European Data Protection Board: a nascent EU agency or an ‘intergovernmental club’?

Abstract

... The coming into force of the General Data Protection Regulation (GDPR)1 in May 2018 gave birth to a new EU body—the European Data Protection Board (EDPB)2—upgrading the former Article 29 Working Party (WP29) that had functioned as an advisory group of national regulators3 ‘to contribute to the uniform application of’ Directive 95/46/EC4—the main previous EU data protection instrument. Differently from the original proposals, the EDPB was granted legal personality and endowed with some legally binding powers. These developments have prompted some discussions regarding the ‘nature of the beast’ of this new EU body, ie whether it qualifies as an EU agency.5 This article is dedicated to exploring this theme and is informed by political science and policy research perspective. ‘EU agencies are distinct bodies from the EU institutions’, which operate as separate legal entities.6 They perform a wide range of delegated specific technical and scientific tasks to support decision-making and to contribute to the efficient implementation of EU policies.7 They ‘help enhance the cooperation between Member States and the EU in important policy areas’ by pooling expertise from the different levels of governance.8 It is understood that assignment of such specialist tasks to these entities allows ‘all the institutions, in particular the Commission, to concentrate on core policy-making tasks’.9 EU agencies have now become ‘an important part of the EU’s institutional machinery’ and how it ‘does its business’.10