The European Data protection Board (“EDPB”), which is composed of representatives of the national data protection authorities and the European Data Protection Supervisor, unveiled a two-year work program on February 12, 2019. This program provides an outlook and a roadmap regarding the EDPB’s priorities for the coming two years.

Guidelines. The EDPB plans to release 17 sets of guidelines by 2020, including on the following topics.

• The interplay between European payment services rules (“PSD2”) and data protection laws.
• Certification and Codes of Conduct as a tool for transferring personal data outside the EU (these will be distinct guidelines from the general certification guidelines adopted by the EDPB on January 23, 2019 and the general code of conduct guidelines adopted by the EDPB on February 12, 2019). Codes of conduct are particularly interesting for organizations as they allow them to reduce their compliance costs by combining their efforts, but this is still a new instrument under the EU General Data Protection Regulation (“GDPR”), so further clarification will certainly be welcome.
• Connected vehicles, which is a growing area of interest in the EU, as it has ambitions to become a world leader in the deployment of connected and automated mobility (see our client alert).
• Data protection by design and by default, which require organizations to integrate data protection principles into their processing activities, services, products and business practices from the design stage right through the lifecycle.
• Legitimate interests. Hopefully, the EDPB is planning to update the 2010 Article 29 Working Party document on the topic and will hopefully clarify in what circumstances and to what extent organizations will be able to rely on legitimate interests to justify their processing activities. The existing guidelines on this issue are particularly strict, and there is reason to fear that the updated version will miss the opportunity to provide useful guidance.
• Territorial scope of the GDPR. The EDPB has already published a draft opinion on this topic in December 2018.
• Guidelines on reliance on Art. 6(1)(b) (“contractual necessity”) in the context of online services.
• Guidelines on targeting of social media users.
• Individuals’ rights.

Consistency Opinions. The EDPB also plans to release two consistency opinions on the following topics.

• Administrative arrangement between EU and non-EU financial market authorities. This will particularly concerns transfers of personal data between European financial supervisory authorities and their non-EU counterparts. The EDPB has recently published Opinion 04/2019 on the draft Administrative Arrangement for the transfer of personal data between European Economic Area (“EEA”) Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities.
• Interplay between the GDPR and ePrivacy, which complements the GDPR and is meant to provide more specific rules that apply to providers of electronic communications services (see our client alert on the intersections between these instruments regarding cybersecurity).

Other Type of Activities. The EDPB identified 11 other activities it will work on, including the following topics.

• Follow-up of the EU-US Privacy Shield review (see our blog post on the EDPB’s second report on the Privacy Shield). 
• Discussions regarding the adoption of the ePrivacy Regulation, which should replace the ePrivacy Directive although its adoption is currently bogged down. 
• Clinical Trials (see our blog post on the EDPB’s advisory opinion on this issue). 
• EDPB’s enforcement strategy.
• Personal data breach notifications.

Recurrent Activities. The EDPB will of course exercise the powers vested in it by the GDPR. The EDPB will therefore act as an advisory body and issue opinions regarding relevant draft decisions from national data protection authorities. It will also act as an appellate body and adopt binding decisions, for example where there is a disagreement on a draft decision or jurisdiction between national data protection authorities. Finally, the EDPB issues opinions, statements or advices following the adoption of legislative proposals that are of particular importance for individuals’ data protection rights.

Possible Topics. The EDPB identified 13 other topics it may work on through 2020, including the following.

• Transfers of personal data outside the EU based on non-EU judicial decisions. Under the GDPR, non-EU courts’ decisions requiring an organization to transfer personal data outside the EU may only justify such a transfer if based on an international agreement in force between the requesting non-EU country and the EU or an EU country.
• Cross-border requests for e-evidence.
• Enforcement against organizations in non-EU countries.
• Blockchain.
• Use of new technologies, such as AI and IoT.
• In addition, Art. 97 of the GDPR obliges the European Commission to submit a report on the evaluation and review of the GDPR by May 25, 2020. The EDPB is planning to provide a consultation document for this purpose.

Conclusion

The EDPB appears ready to provide more specific guidance for real-world scenarios across a substantial number of topics. Hopefully, the EDPB will manage to combine a thorough analysis and clarification on complex topics so that industry can continue to hone its compliance efforts under the GDPR.