Clarifying the nature and role of the new European Data Protection Board

Author: Cristina Blasi Casagran

I Introduction

In April 2016 the new General Data Protection Regulation (GDPR) was finally approved by the European Parliament and the Council of the European Union. Member States now have until mid-2018 to adapt this instrument in their legal orders. In its 99 sections, the GDPR includes many new data protection features and concepts, some of which have already been questioned and criticized by the pro-privacy community.

In the very same month in which the GDPR was enacted, the EU also adopted the EUROPOL Regulation, which includes many new data protection clauses. EUROPOL is one of the EU agencies that exchange large amounts of data within and beyond the EU. Similarly, EUROJUST is known to collect and store personal information regularly. Therefore it should not come as a surprise that a proposal for a EUROJUST Regulation, which conforms with the EUROPOL Regulation, is in the last phase of the negotiations, and expected to be approved in the upcoming months [1].

In the context of this new legal paradigm, two bodies will be in charge of supervising the compliance of EU institutions, EU bodies and private entities within the EU with the European data protection framework: the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB).

This article will first examine the extended role of the EDPS, which is now entitled to monitor data processing activities of all AFSJ agencies, including EUROPOL and EUROJUST. Second, this piece will seek to clarify the role of the new EDPB in the GDPR. This board enhances the competences of the former art. 29 Working Party in many aspects. For instance, the EDPB’s most distinctive new role is to reconcile divergences among national Data Protection Authorities (DPAs) in deciding individual complaints through the «one-stop shop» mechanism. This procedure will be studied in detail below.

Finally, this study will examine the potential difficulties that both the EDPS and the EDPB may experience in executing their new tasks. Although there is no doubt that the EDPS and the EDPB will enormously reinforce the existing data protection guarantees in the terms found in art. 16 TFEU and art. 8 of the Charter of Fundamental Rights, their new tasks are not beyond question.

II The EDPS and art. 29 Working Party under the former Directive 95/46/EC

When the European Parliament and the Council adopted Directive 95/46/EC [2] and Regulation 45/2001 [3], these legal instruments required the creation of two EU bodies in the field of data protection: the European Data Protection Supervisor (EDPS) [4] and the art. 29 Data Protection Working Party (hereinafter, the art. 29 WP) [5]. Both the EDPS and the art. 29 WP have a crucial role in controlling the compliance of data protection rules among EU institutions and bodies.

Regarding the nature of these two bodies, it is important to highlight that they do not qualify as EU agencies. This is mainly because, despite being set up by an EU act, these bodies do not aim at accomplishing technical, scientific, or managerial tasks for EU institutions, but rather supervise such institutions; and as a result, EU agencies cannot supervise EU institutions [6].

In December 2009, with the entry into force of the Treaty of Lisbon, the EDPS and the art. 29 WP enhanced their scope and competences. As a result, the former three pillars (European Communities, Common Foreign and Security Policy, and Justice and Home Affairs) were abolished. Consequently, not only EU institutions and bodies of the former first pillar were then monitored by these two bodies, but ex-third pillar bodies fell under the scope as well. Hence, data processed by agencies like EUROPOL or EUROJUST (which used to belong to the former third pillar) are now supervised by the EDPS.

Both the art. 29 WP and the EDPS are supervisory bodies, but they have slightly different tasks. On the one hand, the EDPS is composed of EU personnel (permanent or temporary) and has three main functions: supervision, consultation and cooperation [7]. Regarding supervision, the EDPS is in charge of carrying out prior checks of data processing operations that could put individual rights at risk. Moreover, it investigates complaints issued by EU citizens on the processing of personal data by any EU institution (except for the CJEU). As for consultation duties, the EDPS can be consulted by other EU institutions or bodies on any matter relating to the field of data protection. For example, it is common for the Commission to ask for an EDPS opinion before launching a proposal that tackles data protection issues. Finally, regarding the cooperation tasks of the EDPS, it participates in activities developed by national data protection authorities (DPAs) and also in the art. 29 WP meetings [8]. In fact, the EDPS is allowed to vote on decisions taken by the art. 29 WP.

On the other hand, the art. 29 WP is composed of representatives of the national DPAs, and its duties exclusively focus on advising the Commission and promoting compliance with the former Directive 95/46/EC among Member States. This working party releases opinions and reports on questions within the scope of Directive 95/46/EC; it advises the Commission on proposed amendments of the Directive; it makes recommendations on matters relating to data protection and draws up annual reports, among other issues [9].

Although the EDPS and the art. 29 WP are two separate EU bodies, the relationship between them is actually very close. According to art. 46(g) of Regulation (EC) 45/2001, the EDPS participates in many of the activities conducted by the art. 29 WP. Also, as stated above, the EDPS has been given the right to vote on the decisions taken by the art. 29 WP [10]. Both bodies often draft common positions and joint opinions, but their tasks rarely overlap [11] since the scope of the EDPS is much greater than the role of the art. 29 WP.

III Data protection supervisory bodies of AFSJ agencies

EDPS competences have increased over the last fifteen years, since Regulation (EC) 45/2001 was enacted. As stated above, one of the duties of this body is to monitor and give advice to the EU institutions, bodies and EU Member States on data protection matters. All these actors have multiplied in number over the years, and this has had an impact on the EDPS’ role.

The nature of the EU agencies is particularly interesting, since initially this type of EU body would rarely collect and process personal data. If we look at the oldest EU decentralised agencies [12], it can be concluded that the boom started after the Maastricht Treaty came into force. Before 1992 the former European Communities had only established two agencies; but within only two years after the adoption of the Maastricht Treaty the number had risen to nine. Yet, none of these nine agencies processed personal data at the time, and they were mostly dealing with anonymous numbers and statistical information.

However, this changed in 1999, when the so-called Area of Freedom, Security and Justice (AFSJ) was included in the Treaty of Amsterdam. This policy had a big impact on the creation of new EU agencies that process personal data. Interestingly, the AFSJ has no recognised definition to date, although numerous scholars have tried to make sense of this new concept in their studies. In that sense, Wolf, Wichmann & Mounier define it as:

An attempt to provide an overall strategic orientation to punctual measures adopted in the policy area of JHA, such as border management, the fight against terrorism and the fight against organized crime


The Treaty of Amsterdam established in art. 61(e) TEU that the Council needed to adopt measures in the area of police and judicial cooperation that would enshrine a high level of security and would conform to the Treaty on the European Union. The Treaty of Amsterdam then amended the previous Justice and Home Affairs (JHA) policy area. It moved some competences from the former third pillar to the first, enhancing the Community’s jurisdiction to adopt measures on criminal matters.

Consequently, the EDPS became competent to decide on the AFSJ legislation that fell under the scope of the first pillar. This is the case, for instance, with FRONTEX and EASO, two agencies that handle border control and asylum issues respectively, and from that moment on all personal data processed by FRONTEX and EASO were supervised by the EDPS. However, it was different for agencies that still remained as former third pillar bodies. Particularly, EUROPOL and EUROJUST fell outside the EDPS’ control until very recently. The reason for this is that both EUROPOL and EUROJUST were originally created as intergovernmental bodies, rather than EU agencies.

Regarding EUROPOL, its establishment took place in 1992, the year in which the Treaty of Maastricht was signed. It started functioning as the EUROPOL Drugs Unit (EDU), which mainly dealt with drug-trafficking and money-laundering cases; however, EDU did not have competence to store personal data, and the information collected could not be transferred to third countries or international bodies.

EUROPOL extended its competences in 1995 by also covering counter-terrorism investigations [14]. Rules governing this body were first enclosed in the EUROPOL Convention, which was ratified by all EU Member States in 1999. From that moment, EUROPOL became the European law enforcement organization in charge of assisting, 24/7, the competent authorities in Member States and third countries in preventing and combating serious forms of crime. The EUROPOL Convention was then replaced...
