For non-lawyers trying to navigate their way through the sea of information out there on the web relating to data protection, one thing that can be rather confusing is working out who is who in terms of authorities.
In the field of data protection, there are a few key names you need to know.
The Information Commissioner’s Office
The Information Commissioner’s Office, or ICO, is the UK’s independent authority set up to uphold information rights in the public interest, and it has a variety of functions.
Under the Data Protection Act 1998, every organisation that processes personal information has to register with the ICO (unless it is exempt). The ICO publishes the name and address of every registered data controller and provides a description of the kind of processing it does. The ICO also covers, and has various powers under, the following pieces of legislation: the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations, the INSPIRE Regulations, the eIDAS Regulation and the Re-use of Public Sector Information Regulations. It will also be the UK’s lead authority for the purposes of the GDPR. Beyond this, it addresses any concerns raised by members of the public about an organisation’s handling of, and practices relating to, information rights. It advises organisations on best practice and on how to comply with the law, and it also has a number of enforcement powers under the above-mentioned legislation. These powers include criminal prosecution, non-criminal enforcement and audits.
The main actions that they can take under the Data Protection Act are as follows:
The powers they have under the Privacy and Electronic Communications Regulations include:
The ICO also has a significant role in relation to the Freedom of Information Act, the Environmental Information Regulations, the INSPIRE Regulations, the Re-use of Public Sector Information Regulations and the associated codes of practice.
Specifically, where public authorities or public sector bodies repeatedly or seriously fail to meet the requirements of that legislation, or to conform to the associated codes of practice, the ICO can take action.
The Article 29 Working Party
The Article 29 Data Protection Working Party was established by the Data Protection Directive in 1996. It is an independent European advisory body on data protection and privacy, whose main tasks are to:
It is composed of:
The European Data Protection Board
The European Data Protection Board (EDPB) will replace the Article 29 Working Party under the GDPR. The EDPB has an enhanced status compared with the Article 29 Working Party: it is an EU body with legal personality and has extensive powers to determine disputes between national supervisory authorities, to give legal advice and guidance, and to approve EU-wide codes and certification. It will similarly be made up of the heads of the national supervisory authorities, or their representatives, and the European Data Protection Supervisor.
The independence of the EDPB has been strongly emphasised. It will adopt its own rules of procedure and organise its own affairs. It will have its own Secretariat, provided by the EDPS but acting solely under the direction of the chair of the EDPB (by contrast, the Secretary of the Article 29 Working Party was a Commission official).
It will have a variety of tasks, the main one being to contribute to the consistent application of the GDPR throughout the European Union. Other tasks will include advising the Commission, in particular on the level of protection offered by third countries or international organisations, and promoting cooperation between national supervisory authorities. It will also issue guidelines, recommendations and statements of best practice.
A new function for the EDPB will be to conciliate and determine disputes between national supervisory authorities. Notably, it will be required to consult interested parties “where appropriate”, which should benefit those who may be affected by its opinions, guidelines, advice and proposed best practice.