Greetings from Brussels!
We are now one full week into the GDPR era, and it’s safe to say the sky hasn’t fallen on our heads — well, not just yet anyway. Following on from last week’s inaugural European Data Protection Board news conference, I was fortunate — even privileged — to be one of the first external visitors to the new offices of the EDPB, which now occupy an entire floor provided by — and in the same building — as the European Data Protection Supervisor. Incidentally, the European Ombudsman also has its visitor office at this address, a stone’s throw from our own IAPP European office. I think this speaks to an important distinction, that the newly formed EDPB will be autonomous to the EDPS and will take its direction solely from the EDPB chair. Moreover, the EDPB has a much-enhanced status. It is not merely an advisory committee, as the Article 29 Working Party was, but an independent body of the European Union with its own legal personality.
In other words, it has teeth.
To recap, the WP29, as established by the 95 Directive, was retired by the incoming EU General Data Protection Regulation with the creation of the EDPB, which will be similarly made up of the EU heads of the national regulatory authorities (and/or their representatives) and the EDPS.
The EDPB has been given a long and detailed list of tasks (too many to cite here), but its primary role is to contribute to the consistent application of the GDPR throughout the EU. It will also advise the European Commission, in particular, on the level of protection (and adequacy) offered by third countries or international organizations and promote cooperation between national supervisory authorities. One of the EDPB’s most distinctive new roles is to conciliate and arbitrate disputes or differing positions between national supervisory authorities.
I was meeting with Isabelle Vereecken, the newly appointed head of the EDPB Secretariat, who reports to Andrea Jelinek, the EDPB chair. Vereecken is a seasoned privacy and regulatory professional and has worked with both the Belgian data protection authority, as well as the EDPS, before taking on this new and forward-looking role. Her knowledge of the regulatory environment from multiple perspectives is vast and experienced. In many respects, her appointment makes sense: She spearheaded the implementation efforts while at the EDPS to get the EDPB office and its working processes up and running, coordinating the consultative exercise with member state regulatory bodies and institutional stakeholders up until its inauguration on 25 May. Vereecken said, "It’s been an efficient drive by all parties concerned, and now we are ready, and we will have all a lot of work to do." As Vereecken inferred, the EDPB is truly in start-up mode, and I sense an environment with a lot of positive energy. The office currently employees 13 staff members and will be 18 full-time employees by the end of 2018 with plans for further expansion beyond.
Laurence de Richemont of DG Grow at the European Commission, head of unit for the Single Market Service Centre, was also present at the meeting. The EDPS has been working closely with DG Grow to implement the "tried and tested" IMI system at the EDPB, which will enable online cross-border administrative cooperation between the regulatory authorities. This will go a long way toward streamlining the administrative processes at the EDPB. The multilingual service already connects more than 8,000 public authorities and 19,000 registered users across the EU in 12 different single market policy areas at both national and local levels — the GDPR will become the 13th policy area to be managed through the system. Laurence de Richemont stated, “E-government is already happening at EU level, and the IMI system is designed to cater to 21st century requirements, as it should."
The level of preparation that has gone into the system's designs has been impressive: To cite a few initiatives, DG Grow and the EDPS have jointly organized three workshops with the DPAs to review the new procedures; two training sessions have been conducted to train the DPA users on the system; and a technical help desk has been installed to assist the national authorities as they work with the system. The DPAs were also consulted throughout the process, participating in user workgroups, to design the system workflows.
By all accounts, the readiness undertaken to launch the EDPB has been extensive and diligent. I think we can expect to see an active and effective body as the GDPR plays out across the EU.
If you want to comment on this post, you need to login.