The Council of the EU failed to make any progress towards the adoption of an agreed negotiating position on the Data Protection Regulation at its meeting on Friday, 6 December 2013. While momentum had begun to build following the vote by the EU Parliament’s LIBE Committee in October, expectations of progress within the Council were dampened by the formal agenda circulated before the Justice and Home Affairs (JHA) Committee met, which tabled a review of the current state of play and detailed discussion of the one-stop-shop issue.

The one-stop-shop concept is a key element of the European Commission’s reform proposal, designed to bring simplicity and cost-savings to pan-European data controllers and processors, who would deal with a single supervisory authority, not 28.  However, reports of debate at the recent JHA meeting refer to German intransigence over consumer protection in the context of the one-stop-shop proposal, with ministers from the Czech Republic, Denmark, and Hungary also expressing unease.

Although the Commission, in its briefings, refers to the Council having reached agreement on the one-stop-shop issue at its meeting in October 2013, in fact Member States struggled to find common ground on the extent of the powers to be exercised by any single supervisory authority beyond authorization, notwithstanding the strong cooperation and consistency mechanism provided for in the draft Regulation. A note from the Lithuanian Presidency of the Council circulated in late November 2013 revealed how Member States were unable to agree on the concentration in the hands of the main establishment authority of the power to order fines and other penalties and on a practical mechanism for consumer redress.

The same sticking points were encountered at the meeting of the Council on Friday, 6 December, which concluded that further consideration should be given to granting the European Data Protection Board the power to adopt binding decisions regarding corrective measures.

The output from the Council negotiations under both Irish and Lithuanian Presidencies shows that the one-stop-shop issue is not the only stumbling block within the Council.  Debate continues on the form of the legislation (regulation or directive), with the UK and Sweden preferring a Directive to allow more flexibility in local implementation. Members of the Council have expressed a desire to see a reduction in the regulatory burden on controllers/processors where the processing contemplated is low risk.  Discussions have focused on the use of pseudonymous data in order to trigger lesser obligations, plus the use of a risk-based approach to the application of the more rigorous provisions.

For the moment, the pace of reform that the Commission has called for repeatedly (including in its recent review of EU-U.S. data flows) seems to be flagging.

Biddy Wyles