The Council of the EU expresses concern over the current one-stop- shop proposal which could make it difficult to challenge the  decision of a regulator in another jurisdiction.

The proposed reform of the European data protection legal framework continues to be debated at an  EU level, but the most recent developments suggest that its finalisation is still some way off. This article explains why.

On 21 October 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home  Affairs (LIBE) approved a compromise draft of the European General Data Protection Regulation (the  Regulation). This was an important development in the long-running saga of the proposed successor  to the 1995 Data Protection Directive (the 1995 Directive) which, if and when enacted, should  become the principal law relating to data protection across the EU and, in the UK, would replace  the Data Protection Act 1998. Proposals were first brought forward by the European Commission in  January 2012, and approval by the LIBE Committee in October 2013 of a compromise text was seen as a  significant breakthrough. However, the Regulation requires the approval of both the European  Parliament and the Council of the EU (made up of ministers of each EU member state) before it can  become law.

The Regulation was proposed in order to harmonise data protection laws across the EU member states, as well as to update those  laws to reflect technological developments since 1995. Harmonisation is seen as necessary because  member states have implemented the 1995 Directive in different ways, leading to varying levels of  data protection and differing requirements across the EU. A key part of the Regulation is the  proposal for a ‘one-stop-shop’ regulatory regime, which will allow multinational companies to deal  with only one regulator for the whole of their EU operations. Rather than dealing with 28 different regulators across the EU, each applying different data protection laws, a  multinational company would only need to comply with one principal data protection law (the  Regulation) and would be subject to the jurisdiction of one data protection regulator (being the  regulator in the country of the company’s ‘main establishment’). Supporters claimed this would  significantly reduce the cost of data protection compliance for larger businesses.

On 6 December 2013, the Council of the EU considered the draft Regulation. The Council had previously indicated its support for the  one-stop-shop concept. However, lawyers for the Council argued that the one-stop-shop proposal was  potentially unlawful, because it might infringe the rights of data subjects wishing to challenge the decision of a regulator. The Council’s lawyers have  claimed that, if the single regulator was outside a data subject’s jurisdiction, it would be  difficult for the data subject to challenge that regulator’s decisions, and this could infringe the  data subject’s access to justice. The Council also expressed its concern about ‘forum shopping’,  which could result in large organisations designating their main establishment in countries with  weaker regulators, making it harder for data subjects to enforce their rights. The Commission’s  legal team disagrees, but it is clear that the one-stop-shop concept needs further consideration  before the Regulation can be finalised and adopted.

The UK Information Commissioner’s Office (the ICO) has recently issued a comparative analysis paper  on the European Commission’s original text of the draft Regulation (issued in January 2012) and the  compromise text issued by the LIBE Committee. The ICO’s paper considered, among other things, the  one-stop-shop principle. While the ICO supports this concept, the ICO is of the view that the data  subject’s local regulator should have a say in how the lead regulator deals with a complaint from  one of the local regulator’s citizens (although the ICO acknowledges that getting the involvement  of the two (or more) regulators right will be challenging).

The Greek presidency of the Council, beginning in January 2014, has data protection reform as a key priority, so the issue will continue  to be debated. However, in addition to the disagreements about the one-stop- shop, there are a  number of other issues that remain to be resolved.  For example, a small number of member states  (including the UK) remain sceptical about the need for a regulation at all, and would prefer data protection reform to take the form of a directive,  giving member states more control as to how the reforms are enacted. While such fundamental  disagreements remain, it seems extremely unlikely that the Regulation will be passed before the EU  Parliamentary elections in May 2014 or before the Greece presidency of the Council ends in June  2014. Indeed, the rhetoric from the Commission reflects this. In a memo issued on 27 January 2014  ahead of European Data Protection Day (28 January 2014), the Commission stated that agreement on  the data protection reform is “possible” before the end of 2014. However, given that the 1995  Directive took five years to negotiate, a further slip in this timetable would not be surprising.