Section 3

European data protection board

 

Author:Stephanie Schiedermair

 

1. The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.
2. The Board shall be represented by its Chair.
3. The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.
4. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State’s law.
5. The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.
6. In the cases referred to in Art. 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

 

I. Legal background

The GDPR creates a central data protection authority for the EU, the EDPB, to which the entire third section of Chapter VII is dedicated. The structure of the SA was one of the most controversial matters raised in the course of the Council negotiations on the GDPR. A topic continually raised by the Council at the ministerial level, the Council only managed to reach an agreement on Chapters VI and VII of the GDPR in March 2015. The Comm, too, always considered the powers of, and collaboration between, the SAs in data protection matters to be a particularly key element of the legislative process. With regard to the consistent application and enforcement of the GDPR, the Comm took a two-pronged approach. On the one hand, it called for measures to strengthen the national authorities and to step up their collaboration. On the other hand, it wanted to create a situation in which companies operating in the European market only had to come into contact with one Member State SA in each case (the ‘one-stop-shop’ principle). This is the SA in the Member State in which the company has its main establishment. Despite this principle, however, the SAs can only exercise their powers within the jurisdiction of their Member State.

In addition to the introduction of the consistency mechanism, the expansion of the Art. 29 WP to create an “independent European Data Protection Board” is also, according to the Commission, designed to promote the more coherent application of the data protection provisions and, at the same time, provide a basis for collaboration among the individual data protection authorities in the Member States and with the EDPS. In order to establish an efficient structure at the European level, the Comm proposed a structure in which the EDPB would be able to use the resources of the secretariat of the EDPS, a proposal that was, in fact, implemented.

II. Analysis

The EDPB replaces the former Art. 29 WP, but unlike the Art. 29 WP, it is not restricted to an advisory function. Rather, it has a broad, varied range of duties, including the option of adopting binding decisions within the context of dispute resolution (Art. 70 para. 1 lit. a in conjunction with Art. 65 para. 1 GDPR). In particular, the Board is supposed to ensure the consistent application of the GDPR in the EU Member States. Promoting the consistent application of the DPD had already been one of the objectives of the Art. 29 WP.

The dissatisfaction with the inconsistent application of the DPD was, however, one of the main reasons behind the creation of the new GDPR. The central objective of the GDPR, namely to ensure the effective enforcement of the provisions set out therein, becomes particularly apparent in the detailed provisions of the GDPR on the structure of the authorities, distribution of duties and cooperation between the different authorities. In this respect, the EDPB is assigned a key coordinating function, e.g. in supporting cooperation between the SAs. In addition, the EDPB is supposed to advise the Comm, particularly on whether a third country or an international organisation offers a sufficient level of protection. The EDPB has been equipped with much further-reaching powers and is to play an enhanced role in European data protection than the previous Art. 29 WP.

In line with the proposal made by the EP and the Art. 29 WP, the GDPR gives the EDPB the status of a body of the Union with legal personality. This means that the Board can independently contact other EU institutions via its Chair, who is the Board’s legal representative, and can also take legally binding action vis-à-vis these institutions. The conferral of legal personality strengthens the Board’s status and is designed to allow it to better fulfil its role of promoting the consistent application of the GDPR. The fact that the Board has its own legal personality and the decision-making powers as set out in Art. 70 para. 1 in conjunction with Art. 65 para. 1 make it comparable to institutions, such as the European Central Bank and the European Investment Bank.

 

 

 

[…]