On 25 May 2018 the European Data Protection Board (EDPB) formally replaced the Article 29 Working Party as the European advisory committee on data protection issues. In addition to taking over Article 29 Working Party’s responsibilities in issuing guidelines, recommendations and statements of best practice, the EDPB, which operates as an independent body of the European Union with its own separate legal personality, also takes on a far broader set of responsibilities:
- examining – on its own initiative or on the request of one of its members or the European Commission (Commission) – any question covering the application of the GDPR;
- advising the Commission on any issue related to data protection in the EU, including on any proposed amendment of the General Data Protection Regulation (GDPR) and any EU legislative proposal;
- advising the Commission on the format and procedures for the exchange of information in the framework of the Binding Corporate Rules;
- providing the Commission with an opinion on the assessment of the adequacy of the level of protection in a third country;
- providing opinions on draft decisions of the supervisory authorities; and
- issuing binding decisions in certain instances, mostly about dispute resolution among supervisory authorities.
In its first plenary meeting, which took place on 25 May 2018, the EDPB agreed the final version of Guidelines 2/2018 on the derogations under Article 49 GDPR in the context of international data transfers (Article 49 Guidelines), as well as a set of draft Guidelines 1/2018 on certification in accordance with Articles 42 and 43 GDPR (Certification Guidelines).
Article 49 Guidelines
Article 49 GDPR sets out the limited exemptions from the general principle that personal data may only be transferred to countries outside of the European Economic Area (EEA) where an adequate level of data protection is provided for the country or by the recipient international organisation, or where appropriate safeguards have been implemented.
The Article 49 Guidelines emphasise the importance of taking a two-step approach to the transferring of personal data to third countries: first, a legal basis must apply to the data processing; and as a second step, the provisions around transfers contained within Chapter V of the GDPR must be complied with. They also confirm that the Article 49 derogations should be interpreted restrictively, and should only be used when the mechanisms in Article 45 and 46 cannot be relied upon.
In addition to dissecting each of the various derogations under Article 49, the Article 49 Guidelines provide some helpful examples around the interpretation of the references to “occasional” and “not repetitive” transfers. Such transfers are described as those that take place, for example, under “random, unknown circumstances and within arbitrary time intervals.”
Guidelines on certification mechanisms
Article 42 provides the legal basis for a set of rules to establish data protection certification mechanisms and data protection seals and marks to enable companies to demonstrate their compliance with the GDPR. The draft Certification Guidelines provide some insight into the interpretation of the concept of “certification”, which is absent from the text of the GDPR, aligning it with the idea of “third party attestation” by a “conformity assessment body”.
The Certification Guidelines also consider the idea of introduction a “European Data Protection Seal”, approved by the EDPB, the intention of which would be to avoid fragmentation of the data protection certification market.
Comment
It will be interesting to observe in the coming months and years how differently the EDPB operates in practice when compared with its predecessor, given the significantly broader remit it has been granted, along with its enhanced independence. No doubt we will see businesses and data protection lawyers alike eagerly awaiting any clarity that the EDPB can offer on those areas of the GDPR where there remains a lack of consensus in relation to its meaning and application.