On 7 October 2013, the Ministries for Justice and Home Affairs of the 28 Member States of the European Union met in Luxembourg to further discuss the draft General Data Protection Regulation that is intended to replace the current European data protection framework.
For several months now, one of the most discussed issues has been that of the “one-stop-shop” principle. Current European data protection legislation requires that multinationals established in several European Union Member States comply with the local requirements of each jurisdiction in which they are established. The new draft framework aims at simplifying the regime and lowering the administrative burden. For that purpose, current Chapter VI of the draft Regulation provides that: “where the processing takes place in the context of activities by a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for supervision of the processing activities” in all Member States. This principle has been called the “one-stop-shop” and has been criticized by a number of national data protection authorities concerned about the potential for forum shopping for the jurisdiction offering the lowest level of protection. In the words of Stefan Verschuere, Vice-President of the Belgian data protection authority, a one-stop-shop would lead “data subjects to fly to Dublin to plead their case.”
At the 7 October Council meeting, the French Minister for Justice, Christiane Taubira, proposed an evolution of the proposed one-stop-shop mechanism. Underlining the fact that the necessary tools for application of the one-stop-shop were not available and defined, she refused the idea that a single authority would have the decision power and suggested creating a co-decision mechanism whereby all data protection authorities would be involved.
Reports indicate that this proposition has met little success and that the Irish government has fought it vehemently, arguing that co-decision would “increase complexity and paralyse the decision process” (Alan Shatter, Irish Minister of Justice and Equality and Minister for Defence).
The German Government has suggested a third way out, which would consist of creating a European data protection authority which would act independently and have a number of powers. However, this proposal has met the opposition of Ireland, the United Kingdom, Sweden, and Denmark.
At the end of this meeting, the Council issued a press release that reflected these discussions. The press release indicates that “expert work” towards finding a compromise will continue, notably around the scope of the powers to be granted to the competent supervisory authority (potentially limiting the scope of its powers), the involvement of other “local” data protection authorities in the decision making process, and the evolution of the role and powers of the European Data Protection Board.
The way to a consensus therefore seems to still be long and puts the initial calendar for adoption of the new text in jeopardy. Nevertheless, Viviane Reading, the European Commissioner responsible for Justice, Fundamental Rights and Citizenship has indicated that she hopes to see a compromise text presented in December and a decision taken before May 2014, when the European elections will take place.
For the Council Presidency’s briefing document on the one-stop-shop mechanism, click here.