The political machinations continue at EU level, and predictions for publication of a final-form Data Protection Regulation increasingly refer to 2016 as the likely date. But reading behind the headlines continues to be a useful exercise for corporates, who need to give real consideration now to what their regulatory landscape might look like in the not-too-distant future.
A key issue will be determining the place of "main establishment", which in turn will determine the appropriate lead authority. If that isn't clear, or there is disagreement, it is being proposed that an EU Data Protection Board (EDPB) would have power to make a binding determination.
In addition to the correct determination of the lead authority, the interplay between local authorities and the EDPB will be a complex and interesting feature of any formalised one stop shop structure. The EDPB will have competence over a range of issues including enforcement (or resolving disagreements between regulators over what the right enforcement measure should be).
The recent submission of the Irish delegation to the Working Group on Information Exchange and Data Protection highlights the practical complexity of implementing the 'one stop shop' and in particular suggests:
- The more reliance that is placed on an EDPB, the more complex, costly and time-consuming regulation will be;
- EDPB referrals should only take place where a majority of data protection authorities agree and where reasoned grounds have been advanced for the referral e.g. that there is a significant risk to the freedoms of data subjects;
- The ability to administer sanctions should remain at local level and not be imposed on local regulators at EDPB level, not least because it ensures local data protection authorities are best placed to defend challenges, which would most likely arise at a local level;
- Interaction between "concerned" Data Protection Authorities (the basis on which other regulators could become involved, as interested parties, in local data protection matters in a particular Member State) should be limited to "areas of high risk processing";
- There is a need for greater clarity as to how individual data subjects can have redress where decisions in relation to the processing of their personal data are being made at EDPB level and then implemented locally.
So one big risk is that the system becomes weighed down by cross-jurisdictional bureaucracy or too much centralised decision making. Another is that the ease with which individuals can appeal decisions is reduced, not enhanced. These are big questions still to be resolved.