It is worth noting this time that the General Data Protection Regulation and the Directive on Police and Justice will change the structure and the way WP29 works today. It has indeed 2years to become the European Data Protection Board (EDPB). Some guidelines and procedures will be adopted to organize the future cooperation between data protection authorities and relevant stakeholders.
The WP29 subgroups will be focused on:
Future of Privacy subgroup
It will deal with the application of the new legal framework and will prepare its governance model. We have already mentioned in previous news that an action plan has been recently adopted, and will be regularly updated.
Key Provisions subgroup
It will update previous opinions on personal data, consent, controller/processor, applicable law, purpose limitation or legitimate interests. Some key concepts of the new legal framework will also be implemented, like the scope, definitions, general provisions, rights of the data subject, obligations of data controllers and processors, and specific data processing situations.
This subgroup will work on Do not Track standard, data portability, Wi-Fi, location analytics and bluetooth beacons, minimum technical specifications, e-voting, electronic monitoring of employees, user friendly and privacy-compliant ways of informing and expressing consent by way of smart devices, the e-Privacy Directive, Digital Single Market, smart meters and smart grids, data protection impact assessments and data breach impact assessment and certification.
International Transfers subgroup
Following the CJEU ruling on the Schrems vs. Facebook, this subgroup will analyse the consequences of the ruling on transfer tools (e.g. Standard Contractual Clauses, BCR, ad-hoc clauses), and on derogation for transfers. The Safe Harbor arrangement, the “interoperability” with Convention n 108 and the OECD Guidelines, and the BCR-CBPR project with APEC will also be crucial.
Borders, Travel and Law Enforcement subgroup
The topics here discussed will be: the Directive Police and Justice, PNR Terrorist Finance Tracking Program, Data retention, Transatlantic Cable Interception (together with the international transfers subgroup), the Cybercrime Convention, the proposals following the European Commission’s European Agenda on Security and the consequences of the CJEU judgement “Schrems vs. Facebook”, including the analysis of relevant EU and US surveillance law. It will also pay attention to the legislative proposals on the revised Smart Borders package, the proposal to adopt the EU-US Umbrella Agreement, the proposal for a European Police Record Index System, the new counter-terrorism proposals and the European agenda on migration and the Electronic Criminal Record Information System (ECRIS) for third country nationals and stateless people (TCN).
It will deal with the e implementing acts for the Regulation on electronic identification and trust services for electronic Transactions in the internal market (EIDAS), Mobile Apps used in the public sector, the cloud services for e-Government services, the Research and Education network Code of conduct, the online publication of personal data of government officials, the E-Voting, the Digital Single Market Strategy for Europe and E-Health.
Financial matters subgroup
It will work on automatic exchange of data for tax purposes, OECD Common Reporting Standards, FATCA, the implications on data protection of International Organisation of Securities Commissions and Multilateral Memorandum of Understanding concerning consultation and cooperation and the exchange of Information, and the implications on data protection of Directive 2014/65/EU (so-called "MIFID 2") and Regulation (EU) 600/2014 (so-called "MAR").
Some of the topics are account aggregators, the vast use by banks of data related to their clients for commercial profiling and the draft Regulation of the European Central Bank concerning the collection of granular credit and credit risk.
It is in charge of WP29 website, on the follow up of the preparations of the International Conference and of the Spring Conference (focus on the question of enforcement cooperation). It will also elaborate a data protection vocabulary and examine the list of activities of the DPAs.
Another topic will be common tools and standard forms to implement the Regulation in a consistent manner (e.g. templates for designating a lead DPA, complaints forms).