Data Protection Report - Norton Rose Fulbright

On February 11, 2016, the Article 29 Working Party (WP29) issued a statement setting out its 2016 action plan for implementation of the General Data Protection Regulation (GDPR) and its work programme for 2016-2018. WP29 will have 8 working groups leading the implementation of the 2016-2018 work programme.

The statement highlights the following points:

  • WP29 will develop guidelines, tools and procedures for the GDPR framework to be effective for the first semester of 2018.
  • The GDPR will have a distributed governance model with three key pillars: (i) “a higher role” for national data protection authorities (DPAs); (ii) enhanced cooperation between DPAs; and (iii) the European Data Protection Board (EDPB) providing consistency.
  • WP29 is prioritising four areas in its action plan:
      • Setting up the EDPB – setting up the IT system, human resources, budget, rules and procedures.
      • Preparing for the “one-stop-shop” and consistency mechanism – WP29 offers three examples of building blocks for this effort, including deciding (i) how to designate a lead authority; (ii) how enforcement cooperation will work; and (iii) how the consistency mechanism will work.
      • Issuing guidance for data controllers and processors – WP29 has selected four areas of the GDPR to prioritise: (i) the data portability right; (ii) the notion of high risk processing and privacy impact assessments; (iii) certification schemes; and (iv) the role of the data protection officer.
      • Communication around the EDPB/GDPR – WP29 wants to ensure that the EDPB is seen as a key player through (i) the creation of an online communication tool; (ii) strengthening relationships with EU institutions, agencies or other supervision groups; and (iii) participation in external events to promote the new governance model.
  • WP29 intends to consult regularly and where appropriate with stakeholders such as business and civil society representatives, and review the plan periodically, including new objectives and deliverables in 2017.

The other sub-groups that reveal WP29’s potential future priorities are: (i) technology; (ii) international transfers; (iii) borders, travel and law enforcement; (iv) e-government; (v) financial matters. The EU Commission, EDPB and DPAs will have their work cut out to flesh out the ambitious requirements of the GDPR, and it comes as no surprise that preparations have started before the regulation has been officially approved by the European Parliament or Council.

Our take

As part of the effort, WP29 will also consider whether previous WP29 opinions need updating (including opinions on personal data, consent, controller/processor, applicable law, purpose limitation or legitimate interests). In addition, WP29 will consider whether it should issue opinions on key GDPR concepts, such as scope, definitions, general provisions, rights of the data subject, obligations of data controllers and processors, and specific data processing situations.

WP29 (and subsequently EDPB) guidance will be vitally important in understanding the limits of what is expected under the GDPR, particularly as it should trump any divergent DPA guidance. It will be keenly anticipated. We will update you through this blog as the GDPR is finalised and guidance emerges.