With Great Power Comes Great Responsibility

Posted by John Jolliffe, Head of EMEA Government Relations

Late in 2015, EU legislators reached an agreement on a new EU General Data Protection Regulation (GDPR), updating the existing EU Directive which dates from 1994. The new text will come into effect sometime in mid-2018.

A lot has been written about what’s in the new Regulation. (See useful summaries from Bird & Bird and Hunton & Williams.) But while there are important changes on many substantive questions (for example the definition of personal data), there are perhaps even more significant changes in the way EU data protection law will be governed and enforced going forward.

Consider the status quo: Article 29 of the current EU Directive established a Working Party (WP) of national supervisory authorities with “advisory status” to, among other things, “make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community.” The Working Party has fully exploited this prerogative down the years by issuing a series of Opinions on points of law which, while technically non-binding, carry enormous weight and which data controllers ignore at their peril. In doing so the WP emerged as a leading player in the interpretation of EU data protection law, and became one of the most active advocates in the recent negotiations on the new GDPR.

Under the new GDPR, the Article 29 Working Party will be renamed the European Data Protection Board (EDPB). Its Opinions will no longer be merely “advisory” but will be binding on data controllers and national supervisory authorities. Its sole mandate will be to “ensure the consistent application of this Regulation”, with the power to issue a series of “opinions, guidelines, recommendations, and best practices”.

Of course, a body able to ensure consistent application of law is a must and will hopefully provide clarity for both citizens and the companies that serve them. But it should be remembered that not only are EDPB Opinions to be binding on data controllers – and can therefore only be challenged before a court – but they are linked to significant new powers to fine companies and halt data processing. What’s more, the deliberations of the EDPB (as with its predecessor the Article 29 WP) are likely to be held in camera, with little outside consultation with the technical experts of the companies that they oversee.

While the GDPR does state that the EDPB should “consult interested parties”, the law is silent on how this consultation should be established, how extensive it needs to be and how frequent, leaving the whole question to the discretion of the Board. Given that the current Article 29 WP is not notably dialogue-inclined, and given the presumption that all EDPB deliberations will be internal, legitimate questions can be asked about the Board’s willingness to access relevant expertise or entertain outside ideas. It matters a great deal to companies like Adobe how the EDPB will interpret new concepts like “imbalance” between consenting parties, where it will draw the line on “risky processing”, or what it will consider to be a “compelling legitimate interest” for a controller to override a data subject’s objection. Will companies’ voices be adequately heard?

We hope so. But the limited mandate of the EDPB – whereby it is bound to consider only matters relating to the interpretation of data protection law to the exclusion of other highly relevant factors such as the economic impact of its decisions – risks being too narrow. Data processing and data protection are not just a part of the economy, they ARE the modern economy and cannot be examined in isolation.

In short, the EDPB will have enormous influence over the EU economy. We hope it exercises this power responsibly and with the utmost consideration for the world beyond the one outlined in its official mandate.