EDPB Strategy 2024-2027: Setting the course for the next 4 years

Adapting the EDPB strategy to the data protection needs of today

This week, the EDPB adopted its new strategy - the first strategy since I was elected as EDPB Chair. The strategy charts the direction the EDPB will take in the next four years.

Since the entry into application of the GDPR in 2018, the European data protection landscape has undergone an evolution. Awareness of data protection rights has risen significantly among data subjects. Controllers and processors in both the public and private sectors have become increasingly aware of their obligations and a new spate of digital legislations has seen the light of day. Similarly, the EDPB’s focus has continued to evolve, shifting from a more guidance-based approach to an increased focus on enforcement cooperation. All these evolutions have given rise to new needs and priorities that need to be reflected in the EDPB’s strategy.

It’s from this mind-set that we set out to develop the new strategy. After several initial brainstorm sessions, we invited all data protection authorities (DPAs) to submit their views on what the EDPB’s priorities should be and set to work. After many meetings, we collectively agreed on a final list of priorities. The new strategy builds on the priorities of the previous strategy, but takes the existing vision in a new direction.

Laying the foundation for the EDPB’s activities

The new strategy is built around a set of pillars which lay the foundation for the EDPB’s upcoming activities and will help prioritise the resources allocated to these in the following four years.

An important aspect of the strategy is the interplay with the new regulatory framework. New EU laws which will affect data protection and individuals’ data protection rights have been, or will be, introduced in the context of digitalisation. Taking into account the cross-regulatory dimension of the digital economy, the EDPB will also enhance cooperation with other regulatory authorities on matters which have an impact on data protection, with a view to embedding the right to data protection in the overall regulatory architecture. We will continue our existing work on the interplay between those laws and the GDPR, while also promoting supervision of data protection issues.

Next, reinforcing enforcement cooperation will remain a priority for the EDPB. We will continue building on the vision set out in our so-called Vienna Statement, and further develop EDPB initiatives and actions in this area, such as the coordinated actions. The EDPB will keep supporting the development of cooperation and enforcement tools, and the sharing of expertise to increase the robustness of our common procedures, methodologies and decisions. In this regard, the EDPB will also prepare for the practical implementation of the EU Regulation laying down additional procedural rules relating to the enforcement of the GDPR.

In addition to enforcement, the EDPB will continue to promote compliance with data protection law by developing clear, concise and practical guidance on important topics. The EDPB will develop additional tools for a wider audience, such as its data protection guide for small business, with content that is accessible and easy to understand for non-experts. Among others, the EDPB will look into developing a tool dedicated to children and communicate in an easy to understand language on a guideline’s core messages.

The EDPB will also continue to address the challenges raised by new technologies, such as artificial intelligence. The EDPB will keep monitoring and assessing new digital technologies and will provide guidance which promotes a human-centric approach to these topics. In this respect, the EDPB will develop and promote easily-available material, to help guide controllers and processors to be GDPR compliant in the fast developing digital landscape. In addition, the EDPB will engage on these issues with the international community to promote high legal standards and cooperation amongst data protection and privacy authorities, and other regulators globally.

Furthermore, the EDPB will continue to promote a global dialogue on privacy and data protection, endorsing the effective protection of data subjects’ rights and recognising that data does not stop at the EU border.

From vision to reality

Now that the strategy is in place, it is time to start putting it into practice. To this effect, the strategy will be complemented by two two-year work programmes, which will contain concrete actions to make the vision set out in the strategy a reality.

Looking back at the past six years, I am proud of all that we have achieved so far, because it makes me confident that the EDPB is ready to face the immense challenges that lie before it. In the next four years, together with all the European DPAs, I want to ensure the best possible outcome for both citizens and organisations.

Anu Talus

EDPB Chair