Article 92 GDPR: Difference between revisions
No edit summary |
No edit summary |
||
Line 201: | Line 201: | ||
== Commentary == | == Commentary == | ||
This provision outlines the limits to the Commission's power to adopt delegated acts pursuant to Article 290 TFEU, ''within the scope'' of the GDPR.<ref name=":0">''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number | This provision outlines the limits to the Commission's power to adopt delegated acts pursuant to Article 290 TFEU, ''within the scope'' of the GDPR.<ref name=":0">''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).</ref> The function of Article 92 GDPR is to lay down conditions for the delegation of power as necessitated by Article 290 TFEU, such as its duration (Article 290(1) TFEU), its revocability (Article 290(2)(a) TFEU), and the dependence of the entry of force of individual delegated acts on the absence of objections by the Parliament and the Council (Article 290(2)(b) TFEU). Delegated acts are distinguishable from other types of acts which the Commission may adopt in relation to the GDPR, in particular the implementing acts found in [[Article 93 GDPR]].<ref>''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 2 (C.H. Beck 2020, 3rd Edition). See also, ''Sydow'' in Sydow, Marsch, DS-GVO BDSG, Article 92 GDPR, margin number 26. </ref> | ||
=== (1) Delegated acts === | === (1) Delegated acts === | ||
Line 216: | Line 216: | ||
=== (3) The delegation of power may be revoked === | === (3) The delegation of power may be revoked === | ||
The delegation of power provided for by Article 92(2) GDPR is for an 'indeterminate' period of time. Nonetheless, the wording of Article 290(1) TFEU requires that the 'duration' of the delegation must be provided for in the legislative act which confers the delegation of power. At first glance, Article 92 GDPR's wording seems to be in conflict with Article 290(1) TFEU, but in actuality it is not. Article 92(2) GDPR must be read in line with Article 92(3) GDPR, which provides that the Parliament and the Council may revoke the conferral of power at any time. This provision ensures that there can be no unlimited conferral.<ref | The delegation of power provided for by Article 92(2) GDPR is for an 'indeterminate' period of time. Nonetheless, the wording of Article 290(1) TFEU requires that the 'duration' of the delegation must be provided for in the legislative act which confers the delegation of power. At first glance, Article 92 GDPR's wording seems to be in conflict with Article 290(1) TFEU, but in actuality it is not. Article 92(2) GDPR must be read in line with Article 92(3) GDPR, which provides that the Parliament and the Council may revoke the conferral of power at any time. This provision ensures that there can be no unlimited conferral.<ref>''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).</ref> | ||
In the instance that a revocation is made, it shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. Should it be used to revoke the delegations granted in Articles 12(8) and 43(8) GDPR, the revocation will not affect the validity of any of the delegated acts that the Commission may have already adopted and which are in force up to that point. This, of course, does not preclude the possibility that the legislators (once the power has been resumed following revocation) may remove or amend the act issued by the Commission by an ordinary legislative act. | |||
=== (4) Notification of delegated acts === | === (4) Notification of delegated acts === | ||
As soon as it adopts a delegated act, the Commission shall notify it | As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. This notification triggers the start of the three month period in which Parliament and the Council may raise objections pursuant to Article 92(5) GDPR.<ref>''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).</ref> | ||
=== (5) Entry into force of delegated acts === | === (5) Entry into force of delegated acts === |
Revision as of 09:27, 29 September 2023
Legal Text
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.
3. The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
5. A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
Relevant Recitals
Commentary
This provision outlines the limits to the Commission's power to adopt delegated acts pursuant to Article 290 TFEU, within the scope of the GDPR.[1] The function of Article 92 GDPR is to lay down conditions for the delegation of power as necessitated by Article 290 TFEU, such as its duration (Article 290(1) TFEU), its revocability (Article 290(2)(a) TFEU), and the dependence of the entry of force of individual delegated acts on the absence of objections by the Parliament and the Council (Article 290(2)(b) TFEU). Delegated acts are distinguishable from other types of acts which the Commission may adopt in relation to the GDPR, in particular the implementing acts found in Article 93 GDPR.[2]
(1) Delegated acts
Under Article 290(1) TFEU, an EU legislative act may delegate the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act to the Commission. Article 290(1) TFEU provides that “the objectives, content, scope and duration of the delegation of power” must be explicitly defined within the legislative act, which Article 92 GDPR does through Articles 12(8) and 43(8) GDPR. Nonetheless, the Article 290(1) TFEU restricts the delegation of power to 'non-essential' areas of the legislative provision in question.
The “essential elements of an area” shall be reserved for the legislative act, and cannot be delegated to the Commission. In regard to the GDPR, the 'essential' legislative areas are the regulation and enforcement of data protection. The Commission may not legislate in these core areas, but is permitted to legislate for periphery matters which fall outside of the scope of areas considered 'essential.' In accordance with the framework established through Article 290 TFEU, Article 92 GDPR provides that the commission may make use of its delegated powers solely through Articles 12(8) and 43(8) GDPR.
(2) Delegation of power under Article 12(8) and 43(8) GDPR
The first delegation is provided for in Article 12(8) GDPR. This provision permits the Commission to adopts delegated acts in accordance with Article 92 for the purpose of determining the procedures for providing standardised icons and to determine the information to be displayed by icons.
The second delegation is provided for through Article 43(8) GDPR, which empowers the Commission to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
Any delegated acts made under these provisions are inherently subject to the general principles governing delegated acts under Article 92 GDPR, as well as to the principles of the Articles under which any delegated act is made. A delegated act may not contradict the GDPR's fundamental principles and objectives.
(3) The delegation of power may be revoked
The delegation of power provided for by Article 92(2) GDPR is for an 'indeterminate' period of time. Nonetheless, the wording of Article 290(1) TFEU requires that the 'duration' of the delegation must be provided for in the legislative act which confers the delegation of power. At first glance, Article 92 GDPR's wording seems to be in conflict with Article 290(1) TFEU, but in actuality it is not. Article 92(2) GDPR must be read in line with Article 92(3) GDPR, which provides that the Parliament and the Council may revoke the conferral of power at any time. This provision ensures that there can be no unlimited conferral.[3]
In the instance that a revocation is made, it shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. Should it be used to revoke the delegations granted in Articles 12(8) and 43(8) GDPR, the revocation will not affect the validity of any of the delegated acts that the Commission may have already adopted and which are in force up to that point. This, of course, does not preclude the possibility that the legislators (once the power has been resumed following revocation) may remove or amend the act issued by the Commission by an ordinary legislative act.
(4) Notification of delegated acts
As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. This notification triggers the start of the three month period in which Parliament and the Council may raise objections pursuant to Article 92(5) GDPR.[4]
(5) Entry into force of delegated acts
After the Commission has notified the act (and the relevant documents), the Parliament and the Council have three months to express objections (or waive their intention to object). When this period expires, the delegated act “pursuant to Article 12(8) and Article 43(8) shall enter into force”.
Possible scenarios
(a) The Parliament and Council inform the Commission of their intention not to object to the delegated act. In this case, the delegated act can be published in the Official Journal of the European Union, and can enter into force before the end of the three-month period.
(b) The Parliament and Council express the same objection. In this case, the Commission will most likely amend its act.
(c) Either the Parliament or the Council expresses an objection while the other remains silent. In this case, the Commission will probably amend the act as requested, and await a reaction from the other legislator. If there is no reaction within three months, the act is published in the Official Journal.
(d) Parliament and Council express separate objections, or different positions, on the same issue. This can be resolved either by the Commission renouncing the power of delegation, or by a dialogue between the two legislators.
(e) The Parliament and the Council do not express any objections within three months of the date on which the act is notified to them. In this case, the act shall enter into force.
Decisions
→ You can find all related decisions in Category:Article 92 GDPR
References
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 2 (C.H. Beck 2020, 3rd Edition). See also, Sydow in Sydow, Marsch, DS-GVO BDSG, Article 92 GDPR, margin number 26.
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).