As from 2018, under the newly adopted General Data Protection Regulation (EU) 2016/679 (GDPR), the Article 29 Working Party (WP29), bringing together the European Union’s national data protection authorities, will become the European Data Protection Board (EDPB). The Working Party recently published its work programme for 2016 – 2018. The plan reflects the significant changes to the regulatory landscape arising from the adoption of the GDPR, and indeed was accompanied by a supplementary statement drilling down on GDPR-specific priorities. Both documents illustrate the important institutional implications of the new Regulation, which the WP29 will need to manage while continuing to perform its advisory role on substantive matters.
So what have the DPAs identified as their priority tasks for the coming two years?
The Work Plan for 2016 – 2018
The work plan for 2016 to 2018 is laid out according to Working Party’s structure of eight sub-groups.
The eight subgroups cover a range of substantive topics, and includes one cooperation sub-group which is tasked with overseeing any coordinated actions by DPAs, specifically those around the consequences of the CJEU case which invalidated the Safe Harbour arrangement.
The other seven subgroups focus on these substantive issues: the future of privacy, key provisions, technology, international transfers, law enforcement (as well as borders and travel), E-government, and financial matters. All of the subgroups will be re-examining the opinions relevant to them in light of the new legislation, to hammer out any inconsistencies. Particularly interesting for the TYPES project are the Technology and Key Provisions subgroups.
The Technology subgroup looks at technological developments and their impact on privacy – for example the Do not Track standard. It also works on the topic of user friendly and privacy-complaint was of informing and expressing consent by way of smart devices, the e-Privacy Directive, and the Digital Single Market. The Key Provisions subgroup, on the other hand, will be looking at interpreting all the key concepts contained in the new legislative framework, which could have some interesting results.
The Action Plan on the Implementation of the GDPR
In the action plan on implementing the GDPR, issued on 2 February 2016, the WP29 indicates it will add new objectives and deliverables to the action plan in 2017, and also states that it will regularly consult relevant stakeholders (where appropriate) about the implementation of the GDPR.
The plan has four priorities, two of them being directly related to the creation of the EDPB. One such priority is setting up a Task Force dedicated to creating a structure for the EDPB in terms of its administrative aspects, such as IT, human resources, and budget. Another priority is focusing on communications around the EDPB – making it “visible and identifiable as a key player which legitimacy stems from the DPA”. As a part of this it aims to create an online communication tool.
The other two priorities set out are largely based around continuing to fulfil its role as the EU-level privacy watchdog; issuing guidance on new concepts introduced by the GDPR, and preparing the consistency mechanism. This includes designating a lead data protection authority, the one-stop shop that was promised for enforcement cooperation, and creating the vaguely termed ‘EDPB consistency mechanism’.
This consistency mechanism is a reference to Article 63 of the GDPR, a mechanism through which DPAs cooperate to contribute to the consistent application of the GDPR. There are several references throughout the GDPR to this consistency mechanism so it will be quite an important issue for the EDPB to get right. The recitals explain it a bit further – the mechanism should apply in any cases where national DPAs may adopt a decision that affects a large number of people in multiple Member States.
Rebranding or transformation?
The question still remains whether becoming the EDPB is more than simply rebranding. The work plan seems to indicate that the WP29’s subgroups will be continuing their work as usual, but the action plan indicates that some substantive changes will need to happen in the coming year and a half. Particularly, the administrative restructuring of the WP29 and the focus on improving its communications indicate that the EDPB wants to have a louder voice and become a more prominent body. This makes sense given the GDPR assigning a stronger role to DPAs. Added to that are several provisions in the GDPR where the EDPB gets to have the final say. Based on this, it’s safe to say that the EDPB is not simply a rebranded Working Party, but a larger and more important body.