In a piece that may engender some debate, Adam Finlay and Katie O’Leary question the extended role adopted by the Article 29 Working Party.
As the application date of the GDPR draws near, the Article 29 Working Party continues to produce guidelines on various key concepts and requirements. While these guidelines are largely helpful, they contain some questionable views that arguably amount to the WP29 purporting to make, as opposed to interpret, the law. By overreaching, the WP29 risks undermining its own credibility and giving organisations an excuse to decline to follow elements of its guidelines as being activist statements of policy rather than legal requirements.
What is the Article 29 Working Party, and what weight should be given to its guidelines?
The WP29 is made up of European data protection authorities. It has an advisory role; its guidelines are not legally binding, although the European Court of Justice has on recent occasions cited WP29 opinions as being of persuasive authority. When the GDPR becomes applicable, the WP29 will cease to exist and will be replaced by the European Data Protection Board (the EDPB).
Unlike the WP29, the EDPB will have an explicit regulatory power to issue guidelines, recommendations and best practice to encourage consistent application of the GDPR (which are likely to be applied by national data protection authorities) and, in addition, the power to make legally binding decisions in limited circumstances. Any such decisions are likely to be informed by EDPB guidelines (which may be guidelines that were published by the WP29 before 25 May 2018 and adopted by the EDPB or new guidelines adopted after 25 May 2018). As a result, while any guidelines published by the WP29 or its future successor will be important indications of how national data protection authorities are expected to apply the GDPR, they are not directly legally binding. The European Commission’s recently published guidelines on the direct application of the GDPR subtly emphasised this point by noting that ‘where questions regarding the interpretation and application of the Regulation arise, it will be for courts at a national and EU level to provide the final interpretation of the Regulation’.
Some issues with recent guidelines
Recently issued WP29 guidelines have provided some useful elaborations on the application of the GDPR. However, the WP29 has occasionally adopted interpretations that are, at best, purposive and arguably are not supported by the explicit wording of the GDPR or legal principles that apply to its interpretation. For example:
1. According to the data protection officer guidelines, when an organisation appoints a DPO on a voluntary basis, the provisions in the GDPR relating to DPOs will apply to that person and their role, as if the organisation had been obliged to appoint a DPO. The text of the GDPR does not support this view. It elevates ‘DPO’ to the status of a legally protected and loaded term and, among other things, purports to give any person with this title protected employment status, even if their organisation does not intend them to perform the DPO role envisaged by the GDPR.
2. The statement in the guidelines on the right to data portability (ie the right for a data subject to receive personal data that he or she provided to the controller in a structured, commonly used and machine-readable format) that ‘observed data’ is within the scope of this right is not supported by the express wording of the GDPR.
3. The recently published draft transparency guidelines require a level of detail to be provided in data protection/privacy notices that goes far beyond what is explicitly required under Articles 13 and 14 of the GDPR.
At a time when many organisations are struggling to prepare for the application of the GDPR and are searching for pragmatic guidance on what they are required to do, official guidelines that go beyond what is clearly mandatory are unhelpful, not only for the purposes of legal certainty but also as a tool for encouraging behavioural change. If the WP29 continues to push the boundaries of legally robust interpretations of the GDPR then it risks failing to seize its opportunity to influence behaviours by issuing convincing guidelines as to what is required, as opposed to what the WP29 would like the law to require.
Adam Finlay is a Partner at McCann FitzGerald in Dublin
Katie O'Leary is an Associate at McCann FitzGerald