EDPB clarifies notion of main establishment and calls on EU legislators to make sure CSAM Regulation respects rights to privacy and data protection

Today, on February 14, 2024, the EDPB made two important announcements that could impact businesses and individuals across the EU:

Clarification on Main Establishment: The EDPB has provided new guidelines about what counts as a company’s “main establishment” in the EU. This is important for businesses that operate in more than one EU country because it helps determine which country’s data protection authority they primarily deal with. The guidance helps ensure that businesses know how to comply with EU data protection laws, especially if they make decisions about data processing outside the EU.

Child Safety Online: The EDPB also discussed new rules being proposed to combat child sexual abuse material (CSAM) online. While they support efforts to protect children, they’re concerned about privacy and the risk of monitoring private communications too broadly. The EDPB is advocating for measures that protect children while also respecting everyone’s privacy rights.

🔍 Why It Matters: The EDPB’s clarification on the GDPR’s main establishment concept underscores strict compliance for businesses operating in the EU. Key points include the necessity for EU-based decision-making on data processing to qualify for the One Stop Shop (OSS) mechanism, the detailed criteria to prove an establishment’s role in decision-making, and the specific assessment of processing activities. This prevents companies from exploiting regulatory gaps and ensures a consistent application of data protection laws, commitment to data privacy across the EU.