Article 76 GDPR: Difference between revisions

From GDPRhub
Line 196: Line 196:
== Commentary ==
== Commentary ==


Article 76 GDPR presents an interesting example of how the GDPR balances different interests at stake. On the one hand, European authorities must act transparently to ensure that their actions can be verified. On the other hand, a space of confidentiality must be preserved to allow them to act effectively. The result is Article 76 GDPR which seeks to regulate this issue, partly through its own provisions, partly through reference to other areas of legislation, including the EDPB's rules of procedure.
Article 76 GDPR subjects the Board's discussions to confidentiality, only in circumstances where the Board deems it necessary.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 76 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition).</ref> The deliberations of the Board's predecessor, the Article 29 Working Party (“''WP29''”), were wholly privileged. Under Article 11(1) of WP29's Rules of Procedure, any minutes and draft documents were confidential, except in circumstances where the WP29 decided to make any such information public.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 76 GDPR, p. 1111-1112 (Oxford University Press 2020).</ref>
 
European legislators thought it necessary to provide for a more transparent approach in regards to the EDPB. Article 42 of the Charter and Article 15(3) TFEU establish a right of transparency, ensuring the public accessibility of documents. In respect of these provisions, Article 76 GDPR reverses the confidentiality rules applicable to the WP29. The Regulation establishes that for the EDPB, transparency regarding deliberations is to be the norm, except in instances where confidentiality is warranted.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 76 GDPR, p. 1112 (Oxford University Press 2020).</ref>
 
The provision presents an insight into how the Regulation attempts to balance different interests at stake. On the one hand, European authorities must act transparently to ensure accountability is maintained - and to ensure compliance with the wider institutional legal framework. While on the other hand, a space of confidentiality must be preserved to allow them to act effectively.  


=== (1) Confidentiality, Where Necessary ===
=== (1) Confidentiality, Where Necessary ===
Under Article 76(1) GDPR, “[t]''he discussions of the Board shall be confidential where the Board deems it necessary''”. Therefore, the rule is that EDPB discussions are publicly accessible unless it is necessary to impose secrecy on them. In turn, the criteria for defining cases of secrecy are laid down in the EDPB's internal rules (“''as provided for in its rules of procedure''”).
The wording of Article 76(1) GDPR makes it clear that the Board's deliberations are only to be confidential in exceptional circumstances, where the Board considers that confidentiality is specifically required. Consequently, the general norm is that the Board's discussions are to be publicly accessible unless it is necessary to impose secrecy on them. In turn, the criteria for defining cases of secrecy are laid down in the EDPB's Rules of Procedure (“''RoP''”).


==== Confidentiality in the EDPB Rules of Procedure. ====
==== Confidentiality in the EDPB Rules of Procedure. ====
Article 33(1) of the Rules of procedure (“''RoP''”) stipulates that in “''accordance with Art 76 (1) GDPR''”, discussions of the Board and of expert subgroups shall be confidential when: “''a. they concern a specific individual; b. they concern the consistency mechanism; c. the Board decides that the discussions on a specific topic shall remain confidential for instance when the discussions concern international relations and/or where the absence of confidentiality would seriously undermine the institution's decision-making process, unless there is an overriding public interest in disclosure.''”  
Article 33(1) RoP stipulates that in “''accordance with Art 76 (1) GDPR''”, discussions of the Board and of expert subgroups shall be confidential when: “''a. they concern a specific individual; b. they concern the consistency mechanism; c. the Board decides that the discussions on a specific topic shall remain confidential for instance when the discussions concern international relations and/or where the absence of confidentiality would seriously undermine the institution's decision-making process, unless there is an overriding public interest in disclosure.''”  


=== (2) Access to Documents ===
=== (2) Access to Documents ===
Article 76(2) GDPR provides that access to documents submitted to members of the EDPB, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 on public access to EU documentation. Under Article 2(3) of that Regulation, all documents held by an institution, that is to say, “''documents drawn up or received by it''” are under the scope of the access. In this regard, Article 76(2) GDPR significantly reduces the scope of the access only to “''documents submitted to'' [and therefore, ‘received by’] ''members of the Board, experts and representatives of third parties''”. It follows that documents drawn up by the EDPB itself are not intended to be covered by the access right unless other more specific GDPR provisions apply. For instance, opinions and resolutions of the Board are published under Article 64(5)(b) and Article 65(5) and Article 70(3) and (4) GDPR.
Article 76(2) GDPR provides that access to documents submitted to members of the EDPB, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 which lays down the general principles and limits to public access of Union documents. The scope of what falls under Regulation (EC) No 1049/2001 is fairly broad. Article 2(3) of Regulation (EC) No 1049/2001 provides that documents which fall under its scope are any “''documents drawn up or received by it'' [Union bodies]''.''”  
 
In this regard, Article 76(2) GDPR significantly reduces the scope of the access only to “''documents submitted to'' ''members of the Board, experts and representatives of third parties''”. It follows that documents drawn up by the EDPB itself are not included in the right of access unless other more specific provisions of the GDPR apply, only documents received by the Board fall under the governance of Regulation (EC) No 1049/2001. More specific provisions include Articles 64(5)(b), 65(5), 70(3) and 70(4) GDPR, which regulate the publication of opinions and resolutions of the Board.


== Decisions ==
== Decisions ==

Revision as of 09:12, 18 October 2023

Article 76 - Confidentiality
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 76 - Confidentiality

1. The discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.

2. Access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council (21).

Relevant Recitals

Recital 164: Professional and Other Equivalent Secrecy Obligations of the Controller
As regards the powers of the supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to existing Member State obligations to adopt rules on professional secrecy where required by Union law.

Commentary

Article 76 GDPR subjects the Board's discussions to confidentiality, only in circumstances where the Board deems it necessary.[1] The deliberations of the Board's predecessor, the Article 29 Working Party (“WP29”), were wholly privileged. Under Article 11(1) of WP29's Rules of Procedure, any minutes and draft documents were confidential, except in circumstances where the WP29 decided to make any such information public.[2]

European legislators thought it necessary to provide for a more transparent approach in regards to the EDPB. Article 42 of the Charter and Article 15(3) TFEU establish a right of transparency, ensuring the public accessibility of documents. In respect of these provisions, Article 76 GDPR reverses the confidentiality rules applicable to the WP29. The Regulation establishes that for the EDPB, transparency regarding deliberations is to be the norm, except in instances where confidentiality is warranted.[3]

The provision presents an insight into how the Regulation attempts to balance different interests at stake. On the one hand, European authorities must act transparently to ensure accountability is maintained - and to ensure compliance with the wider institutional legal framework. While on the other hand, a space of confidentiality must be preserved to allow them to act effectively.

(1) Confidentiality, Where Necessary

The wording of Article 76(1) GDPR makes it clear that the Board's deliberations are only to be confidential in exceptional circumstances, where the Board considers that confidentiality is specifically required. Consequently, the general norm is that the Board's discussions are to be publicly accessible unless it is necessary to impose secrecy on them. In turn, the criteria for defining cases of secrecy are laid down in the EDPB's Rules of Procedure (“RoP”).

Confidentiality in the EDPB Rules of Procedure.

Article 33(1) RoP stipulates that in “accordance with Art 76 (1) GDPR”, discussions of the Board and of expert subgroups shall be confidential when: “a. they concern a specific individual; b. they concern the consistency mechanism; c. the Board decides that the discussions on a specific topic shall remain confidential for instance when the discussions concern international relations and/or where the absence of confidentiality would seriously undermine the institution's decision-making process, unless there is an overriding public interest in disclosure.

(2) Access to Documents

Article 76(2) GDPR provides that access to documents submitted to members of the EDPB, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 which lays down the general principles and limits to public access of Union documents. The scope of what falls under Regulation (EC) No 1049/2001 is fairly broad. Article 2(3) of Regulation (EC) No 1049/2001 provides that documents which fall under its scope are any “documents drawn up or received by it [Union bodies].

In this regard, Article 76(2) GDPR significantly reduces the scope of the access only to “documents submitted to members of the Board, experts and representatives of third parties”. It follows that documents drawn up by the EDPB itself are not included in the right of access unless other more specific provisions of the GDPR apply, only documents received by the Board fall under the governance of Regulation (EC) No 1049/2001. More specific provisions include Articles 64(5)(b), 65(5), 70(3) and 70(4) GDPR, which regulate the publication of opinions and resolutions of the Board.

Decisions

→ You can find all related decisions in Category:Article 76 GDPR

References

  1. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 76 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition).
  2. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 76 GDPR, p. 1111-1112 (Oxford University Press 2020).
  3. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 76 GDPR, p. 1112 (Oxford University Press 2020).