As the application date of the General Data Protection Regulation (“GDPR”) draws near, the Article 29 Working Party (“WP”) continues to produce guidelines on various key concepts and requirements. While these guidelines are largely helpful, they contain some questionable views that arguably amount to the WP purporting to make, as opposed to interpret, the law. By overreaching, the WP risks undermining its own credibility and giving organisations an excuse to decline to follow elements of its guidelines as being activist statements of policy rather than legal requirements.
What is the WP, and what weight should be given to its guidelines?
The WP is made up of European data protection authorities, including the Irish Data Protection Commissioner. The WP has an advisory role and its guidelines are not legally binding, although the European Court of Justice has on recent occasions cited WP opinions as being of persuasive authority. When the GDPR becomes applicable the WP will cease to exist and will be replaced by the European Data Protection Board (“EDPB”). Unlike the WP, in addition to having an explicit regulatory power to issue guidelines, recommendations and best practice to encourage consistent application of the GDPR (which are likely to be applied by national data protection authorities), the EDPB will have the power to make legally binding decisions in limited circumstances. Any such decisions are likely to be informed by EDPB guidelines (which may be guidelines that were published by the WP before 25 May 2018 and adopted by the EDPB or new guidelines adopted after 25 May 2018). As a result, while any guidelines published by the WP or its future successor the EDPB will be important indications of how national data protection authorities are expected to apply the GDPR, they are not directly legally binding. The European Commission’s recently published guidelines on the direct application of the GDPR subtly emphasised this point by noting that “where questions regarding the interpretation and application of the Regulation arise, it will be for courts at a national and EU level to provide the final interpretation of the Regulation”.
Some issues with recent WP guidelines
Recently-issued WP guidelines have provided some useful elaborations on the application of the GDPR. However the WP has occasionally adopted interpretations that are, at best, purposive and arguably are not supported by the explicit wording of the GDPR or legal principles that apply to its interpretation. For example:
1. According to the WP’s data protection officer guidelines, when an organisation appoints a DPO on a voluntary basis, the provisions in the GDPR relating to DPOs will apply to that person and their role, as if the organisation had been obliged to appoint a DPO. The text of the GDPR does not support this view. It elevates ‘DPO’ to the status of a legally protected and loaded term and, among other things, purports to give any person with this title protected employment status, even if their organisation does not intend them to perform the DPO role envisaged by the GDPR.
2. The statement in the WP’s guidelines on the right to data portability (i.e. the right for a data subject to receive personal data that he or she provided to the controller in a structured, commonly-used and machine-readable format) that “observed data” is within the scope of this right is not supported by the express wording of the GDPR.
3. The recently published draft transparency guidelines require a level of detail to be provided in data protection/privacy notices that goes far beyond what is explicitly required under Articles 13 and 14 of the GDPR.
At a time when many organisations are struggling to prepare for the application of the GDPR and are searching for pragmatic guidance on what they are required to do, official guidelines that go beyond what is clearly mandatory are unhelpful, not only for the purposes of legal certainty but also as a tool for encouraging behavioural change. If the WP continues to push the boundaries of legally robust interpretations of the GDPR, then it risks failing to seize its opportunity to influence behaviours by issuing convincing guidelines as to what is required, as opposed to what the WP would like the law to require.