Kuan0: May 2016

Tuesday, 17 May 2016

Article 93(2) GDPR comitology - flowchart

Under the General Data Protection Regulation (Regulation (EU) 2016/679), the European Commission has the power to make decisions in certain areas by way of "implementing acts", subject to approval of the relevant act by a committee under Art. 93(2) of the GDPR - which will no doubt become known as the Article 93(2) Committee (or Article 93 Committee).

When considering proposals by the European Commission, this Committee must use the "examination procedure" under the EU "comitology" process, governed by Regulation (EU) No 182/2011 - the same procedure that the Article 31 Committee under the current Data Protection Directive must use.

Flowchart

Below is a flowchart I prepared showing the Article 93(2) procedure. Click on the small image below to download the full PDF flowchart (note: amended 2 June 2016 to expand on what "positive", "negative" and "no opinion" mean).

Article 93(2) GDPR

The areas where the Article 93(2) Committee procedure applies are as follows; some are quite significant so it's important to know how the procedure works.

International transfers

Most of these areas relate to "international transfers" of personal data to third countries outside the European Economic Area or to international organisations:

  • Making decisions on the adequacy of protection of a third country, a territory or one or more specified sectors within a third country, or an international organisation – Art. 45(3) – or conversely on inadequacy, and repealing, amending or suspending previous adequacy decisions – Art. 45(5)
  • Adopting standard data protection clauses for allowing international transfers (the successor to the current model clauses or standard contractual clauses) – Art. 46(2)(c)
  • Approving standard data protection clauses adopted by national data protection supervisory authorities (SAs) for allowing international transfers - Art. 46(2)(d)
  • Specifying the format and procedures for the exchange of information between controllers, processors and SAs for binding corporate rules (BCRs) – Art. 47(3).

Other areas

The Art. 93(2) procedure also applies to certain other areas:

  • Laying down standard contractual clauses for controller/processor and processor/sub-processor contracts - Art. 28(7)
  • Giving EU-wide validity to an approved code of conduct, amendment or extension submitted to it (following its approval by an SA and the European Data Protection Board) - Art. 40(9)
  • Laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks - Art. 43(9)

    (Note that the last two are relevant to international transfers also, in that transfers may be permitted to recipients who adhere to an approved code or obtain an approved certification, and who also make legally-binding commitments to apply the "appropriate safeguards" - Art. 46(2)(f).)
  • Specifying the format and procedures for mutual assistance between SAs and arrangements for the electronic exchange of information between SAs, and between SAs and the Board, in particular the standardised electronic format for SAs to supply information requested by other SAs – Art. 61(9)
  • Implementing acts of general scope to specify arrangements for exchange of information by electronic means between SAs and between SAs and the European Data Protection Board - Art. 67.

Article 31 Committee flowchart - Privacy Shield

The proposed EU-US Privacy Shield, intended to replace the Safe Harbour regime invalidated by the Court of Justice of the EU in Schrems, is currently being considered by a committee of representatives of EU Member States under Article 31 of the Data Protection Directive - known, of course, as the "Article 31 Committee".

When considering proposals by the European Commission, such as its draft adequacy decision to approve the Privacy Shield, this Committee must use the "examination procedure" under the EU "comitology" process, governed by Regulation (EU) No 182/2011.

Comitology is somewhat convoluted, so I've produced a flowchart explaining the different options, depending on what opinion the Article 31 Committee issues - expected to be in June 2016, but at this rate it may be later!

Explanatory paragraph added 13 June 2016: Note that the Data Protection Directive was amended from November 2003 by Regulation (EC) No 1882/2003. That changed the Article 31 Committee procedure from the one in the original Data Protection Directive, which gave the Council the final say, to the procedure set out in Decision 1999/468/EC. The 1999 Decision was itself amended a couple of times, and eventually replaced by Regulation (EU) No 182/2011. My flowchart reflects the Regulation 182/2011 procedure, which is now the applicable procedure for comitology under Article 31 of the Data Protection Directive.

There are other flowcharts on comitology, but mine just shows what's relevant to the Article 31 Committee and not other areas of law, and I believe it's clear but still informative.

Click on the small image below to download the full PDF flowchart (note: amended 2 June 2016 to expand on what "positive", "negative" and "no opinion" mean).