The new European Data Protection Board increased international cooperation

The European data protection authorities consolidated their cooperation further in 2018. The authorities prepared for the implementation of the EU's General Data Protection Regulation by drawing up guidelines and planning the activities of the European Data Protection Board.

The founding meeting of the EDPB convened on 25 May, the date of the GDPR’s implementation. At the same time, the data protection authorities’ cooperation body preceding the EDPB, the Article 29 Working Party, was dissolved. The Chairwoman of the Art. 29 WP, Andrea Jelinek, was appointed to continue as the chair of the European Data Protection Board. Jelinek’s term will last for five years.

EU and EEA countries as members

The European Data Protection Board is an independent EU body consisting of the Union's national data protection authorities and the representatives of the European Data Protection Supervisor. The EEA member states Iceland, Norway and Liechtenstein are also members of the EDPB by virtue of the EFTA Convention. The Commission has the right to participate in the activities of the EDPB and attend its meetings, but not to vote in them.

The European Data Protection Board is responsible for the uniform application of the EU's General Data Protection Regulation and the Data Protection Directive applying to police and criminal justice authorities. It issues clarifying guidelines and decisions on data protection legislation. A key task of the EDPB is to promote cooperation between the EU's data protection authorities.

In its first plenary session, the EDPB decided to support the guidelines drawn up by the Art. 29 WP on the application of the GDPR, and the preparation of the guidelines was subsequently continued by the EDPB. In the autumn, the EDPB published guidelines on, for example, the GDPR's geographical scope and certifications.

Before the establishment of the European Data Protection Board, the Article 29 Working Party served as the cooperation body for data protection authorities in the EU.

The first statements issued by the EDPB through the consistency mechanism were also finalised in September. The EDPB approved 22 statements applying to common requirements for data protection impact assessment lists. The statements were based on the national data protection authorities’ lists of processing activities that are likely to cause a high risk and thus require a data protection impact assessment. Agreeing on common criteria is important to ensure the consistent application of the GDPR everywhere in the EU. The purpose of the GDPR was to harmonise data protection regulations, improve the protection of personal data and privacy rights, respond to new data protection questions related to digitalisation and globalisation, and to promote the development of the digital single market.

From the Office of the Data Protection Ombudsman, Data Protection Ombudsman Reijo Aarnio and Senior Adviser Anna Hänninen participated in the work of the Art. 29 WP and the European Data Protection Board. Other staff also took part in the work of the sub-committees in their respective areas of expertise. In addition to the existing sub-committees, the Art. 29 WP established a new working group for data protection in social media. The Office of the Data Protection Ombudsman is also represented in this working group.

Cooperation in cross-border matters

The EU's General Data Protection Regulation contains detailed rules on cooperation between the supervisory authorities of EU Member States in cross-border matters. The general definition of a cross-border matter is that it has an impact on more than one EU Member State. The processing of such matters is conducted according to the one-stop-shop mechanism. This means that, in the future, controllers operating in more than one Member State can manage their cross-border matters through the supervisory authority of a single Member State. It is the task of this lead supervisory authority to coordinate the processing of the matter and draw up a proposal for a decision. The other supervisory authorities whom the matter concerns also participate in the handling of the case. EU authorities have a joint information exchange system, the IMI, for exchanging information on cross-border matters.

In 2018, a total of 591 cross-border cases were registered. Finland acted as a supervisory authority concerned in 106 cases and as the lead supervisory authority in five cases.

In the Office of the Data Protection Ombudsman, the coordination of cross-border and international matters was centralised with one senior adviser, supported by one adviser. They also take part in the work of the EDPB. In the spring of 2018, a process working group was also established for describing the processes related to cross-border matters.