Privacy & Information Security Law Blog

On January 22, 2013, the Article 29 Working Party released Opinion 01/2013 (the “Opinion”) on the implementing acts contained in the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).

As previously reported, the Working Party has already adopted two Opinions on the Proposed Regulation (Opinion 01/2012 and Opinion 08/2012). In Opinion 08/2012, the Article 29 Working Party provided an article-by-article analysis of the provisions of the Proposed Regulation on possible delegated acts. The Working Party’s most recent Opinion provides a similar article-by-article analysis of all provisions on possible implementing acts.

Implementing Acts

Under Article 290 of the Treaty on the Functioning of the European Union, the Commission can adopt delegated acts to supplement or amend non-essential parts of a legal act (in this case the Proposed Regulation). Under Article 291, the Commission can adopt implementing acts where uniform conditions are needed to ensure legal certainty and to avoid discrepancies between the laws in the 27 EU Member States.

The Working Party recognizes that there are “situations in which a binding EU instrument which specifies a provision of the Regulation will be the most appropriate way to create legal certainly, protect the data subject and avoid distorting discrepancies between the Member States.” In other situations, however, it calls for a “flexible approach and room for cultural differences.” In such cases, the Working Party recommends the use of guidelines issued by the European Data Protection Board (“EDPB”), the proposed successor to the Article 29 Working Party, which accommodates “the need for flexibility and supports the introduction of the principle of accountability.” The Working Party emphasizes that the authority to adopt implementing acts should only be conferred on the Commission where they “are needed,” and that implementing acts increase the “prescriptive nature” of the Proposed Regulation, which may not be consistent with the principle of accountability.

Article-by-Article Analysis

The Opinion considers 22 article-by-article assessments and concludes that:

• in six cases, no implementing act is required as the provisions of the Proposed Regulation are already sufficiently clear and further guidance is not required;
• in five instances, a delegated act would be more appropriate than an implementing act, allowing minimum requirements to be prescribed, instead of detailed and complete technical instructions;
• in four cases, no implementing act is required, as the EDPB could take the required action; and
• in three cases, guidance issued by national regulators or the EDPB would be more appropriate than an implementing act.

In the four remaining articles, the Working Party agrees that an implementing act would be appropriate, but recommends a far more significant role for the EDPB. In relation to Article 38 (codes of conduct), the Working Party explicitly notes that “it would have been most logical if such power was granted to the EDPB” and not to the Commission. Further, with respect to Articles 41 (adequacy decision) and 42 (standard contractual clauses), the Working Party recommends that the Commission be obliged to consult the EDPB during the decision-making process. Finally, for Article 62 (general validity of standard contractual clauses), the Working Party interprets the provision to mean that the Commission would only declare clauses valid once they have been approved by the EDPB, and, that once declared generally valid, the Commission could not alter the content of the clauses.

Overall, the Working Party recommends a greatly reduced role for the Commission, and a strengthening of the EDPB’s role with regard to the implementing acts suggested by the Proposed Regulation.