This paper examines the extensive powers and tasks of the European Data Protection Board (EDPB), highlighting its role as an independent administrative authority with major influence over data protection law and policy in the European Union. The paper critically analyses the procedural legitimacy of the EDPB's regulatory powers, emphasizing the need for prior consultation and discussion with stakeholders to ensure democratic legitimacy. The EDPB's decisions, which often imply assessments of the necessity of technological deployments and innovations involving personal data processing, are scrutinized for their possible lack of participatory tools and consultation with interested parties. The document argues that the EDPB's regulatory powers should be balanced, among other accountability measures, through participatory procedures, in compliance with the principle of due and fair administrative procedure. From an Italian administrative law perspective, the paper underscores the importance of prior consultation and discussion with stakeholders to ensure the procedural legitimacy of the EDPB's decisions. It criticizes the current framework for not mandating such consultations, which undermines the democratic legitimacy of the EDPB's regulatory actions. More in general, the paper highlights the existence of a risk of inadequate due process guarantees on EDPB decision-making process, which could also include a possible deficiency of transparency of the Board’s working groups/task forces as well as of plenary meeting discussions, clear appeal avenues against EDPB decisions, opinions and guidelines before the CJEU, explicit incorporation of the right to be heard in EDPB processes, etc. – even though this derives from the GDPR insufficient specification of stringent constraints for EDPB’s procedures. Overall, the document provides a comprehensive analysis of the EDPB's "super-powers" and their implications for data protection law and policy in the European Union, with a particular focus on the procedural aspects and the need for greater stakeholder consultation. The Authors of this paper, in their conclusions, also explore some possible solutions - both interpretative or amending the GDPR and the internal functioning rules of the EDPB and the national Data Protection Authorities - in order to overcome the deficit of participation and consultation in the administrative procedures for binding and non-binding opinions, guidelines, and other decisions to be adopted.
Bolognini, L., Bonetti, T., Guarnieri, E. (2025). The "super-powers" of the European Data Protection Board (EDPB) and the principle of due administrative procedure. DIRITTO, ECONOMIA E TECNOLOGIE DELLA PRIVACY, 1, 1-25.
The "super-powers" of the European Data Protection Board (EDPB) and the principle of due administrative procedure
Tommaso Bonetti;Enrico Guarnieri
2025
Abstract
This paper examines the extensive powers and tasks of the European Data Protection Board (EDPB), highlighting its role as an independent administrative authority with major influence over data protection law and policy in the European Union. The paper critically analyses the procedural legitimacy of the EDPB's regulatory powers, emphasizing the need for prior consultation and discussion with stakeholders to ensure democratic legitimacy. The EDPB's decisions, which often imply assessments of the necessity of technological deployments and innovations involving personal data processing, are scrutinized for their possible lack of participatory tools and consultation with interested parties. The document argues that the EDPB's regulatory powers should be balanced, among other accountability measures, through participatory procedures, in compliance with the principle of due and fair administrative procedure. From an Italian administrative law perspective, the paper underscores the importance of prior consultation and discussion with stakeholders to ensure the procedural legitimacy of the EDPB's decisions. It criticizes the current framework for not mandating such consultations, which undermines the democratic legitimacy of the EDPB's regulatory actions. More in general, the paper highlights the existence of a risk of inadequate due process guarantees on EDPB decision-making process, which could also include a possible deficiency of transparency of the Board’s working groups/task forces as well as of plenary meeting discussions, clear appeal avenues against EDPB decisions, opinions and guidelines before the CJEU, explicit incorporation of the right to be heard in EDPB processes, etc. – even though this derives from the GDPR insufficient specification of stringent constraints for EDPB’s procedures. Overall, the document provides a comprehensive analysis of the EDPB's "super-powers" and their implications for data protection law and policy in the European Union, with a particular focus on the procedural aspects and the need for greater stakeholder consultation. The Authors of this paper, in their conclusions, also explore some possible solutions - both interpretative or amending the GDPR and the internal functioning rules of the EDPB and the national Data Protection Authorities - in order to overcome the deficit of participation and consultation in the administrative procedures for binding and non-binding opinions, guidelines, and other decisions to be adopted.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
