European Data Protection Board Tries to Sort Out the DPIA Disaccord
Article 35(4) of the EU General Data Protection Regulation (“GDPR”) states that the supervisory authorities of the EU Member States (“SAs”) shall establish, publish and communicate to the European Data Protection Board (“EDPB”) a list of processing operations that are subject to a requirement for a data protection impact assessment (“DPIA”) under the GDPR.
On 3 October 2018, the EDPB published a series of opinions on the proposed lists of processing activities subject to DPIA, as submitted by the SAs of the following 22 EU Member States: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom. The EDPB assessed the consistency of the proposed lists under Article 35 of the GDPR as interpreted in its Guidelines on DPIAs (WP248 rev.01) and provided recommendations for changes. In some cases, the EDPB requested that a clarification of the non-exhaustive nature of the list be added; in others, it recommended indicating that certain processing activities require a DPIA only when carried out in conjunction with at least one other criterion.
Pursuant to Article 64 of the GDPR, the EDPB shall issue an opinion on the proposed draft lists. The so-called consistency mechanism (i.e., in order to contribute to the consistent application of the GDPR throughout the EU, the SAs shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism set out in Section 2 of the GDPR) applies where the lists relate to certain cross-border processing operations or may substantially affect the free movement of personal data within the EU. Pursuant to Article 64(7) of the GDPR, the SAs must, within two weeks of receiving the EDPB’s opinions, communicate to the Chair of the EDPB (Ms. Andrea Jelinek) whether they will maintain or amend their draft lists and, where applicable, which amendments they adopted. If an SA fails to follow the EDPB opinion, the EDPB may adopt a binding decision.
The EDPB does not aim to arrive at a single EU list of processing activities that are subject to a DPIA. Rather, the opinions are intended to create a harmonized and consistent approach and to avoid significant inconsistencies that may affect the equivalent protection of data subjects. It is hoped that the SAs will take the recommendations on board, as the publication of disparate lists results in unjustified inconsistencies and fragmentation, which make the uniform application of the GDPR within a group of companies impossible and which is contrary to the objectives of the GDPR.