
Resolution: Rules and Procedures of the Conference of European Data Protection Authorities

Preamble

At the Spring Conference of Data Protection Authorities hosted in Budapest (Hungary) in May 2016, delegations agreed to “launch a working group to consider the future membership criteria of the Conference, in view of the fact that the Conference Guidelines for Admission to the Conference of European Data Protection Authorities have become rather outdated and moreover to be able to cut a clearer path for resolving disputes over membership to the Conference in future”1. To this end, a Working Group was set up with appointed representatives of the Cypriot, Hungarian and the United Kingdom Data Protection Authorities (DPAs), with the mandate to propose new draft accreditation rules. Included in this mandate was the invitation to review the lack of clarity surrounding the automatic accreditation of authorities which were already members of the International Conference.

Within the 2004 accreditation rules, Members of the Conference can be either national, sub-national or supra-national authorities with or without voting rights. The 2017 Conference considered it to be of equal importance to additionally propose a set of rules and procedures for the Conference, with the aim to regulate, inter alia, voting rights and to stipulate a mission and a strategic direction of the Conference. As the Conference grows larger, both in members and content, the need for formal rules and procedures becomes more evident to ensure an effective delivery of impactful resolutions and declarations.

It is similarly essential to identify a mission and a strategic direction for the Conference in the arena of international cooperation, to effectively complement the aims and functions of the International Conference, the Article 29 Working Party and those of the Committee of Convention 108.

The Conference has been organised annually since 1991, which in itself is remarkable since it is hosted by members on a voluntary basis and there are no common funds for its organisation. As the cost of the event is covered by the host authority, it is felt that the host should have the ability to proceed with a certain degree of flexibility on the basis of the means available for organising the meeting.

While the original participants were DPAs from EU Member States, other participants have been invited to join the Conference over the years, either as a member or as an observer. To belong to the Conference as an accredited member, the applicant has always been expected to be a European supervisory authority with independent status and adequate functions and powers.

The 2017 Conference also acknowledges that the field of data protection has undoubtedly changed since 1991. In the past five years, the most important endeavour of the European privacy and data protection regulatory community has been to contribute to the re-defining of the framework of European data protection legislation – the new EU General Data Protection Regulation and Directive – and the modernisation of the Council of Europe Convention 108.

The new European data protection regime sets out stronger duties and obligations for controllers and rights for individuals. It also fundamentally develops the relationship between the authorities and the rules of their cooperation. Individuals benefit from stronger rights, including the right to data portability. The regime strengthens existing rights, for example by enhancing the principles of accountability and transparency and reinforcing the right of erasure, and introduces more robust obligations on controllers, such as mandatory data breach notification.

Cooperation is being further developed and organised. The European DPAs are already well accustomed to the mechanisms of cross-border cooperation at different levels. Examples include the Article 29 Working Party, the Committee of Convention 108, the Conference case-handling workshops, cross-border networks focussed on common language or culture and enforcement networks such as GPEN. Global cooperation within the International Conference of Data Protection and Privacy Commissioners has developed tools, resources and a dedicated annual event for cooperation on cross-border cases.

The Resolution on the “New frameworks of cooperation” adopted at the 2016 European Conference hosted in Budapest reminded the European Data Protection Authorities of the necessity for a practical and innovative approach, including greater dialogue and information sharing with other regulatory bodies responsible for safeguarding the rights and interests of the individuals in the digital society and economy. The Resolution recommended that future Conferences report on the achievements in the field of cooperation and joint efforts.

Mindful that the cooperation between data protection authorities is essential to enforce data subjects’ rights in cross-border cases, accreditation rules for membership to the Conference remain consistent with the 2004 accreditation guidelines.

In light of the above considerations, the conference adopts the rules and procedures outlined in Appendix I.

 


1 Report of the accreditation Committee on the application for accreditation by the Gibraltar Regulatory Authority (27 May 2016)
