The EU Council of Ministers made progress on 4 December 2014 on the draft Data Protection Regulation (the “Regulation”), agreeing a partial general approach on data processing in the public sector. This would allow for some flexibility in the application of the Regulation by each Member State as set out in Articles 1, 6(2), 6(3), 21 and Chapter IX in limited circumstances. These relevant provisions allow for national law to further define the conditions of lawful processing, set out derogations to safeguard a number of public interests including national security and judicial independence, and apply modified processing requirements in certain contexts such as journalism, public access to official documents, and employment. Some Members have expressed reservations over whether these provisions allow for too much leeway considering that the aim of the Regulation was to harmonize data protection within the EU.
Final consensus has yet to be reached on this and on the technical details and practical application of the “one-stop-shop” mechanism for dealing with cross-border cases. The principle envisages a joint decision be reached between the various potentially concerned data protection authorities (“DPAs”) with the aim of providing legal certainty through a single supervisory decision and ensuring consistent application of the Regulation. The existing Directive (95/46/EC) does not require coordination between potentially concerned DPAs in multiple Member States and this has led to inconsistent protection of data subjects’ rights when dealing with companies operating internationally, and, similarly, uncertainty on the part of companies over whether they are sufficiently compliant with their data protection obligations.
The present model of application has been criticized as presenting an overly-complex system to data subjects which would be incompatible with their right to an effective remedy. The main areas of debate focus on methods of enhancing “proximity” between individuals and the decision-making body by involving local supervisory authorities, and the possibility of providing the European Data Protection Board with the power to adopt binding decisions in certain cases. The current proposal provides some clarification on this point in its confirmation that the jointly agreed decision would be adopted by the DPA best placed to deliver the most effective protection from the perspective of the data subject, i.e. allowing for the decision of the DPA to be reviewed by the data subject’s own court. In the event that the DPAs were unable to agree, the case would be referred to a newly created European Data Protection Board (“EDPB”) comprised of representatives of all national DPAs in the EU. This new body would act as an arbitrator, with the power to adopt a binding decision on the basis of a two-thirds majority vote. Appeals from the EDPB would go to the Court of Justice of the EU (“CJEU”) or national courts. Processing situations affecting only one Member State, or persons in only one Member State, would, however, continue to be dealt with by the local DPA.
The proposed structure may encourage businesses to engage in ‘forum shopping’ such that they base their main operations in the EU in countries whose DPAs do not apply data protection rules as strictly as others. It also has the potential to delay the resolution of disputes if a backlog of cases develops at either the EDPB or the CJEU. It remains to be seen whether these pitfalls will be addressed prior to the final wording of the GDPR.