On February 22, 2023, the European Data Protection Board (“EDPB”) released its Work Program for 2023-2024 (“the Program”), outlining the key priority areas for the next two years.  The Program is divided into four pillars, which largely reflect the priorities already set out in its Strategy 2021-2023.

1. Advancing harmonization and facilitating compliance with the GDPR

The EDPB will continue to publish guidance on key concepts of EU data protection law.  It intends to release guidelines on the following topics:

  • The concept of legitimate interest;
  • Processing children’s data; and
  • Processing of data for medical and scientific research purposes.

2. Supporting effective enforcement and efficient cooperation among supervisory authorities

The EDPB aims to facilitate and streamline the cooperation and consistency mechanisms with national supervisory authorities, and further strengthen the EDPB’s role as a forum for the exchange of information.  Accordingly, the EDPB intends to:

  • Publish guidelines on mutual assistance, the urgency procedure, and templates for data subject complaints;
  • Implement the Coordinated Enforcement Framework (i.e., a structure set up in 2020 to coordinate supervisory authorities’ recurring annual activities and facilitate joint actions) to support coordinated actions on selected topics, for instance, on the designation and position of the DPO (see our blogpost on the first Coordinated Enforcement Framework’s report on the public sector’s use of cloud-based services here), and the Support Pool of Experts;
  • Provide support in cases of strategic importance; and
  • Create taskforces where cooperation is required (see our blogpost on the Cookie Taskforce here).

3. Adopting a fundamental rights approach to new technologies

The EDPB is committed to supporting industry and authorities by advising on data protection as it relates to emerging technologies, such as blockchain, telemetry and diagnostic data, and on the interplay between the upcoming AI Act and the GDPR (see our blogpost here).  The EDPB will also publish its revised position on anonymization and pseudonymization techniques.

4. Setting and promoting high EU and global standards on international data transfers

International transfers continue to be central to the EDPB’s work.  The EDPB will continue to advise on the Commission’s adequacy proposals.  In particular, Japan’s adequacy decision is undergoing a periodic review, and the EDPB’s opinion on the proposed EU-U.S. adequacy finding, to replace the invalidated Privacy Shield, is expected on or around February 28, 2023 (see our blogpost here).  

Moreover, the EDPB will release guidance on the following topics:

  • Transfers or disclosures not authorized by Union law (Article 48 GDPR); and
  • The referential for the approval of BCR Processors.

The EDPB also aims to strengthen engagement with international partners to promote EU data protection rules globally and ensure the protection of fundamental rights, for instance, in the context of the recently launched EU Digital Partnerships with Japan, South Korea and Singapore (see our blogpost here), and in other international fora (see our blogpost on the OECD and EU Declaration on Government Access to Personal Data here).

***

Covington’s Data Privacy and Cybersecurity Team regularly monitors regulatory guidance, legal and policy developments.  Our team is happy to assist with any inquiries related to data protection and cybersecurity.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Read more about Dan Cooper
Show more Show less
Photo of Laura Somaini Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules…

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.

Read more about Laura Somaini
Show more Show less
Diane Valat

Diane Valat is a trainee who attended IE University.