Introduction

This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy.

Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.
The secretariat is provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Directorate General Justice and Consumers, B-1049 Brussels, Belgium, Office No MO-59 02/013

Tasks
The Working Party was set up under Article 29 of Directive 95/46/EC and its tasks are to (Art. 30.1):
(a) examine any question covering the application of the national measures adopted under this
Directive in order to contribute to the uniform application of such measures;
(b) give the Commission an opinion on the level of protection in the Community and in third countries;
(c) advise the Commission on any proposed amendment of this Directive, on any additional or specific
measures to safeguard the rights and freedoms of natural persons with regard to the processing of
personal data and on any other proposed Community measures affecting such rights and freedoms; and
(d) give an opinion on codes of conduct drawn up at Community level.
These tasks also apply with regard to the electronic communications sector (Art. 15.3 of Directive
2002/58/EC).

Activities for 2016-2018
The General Data Protection Regulation (hereafter “the Regulation”) and the Directive on Police and
Justice will significantly change the structure and the way the WP29 works today.
Upon the adoption of this package, the WP29 will have two years to be ready to become and act as the
European Data Protection Board (hereafter “EDPB”). The work programme takes into account this
transitional period which will require from all subgroups the issuance of guidelines, tools and procedures
to organize the future cooperation between data protection authorities guide the relevant stakeholders in
the application of the new framework (e.g. controllers, processors, data subjects) and ensure consistency
in its implementation. A yearly action plan translates operationally the work to be done and will be
revised regularly.
The Working Party will continue to analyze and provide its opinion on relevant subject matters under the
current Directive 95/46/EC which either have already been on the previous work programme and should
be maintained or are new topics to be dealt with in the two upcoming years.
Furthermore, the Working Party will work on increasing its interaction with international data protection
authorities and other organisations and stakeholders, both within the European Union and outside.
The Working Party will regularly monitor the implementation of its work programme which should be
periodically revised and updated as necessary.

Subgroups

The activities of all subgroups of the WP29 will take into account the transitional period between the
adoption of the Data Protection package and its entry into force. Given the large amount of work needed,
this special period requires an important involvement of all subgroups and an efficient coordination
between them.

Future of Privacy subgroup

Before the entry into force of Regulation, the WP29 will continue to work on the basis of the current
framework. However, during this transitional phase, the WP29 will anticipate the application of the new
legal framework and should prepare its new governance model. The WP29 has elaborated an action plan
to do so which will be regularly revised.
The Future of Privacy subgroup will be primarily in charge of piloting, managing and monitoring this
action plan by developing the new governance model, organizing issuance of appropriate tools and
guidelines and proposing key decisions to the WP29 in relation with the action plan.
To fulfill these tasks that will be transversal and implicate other subgroups, the Future of Privacy
subgroup will ensure coordination tasks and consistency checks for a coherent implementation of the
WP29 strategy regarding the new framework.

Key Provisions subgroup

In light of the Regulation, the subgroup will examine the need to update previous opinions ( e.g.the opinions
on personal data, consent, controller/processor, applicable law, purpose limitation or legitimate interests).
The Key Provisions subgroup will in addition be dealing with the interpretation of key concepts of the
new legal framework (e.g. scope, definitions, general provisions, rights of the data subject, obligations of
data controllers and processors, specific data processing situations).

Technology subgroup

The subgroup will continue its works together with other subgroup(s) when appropriate on the following
topics: Do not Track standard, data portability, Wi-Fi location analytics and bluetooth beacons, minimum
technical specifications, e-voting, electronic monitoring of employees, user friendly and
privacy-compliant ways of informing and expressing consent by way of smart devices, the e-Privacy
Directive, Digital Single Market, smart meters and smart grids, data protection impact assessments and
data breach impact assessment.
The subgroup will consider whether previous opinions need to be updated in light of the Regulation and
also deal with the new topics (e.g. certification).

International Transfers subgroup

The CJEU ruling on the Schrems vs. Facebook case has become a crucial point on the WP29 and on the
International Transfers subgroup’s agenda. In coordination with other subgroups, the International
Transfers subgroup has been tasked to analyze the consequences of the ruling on transfers’ tools (e.g.
Standard Contractual Clauses, BCR, ad-hoc clauses, other adequacy decisions) and on derogations for
transfers.

The International Transfers subgroup will also analyze and deliver an opinion on the new Safe Harbor
arrangement once released.
In addition, the subgroup will examine the impact of the Regulation on existing transfers’ tools and the
current cooperation procedure. More generally, the subgroup will consider whether previous opinions
need to be updated in light of the Regulation.
The International Transfers subgroup will continue its work on the possible « interoperability » with
Convention 108 and the OECD Guidelines and on the BCR-CBPR project with APEC.

Borders, Travel and Law Enforcement subgroup

The subgroup will continue its work on the following topics: the Directive Police and Justice, PNR
Terrorist Finance Tracking Program, Data retention, Transatlantic Cable Interception (together with the
international transfers subgroup), the Cybercrime Convention, the proposals following the European
Commission’s European Agenda on Security and the consequences of the CJEU judgement “Schrems
vs. Facebook”, including the analysis of relevant EU and US surveillance law.
The subgroup will also analyse the following legislative proposals: the revised Smart Borders package,
the proposal to adopt the EU-US Umbrella Agreement, the proposal for a European Police Record Index
System, the new counter-terrorism proposals and the European agenda on migration and the Electronic
Criminal Record Information System (ECRIS) for third country nationals and stateless people (TCN).
The subgroup will consider whether previous opinions need to be updated in light of the Regulation.

E-government subgroup

The subgroup will continue its work on the following topics: the implementing acts for the Regulation on
electronic identification and trust services for electronic transactions in the internal market (EIDAS),
Mobile Apps used in the public sector, the cloud services for e-Government services, the Research and
Education network Code of conduct, the online publication of personal data of government officials, the
E-Voting and the Digital Single Market Strategy for Europe.
The subgroup will work on the topic linked to E-health network. It will also consider whether previous
opinions need to be updated in light of the Regulation.

Financial matters subgroup

The subgroup will continue its work on the following topics: automatic exchange of data for tax purposes,
OECD Common Reporting Standards, FATCA, the implications on data protection of International
Organisation of Securities Commissions and Multilateral Memorandum of Understanding concerning
consultation and cooperation and the exchange of Information, and the implications on data protection
of Directive 2014/65/EU (so-called “MIFID 2”) and Regulation (EU) 600/2014 (so-called “MAR”).
The subgroup will also analyse the following topics: Account aggregators, the vast use by banks of data
related to their clients for commercial profiling and the draft Regulation of the European Central Bank
concerning the collection of granular credit and credit risk.
The subgroup will consider whether previous opinions need to be updated in light of the Regulation.

Cooperation subgroup

The subgroup will organize workshops on practical issues and tools of common interest, continue its
work on the improvement of the WP29 website, on the follow up of the preparations of the International
Conference and of the Spring Conference (focus on the question of enforcement cooperation). It will
elaborate a data protection vocabulary, examine the list of activities of the DPAs.
The subgroup will also be involved in the analysis of the consequences of the CJEU judgement
“Schrems vs. Facebook”, including on coordinated actions to handle complaints and to organise
enforcement operations if needed.
Finally, the subgroup will work on common tools and standard forms to implement the Regulation in a
consistent manner (e.g. templates for designating a lead DPA, complaints forms).

Ressources: http://ec.europa.eu/justice/data-protection/index_en.htm

Descarca Work programme 2016 – 2018