The following Work Programme lays out the groundwork required to prepare national data protection authorities (DPAs) for their new role under the General Data Protection Regulation (GDPR) and to ensure a smooth transition as the Article 29 Working Party (WP29) is superseded by the European Data Protection Board (EDPB) which will be tasked with ensuring a coordinated and consistent application of the GDPR throughout the European Union.
As the GDPR is close to adoption, WP29 must develop guidelines, tools and procedures to allow the new legal framework to be effective for the first semester of 2018.
WP29 was set up under Article 29 of Directive 95/46/EC and its tasks are to:
• Examine any question covering the application of the national measures adopted under this Directive in order to contribute to the uniform application of such measures;
• Give the Commission an opinion on the level of protection in the Community and in third countries;
• Advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms; and
• Give an opinion on codes of conduct drawn up at Community level.
The following action plan has been designed for 2016 and aims to draw the priorities for the WP29 in preparing the transition into the new legal framework, in particular the EDPB.
A brand new governance model on its way
A new governance model is on its way giving a higher role to the DPAs. It is a distributed governance model built on three pillars:
1. National data protection authorities;
2. Enhanced cooperation between authorities;
3. EDPB level for consistency.
The WP29 wants to show and anticipate this new organisation as far as it is possible.
The main lines of the action plan are based on 4 priorities:
1. Setting up the EDPB structure in terms of administration (e.g. IT, human resources, service level agreements and budget)
A WP29-EDPB task force has been set up with the Chair, the Vice-Chairs and the European Data Protection Supervisor (EDPS), as the secretariat will be ensured by the EDPS under the instructions of the Chair of the EDBP. A key element will be the development of the IT systems for the EDPB in the context of the one stop shop. The task force will also work on human resources, budget implications and the future rules of procedure of the EDPB.
2. Preparing the one-stop-shop and the consistency mechanism
It requires developments on several building blocks of the GDPR such as:
• The designation of lead data protection authority;
• The one-stop -shop on enforcement cooperation;
• The EDPB consistency mechanism.
3. Issuing guidance for controllers and processors
Priority subjects have been selected by the WP29 to provide guidelines or processes to help and accompany controllers and processors to get prepared for the entry into force. They will relate to the following topics:
• New portability right;
• Notion of high risk, and Data Protection Impact Assessment (DPIA);
• Data Protection Officer.
4. Communication around the EDPB/GDPR
It is essential to make this new legal body of the EU already visible and identifiable as a key player which legitimacy stems from the DPA.
• Creation of an online communication tool;
• Strengthening relationships with EU institutions agencies or other supervision groups;
• Participation in external events to promote the new governance model.
This action plan will be reviewed periodically and will be complemented in 2017 with new objectives and deliverables.
The WP29 will consult regularly and where appropriate, the relevant stakeholders (e.g.: business representatives and civil society representatives), in order to exchange views on the implementation of the GPDR.
The activities of all Subgroups of the WP29 will take into account the transitional period between the adoption of the Data Protection package and its entry into force. Given the large amount of work needed, this special period requires an important involvement of all Subgroups and an efficient coordination between them.
The Subgroups are:
• Future of Privacy Subgroup
• Key Provisions Subgroup
• Technology Subgroup
• International Transfers Subgroup
• Borders, Travel and Law Enforcement Subgroup
• E-Government Subgroup
• Financial Matters Subgroup
• Co-operation Subgroup
The GDPR will significantly change the structure and the way the WP29 works today. Upon the adoption of this package, the WP29 will have two years to be ready to become and act as the EDPB. The work programme takes into account this transitional period which will require from all subgroups the issuance of guidelines, tools and procedures to organise the future cooperation between data protection authorities guide the relevant stakeholders in the application of the new framework (e.g. controllers, processors, data subjects) and ensure consistency in its implementation. A yearly action plan translates operationally the work to be done and will be revised regularly.
The Working Party will continue to analyse and provide its opinion on relevant subject matters under the current Directive 95/46/EC which either have already been on the previous work programme and should be maintained or are new topics to be dealt with in the two upcoming years.
Furthermore, the Working Party will work on increasing its interaction with international data protection authorities and other organisations and stakeholders, both within the European Union and outside.
The Working Party will regularly monitor the implementation of its work programme which should be periodically revised and updated as necessary.