The European Council approved the “one-stop-shop” privacy rule which might cause relevant issues to companies operating in different EU countries, including large American Internet and technology companies, where separate disputes might arise.

As part of the process that should lead to the introduction of the new EU Privacy Regulation, the EU Council of Ministries gave their green light to one of the backbones of the new regime, the so called “one-stop-shop” mechanism.

The current privacy regime

The EU Privacy Directive at the moment provides that companies established in the European Union are subject just to the privacy laws of their country of establishment.  And only the data protection authority of such country has jurisdiction on them.  But, according to the position of the European Union, this mechanism has been deemed unfair in some instances since individuals are forced to face a dispute in a country different from their country of residence.

The new privacy regime

The new privacy regime to be introduced by means of the EU Privacy Regulation will provide that the data protection authority of each EU Member State has jurisdiction on the activities of not only the companies locally established, but also of non-established entities targeting data subjects residing in its own territory.

In order to minimize the risk of inconsistent approaches by different privacy regulators, the data protection authority of the country where there is the sole or the main establishment of the challenged company will act as “lead authority” on the disputes.  But such authority shall cooperate in any case with the other privacy authorities involved in the matter.

Additionally, for the most relevant cases which mainly relate to the infringement of the EU Privacy Regulation and in case of conflicting views by the authorities involved, the matter shall be escalated by a newly established European Data Protection Board.

The consequence of the one-stop-shop rule

This new rule has been considerably criticised since its implementation is very complex and because it may oblige the same entity to face privacy related disputes in all the European countries where it operates.  The purpose of the new EU Privacy Regulation is to ensure a higher level of consistency on privacy laws across the European Union.  But this new rule risks just to create a higher level of bureaucracy.

It is still no time to get worried though.  The general principle is that on the EU privacy regulation

nothing is agreed until everything is agreed

Therefore, up until there is the final approval of the whole EU Privacy Regulation, any provision of the current draft might be amended.  This is true, but it is also true that the Privacy Regulation is heading towards a dangerous field for multinational companies and especially Internet companies.  The draft EU Privacy Regulation has been around for a while and there are a number of uncertainties which are coupled with much more stringent fines that can reach up to 5% of the global turnover.