As discussed in our blog posting today available here, following a meeting of the Justice and Home Affairs ministers of the Council of the European Union on 6 December 2013, the new EU Data Protection Regulation looks set to be plagued with delays as members failed to reach agreement on various legal aspects. The main area for concern is the proposed one-stop-shop regulatory regime, under which a the supervisory authority of a single member state (that in which the data controller or processor is primarily established) has responsibility for monitoring and taking decisions in respect of processing across member state borders.
While this approach is intended to increase consistency and certainty, and reduce the time and administration required to reach a decision in all relevant territories, Council members have indicated that they require further time to consider the proposals. Concerns include the fact that controllers operating in regions where existing authorities have established rules and practices may find themselves in breach by the standards of another regulator. The proposed changes also risk denying data subjects effective access to justice, as it is likely to be more difficult to identify and complain to the appropriate authority under the new system.
The Council has suggested that in some circumstances it may be appropriate for the central European Data Protection Board to wield limited powers to present a simpler approach for data subjects. However, neither this nor the one-stop-shop proposal could be agreed on, so “work should continue at technical level”.