EDPB publishes 2024-2027 strategy: The highlights
Posted: May 5, 2024
The European Data Protection Board (EDPB) has published its 2024-2027 strategy.
The EDPB consists of representatives from Data Protection Authorities (DPAs) in each country in the European Economic Area (EEA), so its actions can have a profound impact on many different industries.
Based on a careful reading of this five-page strategy document, here’s an insight into the board’s plans for the next three years.
The EDPB promises plenty of new GDPR guidance
The EDPB promises (or hints at) new guidance in several key areas:
- Vulnerable data subjects: The EDPB plans to provide guidance on the application of the GDPR to particularly vulnerable data subjects, such as children.
- Legitimate interests: The board will issue guidance on “the application of particularly notable provisions, such as legitimate interest.”
- Interplay between GDPR and other laws: The EDPB should provide guidance on the interplay between the application of the GDPR and other EU legal acts, naming the EU Artificial Intelligence Act and laws derived from the EU Data Strategy and the Digital Services Package.
- Data protection implications of new technologies: The board suggests that it will produce guidance on the data protection implications of “new technologies.”
The EDPB’s guidelines and recommendations are not legally binding. However, such guidance is adopted on a consensus basis, and we can expect national DPAs to apply it when enforcing against controllers and processors accused of violating the GDPR.
The EDPB’s previous guidance has been relatively strict. As such, the publication of new guidelines on “legitimate interests” could have a profound impact on many controllers who rely on that legal basis.
Guidance on the processing of children’s data might relate to age verification techniques—an area where some controllers have struggled to balance the principle of data minimization with the obligation to protect children.
Notably, the EDPB intends to publish guidance for non-data protection experts, such as small to medium-sized enterprises (SMEs) and children.
The EDPB is preparing for GDPR reforms
The so-called GDPR Procedural Regulation is currently being considered by the EU’s institutions. This law would reform the GDPR’s enforcement provisions, aiming to streamline complaints and cross-border regulation.
The EDPB says it will “support” this legislative effort, including by “continuing to provide feedback on and suggestions for that proposal during the legislative process, as appropriate”.
The board says it will also prepare for the GDPR Procedural Regulation’s “practical implementation,” including by reviewing its processes and procedures and adjusting them as the law requires.
The EDPB will work across sectors and jurisdictions
The EDPB says it will work with regulators and other authorities in several areas to help promote data protection.
- Cooperation with regulatory authorities: The board says it will secure cooperation with “other regulatory authorities on matters with an impact on data protection”, for example:
  - Consumer protection authorities
  - Competition authorities
  - Authorities competent under other legal acts, including the EU Artificial Intelligence Act or those adopted under the European Data Strategy and the Digital Services Package.
- Role within other bodies: The EDPB says it will take an “active role” in the Digital Markets Act (DMA) high-level group and the European Data Innovation Board.
- Promoting cooperation on enforcement: The EDPB says it (and its national DPA members) will “continue to promote a global dialogue on privacy and data protection,” including by “supporting cooperation on enforcement amongst EU and non-EU authorities.”
- Participation in “global dialogues”: The EDPB says it will continue to contribute to “the global dialogue” on matters such as data transfers, access to personal data by public authorities, and emerging technologies.
The EDPB will monitor and assess new technologies
Finally, the EDPB says it will continue to “monitor and assess new digital technologies to promote a humancentric approach.”
The board specifically cites “artificial Intelligence and digital identity” as two examples of such “new digital technologies”.
What do “monitoring” and “assessment” mean in this context? The EDPB doesn’t define these terms.
But it might mean AI and digital identity verification services are subject to increased scrutiny over the next three years, which could also mean enforcement action in these sectors.