The new European Data Protection Board (EDPB) – tasks, composition, role and binding decision making

The European Data Protection Board (EDPB) replaces the Article 29 Working Party (WP29) under the GDPR. What you need to know about the tasks, roles, composition, management, binding decision making, opinions and guidelines of the EDPB.

In our articles on the GDPR we often mentioned the Article 29 Working Party or WP29 when it publishes another set of guidelines for the implementation and enforcement of the GDPR. We also often refer to the European Data Protection Board, known as EDPB and in the GDPR text ‘the Board’.

For some people it’s a bit confusing so a quick look at the European Data Protection Board and why we report on the guidelines of the WP29.

The European Data Protection Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives (GDPR)

Simply put, with the GDPR comes a European Data Protection Board, which has several roles and responsibilities. This European Data Protection Board replaces the Article 29 Working Party or WP29. Yet, at the same time the WP29 also prepares the start of the European Data Protection Board by bringing various national data protection authorities (a.k.a. DPAs) together and transforming itself into the EDPB. One of the tasks of the European Data Protection Board is advising the EU Commission on issues regarding the protection of personal data in the EU.

European Data Protection Board - EDPB in the GDPR and ePrivacy Regulation

The Article 29 Working Party (WP29) and its role in the GDPR, ePrivacy Regulation and own transformation

The Article 29 Working Party is an independent advisory body on data protection and privacy, which was launched with the predecessor of the GDPR, the Data Protection Directive or Directive 95/46/EC.

The reason why we talk so much about the WP29 is because it has done a lot of work in publishing GDPR guidelines on myriad topics, although it has far more tasks. These guidelines are in first instance meant to ensure a good implementation and enforcement of the GDPR by the regulatory authorities or DPAs.

Although often followed they do not change the GDPR: they provide more details, offer examples and tell how to interpret things. The real binding interpretations in case of doubts is a matter of jurisprudence once the first GDPR cases come to court, as tends to be the case with all legal frameworks.

The European Data Protection Board shall act independently when performing its tasks or exercising its powers (GDPR)

Still, it is essential to study the WP29 guidelines. Several have been published in the last 3 months of 2017. When looking at GDPR and explicit consent in a recent text, for instance, we pointed to the overall GDPR consent guidelines the WP29 published in December 2017.

Also our article on the rules and duties regarding Data Protection Impact Assessments (DPIAs) under the GDPR and our small call-to-action for people developing IoT (Internet of Things) projects and IoT applications to check whether their IoT plans include personal data processing requiring such a DPIA, were based upon WP29 Guidelines. Same thing for our text on GDPR fines.

In other words (there are more WP29) guidelines: a whole body of work across several GDPR-related topics as the WP29 is also ‘becoming’ the EDPB. One of the many tasks of the European Data Protection Board is to examine (on its own initiative or upon request) questions concerning the application of the GDPR. And that’s where those guidelines come in as the EDPB, within this context, also issues guidelines, recommendations and best practices for a consistent application of the GDPR (and later the ePrivacy Regulation) as is stipulated in Article 70 of the GDPR.

The European Data Protection Board (EDPB): tasks and more

All this work, done with several subgroups, was thus part of the transitional period between the old Directive and the GDPR and between the WP29, acting as the EDPB. The work to do during this transitional period was adopted on February 2nd, 2016.

The Article 29 Working Party also had two years in order to become the European Data Protection Board (and in the meantime indeed act as such).

We could point to the duties of the WP29 but there is little sense in doing so as the EDPB is around the corner. What you do need to remember though is that it’s not just important to check out those guidelines (which, as you could read also belong to the tasks of the European Data Protection Board) and that, just as the WP29 was involved in the predecessor of the GDPR it was also involved in the predecessor of the mentioned coming ePrivacy Regulation (as the EDPB is).

The European Data Protection Board, among others, examines question covering the application of the GDPR and issues guidelines, recommendations and best practices in order to encourage its consistent application.

So, back, or better, forward, to the European Data Protection Board, which plays a key role in both the GDPR and that ePrivacy Regulation, which was voted by the European Parliament in October 2017.

The European Data Protection Board itself, as well as its independence, Chair and far more are covered in Section 3 of the GDPR text.

That Section, aptly called ‘Section 3; European data protection board’, starts with Article 68 of the GDPR but the probably most important Article regarding the EDPB is Article 70 of the GDPR which describes the tasks of the board.

The change from WP29 to EDPB isn’t just a name change. There has been quite some restructuring going on and the role of the European Data Protection Board is more important. In that restructuring there is also a more important role for those DPAs.

One of the parties in both WP29 and EDPB on top of the national DPAs is the European Data Protection Supervisor or EDPS (who goes over principles and rules which are applicable to EU bodies and has a voting right in matters regarding those in the EDPB). The European Data Protection Supervisor also must arrange for the Secretariat of the European Data Protection Board.

Articles in the GDPR on the European Data Protection Board

Below is a summary of the Articles in the GDPR text regarding the EDPB.

  • GDPR Article 68 establishes the European Data Protection Board and contains some general rules regarding the composition and functioning of it.
  • GDPR Article 69 emphasizes the independence of the European Data Protection Board, adding that in the performance of its tasks and exercise of its powers it doesn’t seek nor take instructions for anyone.
  • GDPR Article 70, as mentioned, describes the many tasks of the European Data Protection Board and it’s a pretty long list so do check it out indeed.
  • GDPR Article 71 is about the duty of the EDPB to make an annual report on, among others, the personal data protection of data subjects where processing happens in the EU and, where relevant outside of the EU. The report is public.
  • GDPR Article 72 simply says that when the EDPB takes decisions, normally it’s by a simple majority of its members and in some cases by a two-thirds majority.
  • GDPR Article 73 says that, again via a simple majority vote, each five years the European Data Protection Board elects a chair and two deputy chairs. These have to be members of the board and can only be re-elected once (so never one person more than 10 years).
  • GDPR Article 74 expands on what the tasks of the chair of the European Data Protection Board are with, on top of a list of tasks the additional stipulation that the allocation of tasks that need to be executed by the chair and deputy chairs must be in the rules of procedure.
  • GDPR Article 75 then talks about the secretariat of the European Data Protection Board and some rules regarding it (including its tasks).
  • GDPR Article 76, finally, provides a few words on confidentiality in the scope of discussions of the EDPB and access to documents.

There are several other places where the European Data Protection Board, a.k.a. ‘The Board’ is mentioned in the text, when in the scope of a specific Article it has a role to play.

The composition, management, role and means of the EDPB

The illustration below shows how the European Data Protection Board is composed, how its management (Chair and 2 Deputy Chairs) looks like and gets elected as previously explained, what role it plays and how it can perform that role.

So, to summarize: the European Data Protection Board consists of:

  • The head of each national DPA of each member state (remember that there can be several supervisory authorities per member state but there can only be one in the EDPB, this is in particular de facto the case for Germany).
  • The European Data Protection Supervisor or EDPS.
  • The European Commission which has no voting rights in the EDPB though.

The main role of the EDPB is to:

  • Ensure consistent application of the GDPR (and other data protection laws in the framework of the data protection law reformation in the EU).
  • Make sure that DPAs cooperate (de facto also with that consistency in mind but also as in several cases cooperation simply is needed).

The key means the European Data Protection Board has to fulfil its role are:

  • Binding decisions (which is a new mechanism in the GDPR, for example in the scope of settling disputes regarding international personal data transfers).
  • Opinions (e.g. regarding the compliance of a draft code of conduct on a sector level).
  • Guidelines (so, WP29 Guidelines in the future simply are EDPB Guidelines).
The European Data Protection board - composition management role and means of the EDPB which replaces the Article 29 Working Party under the GDPR
The European Data Protection board – composition, management, role and means of the EDPB which replaces the Article 29 Working Party under the GDPR – source European Commission PDF

The European Data Protection Board and binding decision making

As just mentioned, binding decisions are a new instrument in the GDPR. They are the subject of a second graphic from the European Commission, depicted below, which further elaborates on the one above and is part of the same EDPB factsheet as the Commission published it in January 2018.

The binding decision is subject of GDPR Article 65 which explicitly covers dispute resolution by the European Data Protection Board in case of conflicting views and disputes on the levels of DPAs and lead DPAs. Article 65 explains how this conflict resolution works and what the process looks like (again: it is for the EPDB).

The graphic shows how binding decision making by the European Data Protection Board looks like in practice, summarizing Article 65 and taking similar data protection issues in several countries (for which there are cooperation rules and mechanisms for consistency and more) as an example.

How the binding decision making by the European Data Protection Board of GDPR Article 65 will look in practice - source European Commission - PDF opens
How the binding decision making by the European Data Protection Board of GDPR Article 65 will look in practice – source: European Commission – PDF

 

 

Top image: Shutterstock – Copyright: gotphotos. Although our GDPR content has been carefully verified, we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.