III. Key regulatory actors
The European Data Protection Supervisor
The European Data Protection Supervisor (EDPS) is one of the key actors in the area of EU privacy and data protection.1 It is responsible for monitoring the EU administration's processing of personal data, advising on policies and legislation that concern or have an impact upon the right to privacy and the right to personal data protection, and co-operating with similar authorities (mainly the member states' Data Protection Authorities, through participation in the WP29).
The Article 29 Working Party
The WP29 serves as a platform for exchange and coordination between the supervisory authorities of the EU member states, and also plays an important role as a consultative body.2 The tasks of the WP29 are laid down in Article 30 of the Data Protection Directive and Article 15 of the e-Privacy Directive: examine any question covering the application of the national measures adopted under EU data protection law in order to contribute to their uniform application; provide the European Commission with opinions on the level of protection in the Community and in third countries; advise the European Commission on any measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms; provide opinions on codes of conduct drawn up at EU level.
The WP29 can make, on its own initiative, recommendations on all matters relating to privacy and data protection in the EU. It has conducted consultations on data protection issues related to different subjects,3 and has published opinions on many different subjects, including the introduction of biometrics into passports and visas, the protection of children's personal data, standard contractual clauses for the transfer of personal data to processors established in third countries, or an industry proposal for a privacy and data protection impact assessment for RFID applications.4 The opinions of the WP29 are a common point of reference for interpretation of EU data protection law.
Other networks of regulators
Various networks of data protection authorities exist in Europe, formed on their own initiative. They include:
- the European Conference of Data Protection Authorities: representatives of data protection authorities of the member states of the EU and of the Council of Europe meet annually, together with sub-national authorities and EU joint supervisory bodies in the field of police, justice, and security. Their 2010 conference, held in Prague, was devoted to a series of issues such as EU/US data protection standards in the area of police and judicial co-operation in criminal matters, the use of body scanners for airport security and the future of privacy and data protection in Europe.
- the Central and Eastern Data Protection Authorities (CEEDPA). In 2001, the Data Protection Commissioners from the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia, and Poland signed a joint declaration agreeing to closer cooperation and assistance.5 These countries have since been joined by Bulgaria, Romania, Croatia and Macedonia. The 12th Meeting of the Central and Eastern Europe Data Protection Commissioners took place in May 2010 in Sopot (Poland), and was attended by delegations from Albania and Moldova.
European Network and Information Security Agency
The European Network and Information Security Agency (ENISA) is an EU agency, which formally came into being in 2004.6 The agency assists the European Commission, the member states, and the private sector in meeting the requirements of network and information security. ENISA also follows the development of standards, promotes risk assessment activities and interoperable risk management routines, and produces studies on those issues that impact public and private sector organisations.
The European Union Agency for Fundamental Rights (FRA)
The FRA assists EU institutions and member states in implementing EU law when they take measures or decide courses of action, in order to ensure full compliance with fundamental rights.9 These include the fundamental rights as recognised by the ECHR and the Charter. The Agency is entitled, among other things, to inform the public, develop compatibility standards, conduct surveys, and formulate and publish conclusions or opinions, either on its own initiative or at the request of the European Commission, Council or European Parliament, on issues relating to data protection and privacy.10 To carry out its tasks, it cooperates with an array of EU and international bodies and institutions, especially the Council of Europe, to avoid duplication of work, but also with member states and civil society.11
- 1. See EDPS's homepage at http://www.edps.europa.eu/EDPSWEB/edps/EDPS?lang=en.
- 2. See http://ec.europa.eu/justice/policies/privacy/workinggroup/index_en.htm.
- 3. Such as intellectual property rights, RFID, video surveillance, binding corporate rules, electronic health records and most recently on the protection of children's personal data. WP29 online consultations, available at http://ec.europa.eu/justice/policies/privacy/workinggroup/consultations/....
- 4. Documents adopted by WP29 are available at http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/2010_en....
- 5. Central and Eastern Europe Data Protection Authorities Webpage: http://www.ceecprivacy.org/.
- 6. See ENISA's homepage at http://www.enisa.europa.eu/index.htm.
- 7. See FRA's homepage at http://fra.europa.eu/fraWebsite/home/home_en.htm.
- 8. Council Regulation No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights, OJ L 53, 22 February 2007, at 1-14.
- 9. Id., Art. 2.
- 10. Id., Art. 4.
- 11. Id., Art. 7.