The European Data Protection Board (EDPB) and Article 29 Working Party (WP29)

In our articles on the GDPR we often mentioned the Article 29 Working Party or WP29 when it publishes another set of guidelines for the implementation and enforcement of the GDPR. We also often refer to the European Data Protection Board, known as EDPB and in the GDPR text ‘the Board’.

For some people it’s a bit confusing so a quick look at the European Data Protection Board and why we report on the guidelines of the WP29.

The European Data Protection Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives (GDPR)

Simply put, in 2018 with the GDPR comes a European Data Protection Board, which has several roles and responsibilities. This European Data Protection Board replaces the Article 29 Working Party or WP29. Yet, at the same time the WP29 also prepares the start of the European Data Protection Board by bringing various national data protection authorities (a.k.a. DPAs) together and transforming itself into the EDPB. One of the tasks of the European Data Protection Board is advising the EU Commission on issues regarding the protection of personal data in the EU.

European Data Protection Board - EDPB in the GDPR and ePrivacy Regulation

The Article 29 Working Party (WP29) and its role in the GDPR, ePrivacy Regulation and own transformation

The Article 29 Working Party is an independent advisory body on data protection and privacy, which was launched with the predecessor of the GDPR, the Data Protection Directive or Directive 95/46/EC.

The reason why we talk so much about the WP29 is because it has done a lot of work in publishing GDPR guidelines on myriad topics, although it has far more tasks. These guidelines are in first instance meant to ensure a good implementation and enforcement of the GDPR by the regulatory authorities or DPAs.

Although often followed they do not change the GDPR: they provide more details, offer examples and tell how to interpret things. The real binding interpretations in case of doubts is a matter of jurisprudence once the first GDPR cases come to court, as tends to be the case with all legal frameworks.

The European Data Protection Board shall act independently when performing its tasks or exercising its powers (GDPR)

Still, it is essential to study the WP29 guidelines. Several have been published in the last 3 months of 2017. When looking at GDPR and explicit consent in a recent text, for instance, we pointed to the overall GDPR consent guidelines the WP29 published in December 2017.

Also our article on the rules and duties regarding Data Protection Impact Assessments (DPIAs) under the GDPR and our small call-to-action for people developing IoT (Internet of Things) projects and IoT applications to check whether their IoT plans include personal data processing requiring such a DPIA, were based upon WP29 Guidelines. Same thing for our text on GDPR fines and penalties.

In other words (there are more WP29) guidelines: a whole body of work across several GDPR-related topics as the WP29 is also ‘becoming’ the EDPB. One of the many tasks of the European Data Protection Board is to examine (on its own initiative or upon request) questions concerning the application of the GDPR. And that’s where those guidelines come in as the EDPB, within this context, also issues guidelines, recommendations and best practices for a consistent application of the GDPR (and later the ePrivacy Regulation) as is stipulated in Article 70 of the GDPR.

The European Data Protection Board (EDPB): tasks and more

All this work, done with several subgroups, was thus part of the transitional period between the old Directive and the GDPR and between the WP29, acting as the EDPB. The work to do during this transitional period was adopted on February 2nd, 2016.

The Article 29 Working Party also had two years in order to become the European Data Protection Board (and in the meantime indeed act as such).

We could point to the duties of the WP29 but there is little sense in doing so as the EDPB is around the corner. What you do need to remember though is that it’s not just important to check out those guidelines (which, as you could read also belong to the tasks of the European Data Protection Board) and that, just as the WP29 was involved in the predecessor of the GDPR it was also involved in the predecessor of the mentioned coming ePrivacy Regulation (as the EDPB is).

The European Data Protection Board, among others, examines question covering the application of the GDPR and issues guidelines, recommendations and best practices in order to encourage its consistent application.

So, back, or better, forward, to the European Data Protection Board, which plays a key role in both the GDPR and that ePrivacy Regulation, which was voted by the European Parliament in October 2017.

The European Data Protection Board itself, as well as its independence, Chair and far more are covered in Section 3 of the GDPR text.

That Section, aptly called ‘Section 3; European data protection board’, starts with Article 68 of the GDPR but the probably most important Article regarding the EDPB is Article 70 of the GDPR which describes the tasks of the board.

The change from WP29 to EDPB isn’t just a name change. There has been quite some restructuring going on and the role of the European Data Protection Board is more important. In that restructuring there is also a more important role for those DPAs.

One of the parties in both WP29 and EDPB on top of the national DPAs is the European Data Protection Supervisor or EDPS (who goes over principles and rules which are applicable to EU bodies and has a voting right in matters regarding those in the EDPB). The European Data Protection Supervisor also must arrange for the Secretariat of the European Data Protection Board.

Articles in the GDPR on the European Data Protection Board

Below is a summary of the Articles in the GDPR text regarding the EDPB.

  • GDPR Article 68 establishes the European Data Protection Board and contains some general rules regarding the composition and functioning of it.
  • GDPR Article 69 emphasizes the independence of the European Data Protection Board, adding that in the performance of its tasks and exercise of its powers it doesn’t seek nor take instructions for anyone.
  • GDPR Article 70, as mentioned, describes the many tasks of the European Data Protection Board and it’s a pretty long list so do check it out indeed.
  • GDPR Article 71 is about the duty of the EDPB to make an annual report on, among others, the personal data protection of data subjects where processing happens in the EU and, where relevant outside of the EU. The report is public.
  • GDPR Article 72 simply says that when the EDPB takes decisions, normally it’s by a simple majority of its members and in some cases by a two-thirds majority.
  • GDPR Article 73 says that, again via a simple majority vote, each five years the European Data Protection Board elects a chair and two deputy chairs. These have to be members of the board and can only be re-elected once (so never one person more than 10 years).
  • GDPR Article 74 expands on what the tasks of the chair of the European Data Protection Board are with, on top of a list of tasks the additional stipulation that the allocation of tasks that need to be executed by the chair and deputy chairs must be in the rules of procedure.
  • GDPR Article 75 then talks about the secretariat of the European Data Protection Board and some rules regarding it (including its tasks).
  • GDPR Article 76, finally, provides a few words on confidentiality in the scope of discussions of the EDPB and access to documents.

There are several other places where the European Data Protection Board, a.k.a. ‘The Board’ is mentioned in the text, when in the scope of a specific Article it has a role to play.

 

Top image: Shutterstock – Copyright: gotphotos. Although our GDPR content has been carefully verified, we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.