The European Data Protection Board (EDPB) has recently (re)positioned itself on several controversial topics and published three new guidelines and opinions. Although not legally binding, they do have a significant influence on proceedings before the supervisory authorities and courts.
1. EDPB Revises Guidelines on Application of ePrivacy Directive
On Oct. 16, 2024, the EDPB published the final guidelines 02/2023 on the application of Art. 5(3) of the ePrivacy Directive 2002/58/EC (ePrivacy Directive) to various technical solutions (following the public consultations).
According to Art. 5(3) ePrivacy Directive, with two narrowly defined exceptions, the storage of information or access to information already stored in a user’s terminal equipment is only permitted if the user has given prior consent in accordance with the strict standards of the GDPR.
The new EDPB Guidelines describe the technical operations that, in the view of the European data protection authorities, are covered by Art. 5(3) of the ePrivacy Directive, and in particular address new tracking methods developed to replace existing tools such as cookies. In this context, the EDPB emphasizes the importance of consent and interprets Art. 5(3) of the ePrivacy Directive very broadly. The Guidelines also analyze the key criteria for the applicability of the ePrivacy Directive, including the terms information, terminal equipment and access to stored information, and examine various use cases such as URL tracking or IP tracking.
As a result, the (already broad) scope of Art. 5(3) ePrivacy Directive is further extended and almost every form of user tracking is made subject to the requirement of consent. In the future, companies will have to examine the practical implementation of legally compliant tracking methods even more critically.
2. EDPB Issues Statement on the Use of Processors
On Oct. 7, 2024, the EDPB published its Opinion 22/2024, which deals with the scope of the obligations that arise for controllers when using processors and sub-processors.
The statement clarifies the requirements of Art. 24 and 28 GDPR and places greater responsibility on controllers to continuously ensure an adequate level of protection, and to ensure this through periodic reviews. In doing so, the EDPB clearly rejects the common practice of finalizing a data processing agreement and then considering the matter closed.
Specifically, the opinion emphasizes the ongoing obligations of controllers, regardless of the processing risk, to always have up-to-date information on (sub-)processors and to ensure that they provide sufficient guarantees for the rights and freedoms of data subjects. The extent of the necessary review of the measures taken by processors should vary depending on the risk.
In the EDPB’s view, the final decision on the use of a sub-processor should remain with the controller, who should also be able to check and demonstrate that the sub-processor's data protection measures are sufficient. This heightens the level of oversight controllers need to have over what could be a large number of sub-processors. However, the intensity of the control should also vary depending on the risk. This should also apply to data transfers between (sub-)processors outside the European Economic Area, according to the EDPB. In this case, the controllers should ensure that all data transfers are carried out in compliance with the GDPR and – in case of doubt – should be liable for this together with the processors: The EDPB emphasizes that while the controller holds ultimate responsibility for a sub-processor’s obligations, the initial processor remains liable to the controller for ensuring data protection obligations are properly passed down in sub-processing contracts. Therefore, the controller may seek redress from the initial processor.
In this context, contracts with processors should contain clear instructions and differentiate how to deal with the laws of third countries relevant to the processing in order to ensure GDPR compliance. In particular, the EDPB recommends including language in data processing agreements similar to Art. 28(3)(a) GDPR, according to which mandatory national law takes precedence in the event of a conflict.
For companies that are controllers, this results in increased auditing and documentation requirements – both when selecting and when subsequently working with processors. Processors, on the other hand, should work on their internal documentation in order to be able to answer to controllers accordingly.
3. New EDPB Guidelines on the Determination of ‘Legitimate Interests’
In Guidelines 1/2024 on the processing of personal data on the basis of a legitimate interest (Art. 6(1)(f) GDPR), the EDPB presents its views on this particularly practice-relevant legal basis. The guidelines are currently still a draft version, open for public consultation until Nov. 20, 2024.
The guidelines begin by summarizing the three well-known criteria of Art. 6(1)(f) GDPR: First, the controller or a third party must have a legitimate interest in the planned processing that is lawful, specifically formulated, real and present. Secondly, the processing must be necessary to achieve the legitimate interest, i.e., there must be no less invasive alternatives available. Thirdly, the controller must assess whether the legitimate interest overrides the interests, rights and freedoms of the individual, taking into account the impact of the processing, the expectations of the data subjects and possible safeguards.
The EDPB emphasizes in the guidelines that such an assessment should be made for each processing operation. Before any processing begins, the controller should check and document whether the necessary conditions are met. The EDPB also emphasizes that controllers are obliged to inform data subjects of the legitimate interests they pursue when relying on this legal basis.
The guidelines also remind us that public bodies cannot, in principle, invoke the legitimate interest under Art. 6(1)(f) of the GDPR when they are acting in the exercise of their official authority (see Recital 47 of the GDPR). This is often interpreted as a general exclusion of the legitimate interest for public bodies, since public authorities are not allowed to perform any other activity than the fulfillment of their tasks. However, the EDPB allows for exceptions in its guidelines and points out that in limited and specific cases, public bodies may also invoke legitimate interests. In practice, this could be relevant to, for example, the administration of benefits or the organization of internal events. We will be watching how these exceptions develop during the consultation phase.