Is the Article 29 Working Party Undermining Itself?

January 31, 2018

As the application date of the GDPR draws near, the Article
29 Working Party continues to produce guidelines on various key concepts and
requirements. While these guidelines are largely helpful, they contain some
questionable views that arguably amount to the WP29 purporting to make, as
opposed to interpret, the law.  By overreaching, the WP29 risks
undermining its own credibility and giving organisations an excuse to decline
to follow elements of its guidelines as being activist statements of policy
rather than legal requirements.

What is the Article 29 Working Party, and what weight should
be given to its guidelines?

The WP29 is made up of European data protection authorities.
It has an advisory role; its guidelines are not legally binding, although the
European Court of Justice has on recent occasions cited WP29 opinions as being
of persuasive authority. When the GDPR becomes applicable, the WP will cease to
exist and will be replaced by the European Data Protection Board (the EDPB).

Unlike the WP29, in addition to having an explicit
regulatory power to issue guidelines, recommendations and best practice to
encourage consistent application of the GDPR (which are likely to be applied by
national data protection authorities), the EDPB will have the power to make
legally binding decisions in limited circumstances. Any such decisions are
likely to be informed by EDPB guidelines (which may be guidelines that were
published by the WP29 before 25 May 2018 and adopted by the EDPB or new guidelines
adopted after 25 May 2018). As a result, while any guidelines published by the
WP29 or its future successor will be important indications of how national data
protection authorities are expected to apply the GDPR, they are not directly
legally binding. The European Commission’s recently published guidelines on the
direct application of the GDPR subtly emphasised this point by noting that ‘where
questions regarding the interpretation and application of the Regulation arise,
it will be for courts at a national and EU level to provide the final
interpretation of the Regulation’.

Some issues with recent guidelines

Recently-issued WP29 guidelines have provided some useful
elaborations on the application of the GDPR. However, the WP29 has occasionally
adopted interpretations that are, at best, purposive and arguably are not
supported by the explicit wording of the GDPR or legal principles that apply to
its interpretation.  For example:

1. According to the data protection officer guidelines, when an organisation
appoints a DPO on a voluntary basis, the provisions in the GDPR relating to
DPOs will apply to that person and their role, as if the organisation had been
obliged to appoint a DPO. The text of the GDPR does not support this view. It
elevates ‘DPO’ to the status of a legally protected and loaded term and, among
other things, purports to give any person with this title protected employment
status, even if their organisation does not intend them to perform the DPO role
envisaged by the GDPR.

2. The statement in the guidelines on the right to data portability (ie the right
for a data subject to receive personal data that he or she provided to the
controller in a structured, commonly-used and machine-readable format) that ‘observed
data’ is within the scope of this right is not supported by the express wording
of the GDPR.

3. The recently published draft transparency guidelines require a level of detail to
be provided in data protection/privacy notices that goes far beyond what is
explicitly required under Articles 13 and 14 of the GDPR.

At a time when many organisations are struggling to prepare
for the application of the GDPR and are searching for pragmatic guidance on
what they are required to do, official guidelines that go beyond what is
clearly mandatory are unhelpful, not only for the purposes of legal certainty
but also as a tool for encouraging behavioural change. If the WP29 continues to
push the boundaries of legally robust interpretations of the GDPR then it risks
failing to seize its opportunity to influence behaviours by issuing convincing
guidelines as to what is required, as opposed to what the WP29 would like the
law to require.  

Adam Finlay is a Partner at McCann FitzGerald in Dublin

Katie O’Leary is an Associate at McCann FitzGerald