EU: EDPB forms Schrems II taskforces and adopts guidelines on controllers and processors and on targeting social media users
The European Data Protection Board ('EDPB') announced, on 4 September 2020, that it had formed a taskforce on complaints lodged following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), as well as a further taskforce to provide recommendations on supplementary measures data exporters and importers can be required to take to ensure adequate protection when transferring data in light of the judgment. Moreover, the EDPB adopted guidelines on the concepts of controller and processor under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and guidelines on the targeting of social media users.
Schrems II complaints taskforce
The EDPB noted that, in forming its taskforce to examine complaints filed following the Schrems II Case, 101 complaints had been lodged by None of your business – European Center for Digital Rights ('NOYB'), and that the taskforce would analyse the matter and ensure close cooperation amongst Member State supervisory authorities.
Schrems II guidance taskforce
Additionally, the EDPB noted that a separate taskforce had been created to provide further recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries, though no date for such recommendations has yet been advised.
Andrea Jelinek, Chair of the EDPB, noted, "The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility. In addition to the statement and the FAQ we put out shortly following the judgment, we will prepare recommendations to support controllers and processors regarding their duty in identifying and implementing appropriate supplementary measures of a legal, technical and organizational nature to meet the essential equivalence standard when transferring personal data to third countries. However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick fix solution. Each organisation will need to evaluate its own data processing operations and transfers and take appropriate measures."
Guidelines on controller-processor
The EDPB noted that, "Since the entry into application of the GDPR, questions have been raised as to what extent the GDPR brought changes to these concepts, particularly regarding the concept of joint controllership (as laid down in Article 26 of the GDPR and following several CJEU rulings), as well as the obligations for processors (in particular Article 28 of the GDPR) laid down in Chapter IV of the GDPR." The Guidelines will include a flow chart to provide further practical guidance and will be subject to public consultation.
Guidelines on targeting of social media users
According to the EDPB, these guidelines aim to clarify the roles and responsibilities of the social media provider and the targeted individual, and identify the potential risks to the freedoms of individuals, the main actors and their roles, the application of key data protection requirements, such as lawfulness and transparency and Data Protection Impact Assessments, as well as key elements of arrangements between social media providers and the targeted individuals. The guidelines will be submitted for public consultation.
You can read the press release here.
UPDATE (7 September 2020)
The EDPB launched, on 7 September 2020, a public consultation on the Controller-Processor Guidelines and the Social Media Targeting Guidelines.
In particular, the Controller-Processor Guidelines seek to provide guidance on the concepts of controller and processor based on Article 4 of the GDPR and the provisions on obligations in Chapter IV, as well as to clarify the meaning of the concepts and to clarify the different roles and the distribution of responsibilities between these actors. In addition, the Controller-Processor Guidelines highlight that the Article 29 Working Party issued guidance on the concepts of controller/processor in its Opinion 1/2010 (WP169) ('the WP29 Opinion') in order to provide clarifications and concrete examples with respect to definitions of the same and joint controllers but that the concrete application of the concepts needs further clarification, with the EDPB now deeming it necessary to provide more developed and specific guidance in order to ensure a consistent and harmonised approach throughout the EU and the EEA. Furthermore, the Controller-Processor Guidelines outline that they would replace the WP29 Opinion as to these concepts.
Moreover, the Controller-Processor Guidelines highlight that, in the absence of control arising from legal provisions, the qualification of a party as a controller must be established on the basis of an assessment of the factual circumstances surrounding the processing, and that all relevant factual circumstances must be taken into account in order to reach a conclusion as to whether a particular entity exercises a determinative influence with respect to the processing of personal data in question. In addition, the Controller-Processor Guidelines note that the need for factual assessment also means that the role of a controller is rooted not in the nature of an entity that is processing data but in its concrete activities in a specific context, and that the same entity may act at the same time as controller for certain processing operations and as processor for others, further outlining that the qualification as controller or processor has to be assessed with regard to each specific data processing activity.
The Social Media Targeting Guidelines offer guidance concerning the targeting of social media users, in particular as regards the responsibilities of targeters and social media providers, and seek to clarify what the distribution of responsibilities might look like between targeters and social media providers on the basis of practical examples. Furthermore, the Social Media Targeting Guidelines stress that the main aim of their issuance is to clarify the roles and responsibilities among the social media provider and the targeter, to identify the potential risks for the rights and freedoms of individuals, to identify the main actors and their roles (section 4), and to tackle the application of key data protection requirements (such as lawfulness and transparency, DPIA, etc.) as well as key elements of arrangements between social media providers and the targeters.
Comments on the Controller-Processor Guidelines must be submitted to the EDPB via an online form here and comments on the Social Media Targeting Guidelines must be submitted to the EDPB via an online form here by 19 October 2020.