GA4GH GDPR Brief: The Role of the European Data Protection Board in Interpreting the GDPR


2 August 2021

GDPR, regulatory and ethics

Avid readers of the GA4GH GDPR Forum will likely have noticed that past briefs have mentioned GDPR interpretations by the European Data Protection Board (‘the Board’) and the Article 29 Working Party (WP29). This Brief aims to clarify their roles in interpreting the GDPR, against the backdrop of their development as well as their most important tasks, powers, and competences, with particular attention to the Board’s mandate to contribute to the consistent application of the GDPR throughout the EU.

Overview of the European Data Protection Board

The Board is an independent body established to promote the effective and consistent interpretation and application of the GDPR across the EU. It has been the successor organization to the WP29 since the GDPR came into force. The Board has broader powers than its predecessor, especially with regard to dispute resolution and consensus building under the consistency mechanism introduced by the GDPR, where it has co-decision-making powers with supervisory authorities (SAs), even though its role remains principally an advisory one. The Board may exceptionally work with the European Data Protection Supervisor, which is an SA for EU institutions with certain advisory functions.

Guidance from the European Data Protection Board

The Board can issue guidance related to the interpretation of the GDPR. The GDPR sets out a non-exhaustive list of 25 areas for such guidance. The advisory tasks most relevant to data processing for genomic research include advising the European Commission, guidance on the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, and guidance on international transfers and, in particular, on codes of conduct.

As was the case with its predecessor, the Board solicits public feedback before issuing guidance: it publishes draft guidance and then gives stakeholders six weeks to comment. (List of open and closed public consultations.)

Opinions from the European Data Protection Board

Within the framework of the consistency mechanism, the Board can issue opinions on draft decisions of SAs and on matters of general application. An example of such an opinion is the case where a draft code of conduct implicates data processing activities in multiple EU Member States. Before an SA approves such a code, it must ask the Board to provide an opinion. The opinion is not binding for the subsequent decision of the European Commission to approve the general validity of a code within the EU. Nevertheless, only a code that has first received an opinion of the Board stating that the code complies with the GDPR’s rigorous standards can be submitted to the Commission. The Board may also issue opinions on other matters, such as determinations from SAs regarding when a data protection impact assessment is required. Any SA or the European Commission may further request that the Board issue an opinion regarding matters that affect more than one Member State.

Further to this, the Board can issue decisions that bind SAs pursuant to the dispute resolution procedure and the urgency procedure.

Binding Nature of the Guidelines and Opinions

The interpretive guidance in the guidelines and opinions of the Board is not binding on SAs (cf. binding decisions) or on courts. Guidelines and opinions are better thought of as interpretive aids than as a bona fide source of law. However, they may have a binding effect on the Board itself, especially where the Board issues a binding decision that is informed by the Board’s own guidelines and opinions. This is why it is particularly relevant that the Board has endorsed some WP29 guidelines, such as those on consent and transparency. Endorsing WP29 guidelines, particularly on issues that are subject to technological development and a changing legal assessment, risks overlooking the state of the art, with the guidelines becoming ‘frozen in time’ instead of being replaced.

Exceptionally, even non-binding guidelines may come to represent a leading, authoritative interpretation of data protection law when cited with approval by the Court of Justice of the European Union. Although this is not frequent, we have seen the Court cite the Board's interpretation with approval.

Below, we have compiled a list of guidelines that are relevant for readers.

Article 29 Working Party / European Data Protection Board Guidelines Relevant to the GA4GH Community

Relevant GDPR Provisions

  • Recital 136 – Consistency mechanism
  • Recital 139 – EDPB to replace WP29
  • Article 64 – Opinions from the EDPB regarding certain measures taken by national supervisory authorities (consistency mechanism)
  • Article 65 – Dispute resolution from the EDPB (consistency mechanism)
  • Section 3 of Chapter VII
    • Article 68 – Nature, status, and composition of the EDPB
    • Article 69 – Independence of the EDPB
    • Article 70 – Tasks of the EDPB
    • Article 71 – Reports of the EDPB
    • Article 72 – Procedures of the EDPB
    • Article 73 – Chair of the EDPB
    • Article 74 – Tasks of the Chair of the EDPB
    • Article 75 – EDPB Secretariat
    • Article 76 – Confidentiality of the EDPB

Michael Beauvais is an academic associate at McGill University’s Centre of Genomics and Policy.

Fruzsina Molnar-Gabor is research group leader at the Heidelberg Academy of Sciences and Humanities and lecturer at the Legal Faculty of Heidelberg University.

For a list of previous briefs, please consult here.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.