The European Data Protection Board and the consistency mechanism
To ensure the consistent application of the GDPR throughout the EU an important role will be played by the European Data Protection Board (the Board).
Even though the denomination looks new, the Board in itself is the continuation of the existing Article 29 Working Party which was established under the old Data Protection Directive 95/46/EC. Similarly with the Article 29 Working Party, the Board is composed of the heads of national supervisory authorities and the European Data Protection Supervisor (EDPS), or their representatives. The EDPS’s voting powers are restricted to those decisions that would be applicable to the EU institutions.
The Board also includes a representative of the European Commission who, however, does not have a right to vote so as to ensure the independence of the Board. There seems to be an implicit suggestion that the European Commission has exercised too much influence over the Article 29 Working Party in the past and the GDPR wants to ensure that this will not be the case in the future.
In comparison to the Article 29 Working Party, the Board has a more enhanced status. It is designed as an independent body with its own legal personality. Besides its primary role in ensuring the consistent application of the GDPR, the Board also has other powers. It advises the Commission, in particular on the level of protection offered by third countries or international organisations. In addition, the Board promotes cooperation between national supervisory authorities and it also plays a role in conciliation procedures for disputes between national supervisory authorities. In exercising its powers, the Board issues guidelines, recommendations and statements of best practice.
The old Article 29 Working Party was often criticised for not adequately consulting stakeholders before taking decisions. In reaction to this criticism, the Board is required to consult interested parties where appropriate. This would of course benefit data controllers or processors that might be affected by the decisions adopted.
Next to that, the Board plays a prominent role with regards to the consistency mechanism. This is a new system of supervision in those situations in which data processing activities take place simultaneously in more than one Member State or have an EU-wide impact.
Under the old legal regime, a company operating in more than one EU Member State had to deal with several Data Protection Authorities. This lead to uncertainties for companies and to situations where different rules applied. For example, the Google Street View case was based on actions of a single company (Google), but similarly affected individuals in several Member States got different responses from national Data Protection Authorities.
Together with the establishment of the Lead Supervisory Authority presented in the previous step, the consistency mechanism is intended to avoid such situations. When it is clear that the decision of a supervisory authority will have an EU-wide impact, or when a request comes from a national supervisory authority, the Chair of the European Data Protection Board or from the European Commission, the Board issues a non-binding decision on a specific case. The national supervisory authority dealing with the case shall take utmost account of the decision of the Board or shall inform the Board in the case in which it does not intend to follow its opinion.
If the national supervisory authority does not follow the opinion of the Board, the latter, in order to ensure the correct and consistent application of the GDPR, adopts a binding decision addressed to the lead supervisory authority and all the other national authorities concerned.
© University of Groningen