The European Data Protection Board starts its operations
By Nikolaos Theodorakis
The European Data Protection Board (EDPB) started its operations on the same date the General Data Protection Regulation (GDPR) entered into force, 25 May 2018. The GDPR creates a harmonized set of rules applicable to all personal data processing taking place in the EU. The GDPR established the EDPB so that it contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.
The EDPB is the successor to the Article 29 Working Party, which existed under the previous legal regime. The EDPB is composed of representatives of the national data protection authorities and the European Data Protection Supervisor (EDPS). The EDPB also comprises a secretariat provided by the EDPS and working under the instructions of the EDPB. The secretariat will have an important role in administering the One-Stop-Shop and the consistency mechanism, as explained below. The European Commission has the right to participate in the activities and meetings of the Board, but without a voting right.
The EDPB aims to ensure the consistent application of the GDPR and of the European Law Enforcement Directive. In doing so, the EDPB is expected to adopt general guidance to clarify the terms of European data protection laws and provide a consistent interpretation regarding their options and obligations. It can also make binding decisions towards national supervisory authorities to ensure a consistent application of the GDPR.
In brief, the EDPB:
- Provides general guidance (e.g. guidelines and recommendations) to clarify the law;
- Advises the European Commission on personal data issues and proposed legislation;
- Adopts consistency findings for cross-border data protection issues; and
- Promotes cooperation and the effective exchange of information and best practice between national supervisory authorities.
The EDPB’s principles are independence and impartiality, good governance, collegiality, cooperation, transparency, efficiency, and proactivity.
Program and future actions
The EDPB acknowledged the continuity of its predecessor, the Article 29 Working Party, and endorsed a series of important guidelines on the first day of operations:
- the guidelines on consent;
- the guidelines on transparency;
- the guidelines on automated individual decision-making and profiling for the purposes of the GDPR;
- the guidelines on personal data breach notification under the GDPR;
- the right to data portability guidelines;
- the data protection impact assessment guidelines determining whether processing is “likely to result in a high risk”;
- the Data Protection Officers guidelines;
- the Lead Supervisory Authority guidelines;
- the paper on the derogations from the obligation to maintain records of processing activities;
- the working document for the approval of “Binding Corporate Rules” for controllers and processors;
- the recommendation on the standard application for approval of Controller and Processor Binding Corporate Rules, and the elements and principles to be found in said Rules; and
- the guidelines on the application and setting of administrative fines for the purposes of the GDPR.
Moving forward, it is expected that the EDPB will issue guidance on a number of important privacy-related issues, like the data portability right, Data Protection Impact Assessments, certifications, the extraterritorial applicability of the GDPR and the role of Data Protection Officers. In doing so, the EDPB plans to regularly consult business representatives and civil society representatives regarding their views on how to implement the GDPR.
One-Stop-Shop and Consistency Mechanism
Apart from the guidelines and binding decisions, the EDPB will be instrumental in assisting with the One-Stop-Shop mechanism and the consistency mechanism. The One-Stop-Shop relates to designating a lead Data Protection Authority to resolve data protection issues involving more than one EU Member State. This innovative GDPR framework will allow for better cooperation on processing activities that span different states.
The EDPB consistency mechanism is a reference to Article 63 of the GDPR, a mechanism through which DPAs cooperate to contribute to the consistent application of the GDPR. The GDPR makes several references to this mechanism and it is expected that it will be an important issue for the EDPB to regulate and interpret. In essence, the EDPB should ensure that where a national data protection authority decision affects a large number of individuals in several EU member states, there is prior collaboration and consistency in the interpretation and application of said decision. This is in line with the EU’s digital single market agenda that tries to bring consistent application of EU laws throughout the single market.
A true transformation?
It is too early to tell whether the EDPB will prove to be a transformed body, or whether it is a rebranded version of the Article 29 Working Party. Even though it seems that the WP29 subgroups will continue their work as usual, the action plan indicates that the EDPB will undergo significant changes and that it aspires to be at the epicenter of data protection developments in the European Union. The first indications demonstrate that the EDPB wants to become a prominent body through administrative restructuring and a clearer communication strategy. The GDPR enforcement brought data protection into the spotlight, and the EDPB will certainly have a chance, if it so desires, to prove that it is a larger, more influential, and more important body than its predecessor.