to a more effective fight against crime.

7.3 International cooperation in the area of data protection

Fostering convergence between different privacy systems also means learning from each other, through the exchange of knowledge, experience and best practices. Such exchanges are essential to address new challenges that are increasingly global in nature and scope. This is why the Commission has intensified its dialogue on data protection and data flows with a broad range of actors and in different fora, at bilateral, regional and multilateral level.

The bilateral dimension

Following the adoption of the GDPR, there has been an increasing interest in the EU’s experience in the design, negotiation and implementation of modern privacy rules. Dialogue with countries going through similar processes has taken several forms. The Commission services have made submissions to a number of public consultations organised by foreign governments considering legislation in the area of privacy, for example by the US [167], India [168], Malaysia and Ethiopia. In some third countries, the Commission’s services had the privilege to testify before the competent parliamentary bodies, for example in Brazil [169], Chile [170], Ecuador, and Tunisia [171].
Moreover, within the context of ongoing reforms of data protection laws, dedicated meetings took place with government representatives or parliamentary delegations from many regions of the world (e.g. Georgia, Kenya, Taiwan, Thailand, Morocco). This included the organisation of seminars and study visits, for example with representatives of the Indonesian government and a delegation of staffers from the US Congress.

This provided opportunities to clarify important concepts of the GDPR, improve mutual understanding of privacy matters and illustrate the benefits of convergence for ensuring a high level of protection of individual rights, trade and cooperation. In some cases, it also allowed cautioning against certain misconceptions of data protection that can lead to the introduction of protectionist measures such as forced localisation requirements. Since the adoption of the GDPR, the Commission has also engaged with several international organisations, including in light of the importance of data exchanges with those organisations in a number of policy areas. In particular, a specific dialogue has been established with the United Nations, with a view to facilitate discussions with all involved stakeholders to ensure smooth data transfers and develop further convergence between the respective data protection regimes. As part of this dialogue, the Commission will work closely with the EDPB to further clarify how EU public and private operators can comply with their GDPR obligations when exchanging data with international organisations such as the UN. The Commission stands ready to continue sharing the lessons learned from its reform process with interested countries and international organisations, in the same way it learned from other systems when developing its proposal for new EU data protection rules. This type of dialogue is mutually beneficial for the EU and its partners as it makes it possible to obtain a better understanding of the fast evolving privacy landscape and to exchange views on emerging legal and technological solutions. It is in this spirit that the Commission is setting up a “Data Protection Academy” to foster exchanges between European and third country regulators and, in this way, improve cooperation ‘on the ground’.

In addition there is a need to develop appropriate legal instruments for closer forms of cooperation and mutual assistance, including by allowing the necessary exchange of information in the context of investigations. The Commission will therefore make use of the powers granted in this area by Article 50 of the GDPR and, in particular, seek authorisation to open negotiations for the conclusion of enforcement cooperation agreements with relevant third countries. In this context, it will also take into account the Board’s views as to which countries should be prioritised in light of the volume of data transfers, the role and powers of the privacy enforcer in the third country and the need for enforcement cooperation to address cases of common interest.

The multilateral dimension

Beyond bilateral exchanges, the Commission is also actively participating in a number of multilateral fora to promote shared values and build convergence at regional and global level.

166 See Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the EU and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, 5.2.2019 (COM(2019) 70 final). See also EDPS, Opinion 2/2019 on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_on_eu_us_agreement_on_e-evidence_en.pdf).

167 See DG Justice and Consumers submission of 9 November 2018 in response to a request for public comments on a proposed approach to consumer privacy [Docket No. 180821780-8780-01] by the US National Telecommunications and Information Administration (available at: https://ec.europa.eu/info/sites/info/files/european_commission_submission_on_a_proposed_approach_to_consumer_privacy.pdf).

168 See DG Justice and Consumers submission of 19 November 2018 on the draft Personal Data Protection Bill of India 2018 to the Ministry of Electronics and Information Technology (available at: https://eeas.europa.eu/delegations/india/53963/submission-draft-personal-data-protection-bill-india-2018-directorate-general-justice_en).

169 See plenary meeting of 17 April 2018 of the Brazilian Senate (https://www25.senado.leg.br/web/atividade/sessao-plenaria/-/pauta/23384), meeting of the 10 April 2019 of the Joint Committee on MP 869/2018 of the Brazilian Congress (https://www12.senado.leg.br/ecidadania/visualizacaoaudiencia?id=15392), and meeting of 26 November 2019 of the Special Committee of the Brazilian Chamber of Deputies (https://www.camara.leg.br/noticias/616579-comissao-discutira-protecao-de-dados-no-ambito-das-constituicoes-de-outros-paises/).

170 See meetings of 29 May 2018 (https://senado.cl/appsenado/index.php?mo=comisiones&ac=asistencia_sesion&idcomision=186&idsesion=12513&idpunto=15909&sesion=29/05/2018&listado=1), 24 April 2019 (https://www.senado.cl/appsenado/index.php?mo=comisiones&ac=sesiones_celebradas&idcomision=186&tipo=3&legi=485&ano=2019&desde=0&hasta=0&idsesion=13603&idpunto=17283&listado=2) and of the Constitutional, Legislative and Justice Affairs Committee of the Chilean Senate.

171 See meeting of 2 November 2018 of the Rights, Freedoms and External Relations Committee of the Tunisian Assembly of the Representatives of the People (https://www.facebook.com/1515094915436499/posts/2264094487203201/).
The increasingly universal membership of the Council of Europe’s ‘Convention 108’, the only legally binding multilateral instrument in the area of personal data protection, is a clear sign of this trend towards (upward) convergence [172]. The Convention, which is also open to non-members of the Council of Europe, has already been ratified by 55 countries, including a number of African and Latin American States [173]. The Commission significantly contributed to the successful outcome of the negotiations on the modernisation of the Convention [174], and ensured that it reflected the same principles as those enshrined in the EU data protection rules. Most EU Member States have now signed the Amending Protocol, although the signatures of Denmark, Malta and Romania are still outstanding. Only four Member States (Bulgaria, Croatia, Lithuania and Poland) have so far ratified the Amending Protocol. The Commission urges the three remaining Member States to sign the modernised Convention, and all Member States to swiftly proceed to ratification, to allow for its entry into force in the near future [175]. Beyond that, it will continue to proactively encourage accession by third countries.

Data flows and protection have recently also been addressed within the G20 and G7. In 2019, global leaders for the first time endorsed the idea that data protection contributes to trust in the digital economy and facilitates data flows. With the Commission’s active support [176], leaders endorsed the concept of “data free flow with trust” (DFFT) originally proposed by Japan in the G20 Osaka Declaration [177] as well as the G7 summit in Biarritz [178]. This approach is also reflected in the Commission’s 2020 Communication on “A European strategy for data” [179] which highlights its intention to continue promoting data sharing with trusted partners while fighting against abuses such as disproportionate access of (foreign) public authorities to data.

172 Importantly, the modernised Convention is not just a treaty setting out strong data protection safeguards, but also creates a network of supervisory authorities with tools for enforcement cooperation and, with the Convention Committee, a forum for discussions, exchange of best practices and development of international standards.

173 See full list of members: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures. Countries from Africa include Cabo Verde, Mauritius, Morocco, Senegal and Tunisia, from Latin America Argentina, Mexico and Uruguay. Burkina Faso has been invited to join the Convention.

174 See the text of the modernised Convention: https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf.

175 According to its Decision on the Amending Protocol of 18 May 2018, the Committee of Ministers “urged member States and other Parties to the Convention to take without delay the necessary measures to allow the entry into force of the Protocol within three years from its opening for signature and to initiate immediately, but in any case no later than one year after the date on which the Protocol has been opened for signature, the process under their national law leading to ratification...” It also “instructed its Deputies to examine bi-annually, and for the first time one year after the date of opening for signature of the Protocol, the overall progress made towards ratification on the basis of the information to be provided to the Secretary General by each of the member States and other Parties to the Convention at the latest one month ahead of such an examination.” See https://search.coe.int/cm/pages/result_details.aspx?objectid=09000016808a3c9f.
In doing so, the EU will also be able to rely on a number of tools in different policy areas that increasingly take into account the impact on privacy: for example the first-ever EU framework for the screening of foreign investment, which will become fully applicable in October 2020, gives the EU and its Member States the possibility to screen investment transactions that have effects on “access to sensitive information, including personal data, or the ability to control such information” if they affect security or public order [180].

The Commission is working with like-minded countries in several other multilateral fora to actively promote its values and standards. One important forum is the OECD’s recently created Working Party on Data Governance and Privacy (DGP), which is pursuing a number of important initiatives related to data protection, data sharing, and data transfers. This includes the evaluation of the 2013 OECD Privacy Guidelines. Moreover, the Commission actively contributed to the OECD Council Recommendation on Artificial Intelligence [181] and ensured that the EU human-centric approach, meaning that AI applications must comply with fundamental rights and in particular data protection, was reflected in the final text. Importantly, the AI Recommendation – which has subsequently been incorporated into the G20 AI Principles annexed to the G20 Osaka Leaders’ Declaration [182] – stipulates the principles of transparency and explainability with a view “to enable those adversely affected by an AI system to challenge its outcome based on plain and easy-to-understand information on the factors and the logic that served as the basis for the prediction, recommendation or decision”, thereby closely mirroring the principles of the GDPR as regards automated decision-making [183].

The Commission is also stepping up its dialogue with regional organisations and networks that are increasingly playing a central role in shaping common data protection standards [184], promoting the exchange of best practices, and fostering cooperation between enforcers.

176 In the margin of the April 2019 EU-Japan Summit, President Juncker expressed support for Japan’s ‘data free flow with trust’ initiative and the launching of the ‘Osaka Track’ and committed the Commission to “play an active role in both initiatives”.

177 See text of the G20 Osaka Leaders’ Declaration: https://www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf

178 See text of the G7 Biarritz Strategy for an open, free and secure digital transformation: https://www.elysee.fr/admin/upload/default/0001/05/62a9221e66987d4e0d6ffcb058f3d2c649fc6d9d.pdf

179 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European strategy for data, 19.2.2020 (COM(2020) 66 final) (https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf), pp. 23-24.

180 Art. 4(1)(d) Regulation (EU) 2019/452 of the European Parliament and of the Council of 19.03.2019 establishing a framework for the screening of foreign direct investment into the Union (OJ L 79I, 21.03.2019).

181 https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449

182 G20 Ministerial Statement on Trade and Digital Economy: https://g20trade-digital.go.jp/dl/Ministerial_Statement_on_Trade_and_Digital_Economy.pdf

183 See Articles 13(2)(f), 14(2)(g), 22 GDPR.
This concerns, in particular, the Association of Southeast Asian Nations (ASEAN) – including in the context of its ongoing work on data transfer tools –, the African Union, the Asia Pacific Privacy Authorities (APPA) forum and the Ibero-American Data Protection Network, all of which launched important initiatives in this area and provide fora for fruitful dialogue between privacy regulators and other stakeholders.

Africa is a telling example of the complementarity between the national, regional and global dimensions of privacy. Digital technologies are quickly and deeply transforming the African continent. This has the potential to accelerate the achievement of the Sustainable Development Goals by boosting economic growth, alleviating poverty and improving people’s lives. Having in place a modern data protection framework attracting investment and fostering the development of competitive business while contributing to the respect for human rights, democracy and the rule of law is a key element of this transformation. The harmonisation of data protection rules across Africa would enable digital market integration, while convergence with global standards would facilitate data exchanges with the EU. These different dimensions of data protection are interlinked and mutually reinforcing. There is now a growing interest in data protection in many African countries, and the number of African countries that have adopted or are in the process of adopting modern data protection rules, have ratified Convention 108 [185] or the Malabo Convention [186] continues to increase [187]. At the same time, the regulatory framework remains highly uneven and fragmented across the African continent. Many countries still offer few or no data protection safeguards. Measures restricting data flows are still widespread and hamper the development of a regional digital economy.
To harness the mutual benefits of convergent data protection rules, the Commission will engage with its African partners both bilaterally and in regional fora [188]. This builds on the work of the EU-AU Digital Economy Task Force within the context of the New Africa-Europe Digital Economy Partnership [189]. It is also in furtherance of such objectives that the scope of the Commission’s partnership instrument ‘Enhanced Data Protection and Data Flows’ has been extended to include Africa.

184 See, for instance, the African Union Convention on Cyber Security and Personal Data Protection (‘Malabo Convention’) and the Standards for Data Protection for the Ibero-American States developed by the Ibero-American Data Protection Network.

185 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=DW5jevqD

186 African Union Convention on Cyber Security and Personal Data Protection https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection. In addition, several of the Regional Economic Communities (RECs) have developed data protection rules, for instance, the Economic Community of West African States (ECOWAS) and the Southern African Development Community (SADC). See, respectively, http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf and http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/docs/SA4docs/data%20protection.pdf.

188 Inter alia, through the Policy and Regulation Initiative for Digital Africa (PRIDA), see information at: https://www.africa-eu-partnership.org/en/projects/policy-and-regulation-initiative-digital-africa-prida.
The project will be mobilised to support African countries that intend to develop modern data protection frameworks or that wish to strengthen the capacity of their regulatory authorities, through training, knowledge sharing and the exchange of best practices. Finally, while promoting the convergence of data protection standards at international level as a way to facilitate data flows and thus trade, the Commission is also determined to tackle digital protectionism, as recently highlighted in the Data Strategy [190]. To that end, it has developed specific provisions on data flows and data protection in trade agreements, which it systematically tables in its bilateral negotiations – most recently with Australia, New Zealand and the UK – and in multilateral negotiations such as the current WTO e-commerce talks. These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, while preserving the regulatory autonomy of the parties to protect the fundamental right to data protection. Whereas dialogues on data protection and trade negotiations must follow separate tracks, they can complement each other. In fact, convergence based on high standards and backed up by effective enforcement provides the strongest foundation for the exchange of personal data, something that is increasingly recognised by our international partners. Given that companies increasingly operate across borders and prefer to apply similar sets of rules in all their business operations worldwide, such convergence helps create an environment conducive to direct investment, facilitating trade and improving trust between commercial partners. Synergies between trade and data protection instruments should thus be further explored to ensure free and safe international data flows, which are essential for the business operations, competitiveness and growth of European companies, including SMEs, in our increasingly digitalised economy.
[189] See Joint Communication of the European Commission and the High Representative for Foreign Affairs and Security Policy ‘Towards a comprehensive strategy for Africa’ (available at: https://ec.europa.eu/international-partnerships/system/files/communication-eu-africa-strategy-join-2020-4-final_en.pdf); Digital Economy Task Force, New Africa-Europe Digital Economy Partnership: Accelerating the Achievement of the Sustainable Development Goals (available at: https://www.africa-eu-partnership.org/sites/default/files/documents/finaldetfreportpdf.pdf).
[190] https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 23.

ANNEX I – Clauses for facultative specifications by national legislation

Subject | Scope | GDPR articles
Specifications for legal obligations and public task | Adapting the application of provisions with regard to the processing for compliance with a legal obligation or a public task, including for specific processing situations under Chapter IX | Article 6(2) and 6(3)
Age limit for consent in relation to information society services | Determination of the minimum age between 13 and 16 years | Article 8(1)
Processing of special categories of data | Maintaining or introducing further conditions, including limitations, for the processing of genetic data, biometric data or data concerning health | Article 9(4)
Derogation from information requirements | Obtaining or disclosure expressly laid down by law or for professional secrecy regulated by law | Article 14(5)(c) and (d)
Automated individual decision-making | Authorisation for automated decision-making in derogation from the general prohibition | Article 22(2)(b)
Restrictions of data subject rights | Restrictions from Articles 12 to 22, Article 34 and corresponding provisions in Article 5, when necessary and proportionate to safeguard exhaustively listed important objectives | Article 23(1)
Consultation and authorisation requirement | Requirement for controllers to consult or obtain authorisation from the data protection authority for processing for a task in the public interest | Article 36(5)
Designation of a data protection officer in additional cases | Designation of a data protection officer in cases other than the ones in paragraph 1 of Article 37 | Article 37(4)
Limitations of transfers | Limitation of transfers of specific categories of personal data | Article 49(5)
Complaints and court actions of organisations in their own right | Authorisation of privacy organisations to lodge complaints and court actions independently from a mandate by data subjects | Article 80(2)
Access to official documents | Reconciliation of public access to official documents with the right to the protection of personal data | Article 86
Processing of the national identification number | Specific conditions for the processing of the national identification number | Article 87
Processing in the employment context | More specific rules for processing employees’ personal data | Article 88
Derogations for processing for archiving in the public interest, research or statistical purposes | Derogations from specified data subject rights in so far as such rights are likely to render impossible or seriously impair the achievement of specific purposes | Article 89(2) and (3)
Reconciliation of data protection with obligations of secrecy | Specific rules on investigative powers of data protection authorities in relation to controllers or processors subject to obligations of professional secrecy | Article 90

ANNEX II – Overview of the resources of data protection authorities

The table below presents an overview of the resources (staff and budget) of data protection authorities per EU/EEA Member State [191]. When comparing the figures between Member States, it is important to bear in mind that authorities may have tasks assigned to them beyond those under the GDPR, and that these may vary between Member States. The ratio of staff employed by the authorities to one million inhabitants and the ratio of the budget of the authorities to one million euro of GDP are only included to provide additional elements of comparison among Member States of similar size and should not be looked at in isolation. The absolute figures, ratios and evolution over the past years should be considered together when assessing the resources of a given authority.

STAFF (Full Time Equivalents) and BUDGET (EUR)

Member State | Staff 2019 | Staff forecast 2020 | Staff growth 2016-2019 | Staff growth 2016-2020 (forecast) | Staff per million inhabitants (2019) | Budget 2019 (EUR) | Budget forecast 2020 (EUR) | Budget growth 2016-2019 | Budget growth 2016-2020 (forecast) | Budget per million EUR of GDP (2019)
Austria | 34 | 34 | 48% | 48% | 3,8 | 2.282.000 | 2.282.000 | 29% | 29% | 5,7
Belgium | 59 | 65 | 9% | 20% | 5,2 | 8.197.400 | 8.962.200 | 1% | 10% | 17,3
Bulgaria | 60 | 60 | -14% | -14% | 8,6 | 1.446.956 | 1.446.956 | 24% | 24% | 23,8
Croatia | 39 | 60 | 39% | 114% | 9,6 | 1.157.300 | 1.405.000 | 57% | 91% | 21,5
Cyprus | 24 | 22 | NA | NA | 27,4 | 503.855 | NA | 114% | NA | 23,0
Czech Rep. | 101 | 109 | 0% | 8% | 9,5 | 6.541.288 | 6.720.533 | 10% | 13% | 29,7
Denmark | 66 | 63 | 106% | 97% | 11,4 | 5.610.128 | 5.623.114 | 101% | 101% | 18,0
Estonia | 16 | 18 | -11% | 0% | 12,1 | 750.331 | 750.331 | 7% | 7% | 26,8
Finland | 45 | 55 | 114% | 162% | 8,2 | 3.500.000 | 4.500.000 | 94% | 150% | 14,6
France | 215 | 225 | 9% | 14% | 3,2 | 18.506.734 | 20.143.889 | -2% | 7% | 7,7
Germany | 888 | 1002 | 52% | 72% | 10,7 | 76.599.800 | 85.837.500 | 48% | 66% | 22,3
Greece | 33 | 46 | -15% | 18% | 3,1 | 2.849.000 | 3.101.000 | 38% | 50% | 15,2
Hungary | 104 | 117 | 42% | 60% | 10,6 | 3.505.152 | 4.437.576 | 102% | 155% | 24,4
Iceland | 17 | 17 | 143% | 143% | 47,6 | 2.272.490 | 2.294.104 | 167% | 170% | 105,2
Ireland | 140 | 176 | 169% | 238% | 28,5 | 15.200.000 | 16.900.000 | 223% | 260% | 43,8
Italy | 170 | 170 | 40% | 40% | 2,8 | 29.127.273 | 30.127.273 | 46% | 51% | 16,3
Latvia | 19 | 31 | -10% | 48% | 9,9 | 640.998 | 1.218.978 | 4% | 98% | 21,0
Lithuania | 46 | 52 | -8% | 4% | 16,5 | 1.482.000 | 1.581.000 | 40% | 49% | 30,6
Luxembourg | 43 | 48 | 126% | 153% | 70,0 | 5.442.416 | 6.691.563 | 165% | 226% | 85,7
Malta | 13 | 15 | 30% | 50% | 26,3 | 480.000 | 550.000 | 41% | 62% | 36,3
Netherlands | 179 | 188 | 145% | 158% | 10,4 | 18.600.000 | 18.600.000 | 130% | 130% | 22,9
Norway | 49 | 58 | 2% | 21% | 9,2 | 5.708.950 | 6.580.660 | 27% | 46% | 15,9
Poland | 238 | 260 | 54% | 68% | 6,3 | 7.506.345 | 9.413.381 | 66% | 108% | 14,2
Portugal | 25 | 27 | -4% | 4% | 2,4 | 2.152.000 | 2.385.000 | 67% | 86% | 10,1
Romania | 39 | 47 | -3% | 18% | 2,0 | 1.103.388 | 1.304.813 | 3% | 22% | 4,9
Slovakia | 49 | 51 | 20% | 24% | 9,0 | 1.731.419 | 1.859.514 | 47% | 58% | 18,4
Slovenia | 47 | 49 | 42% | 48% | 22,6 | 2.242.236 | 2.266.485 | 68% | 70% | 46,7
Spain | 170 | 220 | 13% | 47% | 3,6 | 15.187.680 | 16.500.000 | 8% | 17% | 12,2
Sweden | 87 | 87 | 81% | 81% | 8,5 | 8.800.000 | 10.300.000 | 96% | 129% | 18,5
TOTAL | 2.966 | 3.372 | 42% | 62% | 6,6 | 249.127.139 | 273.782.870 | 49% | 64% | 17,4

Source of raw figures: contribution from the Board. Calculations from the Commission.

[191] Except for Liechtenstein.
1_DA_autre_document_travail_service_part1_v2.pdf
https://www.ft.dk/samling/20201/kommissionsforslag/kom(2020)0264/forslag/1675383/2242053.pdf
EUROPEAN COMMISSION Brussels, 24.6.2020 SWD(2020) 115 final
COMMISSION STAFF WORKING DOCUMENT […] Accompanying the document COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation {COM(2020) 264 final}
European Affairs Committee 2020 KOM (2020) 0264 Public

Contents
1 Context ..... 3
2 Enforcement of the GDPR and functioning of the cooperation and consistency mechanisms ..... 4
2.1 Use of the data protection authorities’ strengthened powers ..... 4
Specific issues for the public sector ..... 5
Cooperation with other regulators ..... 5
2.2 The cooperation and consistency mechanisms ..... 6
One-stop-shop ..... 6
Mutual assistance ..... 7
Consistency mechanism ..... 8
Challenges ..... 8
2.3 Advice and guidance ..... 9
Data protection authorities’ awareness-raising activities and advice ..... 9
Guidelines of the European Data Protection Board ..... 10
2.4 Resources of the data protection authorities ..... 11
3 Harmonised rules, but still a certain degree of fragmentation and diverging approaches ..... 12
3.1 Member States’ implementation of the GDPR ..... 12
The main issues relating to national implementation ..... 13
Reconciling the right to the protection of personal data with freedom of expression and information ..... 14
3.2 Facultative specification clauses and their limits ..... 15
Fragmentation linked to the use of facultative specification clauses ..... 15
4 Empowering individuals to control their data ..... 17
5 Opportunities and challenges for organisations, in particular small and medium-sized enterprises ..... 19
Toolbox for businesses ..... 21
6 The application of the GDPR to new technologies ..... 23
7 International transfers and global cooperation ..... 25
7.1 Privacy: a global issue ..... 25
7.2 The GDPR’s transfer toolbox ..... 26
Adequacy decisions ..... 27
Appropriate safeguards ..... 31
Derogations ..... 36
Decisions of foreign courts or authorities: no ground for transfers ..... 37
7.3 International cooperation in the area of data protection ..... 39
The bilateral dimension ..... 39
The multilateral dimension ..... 40
Annex I: Clauses for facultative specifications in national legislation
Annex II: Overview of the resources of the data protection authorities

1 CONTEXT
The General Data Protection Regulation [1] (hereinafter ‘the GDPR’) is the result of eight years of preparation, drafting and inter-institutional negotiations, and it became applicable on 25 May 2018 after a two-year transition period (May 2016–May 2018).
Under Article 97 of the GDPR, the Commission reports on the evaluation and review of the Regulation, for the first time after two years of application and every four years thereafter. The evaluation is also part of a multi-faceted approach which the Commission already followed before the GDPR became applicable and which it has continued to pursue actively since then. As part of this approach, the Commission held continuous bilateral dialogues with the Member States on the compliance of national legislation with the GDPR, contributed actively to the work of the European Data Protection Board (hereinafter ‘the Board’) by making its experience and expertise available, supported the data protection authorities and maintained close contacts with a wide range of stakeholders on the practical application of the Regulation. The evaluation builds on the stocktaking carried out by the Commission in the first year of the GDPR’s application, which was summarised in the Communication issued in July 2019 [2]. It also follows up on the Communication on the application of the GDPR published in January 2018 [3]. The Commission also adopted guidance on the use of personal data in an electoral context, published in September 2018, and guidance on apps supporting the fight against the COVID-19 pandemic, published in April 2020. While its focus is on the two issues highlighted in Article 97(2) of the GDPR, namely international transfers and the cooperation and consistency mechanisms, this evaluation takes a broader approach in order to address issues raised by various actors over the past two years.
To prepare the evaluation, the Commission took into account contributions from:
- the Council [4];
- the European Parliament (Committee on Civil Liberties, Justice and Home Affairs) [5];
- the Board [6] and the individual data protection authorities [7], based on a questionnaire from the Commission;
- feedback from the members of the multi-stakeholder expert group supporting the application of the GDPR [8], also based on a questionnaire from the Commission;
- and ad hoc contributions from stakeholders.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1).
[2] Communication from the Commission to the European Parliament and the Council, Data protection rules as a trust-enabler in the EU and beyond – taking stock (COM(2019) 374 final of 24.7.2019).
[3] Communication from the Commission to the European Parliament and the Council: Stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018 (COM/2018/043 final).
[4] Council position and findings on the application of the General Data Protection Regulation (GDPR) (14994/2/19 Rev2 of 15.1.2020): https://data.consilium.europa.eu/doc/document/ST-14994-2019-REV-2/en/pdf
[5] Letter of the European Parliament’s LIBE Committee of 21.2.2020 to Commissioner Reynders, ref.: IPOL-COM-LIBE D (2020) 6525.
[6] Contribution of the Board to the evaluation of the GDPR under Article 97, adopted on 18.2.2020: https://edpb.europa.eu/our-work-tools/our-documents/other/contribution-edpb-evaluation-gdpr-under-article-97_en
[7] https://edpb.europa.eu/individual-replies-data-protection-supervisory-authorities_en
[8] The multi-stakeholder expert group on the GDPR, set up by the Commission, brings together civil society and business representatives, academics and practitioners: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3537 The report of the multi-stakeholder group is available at: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupMeeting&meetingId=21356

2 ENFORCEMENT OF THE GDPR AND FUNCTIONING OF THE COOPERATION AND CONSISTENCY MECHANISMS
The GDPR introduced an innovative governance system and created the basis for a genuine European data protection culture, which aims to ensure not only a harmonised interpretation but also a harmonised application and enforcement of the data protection rules. Its pillars are the independent national data protection authorities and the newly established Board. Since the data protection authorities are essential to the functioning of the whole EU data protection system, the Commission closely monitors their effective independence, including as regards adequate financial, human and technical resources. It is still too early to make a full assessment of the functioning of the cooperation and consistency mechanisms, given the short period in which experience could be gathered [9]. Moreover, the data protection authorities have not yet made use of the full range of tools that the GDPR makes available to further strengthen their cooperation.

2.1 Use of the data protection authorities’ strengthened powers
The GDPR establishes independent data protection authorities and equips them with harmonised and strengthened enforcement powers. Since the GDPR became applicable, these authorities have made use of a wide range of corrective powers under the GDPR, such as administrative fines (22 EU/EEA authorities) [10], warnings and reprimands (23), orders to comply with the data subject’s requests (26), orders to bring processing operations into compliance with the GDPR (27), and orders to rectify, erase or restrict processing (17). Around half of the data protection authorities (13) have imposed temporary or definitive limitations on processing, including bans. This demonstrates a deliberate use of all the corrective measures provided for in the GDPR. The data protection authorities did not shy away from imposing administrative fines in addition to, or instead of, other corrective measures, depending on the circumstances of the individual cases.
Administrative fines: Between 25 May 2018 and 30 November 2019, 22 data protection authorities in the EU/EEA issued around 785 fines. Only a few authorities have not yet imposed administrative fines, although ongoing proceedings may lead to such fines. Most fines concerned infringements of: the principle of lawfulness; valid consent; the protection of sensitive data; the transparency obligation; data subjects’ rights; and personal data breaches. Examples of fines imposed by data protection authorities include [11]:
- EUR 200 000 for failure to comply with the right to object to direct marketing in Greece
- EUR 220 000 to a data brokerage company in Poland which had not informed customers that their data were being processed
- EUR 250 000 to the Spanish football league La Liga for a lack of transparency in the design of its smartphone application
- EUR 14.5 million to a German real estate company for infringement of the data protection principles, in particular unlawful storage
- EUR 18 million to the Austrian postal service for unlawful large-scale processing of special categories of data
- EUR 50 million to Google in France concerning the conditions for obtaining consent from users.
The success of the GDPR should not be measured by the number of fines issued, since the GDPR provides for a broader range of corrective powers. Depending on the circumstances, the deterrent effect of a ban on processing or a suspension of data transfers can be much stronger.

[9] This point is emphasised in particular by the Council in its position and findings on the application of the GDPR and by the Board in its contribution to the evaluation.
[10] The figures in brackets indicate the number of EU/EEA data protection authorities that made use of the power in question between May 2018 and the end of November 2019. See the Board’s contribution, pp. 32-33.
[11] A number of fining decisions are still being challenged before the courts.

Specific issues for the public sector
The GDPR gives Member States the possibility to decide whether, and to what extent, administrative fines may be imposed on public authorities and bodies. Where Member States make use of this possibility, this does not deprive the data protection authorities of the possibility to apply all the other corrective powers vis-à-vis public authorities and bodies [12]. Another specific issue is the supervision of courts: although the GDPR also applies to the activities of courts, these are exempt from supervision by the data protection authorities when acting in their judicial capacity.
However, the Charter and the TFEU oblige Member States to entrust the supervision of such processing operations to an independent body [13].

Cooperation with other regulators
As stated in the Communication of July 2019, the Commission supports interaction with other regulators, in full respect of their respective competences. Promising areas of cooperation include consumer protection and competition. The Board expressed its willingness to cooperate with other supervisory authorities, in particular in the context of concentration in digital markets [14]. The Commission recognised the importance of privacy and data protection as a quality parameter of competition [15]. Members of the Board took part in joint workshops with the Consumer Protection Cooperation Network on cooperation for better enforcement of EU consumer and data protection law. This approach will be used to promote a common understanding and to develop practical ways of solving concrete problems experienced by consumers, in particular in the digital economy. In order to ensure a consistent approach to privacy and the protection of personal data, and until the ePrivacy Regulation is adopted, close cooperation with the authorities competent to enforce the ePrivacy Directive [16], which is lex specialis in relation to electronic communications, is indispensable. Closer cooperation with the competent authorities under the NIS Directive [17] and the NIS Cooperation Group will be of mutual benefit to those authorities and to the data protection authorities.

[12] Article 83(7) of the GDPR.
[13] Article 8(3) of the Charter, Article 16(2) TFEU, recital 20 of the GDPR.
[14] See the Board’s statement on the effects of economic concentration, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_economic_concentration_en.pdf.
[15] See Case COMP M. 8124, Microsoft/LinkedIn.
[16] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

2.2 The cooperation and consistency mechanisms
The GDPR established the cooperation mechanism (the one-stop-shop system for operators, joint operations and mutual assistance between data protection authorities) and the consistency mechanism with the aim of promoting a uniform application of the data protection rules through consistent interpretation and the resolution of any disagreement between authorities. The Board, which brings together all the data protection authorities, has been established as an EU body with legal personality and is fully operational, with the support of a secretariat [18]. It is central to the functioning of the two mechanisms mentioned above. By the end of 2019, the Board had adopted 67 documents, including 10 new guidelines [19] and 43 opinions [20] [21]. The important role played by the Board became apparent where there was a need to quickly ensure a consistent interpretation of the GDPR and to find solutions that could be applied immediately at EU level. In the context of the COVID-19 outbreak, for example, the Board adopted in March 2020 a statement on the processing of personal data addressing, among other things, the lawfulness of processing and the use of mobile location data in that context [22], and in April 2020 it adopted guidelines on the processing of health data for scientific research in the context of the COVID-19 outbreak [23], as well as guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak [24].
The Board also made a significant contribution to shaping the EU approach to the Commission’s and the Member States’ tracing apps. The day-to-day cooperation between the data protection authorities, whether acting on their own behalf or as members of the Board, is based on the exchange of information and notifications of cases initiated by the authorities. To facilitate communication between the authorities, the Commission provided significant support by making an information exchange system available to them [25]. Most authorities consider it to be adapted to the cooperation and consistency mechanisms, although it could be fine-tuned further, for instance by making it more user-friendly. Although it is still early days, a number of achievements and challenges can already be identified, which are presented below. They show that the data protection authorities have so far made effective use of the cooperation tools, with a preference for more flexible solutions.

[17] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
[18] See further details on the activities of the secretariat in the Board’s contribution, pp. 24-26.
[19] In addition to the 10 guidelines adopted by the Article 29 Working Party in the run-up to the entry into application of the GDPR and endorsed by the Board. Furthermore, the Board adopted a further 4 guidelines between January and May 2020 and updated one existing guideline.
[20] 42 of these opinions were adopted under Article 64 of the GDPR, and one was adopted under Article 70(1)(s) of the GDPR and concerned the adequacy decision for Japan.
[21] See the Board’s contribution, pp. 18-23, for a complete overview of the Board’s activities.
[22] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
[23] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en.
[24] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_da.pdf.
[25] The Internal Market Information System (IMI).

One-stop-shop
In cross-border cases, a Member State’s data protection authority can generally be involved either (i) as lead authority, where the operator’s main establishment is located in that Member State, or (ii) as concerned authority, where the operator has an establishment on the territory of that Member State, where individuals in that Member State are substantially affected, or where a complaint has been lodged with it. Such close cooperation has become daily practice: since the date of application of the GDPR, data protection authorities in all Member States have at some point been identified either as lead authorities or as concerned authorities in cross-border cases, albeit to varying degrees. From May 2018 to the end of 2019, the data protection authority of Ireland acted as lead authority in the highest number of cross-border cases (127), followed by Germany (92), Luxembourg (87), France (64) and the Netherlands (45). This order reflects in particular the specific situation of Ireland and Luxembourg, which host several large multinational technology companies. The order is different as regards concerned authorities, where the authorities in Germany are involved in the highest number of cases (435), followed by Spain (337), Denmark (327), France (332) and Italy (306) [26]. Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the one-stop-shop procedure, of which 79 led to final decisions. As of the date of publication of this report, decisions are pending in several important cases with a cross-border dimension that fall under the one-stop-shop mechanism. Some of these decisions involve large multinational technology companies [27]. They are expected to provide clarity and contribute to a more coordinated interpretation of the GDPR.

Mutual assistance
The data protection authorities have made extensive use of the mutual assistance tool. By the end of 2019, there had been 115 mutual assistance procedures [28], in particular for carrying out investigations, most of them initiated by the data protection authorities of Spain (26), Germany (20), Denmark (13), Poland (12) and Czechia (10). Conversely, Ireland (19), France (11), Austria (10), Germany (10) and Luxembourg (9) had received the most requests [29]. The vast majority of authorities consider mutual assistance to be a very useful cooperation tool and have not encountered significant obstacles in using the mutual assistance procedure. Voluntary mutual assistance exchanges, for which there is no legal deadline or strict obligation to reply, have been used more frequently, namely in 2 427 procedures. Ireland’s data protection authority sent and received the highest number of mutual assistance requests (527 sent and 359 received), followed by the German authorities (260 sent/356 received). On the other hand, no joint operations [30] have yet been carried out, which would allow the data protection authorities of several Member States to be involved already in the investigation of cross-border cases. Reflections are ongoing within the Board on the practical implementation of this tool and on how its use can be promoted.

[26] See the Board’s contribution, p. 8.
[27] For example, on 22.5.2020 the Irish data protection authority submitted a draft decision to the other concerned authorities in accordance with Article 60 of the Regulation concerning an investigation of Twitter International Company in connection with a data breach notification. On the same day, the Irish data protection authority also announced that a draft decision under Article 60 concerning WhatsApp Ireland Limited was being prepared in relation to transparency, including transparency as to what information is shared with Facebook.
[28] Article 61 of the GDPR.
[29] See the Board’s contribution, pp. 12-14.
[30] Article 62 of the GDPR.

Consistency mechanism
So far, only the first strand of the consistency mechanism has been used, namely the adoption of Board opinions [31]. Conversely, there have not yet been any cases of dispute resolution within the Board [32], nor has the urgency procedure been used [33]. In the period from 25 May 2018 to 31 December 2019, the Board issued 36 opinions in connection with the adoption of measures by one of its members [34]. Most of these (31) concerned the adoption of national lists of processing operations requiring a data protection impact assessment. Two opinions concerned binding corporate rules, two others concerned draft accreditation requirements for a code of conduct monitoring body, and one concerned standard contractual clauses [35]. The Board also adopted six opinions upon request [36]. Three of these opinions concerned national lists determining the processing operations that do not require a data protection impact assessment.
The others concerned, respectively, an administrative arrangement for the transfer of personal data between financial supervisory authorities within the EEA and financial supervisory authorities outside the EEA, the interplay between the ePrivacy Directive and the GDPR, and the competence of a supervisory authority in the event of a change in circumstances relating to the main or single establishment[37].

Challenges

Although the data protection authorities have cooperated very actively within the Board and already make intensive use of the mutual assistance cooperation tool, building a genuine common culture is still an ongoing process. In particular, the handling of cross-border cases requires a more efficient and harmonised approach and the effective use of all the cooperation tools provided for in the GDPR. There is broad agreement on this point, as it was raised in various ways by the European Parliament, the Council, the European Data Protection Supervisor, stakeholders (within and outside the multi-stakeholder group) and the data protection authorities. The main issues to be addressed in this regard are differences in:
- national administrative procedures, in particular as regards: complaint-handling procedures, admissibility criteria for complaints, the duration of procedures due to different time frames or the absence of deadlines, the point in the procedure at which the right to be heard is granted, and information about and involvement of complainants in the procedure;
- interpretations of concepts relating to the cooperation mechanism, e.g. relevant information, the notions of "without delay" and "complaint", the document defined as the "draft decision" of the lead data protection authority, amicable settlement (in particular the procedure leading to an amicable settlement and the legal form of the settlement), and the manner in which the cooperation procedure is to be initiated, the concerned data protection authorities involved and information communicated to them.
Complainants also lack clarity on how their cases are handled in cross-border situations, as several members of the multi-stakeholder group have stressed. Moreover, companies report that in certain cases national data protection authorities did not refer cases to the lead data protection authority but handled them as local cases.

[31] Based on Article 64 GDPR.
[32] Article 65 GDPR.
[33] Article 66 GDPR.
[34] Pursuant to Article 64(1) GDPR.
[35] Article 28(8) GDPR.
[36] Pursuant to Article 64(2) GDPR.
[37] See the contribution of the Board, p. 15.

The Commission welcomes the fact that the Board has announced that it has started reflecting on how to address these issues. In particular, the Board stated that it will clarify the procedural steps taken in the cooperation between the lead data protection authority and the concerned data protection authorities, analyse national administrative procedural rules, work towards a common interpretation of key concepts, and strengthen communication and cooperation (including joint operations). The Board's reflection and analysis should lead to more efficient working arrangements in cross-border cases[38], including by building on the expertise of its members and by strengthening the involvement of its secretariat. It should further be noted that the Board's responsibility for ensuring a consistent interpretation of the GDPR cannot be fulfilled by merely finding the lowest common denominator. Finally, as an EU body, the Board must also apply EU administrative law and ensure transparency in its decision-making process.
2.3 Advice and guidelines

Awareness raising and advice by data protection authorities

Several data protection authorities have created new tools, including assistance for individuals and companies, and toolkits for companies[39]. Many operators welcome the pragmatism shown by these authorities in assisting with the application of the GDPR. In particular, several of them have actively communicated and cooperated closely with data protection officers, including through associations of data protection officers. Many authorities have also issued guidelines on the role and obligations of data protection officers, with the aim of supporting them in their daily activities, and have held seminars specifically aimed at them. However, this does not apply to all data protection authorities. Likewise, feedback from stakeholders points to a number of problem areas regarding guidance and advice:
- the lack of a consistent approach and guidance between national data protection authorities on certain matters (e.g. on cookies[40], the use of legitimate interests, personal data breach notifications or data protection impact assessments), or even between data protection authorities within the same Member State (e.g. in Germany on the concepts of controller and processor);
- the inconsistency between guidelines adopted at national level and those adopted by the Board;
- the lack of public consultation on certain guidelines adopted at national level;
- different levels of stakeholder involvement among data protection authorities;
- delays in receiving replies to requests for information;
- difficulties in obtaining practical and valuable advice from data protection authorities;
- the need to increase sector-specific expertise within some data protection authorities (e.g. in the health sector and the pharmaceutical industry).
[38] As pointed out in the Council's position and findings.
[39] See below under section 7.
[40] Until the ePrivacy Regulation is adopted, close cooperation with the competent authorities responsible for enforcing the ePrivacy Directive in the Member States is important. In accordance with that Directive, the authorities competent to enforce Article 5(3) of the ePrivacy Directive (which lays down the conditions for the use of and access to "cookies" on a user's terminal equipment) are, in some Member States, not the same as the supervisory authorities under the GDPR.

Several of these issues are also linked to the lack of resources at several data protection authorities (see below).

Divergent practices as regards data breach notification[41]

Although the Council highlights the burden associated with such notifications, there are significant differences in the number of notifications between Member States: whereas in the period from May 2018 to the end of November 2019 most Member States had fewer than 2 000 notifications in total, and 7 Member States between 2 000 and 10 000, the Dutch and German data protection authorities reported 37 400 and 45 600 notifications respectively over that period[42]. This may indicate a lack of consistent interpretation and implementation, despite the existence of guidelines on data breach notification at EU level.

Guidelines of the European Data Protection Board

To date, the Board has adopted more than 20 guidelines covering key aspects of the GDPR[43]. Guidelines are an important tool for ensuring consistent application of the GDPR and have therefore been largely welcomed by stakeholders. Stakeholders have appreciated the systematic public consultation (6-8 weeks). They nevertheless call for more dialogue with the Board.
In this regard, the practice of organising workshops on targeted topics before drafting guidelines should be continued and strengthened, to ensure transparency, inclusiveness and relevance in the Board's work. Stakeholders also request that the interpretation of the most contentious issues be addressed in guidelines, since these are subject to public consultation, rather than in opinions under Article 64(2) GDPR. Some stakeholders also call for more practical guidelines describing the application of concepts and provisions of the GDPR[44]. Members of the multi-stakeholder group stress the need for more concrete examples in order to reduce, as far as possible, the risk of divergent interpretations between data protection authorities. At the same time, requests to clarify how the GDPR is to be applied and to create legal certainty should not lead to additional requirements or reduce the benefits of the risk-based approach and the accountability principle. The topics on which stakeholders would like further guidelines from the Board include:
- the scope of data subjects' rights (including in the employment context);
- updating the opinion on processing on the basis of legitimate interests;
- the concepts of controller, joint controller and processor, and the necessary arrangements between the parties[45];
- the application of the GDPR to new technologies (such as blockchain and artificial intelligence);
- processing in the context of scientific research (including in the context of international cooperation);
- processing of children's personal data;
- pseudonymisation and anonymisation;
- processing of health data.
The Board has already indicated that it will issue guidelines on many of these topics, and work has already begun on several of them (e.g. on the use of legitimate interest as a legal basis for processing).
Stakeholders ask the Board to update and, where appropriate, revise existing guidelines, taking into account the experience gained since their publication and the possibility of going into more detail where necessary.

[41] Article 33 GDPR.
[42] See the contribution of the Board, p. 35.
[43] Work on guidelines had already started, within the framework of the Article 29 Working Party, before the entry into force of the GDPR on 25 May 2018. See the full list of guidelines at https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en.
[44] This has also been pointed out by the European Parliament and the Council.
[45] The Board is in the process of drafting guidelines on controllers and processors.

2.4 Resources of the data protection authorities

It is a prerequisite for the effective performance of their tasks and the exercise of their powers that each data protection authority has the necessary human, technical and financial resources, premises and infrastructure, and this is therefore an essential condition for their independence[46]. Most data protection authorities have benefited from increasing staff and resources since the GDPR entered into force in 2016[47]. Many of them nevertheless still report that they do not have sufficient resources[48].

Number of staff working for national data protection authorities

The total number of staff of data protection authorities in the EEA increased overall by 42% between 2016 and 2019 (by 62% if the forecast for 2020 is included). The number of staff of most authorities increased during this period, with the largest increase (in percentage terms) recorded for the authorities of Ireland (+169%), the Netherlands (+145%), Iceland (+143%), Luxembourg (+126%) and Finland (+114%).
Conversely, staff numbers fell at several data protection authorities, with the most marked decreases in Greece (-15%), Bulgaria (-14%), Estonia (-11%), Latvia (-10%) and Lithuania (-8%). At some authorities, the decrease in staff numbers is also due to data protection experts leaving for employment in the private sector, which can offer more attractive conditions. Overall, the forecast for 2020 estimates an increase in staff numbers compared with 2019, with the exception of the authorities of Austria, Bulgaria, Italy, Sweden and Iceland (where staff numbers are expected to remain stable) and Cyprus and Denmark (where staff numbers are expected to fall). The German data protection authorities[49] together have the largest number of staff (888 in 2019/1002 estimated for 2020), followed by the data protection authorities of Poland (238/260), France (215/225), Spain (170/220), the Netherlands (179/188), Italy (170/170) and Ireland (140/176). The data protection authorities with the lowest number of staff are those of Cyprus (24/22), Latvia (19/31), Iceland (17/17), Estonia (16/18) and Malta (13/15).

Budget of the national data protection authorities

The total budget of data protection authorities in the EEA increased overall by 49% between 2016 and 2019 (by 64% if the forecast for 2020 is included). The budget of most authorities increased during this period, with the largest increase (in percentage terms) recorded for the authorities of Ireland (+223%), Iceland (+167%), Luxembourg (+165%), the Netherlands (+130%) and Cyprus (+114%). Conversely, some authorities saw only a small increase in budget, with the smallest increases recorded for the data protection authorities of Estonia (7%), Latvia (4%), Romania (3%) and Belgium (1%), while the authority of France saw a decrease (-2%).
Overall, the forecast for 2020 estimates an increase in budget compared with 2019, except for the authorities of Austria, Bulgaria, Estonia and the Netherlands (whose budgets are expected to remain stable).

[46] See Article 52(4) GDPR.
[47] The Regulation entered into force in May 2016 and became applicable in May 2018 after a two-year transition period.
[48] See the contribution of the Board, pp. 26-30.
[49] There are 18 authorities in Germany, one of which is a federal authority and 17 of which are regional authorities (including two in Bavaria).

The data protection authorities with the largest budget are those of Germany (EUR 76.6 million in 2019/EUR 85.8 million estimated in the 2020 forecast), Italy (29.1/30.1), the Netherlands (18.6/18.6), France (18.5/20.1) and Ireland (15.2/16.9). The authorities with the lowest budget are those of Croatia (EUR 1.2 million in 2019/EUR 1.4 million estimated in the 2020 forecast), Romania (1.1/1.3), Latvia (0.6/1.2), Cyprus (0.5/0.5) and Malta (0.5/0.6). The table in Annex II provides an overview of the human and budgetary resources of the national data protection authorities.

Beyond affecting their ability to enforce the rules at national level, the lack of resources also limits the capacity of data protection authorities to participate in and contribute to the cooperation and consistency mechanism and to the work carried out within the Board. As highlighted by the Board, the success of the one-stop-shop mechanism depends on the time and effort that data protection authorities can devote to handling and cooperating on individual cross-border cases. The resource problem is further compounded by the authorities' increased role in supervising the large-scale IT systems currently under development.
The data protection authorities of Ireland and Luxembourg also have specific resource needs in view of their role as lead authorities in enforcing the GDPR vis-à-vis large technology companies, which are primarily located in those Member States. While the Council points to the impact of the cooperation mechanism and its deadlines on the work of data protection authorities[50], Member States are required under the GDPR to provide their national data protection authorities with sufficient human, financial and technical resources[51].

The secretariat of the Board, which is provided by the European Data Protection Supervisor[52], currently consists of 20 people, including legal experts, IT experts and communication experts. It should be assessed whether this number needs to be increased in future so that the secretariat can effectively fulfil its function of providing analytical, administrative and logistical support to the Board and its subgroups, including in managing the information exchange system.

3 HARMONISED RULES, BUT STILL A CERTAIN DEGREE OF FRAGMENTATION AND DIVERGING APPROACHES

The GDPR provides for a consistent approach to data protection rules throughout the EU, replacing the different national regimes that existed under the 1995 Data Protection Directive.

3.1 Implementation of the GDPR by the Member States

The GDPR has been directly applicable in all Member States since 25 May 2018. It required Member States to legislate, in particular to establish national data protection authorities and lay down general conditions for their members, in order to ensure that each authority acts with complete independence when performing its tasks and exercising its powers in accordance with the GDPR.
Legal obligations and public tasks can only constitute the legal basis for processing personal data if they are laid down in (EU law or) national law.

[50] Article 60 GDPR.
[51] Article 52(4) GDPR.
[52] Article 75 GDPR.

Furthermore, Member States must lay down rules on penalties, in particular for infringements that are not subject to administrative fines, and they must reconcile the right to the protection of personal data with the right to freedom of expression and information. National law may also provide a legal basis for derogating from the general prohibition on processing special categories of personal data, for example on grounds of substantial public interest in the area of public health, including protection against serious cross-border threats to health. Furthermore, Member States must ensure the accreditation of certification bodies.

The Commission monitors the implementation of the GDPR in national legislation. All Member States, with the exception of Slovenia, had adopted new data protection legislation or adapted their legislation in this area at the time of drafting this report. The Commission therefore asked Slovenia to provide further details of the progress made so far and urged it to complete this process[53]. In addition, the compliance of national legislation with the data protection rules as regards the Schengen acquis is also assessed in the context of the Schengen evaluation mechanism coordinated by the Commission. The Commission and the Member States jointly evaluate how countries implement and apply the Schengen acquis in a number of areas. As regards data protection, this concerns large-scale IT systems such as the Schengen Information System and the Visa Information System, and covers the role of data protection authorities in monitoring the processing of personal data within those systems.

Work on adapting sectoral legislation is still ongoing at national level. Following the incorporation of the GDPR into the Agreement on the European Economic Area, its application was extended to Norway, Iceland and Liechtenstein. These countries have likewise adopted national data protection laws. The Commission will use all the tools at its disposal, including infringement procedures, to ensure that Member States comply with the GDPR.

Main issues regarding national implementation

The main issues identified so far as part of the ongoing assessment of national legislation and the bilateral exchanges with Member States include:
- Limitations on the application of the GDPR: some Member States, for example, completely exclude the activities of the national parliament.
- Differences in the applicability of national specifying laws. Some Member States link the application of their national legislation to the place where goods or services are offered, others to the seat of the controller or processor. This runs counter to the harmonisation objective pursued by the GDPR.
- National laws that raise doubts about the proportionality of the interference with the right to data protection. For example, the Commission opened an infringement procedure against a Member State that had adopted legislation requiring judges to publish specific information about their non-professional activities, which is incompatible with the right to respect for private life and the right to the protection of personal data[54].
- The lack of an independent body to supervise the processing of data by courts acting in their judicial capacity[55].
- Legislation in areas fully regulated by the GDPR that goes beyond the margin of manoeuvre for specifications or restrictions. This is particularly the case where national provisions lay down conditions for processing on the basis of legitimate interests by prescribing how the balance between the respective interests of the controller and of the individuals concerned is to be struck, whereas the GDPR requires each controller to carry out such a balancing individually in order to rely on that legal basis.
- Specifications and additional requirements beyond processing for compliance with a legal obligation or the performance of a public task (e.g. video surveillance in the private sector or direct marketing) and for concepts used in the GDPR (e.g. "large scale" or "erasure").
Some of these issues may be clarified by the Court of Justice in cases still pending[56].

[53] It should be noted that the national data protection authority in Slovenia is established on the basis of the current national data protection legislation and supervises the application of the GDPR in that Member State.
[54] This infringement procedure concerns the Polish law on the judiciary of 20 December 2019, which interferes with the independence of judges and concerns, inter alia, the disclosure of information on judges' engagement in non-professional activities: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_772.
Reconciling the right to the protection of personal data with freedom of expression and information

A specific issue concerns the implementation of Member States' obligation to reconcile, by law, the right to the protection of personal data with freedom of expression and information[57]. This issue is very complex, since an assessment of the balance between these fundamental rights must also take account of provisions and safeguards in press and media legislation. The assessment of Member States' legislation reveals different approaches to reconciling the right to the protection of personal data with freedom of expression and information:
- Some Member States lay down the principle of the primacy of freedom of expression or, for processing of personal data carried out solely for journalistic purposes or for the purposes of academic, artistic or literary expression, exempt entire chapters referred to in Article 85(2) GDPR. To some extent, media laws provide for certain guarantees as regards data subjects' rights.
- Some Member States have provided that the protection of personal data takes precedence and allow the data protection rules to be disapplied only in specific situations, e.g. where a person with public status is concerned.
- Other Member States allow the legislator to carry out a certain balancing and/or a case-by-case assessment as regards derogations from certain provisions of the GDPR.
The Commission will continue its assessment of national legislation on the basis of the requirements of the Charter. The reconciliation must be laid down by law, must respect the essence of these fundamental rights, and must be proportionate and necessary (Article 52(1) of the Charter).
Data protection rules should not affect the exercise of freedom of expression and information, in particular by creating a chilling effect or by being interpreted as a means of putting pressure on journalists to disclose their sources.

[55] See Article 8(3) of the Charter, Article 16 TFEU and recital 20 of the GDPR.
[56] For example, the exemption of a parliamentary committee from the application of the GDPR is the subject of a pending court case (C-272/19).
[57] Article 85 GDPR.

3.2 Optional specification clauses and their limits

The GDPR allows Member States to further specify its application in a limited number of areas. This margin of manoeuvre for national legislation differs from the obligation to implement certain other provisions of the GDPR, as mentioned above. The optional specification clauses are listed in Annex I.

The margins of manoeuvre for Member States' legislation are subject to the conditions and limits laid down in the GDPR and do not allow for a parallel national data protection regime[58]. Member States are required to amend or repeal national data protection legislation, including sector-specific legislation with data protection aspects. In addition, a Member State's related legislation must not contain provisions that could create confusion about the direct applicability of the GDPR. Where the GDPR provides that specifications or restrictions of its rules may be introduced by Member State law, Member States may, to the extent necessary for coherence and to make the national provisions comprehensible to the persons to whom they apply, incorporate elements of the GDPR into their national law[59].
Some stakeholders take the view that Member States should limit or refrain from using optional specification clauses, since they do not contribute to harmonisation. National differences in both the implementation of the laws and their interpretation by data protection authorities significantly increase the cost of compliance across the EU.

Fragmentation in the use of optional specification clauses

Age limit for children's consent in relation to information society services

A number of Member States have made use of the possibility of setting an age limit lower than 16 years for consent in relation to information society services (Article 8(1) GDPR). Nine Member States apply the age limit of 16 years, while eight Member States have opted for a limit of 13 years, six for 14 years and three for 15 years[60]. As a result, a company providing information society services to minors across the EU has to distinguish between the ages of potential users depending on the Member State in which they reside. This runs counter to the general objective of the GDPR of ensuring uniform protection of individuals and business opportunities in all Member States. Such differences lead to situations where the Member State in which the controller is established sets a different age limit from the Member State in which the data subjects reside.

Health and research

In implementing derogations from the general prohibition on processing special categories of personal data[61], Member States' legislation follows different approaches as regards the level of specifications and safeguards, including for health and research purposes.
Most Member States have introduced or maintained additional conditions for the processing of genetic data, biometric data or health data. This also applies to derogations from data subjects' rights for research purposes[62], both as regards the scope of the derogations and the related safeguards. The Board's forthcoming guidelines on the use of personal data in scientific research will contribute to a harmonised approach in this area. The Commission will provide input to the Board, in particular as regards health research, including in the form of concrete questions and analysis of concrete scenarios it has received from the research community. It would be useful if these guidelines could be adopted before the launch of the Horizon Europe framework programme, with a view to harmonising data protection practices and facilitating the exchange of data on research results. Guidelines from the Board on the processing of personal data in the area of health could also be useful. The GDPR provides a solid framework for national legislation in the area of public health and explicitly covers cross-border threats to health and the monitoring of epidemics and their spread[63], which was relevant in the context of the fight against the COVID-19 pandemic.

[58] The widely used term "opening clauses" to describe specification clauses is misleading, as it could give the impression that Member States have margins of manoeuvre beyond the provisions of the Regulation.
[59] Recital 8 GDPR.
[60] 13 years for Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal and Sweden; 14 years for Austria, Bulgaria, Cyprus, Spain, Italy and Lithuania; 15 years for the Czech Republic, Greece and France; 16 years for Germany, Hungary, Croatia, Ireland, Luxembourg, the Netherlands, Poland, Romania and Slovakia.
[61] Article 9 GDPR.
At EU level, on 8 April 2020 the Commission adopted a recommendation on a common toolbox for the use of technology and data in this context, including mobile applications and the use of anonymised mobility data[64], and on 16 April 2020 guidance on apps supporting the fight against the pandemic in relation to data protection[65]. In this context, the Board published a statement on data processing on 19 March 2020[66], followed on 21 April 2020 by guidelines on data processing for research purposes and on the use of location data and contact tracing tools in that context[67]. These recommendations and guidelines clarify how the principles and rules for the protection of personal data apply in the context of the fight against the pandemic.

Extensive restrictions of data subjects' rights

Most national data protection laws that restrict data subjects' rights do not specify the objectives of general public interest safeguarded by these restrictions and/or do not sufficiently meet the conditions and safeguards required by Article 23(2) GDPR[68]. Several Member States do not provide for a proportionality test or even extend the restrictions beyond the scope of Article 23(1) GDPR. For example, certain national laws, citing the disproportionate effort this would require from the controller, do not grant the right of access to personal data stored on the basis of a retention obligation or in connection with the performance of public tasks, without limiting such a restriction to objectives of general public interest.
Additional requirements for companies
Although the requirement of a mandatory data protection officer is based on a risk-based approach[69], one Member State[70] has extended it to a quantitative criterion, obliging companies where at least 20 employees are permanently engaged in the automated processing of personal data to designate a data protection officer, irrespective of the risks associated with the processing activities[71]. This has created additional burdens.

[62] Article 89(2) of the GDPR.
[63] See Article 9(2)(i) and recital 46 of the GDPR.
[64] https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf.
[65] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020XC0417(08)&from=EN.
[66] https://edpb.europa.eu/news/news/2020/statement-processing-personal-data-context-covid-19-outbreak_en.
[67] https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en.
[68] For example because they merely repeat the wording of Article 23(1) of the GDPR.
[69] Article 37(1) of the GDPR.
[70] Germany.

4 EMPOWERING INDIVIDUALS TO CONTROL THEIR DATA
The GDPR gives effect to fundamental rights, in particular the right to the protection of personal data, but also the other fundamental rights recognised in the Charter, including respect for private and family life, freedom of expression and information, non-discrimination, freedom of thought, conscience and religion, the freedom to conduct a business and the right to an effective remedy. These rights must be balanced against each other in accordance with the principle of proportionality[72]. The GDPR gives citizens enforceable rights, such as the rights of access, rectification, erasure, objection and portability, and enhanced transparency.
It also gives individuals the right to lodge a complaint with a data protection authority, including through representative actions, and the right to judicial redress. Citizens are increasingly aware of their rights, as shown by the results of the Eurobarometer survey of July 2019[73] and the survey by the Fundamental Rights Agency[74]. According to the Fundamental Rights Survey conducted by the Fundamental Rights Agency:
- 69% of the population aged 16 and over in the EU have heard of the GDPR;
- 71% of respondents in the EU have heard of their national data protection authority; this figure ranges from 90% in Czechia to 44% in Belgium;
- 60% of respondents in the EU are aware of a law that allows them to access personal data held about them by public administrations; this percentage falls to 51% for private companies;
- more than one in five respondents (23%) in the EU do not want to share personal data (e.g. a person's address, nationality or date of birth) with a public administration, and 41% do not want to share such data with private companies.

Citizens are increasingly making use of their right to lodge complaints with data protection authorities, either individually or through representative actions[75]. Only a few Member States have made it possible for non-governmental organisations to initiate actions without a mandate, in line with the possibility provided for in the GDPR. The proposal for a Directive on representative actions for the protection of the collective interests of consumers[76] will, once adopted, strengthen the framework for representative actions, including in the area of data protection.

Complaints
The total number of complaints between May 2018 and the end of November 2019, as reported by the Board, is around 275 000[77].
This figure should, however, be taken with a grain of salt, as a complaint is not defined in the same way by different authorities. The absolute number of complaints received by data protection authorities[78] varies greatly from one Member State to another. The highest numbers of complaints were recorded in Germany (67 000), the Netherlands (37 000), Spain and France (18 000 each), Italy (14 000), Poland and Ireland (12 000 each). Two thirds of the authorities reported between 8 000 and 600 complaints. The lowest numbers of complaints were recorded in Estonia and Belgium (around 500 each), Malta and Iceland (under 200 each). The number of complaints does not necessarily correspond to population size or GDP. For example, Germany has close to twice as many complaints as the Netherlands, and four times as many as Spain and France.

Feedback from the multi-stakeholder group shows that organisations have put in place a range of measures to facilitate the exercise of data subjects' rights, including implementing processes that ensure individual handling of requests and replies by the controller, the use of several channels (post, dedicated e-mail address, website, etc.), updated internal procedures and policies for the timely internal handling of requests, and staff training.

[71] Making use of the specification clause in Article 37(4) of the GDPR.
[72] Cf. recital 4 of the GDPR.
[73] https://ec.europa.eu/commission/presscorner/detail/da/IP_19_2956
[74] European Union Agency for Fundamental Rights (2020): Fundamental Rights Survey 2019. Data protection and technology: https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection
[75] Article 80 of the GDPR.
[76] COM/2018/0184 final - 2018/089 (COD)
[77] Under both Article 77 and Article 80 of the GDPR.
Some companies have introduced digital portals, accessible via the company's website (or the company intranet for employees), to make it easier for data subjects to exercise their rights. However, further progress is needed on the following points:
- Not all controllers comply with their obligation to facilitate the exercise of data subjects' rights[79]. They must ensure that data subjects have an effective contact point where they can explain their problems. This may be the data protection officer, whose contact details must be provided proactively to the data subject[80]. The means of contact must not be limited to e-mail, but must also allow the data subject to approach the controller by other means.
- Individuals continue to encounter problems when requesting access to their data, e.g. from platforms, data brokers and AdTech companies.
- The right to data portability is not used to its full potential. The European strategy for data (the "data strategy")[81], adopted by the Commission on 19 February 2020, stressed the need to facilitate all possible uses of this right (e.g. by mandating technical interfaces and machine-readable formats that allow (near) real-time data portability). Businesses note that there are sometimes problems in delivering the data in a structured, commonly used, machine-readable format (due to a lack of standards). Only organisations in certain sectors, e.g. banking, telecommunications, water and heat metering, report having set up the necessary interfaces[82]. New technological tools have been developed to make it easier for individuals to exercise their rights under the GDPR, not limited to data portability (e.g. personal data spaces and personal information management services).
- Children's rights: several members of the multi-stakeholder group stress the need to provide information to children and the fact that many organisations ignore that children may be concerned about the processing of their personal data. The Council stressed that particular attention could be paid to the protection of children when drawing up codes of conduct. The protection of children is also a focus area for data protection authorities[83].
- Right to information: some companies take a very legalistic approach, treating data protection notices as a legal exercise, with information that is rather complex, difficult to understand or incomplete, whereas the GDPR requires that any information be concise, easily accessible and easy to understand[84]. Some companies apparently do not follow the Board's recommendations, e.g. as regards the names of the entities with which they share data.
- Several Member States have substantially restricted data subjects' rights through national law, and some even beyond the margin of manoeuvre provided for in Article 23 of the GDPR.
- The exercise of individuals' rights is sometimes hampered by the practices of a few large digital players, which make it difficult for individuals to choose the settings that best protect their privacy (contrary to the requirement of data protection by design and by default[85])[86].
- Stakeholders are eagerly awaiting the Board's guidelines on data subjects' rights.

[78] See the Board's contribution, pp. 31-32.
[79] Article 12(2) of the GDPR.
[80] Article 13(1)(b) and Article 14(1)(b) of the GDPR.
[81] https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf.
[82] See the multi-stakeholder group report.
5 OPPORTUNITIES AND CHALLENGES FOR ORGANISATIONS, IN PARTICULAR SMALL AND MEDIUM-SIZED ENTERPRISES
Opportunities for organisations
The GDPR fosters competition and innovation. Together with the Regulation on the free flow of non-personal data[87], it ensures the free flow of data within the EU and creates a level playing field with companies not established in the EU. By creating a harmonised framework for the protection of personal data, the GDPR ensures that all actors in the internal market are bound by the same rules and enjoy the same opportunities, regardless of where they are established and where the processing takes place. The technological neutrality of the GDPR provides the data protection framework for new technological developments. The principles of data protection by design and by default encourage innovative solutions that incorporate data protection considerations from the outset and can reduce the costs of compliance with data protection rules. Moreover, privacy is becoming an important competitive parameter that individuals increasingly take into account when choosing their services. Individuals who are better informed and more aware of data protection considerations look for products and services that ensure effective protection of personal data. The implementation of the right to data portability can give companies offering innovative, privacy-friendly services easier market access. The effects of a potentially broader use of this right on the market in various sectors should be monitored. Compliance with data protection rules and their transparent application will create trust in the use of people's personal data and thus new opportunities for businesses. Like any other regulation, data protection rules entail compliance costs for businesses. However, these costs are outweighed by the opportunities and benefits of strengthening trust in digital innovation and by the societal benefits of respecting a fundamental right. By ensuring a level playing field and equipping data protection authorities with what they need to enforce the rules effectively, the GDPR prevents non-compliant companies from free-riding on the trust built up by those that follow the rules.

[83] See the results of a public consultation on children's data protection rights carried out by the Irish data protection authority: https://www.dataprotection.ie/sites/default/files/uploads/2019-09/Whose%20Rights%20Are%20They%20Anyway_Trends%20and%20Hightlights%20from%20Stream%201.pdf. Likewise, the French data protection authority launched a public consultation in April 2020: https://www.cnil.fr/fr/la-cnil-lance-une-consultation-publique-sur-les-droits-des-mineurs-dans-lenvironnement-numerique.
[84] Article 12(1) of the GDPR.
[85] Article 25 of the GDPR.
[86] See the report of the Norwegian Consumer Council, Deceived by Design, which highlighted the "dark patterns", default settings and other features and techniques used by companies to nudge users towards intrusive options: https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design/ See also the research published in December 2019 by the Transatlantic Consumer Dialogue and the Heinrich-Böll-Stiftung Brussels European Union, analysing the practices of three large global platforms: https://eu.boell.org/en/2019/12/11/privacy-eu-and-us-consumer-experiences-across-three-global-platforms.
[87] Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (OJ L 303, 28.11.2018, p. 59).
Specific challenges for small and medium-sized enterprises (SMEs)
It is a common view among stakeholders, also shared by the European Parliament, the Council and data protection authorities, that the application of the GDPR creates specific challenges for micro, small and medium-sized enterprises, and for small voluntary and charitable organisations. Under the risk-based approach, it would not be appropriate to provide for derogations based on the size of operators, as their size is not in itself an indicator of the risks their processing may entail for individuals. The risk-based approach pairs flexibility with effective protection. It takes into account the needs of SMEs whose core activity is not the processing of personal data and calibrates their obligations in particular on the basis of the likelihood and severity of the risks associated with the specific processing they carry out[88]. Processing involving a small or low risk should not be treated in the same way as processing involving a high risk or occurring frequently, irrespective of the size of the company carrying it out. The Board therefore concluded that "the risk-based approach promoted by the legislator in the text should in any case be maintained, as the risks for data subjects do not depend on the size of controllers"[89]. Data protection authorities should fully embrace this principle when enforcing the GDPR, preferably with a common European approach, so as not to create obstacles to the internal market. Data protection authorities have developed several tools and have stressed their intention to improve them further. Some authorities have launched awareness campaigns and will even hold free "GDPR classes" for SMEs.
Examples of guidance and tools made available by data protection authorities specifically for SMEs:
- publication of information for SMEs;
- seminars for data protection officers and events for SMEs that do not need to designate a data protection officer;
- interactive guides to support SMEs;
- hotlines for consultations;
- templates for processing contracts and for records of processing activities.
The Board's contribution contains a description of the activities carried out by data protection authorities[90].

[88] Article 24(1) of the GDPR.
[89] See the Board's contribution, p. 35.
[90] See the Board's contribution, pp. 35-45.

Several of the actions specifically supporting SMEs have received EU funding. The Commission provided financial support in the form of grants in three rounds totalling EUR 5 million, the last two of which were specifically aimed at helping national supervisory authorities in their efforts to reach out to individuals and SMEs. As a result, EUR 2 million was awarded in 2018 to nine data protection authorities for activities in 2018-2019 (Belgium, Bulgaria, Denmark, Hungary, Lithuania, Latvia, the Netherlands, Slovenia and Iceland)[91], and in 2019 EUR 1 million was awarded to four data protection authorities for activities in 2020 (Belgium, Malta, Slovenia and Croatia in partnership with Ireland)[92]. A further EUR 1 million will be awarded in 2020. Despite these initiatives, SMEs and start-ups often report that they struggle with the implementation of the accountability principle laid down in the GDPR[93]. In particular, they point out that they do not always receive sufficient guidance and practical advice from the national data protection authorities, or that the time it takes to obtain guidance and advice is too long. There have also been cases where authorities have been reluctant to engage with legal issues.
When SMEs face such situations, they often turn to external consultants and lawyers to handle the implementation of the accountability principle and the risk-based approach (including transparency requirements, records of processing and data breach notifications). This may also entail additional costs for them. A specific issue is the keeping of records of processing activities, which SMEs and small associations regard as a heavy administrative burden. Admittedly, the exemption from this obligation in Article 30(5) of the GDPR is very narrow. However, the effort required to comply with this obligation should not be overestimated. Where the core activity of SMEs does not involve the processing of personal data, such records can be simple and not burdensome. The same applies to voluntary and other associations. Drawing up such simplified records would be made easier by using templates for records, as is already the practice of some data protection authorities. A basic requirement under the accountability principle is that anyone processing personal data should in any case have an overview of their processing. The development of practical tools at EU level, such as harmonised forms for data breaches and simplified records of processing activities, could help SMEs and small associations[94] whose core activity does not focus on the processing of personal data to meet their obligations. Various business associations have made efforts to raise awareness and inform their members, e.g. through conferences and seminars that give companies information about the available guidelines, or by developing a service for members offering help with the protection of privacy.
They also report a growing number of seminars, meetings and events organised by think tanks and SME associations on matters relating to the GDPR. To improve the free movement of all data in the EU and ensure consistent application of the GDPR and the Regulation on the free flow of non-personal data, the Commission also issued practical guidance on the rules for processing mixed datasets consisting of both personal and non-personal data; it is aimed in particular at SMEs[95].

[91] https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/rec-rdat-trai-ag-2017.
[92] https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules/eu-funding-supporting-implementation-gdpr_en.
[93] See the report of the multi-stakeholder group.
[94] See the Council's contribution.
[95] Communication from the Commission to the European Parliament and the Council: Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union (COM/2019/250 final).

Toolbox for companies
The GDPR provides tools that can help demonstrate compliance with the rules, e.g. codes of conduct, certification mechanisms and standard contractual clauses.

Codes of conduct
The Board has issued guidelines[96] to support and facilitate "code owners" in drawing up, amending or extending codes, and to provide practical guidance and help with interpretation. These guidelines also clarify the procedures for the submission, approval and publication of codes at both national and EU level by setting the minimum requirements to be met. Stakeholders consider codes of conduct to be very useful tools. Although many codes are implemented at national level, a number of EU codes of conduct are currently under preparation (e.g. on mobile health apps, genomic health research, cloud computing, direct marketing, insurance, processing by prevention and counselling services for children)[97]. Businesses consider that EU-wide codes of conduct should play a more prominent role, as they promote uniform application of the GDPR across all Member States. However, codes of conduct also require time and investment from operators, both for their development and for setting up the necessary independent monitoring bodies. SME representatives stress the importance and usefulness of codes of conduct that are tailored to their situation and do not entail disproportionate costs. As a consequence, business associations in a number of sectors have implemented other forms of self-regulatory tools, such as codes of good practice or guidance. Although such tools can provide useful information, they are not approved by data protection authorities and cannot serve as a means of demonstrating compliance with the GDPR. The Council stresses that codes of conduct should pay particular attention to the processing of children's data and health data. The Commission supports codes of conduct that will harmonise the approach in health and research and facilitate the cross-border processing of personal data[98]. The Board is in the process of approving draft accreditation requirements for bodies monitoring codes of conduct, as advocated by a number of data protection authorities[99]. When transnational or EU codes of conduct are ready to be submitted to data protection authorities for approval, they must be sent to the Board for consultation. The swift introduction of transnational codes of conduct is particularly important for areas involving the processing of significant amounts of data (e.g. cloud computing) or sensitive data (e.g. health/research).
Certification
Certification can be a useful instrument to demonstrate compliance with specific requirements of the GDPR. It can increase legal certainty for companies and promote the GDPR globally. As pointed out in the study on certification published in April 2019[100], the objective should be to promote the adoption of relevant schemes. The development of certification schemes in the EU will be supported by the guidelines issued by the Board on certification criteria[101] and on the accreditation of certification bodies[102]. Security and data protection by design are important elements that must be taken into account under the GDPR, and for which a common and ambitious approach across the EU could usefully be adopted. The Commission will continue to support the ongoing contacts between the European Union Agency for Cybersecurity (ENISA), data protection authorities and the Board. As regards cybersecurity, following the adoption of the Cybersecurity Act, the Commission asked ENISA to prepare two certification schemes, including one for cloud services[103]. Further schemes concerning the cybersecurity of consumer services and products are under consideration.

[96] https://edpb.europa.eu/our-work-tools/our-documents/wytyczne/guidelines-12019-codes-conduct-and-monitoring-bodies-under_en.
[97] See the multi-stakeholder group report.
[98] See the measures announced in the European strategy for data, p. 30.
[99] Under Article 41(3) of the GDPR. See the opinions of the European Data Protection Board at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[100] https://ec.europa.eu/info/study-data-protection-certification-mechanisms_en.
Although these certification schemes established under the Cybersecurity Act do not explicitly address data protection and privacy, they help increase consumer trust in digital services and products. Such schemes can demonstrate that the principles of security by design have been complied with and that appropriate technical and organisational measures have been implemented regarding the security of the processing of personal data.

Standard contractual clauses
The Commission is currently working on standard contractual clauses between controllers and processors[104], also in the light of the modernisation of the standard contractual clauses for international transfers (see section 7.2). An EU act adopted by the Commission will have binding effect across the EU, which will ensure full harmonisation and legal certainty.

6 THE APPLICATION OF THE GDPR TO NEW TECHNOLOGIES
A technology-neutral framework open to new technologies
The GDPR is technology-neutral, trust-enabling and principle-based[105]. These principles, including lawful and transparent processing, purpose limitation and data minimisation, provide a solid basis for the protection of personal data, whatever the processing activity and the techniques used. Members of the multi-stakeholder group report that the GDPR generally has a positive impact on the development of new technologies and provides a good basis for innovation. The GDPR is seen as an essential and flexible tool for ensuring that new technologies develop in line with fundamental rights. The implementation of its core principles is particularly important in the context of data-intensive processing. The GDPR's risk-based and technology-neutral approach ensures a level of data protection that is adequate to address the risks of processing, including through new technologies.
Stakeholders note in particular that the GDPR's principles of purpose limitation and further compatible processing, data minimisation, storage limitation, transparency and accountability, and the conditions under which automated decision-making[106] can lawfully be used, largely address the concerns associated with the use of artificial intelligence. The future-proof and risk-based approach of the GDPR will also be applied in the possible future framework for artificial intelligence and in the implementation of the data strategy. The data strategy aims to promote the availability of data and to create common European data spaces supported by core cloud infrastructure services. As regards personal data, the GDPR constitutes the main legal framework within which effective solutions can be developed on a case-by-case basis, depending on the nature and content of each data space. The GDPR has raised awareness of the protection of personal data both within and outside the EU and has prompted companies to adapt their practices to take account of data protection principles when innovating.

[101] https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-12018-certification-and-identifying-certification_en.
[102] https://edpb.europa.eu/our-work-tools/our-documents/retningslinjer/guidelines-42018-accreditation-certification-bodies_da. Several supervisory authorities have already submitted their accreditation requirements to the Board, both for bodies monitoring codes of conduct and for certification bodies. See the overview at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[103] https://ec.europa.eu/digital-single-market/en/news/towards-more-secure-and-trusted-cloud-europe
[104] Article 28(7) of the GDPR.
[105] As stated by the Council, the European Parliament and the Board in their contributions to the evaluation.
Civil society organisations note, however, that although the GDPR appears to have a positive impact on the development of new technologies, the practices of large digital players have not yet fundamentally changed towards processing that better protects privacy. Rigorous and effective enforcement of the GDPR vis-à-vis large digital platforms and integrated companies, including in areas such as online advertising and micro-targeting, is an essential element in protecting individuals. The Commission is analysing the broader issues relating to the market behaviour of large digital players in the context of the Digital Services Act package[107]. As regards research on social media, the Commission recalls that the GDPR cannot be used as an excuse by social media platforms to limit researchers' and fact-checkers' access to non-personal data, such as statistics used as the basis for advertisements targeted at certain categories of individuals, the criteria for designing this targeting, information on fake accounts, etc. The GDPR's technology-neutral and future-proof approach was put to the test during the COVID-19 pandemic and has proved successful. Its principle-based rules supported the development of tools to combat and monitor the spread of the virus.

Challenges
The development and application of new technologies do not call these principles into question. The challenges lie in clarifying how to apply the established principles to the use of specific technologies such as artificial intelligence, blockchain, the Internet of Things, facial recognition or quantum computing. In this context, the European Parliament and the Council stressed the need for continuous monitoring to clarify how the GDPR applies to new technologies and large technology companies.
Furthermore, stakeholders warn that assessing whether the GDPR remains fit for purpose also requires constant monitoring. Industry stakeholders stress that innovation requires the GDPR to be applied in a principle-based way, consistent with its design, rather than in a rigid and formalistic manner. They take the view that Board guidelines on the application of the GDPR's principles, concepts and rules to new technologies such as artificial intelligence, blockchain or the Internet of Things, taking the risk-based approach into account, would help create clarity and greater legal certainty. Such "soft law" tools are well suited to tracking how the GDPR applies to new technologies, as they provide greater legal certainty and can be revised as technology evolves. Some stakeholders also suggest that sector-specific guidance on how the GDPR should apply to new technologies could be useful.

[106] Some stakeholders note, however, that not all automated decision-making in the context of artificial intelligence falls under Article 22 of the GDPR.
[107] https://ec.europa.eu/commission/presscorner/detail/da/ip_20_962.

The Board has stated that it will continue to take into account the impact of new technologies on the protection of personal data. Some stakeholders also stress that it is important for regulators to gain a thorough understanding of how the technology is used and to engage in a dialogue with industry on the development of new technologies. They consider that an approach in which the Regulation is used as a "regulatory sandbox", i.e. as a way of obtaining guidance on the application of the rules, could be an interesting option for testing new technologies and helping companies apply the principle of data protection by design and by default in new technologies. As regards further policy action, stakeholders recommend that any future proposal for a policy on artificial intelligence should be based on the existing legal frameworks and aligned with the GDPR. Potential specific issues should be carefully assessed on the basis of relevant evidence before new proposals for specific rules are made. The Commission's White Paper on artificial intelligence proposes a number of policy options on which stakeholders were invited to comment until 14 June 2020. As regards facial recognition, a technology that can significantly affect individuals' rights, the White Paper recalled the existing legal framework and launched a public debate on whether there may be specific circumstances that could justify the use of artificial intelligence for remote biometric identification in public places, and on common safeguards.

7 INTERNATIONAL TRANSFERS AND GLOBAL COOPERATION
7.1 Privacy: a global issue
The need for the protection of personal data knows no borders, as individuals around the world increasingly value and protect the privacy and security of their data. At the same time, the importance of data flows for individuals, governments, companies and, more generally, society as a whole is an inescapable fact in our interconnected world. They are an integral part of trade, cooperation between public authorities and social interactions.
I den forbindelse sætter den aktuelle covid-19-pandemi også fokus på, hvor kritisk overførsel og udveksling af personoplysninger er for mange vigtige aktiviteter, herunder sikring af kontinuitet i de offentlige og erhvervslivets aktiviteter – ved at muliggøre fjernarbejde og andre løsninger, der er stærkt afhængige af informations- og kommunikationsteknologier, udvikling af samarbejde om videnskabelig forskning i diagnosticering, behandlinger og vacciner og bekæmpelse af nye former for cyberkriminalitet, herunder onlinesvindel, hvor der tilbydes falske lægemidler, der hævder at forebygge eller helbrede covid-19. På denne baggrund skal beskyttelsen af privatlivets fred og fremme af overførsel af oplysninger mere end nogensinde gå hånd i hånd. EU står med sin databeskyttelsesordning, der kombinerer åbenhed over for internationale overførsler med et højt beskyttelsesniveau for enkeltpersoner, godt rustet til at fremme sikre overførsel af oplysninger. Persondataforordningen er allerede blevet et centralt referencepunkt på internationalt plan og har fået mange lande i hele verden til at overveje at indføre moderne regler for beskyttelse af privatlivets fred. Det er i sandhed en universel tendens, der pågår, for blot at nævne nogle eksempler fra Chile til Sydkorea, fra Brasilien til Japan, fra Kenya til Indien, fra Tunesien til Indonesien og fra Californien til Taiwan. Denne udvikling er bemærkelsesværdig ikke blot i en mængdemæssig, men også kvalitativ synsvinkel: mange af de bestemmelser om privatlivets fred, der for nylig er blevet vedtaget, eller som er ved at blive vedtaget, er baseret på et sæt fælles garantier, rettigheder og håndhævelsesmekanismer, der deles af EU. 
I en verden, som alt for ofte er kendetegnet ved forskellige, endog afvigende, reguleringsmæssige tilgange, udgør denne tendens i retning af global konvergens en meget positiv udvikling, som giver nye muligheder for bedre 26 beskyttelse af enkeltpersoner i Europa, samtidig med at der sikres lettere overførsel af oplysninger, og operatørernes transaktionsomkostninger reduceres. For at gribe disse muligheder og gennemføre den strategi, der er beskrevet i meddelelsen fra 2017 om udveksling og beskyttelse af personoplysninger i en globaliseret verden"108 , har Kommissionen i væsentlig grad optrappet sit arbejde vedrørende den internationale dimension af privatlivets fred ved at gøre fuld brug af den tilgængelige "værktøjskasse", jf. nedenfor. Dette omfattede aktivt samarbejde med vigtige partnere med henblik på at nå frem til en "afgørelse om et tilstrækkeligt beskyttelsesniveau", og der blev opnået vigtige resultater såsom skabelsen af verdens største område med frie og sikre overførsler af oplysninger mellem EU og Japan. Ud over indsatsen for at sikre et tilstrækkeligt beskyttelsesniveau har Kommissionen arbejdet tæt sammen med databeskyttelsesmyndighederne i Databeskyttelsesrådet samt med andre interessenter for at udnytte det fulde potentiale i persondataforordningen for internationale overførsler. Dette vedrører modernisering af instrumenter såsom standardkontraktbestemmelser, udvikling af certificeringsordninger, adfærdskodekser eller administrative ordninger for dataudveksling mellem offentlige myndigheder, samt en præcisering af nøglebegreber vedrørende f.eks. det territoriale anvendelsesområde for EU's databeskyttelsesregler eller anvendelsen af såkaldte "undtagelser" til overførsel af personoplysninger. 
Endelig har Kommissionen intensiveret sin dialog i en række bilaterale, regionale og multilaterale fora for at fremme en global kultur med respekt for privatlivets fred og udvikle en række elementer, der skal sikre konvergens mellem forskellige private systemer til beskyttelse af privatlivets fred. Kommissionen har i sin indsats kunnet støttet sig til aktiv støtte fra EU-Udenrigstjenesten og nettet af EU-delegationer i tredjelande og missioner ved internationale organisationer. Dette har også gjort det muligt at skabe større sammenhæng og komplementaritet mellem de forskellige aspekter af den eksterne dimension af EU's politikker – fra handel til det nye partnerskab mellem EU og Afrika. 7.2 Værktøjskassen for overførsler i persondataforordningen I takt med at flere og flere private og offentlige operatører er afhængige af internationale overførsler af oplysninger som led i deres rutineoperationer, er der et stigende behov for fleksible instrumenter, der kan tilpasses forskellige sektorer, forretningsmodeller og overførselssituationer. For at afspejle disse behov giver persondataforordningen mulighed for en moderniseret værktøjskasse til at lette overførslen af personoplysninger fra EU til et tredjeland eller en international organisation, samtidig med at det sikres, at oplysningerne fortsat er omfattet af et højt beskyttelsesniveau. Denne kontinuitet i beskyttelse er vigtig i betragtning af, at det i dag er let at flytte data på tværs af grænserne, og den beskyttelse, der sikres ved persondataforordningen, ville være ufuldstændig, hvis den var begrænset til behandling inden for EU. 
Med kapitel V i persondataforordningen bekræftede lovgiveren arkitekturen i de overførselsregler, der allerede eksisterede i henhold til direktiv 95/46: dataoverførsler kan finde sted, hvis Kommissionen har truffet en afgørelse om et tilstrækkeligt beskyttelsesniveau over for et tredjeland eller en international organisation, eller, hvis dette ikke er sket, hvis den dataansvarlige eller databehandleren i EU ("dataeksportør") har stillet tilstrækkelige garantier, f.eks. gennem en kontrakt med modtageren ("dataimportøren"). Desuden er de lovmæssige begrundelser for overførsler (såkaldte "undtagelser") fortsat tilgængelige i særlige situationer, hvor lovgiveren har besluttet, at afvejningen mellem interesser gør det muligt at overføre data på visse betingelser. Samtidig har reformen præciseret og forenklet de eksisterende regler, f.eks. ved at præcisere betingelserne for en afgørelse om tilstrækkeligt beskyttelsesniveau eller bindende virksomhedsregler, ved at begrænse godkendelseskravene til meget få, specifikke tilfælde og 108 Meddelelse fra Kommissionen til Europa-Parlamentet og Rådet om udveksling og beskyttelse af personoplysninger i en globaliseret verden", (COM (2017) 7 final af 10.1.2017). 27 fuldstændigt ophæve anmeldelseskravene. Desuden er der indført nye overførselsværktøjer såsom adfærdskodekser eller certificeringsordninger, og mulighederne for at anvende eksisterende instrumenter (f.eks. standardkontraktbestemmelser) er blevet udvidet. Den digitale økonomi i dag giver udenlandske operatører mulighed for (på afstand, men) direkte at deltage i EU's indre marked og konkurrere om europæiske kunder og deres personoplysninger. Hvis de specifikt er rettet mod europæere gennem udbud af varer eller tjenester eller overvågning af deres adfærd, bør de overholde EU-retten på samme måde som EU-operatører. 
Dette afspejles i persondataforordningens artikel 3, som udvider den direkte anvendelse af EU's databeskyttelsesregler til visse dataansvarliges eller databehandleres behandlingsaktiviteter uden for EU. Dette sikrer de nødvendige garantier og desuden lige vilkår for alle virksomheder, der opererer på EU-markedet. Dens brede rækkevidde er en af grundene til, at virkningerne af persondataforordningen også er blevet mærkbare i andre dele af verden. Den detaljerede vejledning, der udsendes af Databeskyttelsesrådet efter en omfattende offentlig høring, er derfor vigtig for at hjælpe udenlandske operatører med at afgøre, om og hvilke behandlingsaktiviteter der er direkte underlagt dens garantier, herunder ved at give konkrete eksempler 109 . Udvidelsen af EU-databeskyttelseslovgivnings anvendelsesområde er imidlertid ikke i sig selv tilstrækkelig til at sikre, at den overholdes i praksis. Som Rådet også har fremhævet110 , er det afgørende at sikre, at udenlandske operatører overholder reglerne, og at de er omfattet af en effektiv håndhævelse. Udpegelsen af en repræsentant i EU (persondataforordningens artikel 27, stk. 1, stk. 2), som enkeltpersoner og tilsynsmyndigheder kan henvende sig til ud over eller i stedet for den ansvarlige virksomhed, der arbejder fra udlandet111 , bør spille en central rolle i denne forbindelse. Denne fremgangsmåde, som også tages mere og mere i brug i andre sammenhænge112 , bør følges mere energisk for at sende et klart budskab om, at manglende etablering i EU ikke fritager udenlandske operatører for deres ansvar i henhold til persondataforordningen. Hvis disse operatører ikke opfylder deres forpligtelse til at udpege en repræsentant113 , bør tilsynsmyndighederne gøre brug af den fulde håndhævelsesværktøjskasse i persondataforordningens artikel 58 (f.eks. offentlige advarsler, midlertidige eller endelige forbud mod behandling i EU, håndhævelse over for fælles dataansvarlige, der er etableret i EU). 
Endelig er det meget vigtigt, at Databeskyttelsesrådet færdiggør sit arbejde med yderligere præcisering af forholdet mellem artikel 3 om den direkte anvendelse af persondataforordningen og reglerne om internationale overførsler i kapitel V114 . Afgørelser om tilstrækkeligheden af beskyttelsesniveauet Input fra interessenter bekræfter, at afgørelser om tilstrækkeligheden af beskyttelsesniveauet fortsat er et vigtigt værktøj for EU's operatører til at overføre personoplysninger til tredjelande på en sikker måde115 . 109 Databeskyttelsesrådet, Retningslinjer 2/2018 om det territoriale anvendelsesområde for databeskyttelsesforordningen, 12.11.2019. Retningslinjerne omhandler flere af de punkter, der blev rejst under den offentlige høring, f.eks. fortolkningen af målretningen og overvågningskriterierne. 110 Se Rådets holdning og resultater, stk. 34, 35 og 38. 111 Se artikel 27, stk. 4, og betragtning 80 i persondataforordningen ("Den udpegede repræsentant bør være underlagt håndhævelsesforanstaltninger i tilfælde af manglende overholdelse fra den dataansvarliges eller databehandlerens side"). 112 Forslag til Europa-Parlamentets og Rådets direktiv om harmoniserede regler for udpegning af retlige repræsentanter med henblik på indsamling af bevismateriale i straffesager (COM(2018) 226 final), artikel 3. Forslag til Europa-Parlamentets og Rådets forordning om forebyggelse af udbredelse af terrorrelateret onlineindhold (COM(2018) 640 final), artikel 16, stk. 2, stk. 3. 113 Ifølge ét indlæg til den offentlige høring er et af de hovedpunkter, der skal behandles, "effektiv håndhævelse og reelle konsekvenser for dem, der har valgt at ignorere dette krav [...]. Det bør navnlig tages i betragtning, at dette også stiller virksomheder, der er etableret i Unionen, ringere i konkurrencen end virksomheder, der ikke opfylder kravene, og som er etableret uden for EU og handler i Unionen." Se EU Business Partners, indlæg af 29. april 2020. 
114 Flere indlæg i den offentlige høring har rejst dette spørgsmål, f.eks. for så vidt angår videregivelse af personoplysninger til modtagere uden for EU, men omfattet af persondataforordningen. 28 Sådanne afgørelser sikrer den mest omfattende, enkle og omkostningseffektive løsning for dataoverførsler, da de sidestilles med overførsler inden for EU, hvilket sikrer sikker og fri udveksling af personoplysninger uden yderligere betingelser eller krav om tilladelse. Afgørelser om tilstrækkeligheden af beskyttelsesniveauet åbner derfor de kommercielle kanaler for EU-operatører og letter samarbejdet mellem offentlige myndigheder, samtidig med at der gives privilegeret adgang til EU's indre marked. Med udgangspunkt i praksis ifølge direktivet fra 1995 giver persondataforordningen udtrykkeligt mulighed for at træffe en afgørelse om tilstrækkelighed med hensyn til et bestemt område i et tredjeland eller til en bestemt sektor eller industri i et tredjeland (den såkaldte "delvise" tilstrækkelighed). Persondataforordningen bygger på erfaringerne fra de seneste år og på de præciseringer, som Domstolen har givet, ved at udarbejde et detaljeret katalog over elementer, som Kommissionen skal tage hensyn til i sin vurdering. Tilstrækkelighedsstandarden kræver et beskyttelsesniveau, der er sammenligneligt (eller "i det væsentlige svarer til") det beskyttelsesniveau, der sikres i EU116 . Dette indebærer en omfattende vurdering af det pågældende tredjelands system som helhed, herunder indholdet af beskyttelse af privatlivets fred, effektiv gennemførelse og håndhævelse samt regler om offentlige myndigheders adgang til personoplysninger, navnlig med henblik på retshåndhævelse og den nationale sikkerhed117 . 
Dette afspejles også i den vejledning, der blev vedtaget af den tidligere artikel 29-Gruppe (og godkendt af Databeskyttelsesrådet), navnlig "referencen vedrørende et tilstrækkeligt beskyttelsesniveau", som yderligere præciserer de elementer, som Kommissionen skal tage hensyn til, når den foretager en tilstrækkelighedsvurdering, herunder ved at give et overblik over "væsentlige garantier" for offentlige myndigheders adgang til personoplysninger118 . Sidstnævnte bygger navnlig på Den Europæiske Menneskerettighedsdomstols retspraksis. Selv om standarden "væsentlig ækvivalens" ikke indebærer en ordret kopiering ("fotokopi") af EU's regler, fordi midlerne til at sikre et sammenligneligt beskyttelsesniveau kan variere mellem forskellige privatlivssystemer, der ofte afspejler forskellige retstraditioner, kræver det ikke desto mindre et stærkt beskyttelsesniveau. Denne standard er begrundet i, at en afgørelse om tilstrækkeligheden af beskyttelsesniveauet i alt væsentligt udvider fordelene ved det indre marked til et tredjeland, for så vidt angår den frie udveksling af data. Det betyder dog også, at der undertiden vil være relevante forskelle mellem det beskyttelsesniveau, der sikres i det pågældende tredjeland, og persondataforordningen, der skal udlignes, f.eks. gennem forhandling af yderligere garantier. Sådanne garantier bør behandles positivt, da de yderligere styrker den beskyttelse, der findes for enkeltpersoner i EU. Samtidig er Kommissionen enig med Databeskyttelsesrådet i betydningen af løbende at overvåge deres anvendelse i praksis, herunder effektiv håndhævelse fra tredjelandes databeskyttelsesmyndigheds side119 . I persondataforordningen præciseres det, at afgørelser om tilstrækkeligheden af beskyttelsesniveauet er "levende instrumenter", som løbende bør overvåges og revideres med jævne mellemrum120 . I 115 Rådets holdning og resultater, stk. 17 Databeskyttelsesrådets bidrag, s. 5-6. 
Flere indlæg i den offentlige høring, herunder fra en række erhvervssammenslutninger (f.eks. den franske sammenslutning af store selskaber, Digital Europe, Global Data Alliance/BSA, Computer & Communication Industry Association (CCIA) eller det amerikanske handelskammer), har opfordret til at intensivere indsatsen, hvad angår afgørelser om tilstrækkelighed, især med vigtige handelspartnere. 116 EU-Domstolens dom af 6.10.2015, sag C-362/14, Maximillian Schrems mod Data Protection Commissioner (herefter "Maximillian Schrems "), præmis 73, 74 og 96. Se ligeledes betragtning 104 i persondataforordningen, som henviser til standarden for grundlæggende ækvivalens. 117 Artikel 45, stk. 2, og betragtning 104 i persondataforordningen. Se ligeledes Schrems, præmis 75, 91-91. 118 Reference vedrørende et tilstrækkeligt beskyttelsesniveau, WP 254, rev. 01, 6.2.2018 (findes på: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108). 119 Se Databeskyttelsesrådets bidrag, s. 5-6. 120 I henhold til persondataforordningens artikel 45, stk. 4, og 5, overvåger Kommissionen løbende udviklingen i tredjelande og gennemgår regelmæssigt – mindst hvert fjerde år – afgørelser om tilstrækkeligheden af beskyttelsesniveauet. De giver også Kommissionen beføjelse til at ophæve, ændre eller suspendere en afgørelse om tilstrækkeligheden af beskyttelsesniveauet, hvis den finder, at det pågældende land eller den pågældende internationale organisation ikke længere sikrer et tilstrækkeligt beskyttelsesniveau. I henhold til persondataforordningens artikel 97, stk. 2, litra a), skal Kommissionen desuden forelægge en 29 overensstemmelse med disse krav fører Kommissionen regelmæssige drøftelser med de relevante myndigheder for proaktivt at følge op på nye udviklinger. 
Siden vedtagelsen af afgørelsen om EU's og USA's værn om privatlivets fred i 2016121 har Kommissionen sammen med repræsentanter for Databeskyttelsesrådet foretaget tre årlige revisioner for at evaluere alle aspekter af rammens funktion122 . Disse undersøgelser er baseret på oplysninger indhentet gennem udvekslinger med de amerikanske myndigheder samt input fra andre interessenter, f.eks. EU's databeskyttelsesmyndigheder, civilsamfundet og brancheorganisationer. De har gjort det muligt at forbedre den praktiske anvendelse af forskellige elementer i rammen. I et bredere perspektiv bidrog de årlige gennemgange til at etablere en bredere dialog med de amerikanske myndigheder om beskyttelse af privatlivets fred i almindelighed og de begrænsninger og garantier, der gælder med hensyn til den nationale sikkerhed i særdeleshed. Som led i sin første evaluering af persondataforordningen skal Kommissionen også revidere de afgørelser om tilstrækkeligheden af beskyttelsesniveauet, der blev vedtaget i henhold til direktivet fra 1995123 . Kommissionens tjenestegrene er gået i intens dialog med hvert af de 11 berørte lande og territorier med henblik på at vurdere, hvordan deres systemer for beskyttelse af personoplysninger har udviklet sig, siden afgørelsen om tilstrækkeligheden af beskyttelsesniveauet blev vedtaget, og om de opfylder den standard, der er fastsat i persondataforordningen. Behovet for at sikre kontinuitet i sådanne afgørelser, da de er et vigtigt redskab for handel og internationalt samarbejde, er en af de faktorer, der har fået flere af disse lande og territorier til at modernisere og styrke deres lovgivning om privatlivets fred. Dette er helt klart en positiv udvikling. Der drøftes yderligere beskyttelsesforanstaltninger med nogle af disse lande og territorier for at tage højde for relevante forskelle i beskyttelsen. Da Domstolen imidlertid kan tænkes at give nærmere anvisninger i en dom, der forventes afsagt den 16. 
juli i en sag, og som kan være relevante for visse elementer af tilstrækkelighedsstandarden, vil Kommissionen særskilt aflægge rapport om evalueringen af de nævnte 11 afgørelser om tilstrækkeligheden af beskyttelsesniveauet, efter at Domstolen har afsagt dom i denne sag124 . Kommissionen gennemførte også den strategi, der blev fastlagt i meddelelsen fra 2017 om udveksling og beskyttelse af personoplysninger i en globaliseret verden125 . evalueringsrapport for Europa-Parlamentet og Rådet senest i 2020. Se også EU-Domstolens dom af 6.10.2015, sag C-362/14, Maximillian Schrems mod Data Protection Commissioner, præmis 76. 121 Kommissionens gennemførelsesafgørelse (EU) 2016/1250 af 12. juli 2016 i henhold til Europa-Parlamentets og Rådets direktiv 95/46/EF om tilstrækkeligheden af den beskyttelse, der opnås ved hjælp af EU's og USA's værn om privatlivets fred. Denne afgørelse om tilstrækkeligheden af beskyttelsesniveauet er et specifikt tilfælde, som i mangel af en generel databeskyttelseslovgivning i USA er afhængigt af tilsagn fra deltagende virksomheder (som kan håndhæves under amerikansk lovgivning) om anvendelse af de databeskyttelsesstandarder, der er fastsat i denne ordning. Desuden bygger værnet om privatlivets fred på de specifikke udredninger og garantier, som den amerikanske regering har afgivet med hensyn til adgang til nationale sikkerhedsformål, som understøtter konstateringen af et tilstrækkeligt beskyttelsesniveau. 122 Revisionen fandt sted i 2017 (Rapport fra Kommissionen til Europa-Parlamentet og Rådet om den første årlige evaluering af EU's og USA's værn om privatlivets fred (COM (2017) 611 final), 2018 (Rapport fra Kommissionen til Europa-Parlamentet og Rådet om den anden årlige evaluering af EU's og USA's værn om privatlivets fred (COM (2018) 860 final) og 2019 (Rapport fra Kommissionen til Europa-Parlamentet og Rådet om den tredje årlige evaluering af EU's og USA's værn om privatlivets fred (COM (2019) 495 final). 
123 Disse eksisterende afgørelser om tilstrækkeligheden af beskyttelsesniveauet vedrører lande, der er tæt integreret med Den Europæiske Union og dens medlemsstater (Schweiz, Andorra, Færøerne, Guernsey, Jersey, Isle of Man), vigtige samhandelspartnere (f.eks. Argentina, Canada og Israel) og lande, der har spillet en pionerrolle i udviklingen af databeskyttelseslove i deres område (New Zealand, Uruguay). 124 Sag C-311/18, Data Protection Commissioner mod Facebook Ireland Limited, Maximillian Schrems ("Schrems II"), vedrører en anmodning om en præjudiciel afgørelse om de såkaldte standardkontraktbestemmelser. Der er dog visse elementer af tilstrækkelighedsstandarden, der også kan blive afklaret yderligere af Domstolen. Retsmødet i denne sag fandt sted den 9.7.2019, og dommen er blevet offentliggjort den 16.7.2020. 125 Se fodnote 109 ovenfor. Kommissionen forklarede , at der vil blive taget hensyn til følgende kriterier ved vurderingen af, med hvilke lande der bør indledes en dialog om tilstrækkeligheden: i) omfanget af EU's (faktiske eller potentielle) handelsforbindelser med tredjelandet, herunder eksistensen af en frihandelsaftale eller igangværende forhandlinger ii) omfanget af strømmene af personoplysninger fra EU, der afspejler geografiske og/eller kulturelle bånd iii) tredjelandets 30 Dette arbejde har allerede givet betydelige resultater, der involverer vigtige partnere i EU. I januar 2019 vedtog Kommissionen sin afgørelse om tilstrækkeligheden af beskyttelsesniveauet for Japan, som er baseret på en høj grad af konvergens, herunder gennem specifikke beskyttelsesforanstaltninger, f.eks. med hensyn til videreoverførsel, og gennem oprettelsen af en mekanisme til at undersøge og løse borgeres klager vedrørende statens adgang til personoplysninger til retshåndhævelsesformål og til nationale sikkerhedsformål. 
Som den første afgørelse om tilstrækkeligheden af beskyttelsesniveauet, der blev vedtaget i henhold til persondataforordningen, danner de rammer, der er aftalt med Japan, en nyttig præcedens for fremtidige afgørelser126 . Dette omfatter det forhold, at det blev gengældt fra japansk side med en afgørelse om tilstrækkeligheden af beskyttelsesniveauet for EU. Tilsammen skaber disse gensidige afgørelser om tilstrækkelighed det største område med sikker og fri overførsel af oplysninger i verden og supplerer den økonomiske partnerskabsaftale mellem EU og Japan. Ordningen er hvert år til støtte for handel med varer for omkring 124 mia. EUR og for handel med tjenesteydelser for 42,5 mia. EUR. Tilstrækkelighedsprocessen er også kommet langt i Sydkorea. Et vigtigt resultat heraf er Sydkoreas nylige lovgivningsreform, der førte til oprettelsen af en uafhængig databeskyttelsesmyndighed, der er udstyret med omfattende håndhævelsesbeføjelser. Dette illustrerer, hvordan en dialog om tilstrækkelighed kan bidrage til øget konvergens mellem EU's og et tredjelands databeskyttelsesregler. Kommissionen er helt enig i opfordringen fra interessenter til at intensivere dialogen med udvalgte tredjelande med henblik på eventuelle nye afgørelser om tilstrækkeligheden af beskyttelsesniveauet127 . Den er aktivt gået i gang med at undersøge denne mulighed med andre vigtige partnere på grundlag af den nuværende tendens til en opadgående global konvergens inden for databeskyttelsesstandarder. F.eks. er den omfattende lovgivning om privatlivets fred blevet vedtaget eller er langt fremme i lovgivningsprocessen i Latinamerika (Brasilien, Chile), og udviklingen tegner lovende i Asien (f.eks. Indien, Indonesien, Malaysia, Sri Lanka, Taiwan og Thailand), Afrika (f.eks. Etiopien og Kenya) samt i de østeuropæiske og sydlige nabolande (f.eks. Georgien og Tunesien). 
Hvor det er muligt, vil Kommissionen arbejde på at opnå omfattende afgørelser om tilstrækkelighed, der omfatter både den private og den offentlige sektor128 . Desuden blev Kommissionens mulighed for at vedtage afgørelser om tilstrækkeligheden af beskyttelsesniveauet for internationale organisationer også indført i persondataforordningen. Nu, hvor nogle internationale organisationer er i færd med at modernisere deres databeskyttelsesordninger ved at indføre omfattende regler, samt mekanismer, der sikrer uafhængig kontrol og klageadgang, kunne denne mulighed undersøges for første gang. pionerrolle inden for beskyttelse af privatlivets fred og databeskyttelse, der kunne tjene som model for andre lande i regionen og iv) de overordnede politiske forbindelser med tredjelandet, navnlig i forbindelse med fremme af fælles værdier og fælles mål på internationalt plan. 126 Europa-Parlamentets beslutning af 13. december 2018 om tilstrækkeligheden af den beskyttelse af personoplysninger, der gives af Japan (2018/2979 (RSP)), punkt 27 Databeskyttelsesrådets bidrag, s. 5-6. 127 Se f.eks. Europa-Parlamentet, beslutning af 12. december 2017 om udvikling af en digital handelsstrategi (2017/2065 (INI)), punkt 8 og 9 Rådets holdning og resultater vedrørende anvendelse af den generelle forordning om databeskyttelse (GDPR), 19.12.2019 (14994/1/19), punkt 17 Databeskyttelsesrådets bidrag, s. 5. 128 Jf. også Rådets anmodning herom, se Rådets holdning og resultater vedrørende anvendelse af den generelle forordning om databeskyttelse (GDPR), 19.12.2019 (14994/1/19), punkt 17 og 40. Dette kræver dog, at betingelserne for en afgørelse om tilstrækkeligheden af beskyttelsesniveauet vedrørende dataoverførsler til offentlige myndigheder er opfyldt, herunder med hensyn til et uafhængigt tilsyn. 31 Tilstrækkelighed spiller ligeledes en vigtig rolle i sammenhæng med forholdet til Det Forenede Kongerige efter brexit, forudsat at de gældende betingelser opfyldes. 
Den udgør en faktor for fremme af handel, herunder digital handel, og er en afgørende forudsætning for et tæt og ambitiøst samarbejde om retshåndhævelse og sikkerhed129 . I betragtning af betydningen af overførsel af oplysninger til Det Forenede Kongerige og landets nærhed til EU-markedet er en høj grad af konvergens mellem databeskyttelsesreglerne på begge sider af Kanalen desuden et vigtigt element for at sikre lige konkurrencevilkår. I overensstemmelse med den politiske erklæring om det fremtidige forhold mellem EU og Det Forenede Kongerige foretager Kommissionen i øjeblikket en tilstrækkelighedsvurdering i henhold til både persondataforordningen og direktivet om retshåndhævelse130 . I betragtning af den selvstændige og ensidige karakter af en tilstrækkelighedsvurdering følger disse forhandlinger et særskilt spor i forhold til forhandlingerne om en aftale om det fremtidige forhold mellem EU og Det Forenede Kongerige. Endelig har Kommissionen med tilfredshed bemærket, at andre lande er i færd med at indføre mekanismer til dataoverførsel, der minder om en afgørelse om tilstrækkeligheden af beskyttelsesniveauet. I den forbindelse anerkender de ofte EU og de lande, for hvilke Kommissionen har vedtaget en afgørelse om tilstrækkeligheden af beskyttelsesniveauet, som sikre destinationer for overførslers131 . Det stigende antal lande, der drager fordel af EU's afgørelser om tilstrækkeligheden af beskyttelsesniveauet på den ene side og denne form for anerkendelse fra andre lande på den anden side, har potentiale til at skabe et netværk af lande, hvor data kan flyde frit og sikkert. Kommissionen anser dette for at være en velkommen udvikling, der yderligere vil øge fordelene ved en afgørelse om tilstrækkeligheden af beskyttelsesniveauet for tredjelande og bidrage til global konvergens. Denne type synergier kan også med fordel bidrage til at udvikle rammer for sikker og fri udveksling af data, f.eks. i forbindelse med initiativet "Data Free Flow with Trust" (se nedenfor). 
Fornødne garantier Persondataforordningen indeholder bestemmelser om en række andre overførselsinstrumenter ud over den omfattende løsning med en afgørelse om tilstrækkeligheden af beskyttelsesniveauet. Fleksibiliteten i denne "værktøjskasse" fremgår af persondataforordningens artikel 46, som regulerer dataoverførsler baseret på "passende garantier", herunder rettigheder, der kan håndhæves, og effektive retsmidler. For at sikre passende sikkerhedsforanstaltninger er der forskellige instrumenter til rådighed til at imødekomme både kommercielle aktørers og offentlige organers behov for overførsler. Standardkontraktbestemmelser Den første gruppe af disse instrumenter vedrører aftalemæssige redskaber, der kan være enten skræddersyede, ad hoc-databeskyttelsesklausuler aftalt mellem en dataeksportør i EU og en dataimportør uden for EU, der er godkendt af den kompetente databeskyttelsesmyndighed (persondataforordningens artikel 46, stk. 3, litra a)), eller standardbestemmelser, som Kommissionen har godkendt (persondataforordningens artikel 46, stk. 2, litra c), d)132 ). De vigtigste af disse instrumenter er såkaldte 129 Se forhandlingsdirektiverne i bilaget til Rådets afgørelse om bemyndigelse til at indlede forhandlinger med Det Forenede Kongerige Storbritannien og Nordirland om en ny partnerskabsaftale (ST 5870/20 ADD 1 REV 3), punkt 13 og 118. 130 Se den reviderede politiske erklæring om rammen for de fremtidige forbindelser mellem Den Europæiske Union og Det Forenede Kongerige, som der var opnået enighed om på forhandlerniveau den 17. oktober 2019, punkt 8-10 (findes på https://ec.europa.eu/commission/sites/beta-political/files/revised_political_declaration.pdf). 131 F.eks. fra Argentina, Colombia, Israel, Schweiz eller Uruguay. 132 Standardkontraktbestemmelser for internationale overførsler kræver altid Kommissionens godkendelse, men kan udarbejdes af Kommissionen selv eller af en national databeskyttelsesmyndighed. 
Alle eksisterende standardkontraktbestemmelser falder ind under den første kategori. 32 standardkontraktbestemmelser, dvs. standardbestemmelser om databeskyttelse, som dataeksportøren og dataimportøren kan indarbejde i deres aftalemæssige ordninger (f.eks. en tjenesteydelseskontrakt, der kræver videregivelse af personoplysninger) på frivillig basis, og som fastsætter de krav, der er forbundet med de fornødne garantier. Standardkontraktbestemmelser udgør langt den mest udbredte dataoverførselsmekanisme133 . Tusindvis af virksomheder i EU er afhængige af standardkontraktbestemmelser for at levere en bred vifte af tjenester til deres kunder, leverandører, partnere og ansatte, herunder tjenesteydelser, der er af afgørende betydning for, at økonomien kan fungere. Deres brede anvendelse tyder på, at de er meget nyttige for virksomhederne i deres bestræbelser på at sikre deres overholdelse, og at de især er til fordel for virksomheder, der ikke har ressourcerne til at forhandle individuelle kontrakter med hver enkelt af deres samhandelspartnere. Gennem standardisering og forhåndsgodkendelse giver standardkontraktbestemmelser virksomhederne adgang til et værktøj, der er let at gennemføre for at opfylde databeskyttelseskravene i forbindelse med en overførsel. De eksisterende standardkontraktbestemmelser134 er blevet vedtaget og godkendt på grundlag af direktivet fra 1995. Disse standardkontraktbestemmelser forbliver i kraft, indtil de ændres, erstattes eller ophæves, om nødvendigt ved en kommissionsafgørelse (persondataforordningens artikel 46, stk. 5). Persondataforordningen udvider mulighederne for at anvende standardkontraktbestemmelser både i EU og i forbindelse med internationale overførsler. Kommissionen arbejder sammen med interessenterne for at udnytte disse muligheder og ajourføre eksisterende bestemmelser135 . 
To ensure that the future design of standard contractual clauses is fit for purpose, the Commission has gathered feedback on stakeholders' experience with standard contractual clauses through the GDPR multi-stakeholder group and a dedicated workshop held in September 2019, but also through several contacts with companies using standard contractual clauses and with civil society organisations. The Board is likewise updating a number of guidelines that could be relevant to the revision of standard contractual clauses, e.g. on the concepts of controller and processor. On the basis of the feedback received, the Commission services are currently working on revising the standard contractual clauses. In that context, a number of areas in need of improvement have been identified, in particular with respect to the following aspects:

1. Updating the standard contractual clauses in light of the new requirements introduced by the GDPR, e.g. regarding the controller-processor relationship under Article 28 GDPR (in particular the processor's obligations), the data importer's transparency obligations (as regards the information to be provided to the data subject), etc.

2. Addressing a number of transfer scenarios not covered by the current standard contractual clauses, e.g. the transfer of data from an EU processor to a non-EU (sub-)processor, but also situations where the controller is located outside the EU136.

3. Better reflecting the realities of data processing in the modern digital economy, where such operations often involve multiple data importers and exporters, long and often complex processing chains, new business relationships, etc. To account for such situations, the solutions currently under examination include, for example, the possibility for several parties to sign the standard contractual clauses, or for new parties to accede during the lifetime of the contract.

In addressing these points, the Commission is also considering how the current "architecture" can be made more user-friendly, e.g. by replacing several sets of standard contractual clauses with a single comprehensive document.

133 According to the IAPP-EY Annual Privacy Governance Report 2019, the most popular of these [transfer] tools, year after year, are by an overwhelming margin standard contractual clauses: 88% of respondents in this year's survey reported that standard contractual clauses were their top method for extraterritorial data transfers, followed by compliance with the EU-US Privacy Shield (60%). As regards data transferred from the EU to the United Kingdom (52%), 91% of respondents intend to use standard contractual clauses for data transfers after
134 There are currently three sets of standard contractual clauses adopted by the Commission for the transfer of personal data to third countries: two for transfers from a controller in the EEA to a controller outside the EEA, and one for transfers from a controller in the EEA to a processor outside the EEA. They were amended in 2016 following the judgment of the Court of Justice in Schrems I (C-362/14), which removed any restriction on the powers of the competent supervisory authorities to supervise data transfers. See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
135 See also the EDPB contribution, pp. 6-7. Similarly, the Council has called on the Commission to review and revise the [standard contractual clauses] in the near future to take account of the needs of controllers and processors. See the Council position and findings.
The challenge is to strike a good balance between, on the one hand, the need for clarity and a certain degree of standardisation and, on the other hand, the flexibility needed to allow operators with different requirements to use the clauses in different contexts and for different types of transfers. Another important aspect to consider is that, in light of the pending litigation before the Court of Justice137, there may be a need to further clarify the safeguards concerning access by foreign public authorities to data transferred on the basis of standard contractual clauses, in particular for national security purposes. This may include requirements for the data importer or the data exporter, or both, to take measures, and clarification of the role of data protection authorities in this regard. Although the revision of the standard contractual clauses is well advanced, it will be necessary to await the judgment of the Court in order to take account of any additional requirements in the revised clauses before a draft decision on a new set of standard contractual clauses can be submitted to the Board for its opinion and then proposed for adoption through the "comitology" procedure138. In parallel, the Commission is in contact with international partners that are developing similar tools139. This dialogue, which allows for the exchange of experience and best practice, can contribute significantly to further convergence in practice and thereby facilitate compliance with the rules on cross-border transfers for companies operating across different regions of the world.

Binding corporate rules

Another important instrument is the so-called binding corporate rules. These are legally binding policies and arrangements that apply to the members of a corporate group, including its employees (Article 46(2)(b) and Article 47 GDPR).
The use of binding corporate rules allows personal data to move freely between the various members of the group worldwide, avoiding the need to conclude contractual arrangements between each individual legal entity, while ensuring that the same high level of protection of personal data is observed throughout the group. They are a particularly good solution for complex and large corporate groups and for close cooperation between companies exchanging data across several jurisdictions. Unlike under the 1995 Directive, binding corporate rules can be used by a group of enterprises engaged in a joint economic activity that do not belong to the same corporate group.

136 Several submissions to the public consultation comment on this last scenario, often expressing concern that a requirement for EU processors to ensure appropriate safeguards in their relationship with non-EU controllers would put them at a competitive disadvantage vis-à-vis foreign processors offering similar services.
137 See the Schrems II case.
138 In accordance with Article 46(2)(c) GDPR, standard contractual clauses are to be adopted in accordance with the examination procedure in Article 5 of Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). This implies in particular a positive decision by a committee composed of representatives of the Member States.
139 This includes, for example, the work currently being carried out by the ASEAN Member States to develop "ASEAN standard contractual clauses". See ASEAN, Key Approaches for ASEAN Cross Border Data Flows Mechanism (available at: https://asean.org/storage/2012/05/Key-Approaches-for-ASEAN-Cross-Border-Data-Flows-Mechanism.pdf).
Procedurally, binding corporate rules must be approved by the competent data protection authorities on the basis of a non-binding opinion of the Board140. To guide this process, the Board has reviewed the referentials for binding corporate rules (setting out the substantive standards) for controllers141 and processors142 in light of the GDPR, and is continuously updating these documents on the basis of the practical experience of supervisory authorities. It has also adopted various guidance documents to assist applicants and to streamline the application and approval process for binding corporate rules143. According to the Board, more than 40 binding corporate rules are currently in the approval pipeline, half of which are expected to be approved by the end of 2020144. It is important that data protection authorities continue their work to further streamline the approval process, as the duration of such procedures is often cited by stakeholders as a practical obstacle to a wider uptake of binding corporate rules. As regards binding corporate rules approved by the UK data protection authority, the Information Commissioner's Office, companies will be able to continue to rely on them as a valid transfer mechanism under the GDPR after the end of the transition period under the EU-UK Withdrawal Agreement, but only if they are amended so that any link to the UK legal order is replaced by appropriate references to legal entities and competent authorities in the EU. Approval of new binding corporate rules should be sought from one of the supervisory authorities in the EU.
Certification schemes and codes of conduct

Beyond modernising and broadening the use of already existing transfer tools, the GDPR has also introduced new instruments, thereby expanding the possibilities for international transfers. This includes, under certain conditions, the use of approved codes of conduct and certification mechanisms (e.g. data security seals) for the purpose of providing appropriate safeguards. These are bottom-up tools that allow for tailor-made solutions, both as a general accountability mechanism (see Articles 40-42 GDPR) and specifically for international transfers of data, reflecting, for example, the specific characteristics and needs of a given sector or industry, or of a particular type of data transfer. Codes of conduct can also be a very useful and cost-effective way for small and medium-sized enterprises to meet their obligations under the GDPR. The Board has adopted guidelines to promote the use of certification mechanisms within the EU, while continuing its work on developing criteria for approving them as international transfer tools. The same applies to codes of conduct, where the Board is currently working on guidelines on their use as a transfer tool. Given the importance of providing operators with a broad range of transfer tools adapted to their needs, and the potential of certification mechanisms in particular to facilitate data transfers while ensuring a high level of data protection, the Commission urges the Board to finalise its guidance on this as soon as possible. This concerns both substantive (criteria) and procedural aspects (approval, monitoring, etc.). Stakeholders have shown great interest in these transfer mechanisms and should be in a position to make full use of the GDPR. The Board's guidelines will also help to promote the EU model of data protection globally and foster convergence, as other privacy systems use similar instruments. Useful lessons can be drawn from existing standardisation efforts in the area of privacy, both at European and international level. One interesting example is the recently published international standard ISO 27701145, which aims to help companies meet privacy requirements and manage the risks associated with the processing of personal data by means of privacy information management systems. Although certification against the standard does not meet the requirements of Articles 42 and 43 GDPR, the use of information management systems can contribute to accountability, including in the context of international data transfers.

140 See https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en for an overview of the opinions issued by the Board to date.
141 https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109.
142 https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110.
143 These documents were adopted (by the former Article 29 Working Party) after the entry into force of the GDPR but before the end of the transition period. See WP263 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623056); WP264 (https://edpb.europa.eu/sites/edpb/files/files/file2/wp264_art29_wp_bcr-c_application_form.pdf); WP265 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623848).
144 EDPB contribution, p. 7.
International agreements and administrative arrangements

The GDPR also makes it possible to provide appropriate safeguards for data transfers between public authorities or bodies on the basis of international agreements (Article 46(2)(a)) or administrative arrangements (Article 46(3)(b)). While both instruments must achieve the same result in terms of safeguards, including the availability of enforceable data subject rights and effective legal remedies, they differ in their legal nature and in the procedure for their adoption. Unlike international agreements, which create binding obligations under international law, administrative arrangements (e.g. in the form of a memorandum of understanding) are typically non-binding and therefore require prior authorisation from the competent data protection authority (see also recital 108 GDPR). An early example is the administrative arrangement for the transfer of personal data between supervisory authorities within the EEA and supervisory authorities outside the EEA cooperating within the framework of the International Organization of Securities Commissions (IOSCO), on which the Board issued an opinion146 in early 2019. Since then, the Board has further developed its interpretation of the "minimum safeguards" that international (cooperation) agreements and administrative arrangements between public authorities or bodies (including international organisations) must ensure in order to meet the requirements of Article 46 GDPR. On 18 January 2020 it adopted draft guidelines147 addressing the Member States' request for further clarification and guidance on what can be considered appropriate safeguards for transfers between public authorities148. The Board strongly recommends that public authorities use these guidelines as a reference point for their negotiations with third parties149.
145 The list of specific requirements included in this ISO standard is available at: https://www.iso.org/standard/71670.html.
146 European Data Protection Board, Opinion 4/2019 on the draft Administrative Arrangement for the transfer of personal data between European Economic Area (EEA) Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities, 12.2.2019.
147 European Data Protection Board, Guidelines 2/2020 on Articles 46(2)(a) and 46(3)(b) of Regulation (EU) 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (draft available at: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-22020-articles-46-2-and-46-3-b_en). According to the Board, the competent supervisory authority will base its examination on the general recommendations in these guidelines, but may also request further safeguards depending on the specific case. The Board submitted these draft guidelines to public consultation, which ended on 18 May 2020.
148 Council position and findings, point 20.
149 As regards the choice of instrument, the Board also stresses that public authorities remain free to rely on other relevant tools providing appropriate safeguards in accordance with Article 46 GDPR. As regards the choice of instrument, the Board stresses that careful consideration should be given to whether administrative arrangements that are not legally binding should be used to provide safeguards in the public sector, taking into account the purpose of the processing and the nature of the data at hand. If data protection rights and redress for EEA individuals are not anchored in the domestic law of the third country, the conclusion of a legally binding agreement should be favoured. Whatever the type of legal instrument, the applicable measures must be effective to ensure appropriate implementation, enforcement and supervision (point 67).

The guidelines demonstrate the flexibility in the design of such instruments, including important aspects such as oversight150 and redress151. This should enable public authorities to overcome the difficulties of, for example, ensuring that data subjects' rights are enforceable by means of non-binding arrangements. An important element of such arrangements is continued monitoring by the competent data protection authority, supported by information and record-keeping requirements, and the suspension of data transfers if appropriate safeguards can no longer be ensured in practice.

Derogations

Finally, the GDPR clarifies the use of so-called "derogations". These are specific grounds for the transfer of data (e.g. explicit consent152, performance of a contract or important reasons of public interest) recognised by law, on which entities may rely in the absence of other transfer tools and under certain conditions. To clarify the use of such legal grounds, the Board has issued specific guidelines153 and has interpreted Article 49 in a number of cases with respect to specific transfer scenarios154. Given their exceptional nature, the Board considers that the derogations must be interpreted restrictively on a case-by-case basis. Despite a strict interpretation, these grounds cover a wide range of transfer scenarios. This includes in particular transfers of data, by public authorities as well as private entities, for "important reasons of public interest", e.g. between competition authorities, tax or customs administrations, financial supervisory authorities or social security authorities, or for public health purposes (e.g. in the case of contact tracing for infectious diseases or to reduce and/or eliminate doping in sport)155. Another area is cross-border cooperation for the purposes of criminal law enforcement, in particular as regards serious crime156. The Board has clarified that, while the relevant public interest must be recognised in EU law or the national law of a Member State, this may also be established on the basis that "an international agreement or convention which recognises a certain objective and provides for international cooperation to foster that objective can be an indicator when assessing the existence of a public interest pursuant to Article 49(1)(d), as long as the EU or the Member States are a party to that agreement or convention"157.

150 This may include, for example, a combination of internal controls (with an obligation to inform the other party of cases of non-compliance), independent oversight through external or at least functionally independent mechanisms, and the possibility for the transferring public body to suspend or terminate the transfer.
151 This may include, for example, quasi-judicial, binding mechanisms (e.g. arbitration) or alternative dispute resolution mechanisms, combined with the possibility for the transferring public authority to suspend or terminate the transfer of personal data if the parties fail to resolve a dispute amicably, plus a commitment by the receiving public body to return or delete the personal data. When choosing alternative redress mechanisms that are binding and enforceable because effective judicial redress is not available, the Board recommends that the competent supervisory authority be consulted before these instruments are concluded.
152 This is a change from Directive 95/46, which required only "unambiguous" consent. In addition, the general requirements for consent under Article 4(11) GDPR apply.
153 European Data Protection Board, Guidelines 2/2018 on derogations of Article 49 under Regulation (EU) 2016/679, 25.5.2018 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf).
154 This includes, for example, international transfers of health data for research purposes in the context of the COVID-19 outbreak. See European Data Protection Board, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 21.4.2020 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf).
155 See recital 112.
156 See the amicus curiae brief of the European Commission on behalf of the European Union in support of neither party in United States v. Microsoft, p. 15: "In general, EU law, as well as the laws of the Member States, recognises the importance of fighting serious crime and thus of criminal law enforcement and international cooperation in that area, as an objective of general interest. [...] Article 83 TFEU identifies several areas of crime that are particularly serious and have a cross-border dimension, such as illicit drug trafficking." (available at: https://www.supremecourt.gov/DocketPDF/17/17-2/23655/20171213123137791_17-2%20ac%20European%20Commission%20for%20filing.pdf).
Decisions of foreign courts or authorities: not a ground for transfers

In addition to positively setting out the grounds for transferring data, Chapter V of the GDPR also clarifies, in Article 48, that judgments of courts or decisions of administrative authorities outside the EU are not in themselves legitimate grounds for transfers, unless they are recognised or enforceable on the basis of an international agreement (e.g. a mutual legal assistance treaty). Any disclosure by the requested entity to the foreign court or authority in response to such a judgment or decision constitutes an international transfer of data, which must be based on one of the transfer instruments mentioned above158. The GDPR is not a "blocking statute" and will, under certain conditions, allow a transfer in response to an appropriate enforcement request from a third country. The important point is that it should be EU law that determines whether this is the case, and on the basis of which safeguards such transfers may take place. The Commission explained how Article 48 GDPR operates, including the possible use of the public interest derogation in connection with a warrant issued by a foreign law enforcement authority, in the Microsoft case before the US Supreme Court159. In its brief, the Commission stressed the EU's interest in ensuring that law enforcement cooperation takes place "within a legal framework that avoids conflicts of law and is based on [...] respect for each other's fundamental interests, both in terms of privacy and law enforcement"160. "[W]hen a public authority requires a company established in its own jurisdiction to produce electronic data stored on a server in a foreign jurisdiction, it is in particular the principles of territoriality and comity under international law that apply"161.
157 European Data Protection Board, Guidelines on derogations (footnote 153 above), p. 10. The Board further clarified that, while data transfers based on the public interest derogation may not take place "on a large scale" or "systematically" but must be "limited to specific situations and [...] meet the strict necessity test", there is no requirement that they be "occasional".
158 This is clear from the wording of Article 48 GDPR ("without prejudice to other grounds for transfer pursuant to this Chapter") and the accompanying recital 115 ("[T]ransfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject"). This is also recognised by the Board, cf. Guidelines on derogations (footnote 153 above, p. 5). As for any processing, the other safeguards of the Regulation must also be complied with (e.g. that the data are transferred for a specific purpose, are relevant, limited to what is necessary to respond to the request, etc.).
159 Microsoft brief (footnote 156 above). As the Commission explained, the GDPR means that mutual legal assistance treaties are "preferred" for transfers, since such treaties "allow for the gathering of evidence by consent and reflect a carefully negotiated balance between the interests of the different states concerned, aimed at addressing the conflicts of jurisdiction that might otherwise arise." See also the Board's Guidelines on derogations (footnote 153 above), p. 5 ("In situations where there is an international agreement, such as a mutual legal assistance treaty, EU companies should generally refuse direct requests and refer the requesting third country authority to an existing mutual legal assistance treaty or agreement").
160 Microsoft brief (footnote 156 above), p. 4.
161 Microsoft brief (footnote 156 above), p. 6.

This is also reflected in the Commission's proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters162, which contains a specific comity clause allowing a production order to be challenged where the law of a third country prohibits disclosure, in particular on the ground that this is necessary to protect the fundamental rights of the individuals concerned163. Ensuring comity is important given that law enforcement, like crime and in particular cybercrime, is increasingly cross-border and therefore often raises jurisdictional questions and creates potential conflicts of law164. Not surprisingly, the best way to address these issues is through international agreements that lay down the necessary limitations and safeguards for cross-border access to personal data, including by ensuring a high level of data protection on the part of the requesting authority. The Commission, acting on behalf of the EU, is currently participating in multilateral negotiations on a Second Additional Protocol to the Council of Europe Convention on Cybercrime (the "Budapest Convention"), which aims to strengthen the existing rules for obtaining cross-border access to electronic evidence in criminal investigations, while ensuring appropriate data protection safeguards as part of the protocol165. Likewise, bilateral negotiations have been launched on an EU-US agreement on cross-border access to electronic evidence for judicial cooperation in criminal matters166.
The Commission counts on the support of the European Parliament and the Council, and on the guidance of the European Data Protection Board, in these negotiations. More generally, it is important to ensure that when companies active on the European market are asked, on the basis of a legitimate request, to share data for law enforcement purposes, they can do so without facing conflicts of law and in full respect of the EU's fundamental rights. To improve such transfers, the Commission is committed to developing appropriate legal frameworks with its international partners to avoid conflicts of law and support effective forms of cooperation, in particular by providing the necessary data protection safeguards, thereby contributing to a more effective fight against crime.

162 European Commission, Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters (COM(2018) 225 final of 17.4.2018). The Council adopted its general approach on the proposed Regulation on 7.12.2018 (available at: https://www.consilium.europa.eu/en/press/press-releases/2018/12/07/regulation-on-cross-border-access-to-eevidence-council-agrees-its-position/#). See also EDPS, Opinion 7/19 on proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters (available at: https://edps.europa.eu/data-protection/ourwork/publications/opinions/electronic-evidence-criminal-matters_en).
163 The explanatory memorandum, p. 21, clarifies that, beyond ensuring comity with respect to the sovereign interests of third countries, thereby protecting the person concerned and avoiding conflicts of law for service providers, reciprocity, i.e. ensuring respect for EU rules, including the protection of personal data (Article 48 GDPR), is an important motivation for the comity clause. See also the Article 29 Working Party statement of 29.11.2017, Data protection and privacy aspects of cross-border access to electronic evidence (WP29 statement) (available at: file:///C:/Users/ralfs/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/TempState/Downloads/20171207_e-Evidence_Statement_FINALpdf%20(1).pdf), p. 9.
164 See the Article 29 Working Party statement (footnote 163 above), p. 6.
165 See Recommendation for a Council Decision authorising participation in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No. 185), 5.2.2019 (COM(2019) 71 final). See also EDPS, Opinion 3/2019 regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Convention on Cybercrime, 2.4.2019 (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_budapest_convention_en.pdf); EDPB, Contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), 13.11.2019 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbcontributionbudapestconvention_en.pdf).
166 See Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters (COM(2019) 70 final of 5.2.2019). See also EDPS, Opinion 2/2019 on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_on_eu_us_agreement_on_e-evidence_en.pdf).
7.3 International cooperation in the field of data protection

Promoting convergence between different privacy systems also means learning from each other through the exchange of knowledge, experience and best practices. Such exchanges are essential to address the new challenges, which are increasingly global in nature and scope. The Commission has therefore intensified its dialogue on data protection and data flows with a wide range of actors and in various fora at bilateral, regional and multilateral level.

The bilateral dimension

Following the adoption of the GDPR, there has been growing interest in the EU's experience in designing, negotiating and implementing modern privacy rules. The dialogue with countries going through similar processes has taken different forms. The Commission services have contributed to a number of public consultations organised by foreign governments considering privacy legislation, e.g. by the United States167, India168, Malaysia and Ethiopia. In some third countries, the Commission services had the honour of being invited to testify before the competent parliamentary bodies, e.g. in Brazil169, Chile170, Ecuador and Tunisia171. Finally, in the context of ongoing reforms of data protection laws, dedicated meetings were held with government representatives or parliamentary delegations from many regions of the world (e.g. Georgia, Kenya, Taiwan, Thailand and Morocco). This included organising seminars and study visits, e.g. with representatives of the Indonesian government and a delegation of staff from the US Congress.

These exchanges made it possible to clarify important concepts of the GDPR, to improve mutual understanding of privacy matters and to illustrate the benefits of convergence in ensuring a high level of protection of individual rights, trade and cooperation. In some cases, they also made it possible to caution against certain misconceptions of data protection that may lead to the introduction of protectionist measures, such as mandatory localisation requirements.

Since the adoption of the GDPR, the Commission has also been in contact with several international organisations, including in light of the importance of data exchanges with these organisations in a number of policy areas. In particular, a specific dialogue has been established with the United Nations in order to facilitate discussions with all stakeholders involved, so as to ensure smooth data transfers and to develop further convergence between the respective data protection regimes. As part of this dialogue, the Commission will work closely with the Data Protection Board to further clarify how public and private operators in the EU can comply with their data protection obligations when exchanging data with international organisations such as the UN.

The Commission stands ready to continue sharing the experience of its reform process with interested countries and international organisations, just as it learned from other systems when preparing its proposal for new EU data protection rules. This kind of dialogue is mutually beneficial for the EU and its partners, as it allows a better understanding of the current state of play in privacy protection and an exchange of views on new legal and technological solutions.

167 See the submission of DG Justice and Consumers of 9.11.2018 in response to a request for public comments on a proposed approach to consumer privacy [Docket No 180821780-8780-01] from the US National Telecommunications and Information Administration (available at: https://ec.europa.eu/info/sites/info/files/european_commission_submission_on_a_proposed_approach_to_consumer_privacy.pdf).
168 See the submission of DG Justice and Consumers of 19.11.2018 on the draft Personal Data Protection Bill of India 2018 to the Ministry of Electronics and Information Technology (available at: https://eeas.europa.eu/delegations/india/53963/submission-draft-personal-data-protection-bill-india-2018-directorate-general-justice_en).
169 See the plenary session of 17.4.2018 of the Brazilian Senate (https://www25.senado.leg.br/web/atividade/sessao-plenaria/-/pauta/23384), the meeting of 10.4.2019 of the Joint Committee on MP 869/2018 of the Brazilian Congress (https://www12.senado.leg.br/ecidadania/visualizacaoaudiencia?id=15392), and the meeting of 26.11.2019 of the Special Committee of the Brazilian Chamber of Deputies (https://www.camara.leg.br/noticias/616579-comissao-discutira-protecao-de-dados-no-ambito-das-constituicoes-de-outros-paises/).
170 See the meetings of 29.5.2018 (https://senado.cl/appsenado/index.php?mo=comisiones&ac=asistencia_sesion&idcomision=186&idsesion=12513&idpunto=15909&sesion=29/05/2018&listado=1) and of 24.4.2019 (https://www.senado.cl/appsenado/index.php?mo=comisiones&ac=sesiones_celebradas&idcomision=186&tipo=3&legi=485&ano=2019&desde=0&hasta=0&idsesion=13603&idpunto=17283&listado=2) of the Committee on Constitutional, Legislative and Justice Affairs of the Chilean Senate.
171 See the meeting of 2.11.2018 of the Committee on Rights, Freedoms and External Relations of the Tunisian Assembly of the Representatives of the People (https://www.facebook.com/1515094915436499/posts/2264094487203201/).
It is also in this spirit that the Commission is setting up a "Data Protection Academy" to foster exchanges between supervisory authorities in Europe and in third countries, and thereby to improve cooperation in practice. In addition, appropriate legal instruments need to be developed for closer cooperation and mutual assistance, including by allowing the necessary exchanges of information in the context of investigations. The Commission will therefore make use of the powers conferred on it in this area by Article 50 GDPR, and in particular request authorisation to open negotiations for the conclusion of enforcement cooperation agreements with relevant third countries. In this context, it will also take into account the views of the Data Protection Board on which countries should be prioritised in light of the volume of data transfers, the role and powers of the privacy enforcement authority in the third country, and the need for enforcement cooperation on cases of common interest.

The multilateral dimension

Beyond bilateral exchanges, the Commission also actively participates in a number of multilateral fora to promote shared values and build convergence at regional and global level. The increasingly universal membership of Council of Europe Convention 108, the only legally binding multilateral instrument on the protection of personal data, is a clear sign of this trend towards (growing) convergence172. The Convention, which is also open to non-members of the Council of Europe, has already been ratified by 55 countries, including a number of African and Latin American states173. The Commission contributed significantly to the successful outcome of the negotiations on the modernisation of the Convention174 and ensured that it reflects the same principles as those enshrined in the EU's data protection rules. Most EU Member States have now signed the amending Protocol, although signatures are still missing from Denmark, Malta and Romania. Only four Member States (Bulgaria, Croatia, Lithuania and Poland) have ratified the amending Protocol. The Commission calls on the three remaining Member States to sign the modernised Convention, and on all Member States to ratify it swiftly, so that it can enter into force in the near future175. In addition, it will continue to proactively encourage third countries to accede.

Data flows and data protection have also recently been addressed in the G20 and G7. In 2019, world leaders recognised for the first time the importance of data protection in building trust in the digital economy and facilitating data flows. With the Commission's active support176, the leaders endorsed the concept of "Data Free Flow with Trust" (DFFT), originally proposed by Japanese Prime Minister Abe, in the G20 Osaka Leaders' Declaration177 and at the G7 Summit in Biarritz178. This approach is also reflected in the Commission's 2020 Communication on a European strategy for data179, in which it stresses its intention to continue promoting data sharing with trusted partners while fighting abuses, such as disproportionate access to data by (foreign) public authorities. In this respect, the EU will also be able to draw on a range of tools in various policy areas that increasingly take account of privacy implications: for instance, the EU's first framework for the screening of foreign investments, which will apply in full from October 2020, allows the EU and its Member States to screen investment transactions affecting "access to sensitive information, including personal data, or the ability to control such information" where they affect security or public order180.

The Commission works with like-minded countries in several other multilateral fora to actively promote its values and standards. An important forum is the OECD's newly created Working Party on Data Governance and Privacy (DGP), which has launched a number of important initiatives on data protection, data sharing and data flows. This includes the evaluation of the OECD Privacy Guidelines of 2013. In addition, the Commission actively contributed to the OECD Council Recommendation on Artificial Intelligence181 and ensured that the EU's human-centric approach, i.e. that AI applications must comply with fundamental rights and in particular with data protection, was reflected in the final text. Equally important, the AI Recommendation – subsequently incorporated in the G20 AI Principles annexed to the G20 Osaka Leaders' Declaration182 – sets out the principles of transparency and explainability, with a view to enabling those adversely affected by an AI system to challenge its outcome on the basis of plain and easy-to-understand information on the factors and the logic that served as the basis for the prediction, recommendation or decision, thereby closely mirroring the GDPR principles on automated decision-making183.

Finally, the Commission is stepping up its dialogue with regional organisations and networks, which increasingly play a central role in shaping common data protection standards184, promoting the exchange of best practices and fostering cooperation between enforcement authorities. This is particularly the case for the Association of Southeast Asian Nations (ASEAN) – including in the context of its ongoing work on data transfer tools – the African Union, the Asia Pacific Privacy Authorities (APPA) forum and the Ibero-American Data Protection Network, all of which have launched important initiatives in this field and provide fora for a fruitful dialogue between privacy supervisory authorities and other stakeholders.

Africa is a good example illustrating the complementarity between the national, regional and global dimensions of privacy. Digital technologies are rapidly and profoundly transforming the African continent.

172 Importantly, the modernised Convention is not only a treaty laying down strong data protection safeguards, but also creates a network of supervisory authorities equipped with tools to enforce the rules and, with the Convention Committee, a forum for discussion, exchange of best practices and development of international standards.
173 See the full list of members: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures. Countries from Africa include Cape Verde, Mauritius, Morocco, Senegal and Tunisia; from Latin America, Argentina, Mexico and Uruguay. Burkina Faso has been invited to accede to the Convention.
174 See the text of the modernised Convention: https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf.
175 In its Decision on the amending Protocol of 18.5.2018, the Committee of Ministers encouraged Member States and other Parties to the Convention to take without delay the necessary measures to allow the Protocol's entry into force within three years of its opening for signature, and to initiate promptly, but in no case later than one year after the date on which the Protocol was opened for signature, the ratification process under their national law. It also asked members to examine, every six months and for the first time one year after the date of the opening of the Protocol for signature, the progress towards ratification on the basis of information to be provided to the Secretary General by each Member State and other Party to the Convention no later than one month before that examination. See https://search.coe.int/cm/pages/result_details.aspx?objectid=09000016808a3c9f.
176 On the occasion of the EU-Japan summit in April 2019, Commission President Jean-Claude Juncker expressed his support for Japan's "Data Free Flow with Trust" initiative and the launch of the "Osaka Track", and committed the Commission to playing an active role in both initiatives.
177 See the text of the G20 Osaka Leaders' Declaration: https://www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf.
178 See the text of the G7 Biarritz Leaders' Strategy for an Open, Free and Secure Digital Transformation: https://www.elysee.fr/admin/upload/default/0001/05/62a9221e66987d4e0d6ffcb058f3d2c649fc6d9d.pdf.
179 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European strategy for data (COM(2020) 66 final of 19.2.2020) (https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_da.pdf), pp. 23-24.
180 Article 4(1)(d) of Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79 I of 21.3.2019).
181 https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449.
182 G20 Ministerial Statement on Trade and Digital Economy: https://g20trade-digital.go.jp/dl/Ministerial_Statement_on_Trade_and_Digital_Economy.pdf.
This can accelerate the achievement of the Sustainable Development Goals by fostering economic growth, fighting poverty and improving people's lives. A modern data protection framework that attracts investment and fosters the development of competitive businesses, while contributing to respect for human rights, democracy and the rule of law, is a central element of this transformation. The harmonisation of data protection rules in Africa will make it possible to integrate digital markets, while convergence with global standards will facilitate data exchanges with the EU. These different aspects of data protection are interconnected and mutually reinforcing.

There is now growing interest in data protection in many African countries, and the number of African countries that have adopted or are in the process of adopting modern data protection rules, or have ratified Convention 108185 or the Malabo Convention186, continues to rise187. At the same time, the legal framework remains very uneven and fragmented across the African continent. Many countries still have few or no data protection safeguards. Measures restricting data flows remain widespread and hamper the development of a regional digital economy. To reap the mutual benefits of convergent data protection rules, the Commission will work with its African partners both bilaterally and in regional fora188. It builds on the work carried out by the EU-AU Digital Economy Task Force within the framework of the New Africa-Europe Digital Economy Partnership189. It is also in furtherance of such objectives that the scope of the Commission's Partnership Instrument project "Enhanced Data Protection and Data Flows" is being extended to cover Africa. The project will be mobilised to support African countries intending to develop modern data protection frameworks, or wishing to strengthen the capacity of their supervisory authorities through training, knowledge sharing and the exchange of best practices.

Finally, the Commission is also determined to fight digital protectionism, as recently highlighted in the data strategy, while promoting the convergence of data protection standards at international level as a means of facilitating data flows and thus trade190. To this end, it has developed specific provisions on data flows and data protection in trade agreements, which it systematically tables in its bilateral (most recently with Australia, New Zealand and the United Kingdom) and multilateral negotiations, such as the current WTO negotiations on e-commerce. These horizontal provisions rule out purely protectionist measures, such as forced data localisation requirements, while preserving the parties' regulatory autonomy to protect the fundamental right to data protection. Data protection dialogues and trade negotiations must follow separate tracks, but they can complement each other. Indeed, convergence based on high standards and effective enforcement provides the strongest basis for the exchange of personal data, as is increasingly recognised by our international partners. As companies increasingly operate across borders and prefer to apply similar sets of rules to all their business operations worldwide, such convergence helps create an environment that promotes direct investment and trade and increases trust between trading partners. Synergies between trade and data protection instruments should therefore be explored further to ensure free and safe data flows, which are essential for the business operations, competitiveness and growth of European companies, including SMEs, in our increasingly digitalised economy.

183 See Articles 13(2)(f), 14(2)(g) and 22 GDPR.
184 See e.g. the African Union Convention on Cyber Security and Personal Data Protection (the "Malabo Convention") and the Standards for Data Protection for the Ibero-American States, developed by the Ibero-American Data Protection Network.
185 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=DW5jevqD.
186 African Union Convention on Cyber Security and Personal Data Protection: https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection. In addition, several of the Regional Economic Communities (RECs) have developed data protection rules, e.g. the Economic Community of West African States (ECOWAS) and the Southern African Development Community (SADC). See respectively http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf and http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/docs/SA4docs/data%20protection.pdf.
187
188 Including through the Policy and Regulation Initiative for Digital Africa (PRIDA); see information at: https://www.africa-eu-partnership.org/en/projects/policy-and-regulation-initiative-digital-africa-prida.
189 See the Joint Communication of the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, "Towards a comprehensive Strategy with Africa" (available at: https://ec.europa.eu/international-partnerships/system/files/communication-eu-africa-strategy-join-2020-4-final_en.pdf); Digital Economy Task Force, New Africa-Europe Digital Economy Partnership: Accelerating the Achievement of the Sustainable Development Goals (available at: https://www.africa-eu-partnership.org/sites/default/files/documents/finaldetfreportpdf.pdf).
190 https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 23.

Annex I – Provisions on optional specifications in national legislation

Subject | Scope | GDPR Articles
Specifications on legal obligations and public tasks | Adapting the application of provisions regarding processing for compliance with a legal obligation or for the performance of a public task, including in specific processing situations under Chapter IX | Article 6(2) and Article 6(3)
Age of consent in relation to information society services | Setting the minimum age between 13 and 16 years | Article 8(1)
Processing of special categories of data | Maintaining or introducing further conditions, including limitations, for the processing of genetic data, biometric data or data concerning health | Article 9(4)
Derogation from information requirements | Obtaining or disclosure of data expressly laid down by law, or for the purpose of statutory professional secrecy | Article 14(5)(c) and (d)
Automated individual decision-making | Authorising automated decision-making as an exception to the general prohibition | Article 22(2)(b)
Restrictions of data subjects' rights | Restrictions under Articles 12 and 22, Article 34 and the corresponding provisions of Article 5, where necessary and proportionate to safeguard exhaustively listed important objectives | Article 23(1)
Consultation and authorisation requirements | Requiring controllers to consult, or obtain authorisation from, the data protection authority for processing relating to a task in the public interest | Article 36(5)
Designation of a data protection officer in additional cases | Designation of a data protection officer in cases other than those referred to in Article 37(1) | Article 37(4)
Restrictions on transfers | Restricting transfers of specific categories of personal data | Article 49(5)
Complaints and legal actions by organisations on their own behalf | Empowering privacy organisations to lodge complaints and bring legal actions independently of a mandate from data subjects | Article 80(2)
Access to official documents | Reconciling public access to official documents with the right to the protection of personal data | Article 86
Processing of the national identification number | Specific conditions for the processing of the national identification number | Article 87
Processing in the employment context | More specific rules for the processing of employees' personal data | Article 88
Derogations for processing for archiving purposes in the public interest, for research purposes or for statistical purposes | Derogations from the specified data subject rights, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes | Article 89(2) and (3)
Reconciling data protection with obligations of secrecy | Specific rules on the investigative powers of data protection authorities in relation to controllers or processors subject to an obligation of secrecy | Article 90

Annex II – Overview of the resources of data protection authorities

The table below provides an overview of the resources (staff and budget) of the data protection authorities per EU/EEA country191. When comparing figures between Member States, it is important to bear in mind that authorities may have tasks entrusted to them beyond what the GDPR requires, and that these may vary from one Member State to another. The ratios of staff employed by the authorities per million inhabitants and of the authorities' budget per million EUR of GDP are included only to provide additional elements for comparison between Member States of similar size and should not be viewed in isolation. The absolute figures, the ratios and the evolution over recent years should be considered together when assessing a given authority's resources.

Columns: EU/EEA Member State; STAFF (full-time equivalents): 2019, Forecast 2020, % growth 2016-2019, % growth 2016-2020 (forecast), Staff per million inhabitants (2019); BUDGET (EUR): 2019, Forecast 2020, % growth 2016-2019, % growth 2016-2020 (forecast), Budget per million EUR of GDP (2019).

Member State | Staff 2019 | Staff forecast 2020 | Staff growth 2016-2019 | Staff growth 2016-2020 (forecast) | Staff per million inhabitants (2019) | Budget 2019 (EUR) | Budget forecast 2020 (EUR) | Budget growth 2016-2019 | Budget growth 2016-2020 (forecast) | Budget per million EUR of GDP (2019)
Austria | 34 | 34 | 48 % | 48 % | 3.8 | 2 282 000 | 2 282 000 | 29 % | 29 % | 5.7
Belgium | 59 | 65 | 9 % | 20 % | 5.2 | 8 197 400 | 8 962 200 | 1 % | 10 % | 17.3
Bulgaria | 60 | 60 | -14 % | -14 % | 8.6 | 1 446 956 | 1 446 956 | 24 % | 24 % | 23.8
Croatia | 39 | 60 | 39 % | 114 % | 9.6 | 1 157 300 | 1 405 000 | 57 % | 91 % | 21.5
Cyprus | 24 | 22 | not provided | not provided | 27.4 | 503 855 | not provided | 114 % | not provided | 23.0
Czechia | 101 | 109 | 0 % | 8 % | 9.5 | 6 541 288 | 6 720 533 | 10 % | 13 % | 29.7
Denmark | 66 | 63 | 106 % | 97 % | 11.4 | 5 610 128 | 5 623 114 | 101 % | 101 % | 18.0
Estonia | 16 | 18 | -11 % | 0 % | 12.1 | 750 331 | 750 331 | 7 % | 7 % | 26.8
Finland | 45 | 55 | 114 % | 162 % | 8.2 | 3 500 000 | 4 500 000 | 94 % | 150 % | 14.6
France | 215 | 225 | 9 % | 14 % | 3.2 | 18 506 734 | 20 143 889 | -2 % | 7 % | 7.7
Germany | 888 | 1002 | 52 % | 72 % | 10.7 | 76 599 800 | 85 837 500 | 48 % | 66 % | 22.3
Greece | 33 | 46 | -15 % | 18 % | 3.1 | 2 849 000 | 3 101 000 | 38 % | 50 % | 15.2
Hungary | 104 | 117 | 42 % | 60 % | 10.6 | 3 505 152 | 4 437 576 | 102 % | 155 % | 24.4
Iceland | 17 | 17 | 143 % | 143 % | 47.6 | 2 272 490 | 2 294 104 | 167 % | 170 % | 105.2
Ireland | 140 | 176 | 169 % | 238 % | 28.5 | 15 200 000 | 16 900 000 | 223 % | 260 % | 43.8
Italy | 170 | 170 | 40 % | 40 % | 2.8 | 29 127 273 | 30 127 273 | 46 % | 51 % | 16.3
Latvia | 19 | 31 | -10 % | 48 % | 9.9 | 640 998 | 1 218 978 | 4 % | 98 % | 21.0
Lithuania | 46 | 52 | -8 % | 4 % | 16.5 | 1 482 000 | 1 581 000 | 40 % | 49 % | 30.6
Luxembourg | 43 | 48 | 126 % | 153 % | 70.0 | 5 442 416 | 6 691 563 | 165 % | 226 % | 85.7
Malta | 13 | 15 | 30 % | 50 % | 26.3 | 480 000 | 550 000 | 41 % | 62 % | 36.3
Netherlands | 179 | 188 | 145 % | 158 % | 10.4 | 18 600 000 | 18 600 000 | 130 % | 130 % | 22.9
Norway | 49 | 58 | 2 % | 21 % | 9.2 | 5 708 950 | 6 580 660 | 27 % | 46 % | 15.9
Poland | 238 | 260 | 54 % | 68 % | 6.3 | 7 506 345 | 9 413 381 | 66 % | 108 % | 14.2
Portugal | 25 | 27 | -4 % | 4 % | 2.4 | 2 152 000 | 2 385 000 | 67 % | 86 % | 10.1
Romania | 39 | 47 | -3 % | 18 % | 2.0 | 1 103 388 | 1 304 813 | 3 % | 22 % | 4.9
Slovakia | 49 | 51 | 20 % | 24 % | 9.0 | 1 731 419 | 1 859 514 | 47 % | 58 % | 18.4
Slovenia | 47 | 49 | 42 % | 48 % | 22.6 | 2 242 236 | 2 266 485 | 68 % | 70 % | 46.7
Spain | 170 | 220 | 13 % | 47 % | 3.6 | 15 187 680 | 16 500 000 | 8 % | 17 % | 12.2
Sweden | 87 | 87 | 81 % | 81 % | 8.5 | 8 800 000 | 10 300 000 | 96 % | 129 % | 18.5
TOTAL | 2 966 | 3 372 | 42 % | 62 % | 6.6 | 249 127 139 | 273 782 870 | 49 % | 64 % | 17.4

Source of raw data: contributions of the Data Protection Board. Calculations by the Commission.

191 Except Liechtenstein.