The Council of the EU expresses concern over the current one-stop-shop proposal, which could make it difficult to challenge the decision of a regulator in another jurisdiction.
The proposed reform of the European data protection legal framework continues to be debated at an EU level, but the most recent developments suggest that its finalisation is still some way off. This article explains why.
On 21 October 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) approved a compromise draft of the European General Data Protection Regulation (the Regulation). This was an important development in the long-running saga of the proposed successor to the 1995 Data Protection Directive (the 1995 Directive) which, if and when enacted, should become the principal law relating to data protection across the EU and, in the UK, would replace the Data Protection Act 1998. Proposals were first brought forward by the European Commission in January 2012, and approval by the LIBE Committee in October 2013 of a compromise text was seen as a significant breakthrough. However, the Regulation requires the approval of both the European Parliament and the Council of the EU (made up of ministers of each EU member state) before it can become law.
The Regulation was proposed in order to harmonise data protection laws across the EU member states, as well as to update those laws to reflect technological developments since 1995. Harmonisation is seen as necessary because member states have implemented the 1995 Directive in different ways, leading to varying levels of data protection and differing requirements across the EU. A key part of the Regulation is the proposal for a ‘one-stop-shop’ regulatory regime, which will allow multinational companies to deal with only one regulator for the whole of their EU operations. Rather than dealing with 28 different regulators across the EU, each applying different data protection laws, a multinational company would only need to comply with one principal data protection law (the Regulation) and would be subject to the jurisdiction of one data protection regulator (being the regulator in the country of the company’s ‘main establishment’). Supporters claimed this would significantly reduce the cost of data protection compliance for larger businesses.
On 6 December 2013, the Council of the EU considered the draft Regulation. The Council had previously indicated its support for the one-stop-shop concept. However, lawyers for the Council argued that the one-stop-shop proposal was potentially unlawful, because it might infringe the rights of data subjects wishing to challenge the decision of a regulator. The Council’s lawyers have claimed that, if the single regulator was outside a data subject’s jurisdiction, it would be difficult for the data subject to challenge that regulator’s decisions, and this could infringe the data subject’s access to justice. The Council also expressed its concern about ‘forum shopping’, which could result in large organisations designating their main establishment in countries with weaker regulators, making it harder for data subjects to enforce their rights. The Commission’s legal team disagrees, but it is clear that the one-stop-shop concept needs further consideration before the Regulation can be finalised and adopted.
The UK Information Commissioner’s Office (the ICO) has recently issued a comparative analysis paper on the European Commission’s original text of the draft Regulation (issued in January 2012) and the compromise text issued by the LIBE Committee. The ICO’s paper considered, among other things, the one-stop-shop principle. While the ICO supports this concept, the ICO is of the view that the data subject’s local regulator should have a say in how the lead regulator deals with a complaint from one of the local regulator’s citizens (although the ICO acknowledges that getting the involvement of the two (or more) regulators right will be challenging).
The Greek presidency of the Council, beginning in January 2014, has data protection reform as a key priority, so the issue will continue to be debated. However, in addition to the disagreements about the one-stop-shop, there are a number of other issues that remain to be resolved. For example, a small number of member states (including the UK) remain sceptical about the need for a regulation at all, and would prefer data protection reform to take the form of a directive, giving member states more control as to how the reforms are enacted. While such fundamental disagreements remain, it seems extremely unlikely that the Regulation will be passed before the EU Parliamentary elections in May 2014 or before the Greek presidency of the Council ends in June 2014. Indeed, the rhetoric from the Commission reflects this. In a memo issued on 27 January 2014 ahead of European Data Protection Day (28 January 2014), the Commission stated that agreement on the data protection reform is “possible” before the end of 2014. However, given that the 1995 Directive took five years to negotiate, a further slip in this timetable would not be surprising.