The European Data Protection Board Unveils Its Work Program Until 2020

Blog WilmerHale Privacy and Cybersecurity Law

The European Data Protection Board (“EDPB”), which is composed of representatives of the national data protection authorities and the European Data Protection Supervisor, unveiled a two-year work program on February 12, 2019. This program provides an outlook and a roadmap regarding the EDPB’s priorities for the coming two years.

Guidelines. The EDPB plans to release 17 sets of guidelines by 2020, including on the following topics.

  • The interplay between European payment services rules (“PSD2”) and data protection laws.
  • Certification and Codes of Conduct as a tool for transferring personal data outside the EU (these will be distinct guidelines from the general certification guidelines adopted by the EDPB on January 23, 2019 and the general code of conduct guidelines adopted by the EDPB on February 12, 2019). Codes of conduct are particularly interesting for organizations as they allow them to reduce their compliance costs by combining their efforts, but this is still a new instrument under the EU General Data Protection Regulation (“GDPR”), so further clarification will certainly be welcome.
  • Connected vehicles, which is a growing area of interest in the EU, as it has ambitions to become a world leader in the deployment of connected and automated mobility (see our client alert).
  • Data protection by design and by default, which requires organizations to integrate data protection principles into their processing activities, services, products and business practices from the design stage right through the lifecycle.
  • Legitimate interests. The EDPB is planning to update the 2010 Article 29 Working Party document on the topic and will hopefully clarify in what circumstances and to what extent organizations will be able to rely on legitimate interests to justify their processing activities. The existing guidelines on this issue are particularly strict, and there is reason to fear that the updated version will miss the opportunity to provide useful guidance.
  • Territorial scope of the GDPR. The EDPB already published a draft opinion on this topic in December 2018.
  • Guidelines on reliance on Art. 6(1)(b) (“contractual necessity”) in the context of online services.
  • Guidelines on targeting of social media users.
  • Individuals’ rights.

Consistency Opinions. The EDPB also plans to release two consistency opinions on the following topics.

Other Types of Activities. The EDPB identified 11 other activities it will work on, including the following topics.

  • Follow-up of the EU-US Privacy Shield review (see our blog post on the EDPB’s second report on the Privacy Shield). 
  • Discussions regarding the adoption of the ePrivacy Regulation, which should replace the ePrivacy Directive although its adoption is currently bogged down. 
  • Clinical Trials (see our blog post on the EDPB’s advisory opinion on this issue). 
  • EDPB’s enforcement strategy.
  • Personal data breach notifications.

Recurrent Activities. The EDPB will of course exercise the powers vested in it by the GDPR. The EDPB will therefore act as an advisory body and issue opinions regarding relevant draft decisions from national data protection authorities. It will also act as an appellate body and adopt binding decisions, for example where there is a disagreement on a draft decision or jurisdiction between national data protection authorities. Finally, the EDPB issues opinions, statements or advice following the adoption of legislative proposals that are of particular importance for individuals’ data protection rights.

Possible Topics. The EDPB identified 13 other topics it may work on through 2020, including the following.

  • Transfers of personal data outside the EU based on non-EU judicial decisions. Under the GDPR, non-EU courts’ decisions requiring an organization to transfer personal data outside the EU may only justify such a transfer if based on an international agreement in force between the requesting non-EU country and the EU or an EU country.
  • Cross-border requests for e-evidence.
  • Enforcement against organizations in non-EU countries.
  • Blockchain.
  • Use of new technologies, such as AI and IoT.
  • In addition, Art. 97 of the GDPR obliges the European Commission to submit a report on the evaluation and review of the GDPR by May 25, 2020. The EDPB is planning to provide a consultation document for this purpose.


The EDPB appears ready to provide more specific guidance for real-world scenarios across a substantial number of topics. Hopefully, the EDPB will manage to combine a thorough analysis and clarification on complex topics so that industry can continue to hone its compliance efforts under the GDPR.

