European Data Protection Board: A Nascent EU Agency or an ‘Intergovernmental Club’?

Abstract

The adoption of the General Data Protection Regulation (GDPR) gave birth to a new EU body - the European Data Protection Board (EDPB), superseding the former advisory Article 29 Working Party (WP29). The institutional reform was one of the key pillars of the EU data protection overhaul carried out in 2012-2016, but also one of the aspects that proved to be the most difficult to agree upon in the interinstitutional negotiations on the GDPR, in particular in the Council of Ministers internal talks. Differently from the original proposals, the EDPB was entrusted with certain legally-binding powers aligning it with some facets of the EU agencies, but the delegation of these powers was cautious and intended to be triggered only as a last resort avenue ‘in individual cases’. In the light of such dynamics, can the EDPB be viewed as a step towards the EU-level data protection agency building, especially, from the political point of view? How distant is the prospect of having there a fully-fledged EU-level data protection regulator, considering that the current ethos of the EU data protection enforcement puts an emphasis on a decentralised mode of governance with significant amount of decision-making competences remaining at the national level?