In a new explanatory note, the Commission has sought to justify the enforcement role it would fulfil under a proposed new EU data protection law framework. It said that there is no way to "reconcile" decisions made by the various data protection authorities (DPAs) based in the trading bloc under the existing regime, and said that the role it would perform under the proposed new system would change that.
In January last year the European Commission set out plans to replace the 1995 EU Data Protection Directive with a new General Data Protection Regulation. If enforced it would introduce a single data protection law across all 27 EU member states, in contrast to the Directive, which does not require word-for-word implementation into national law.
Under the draft Regulation, DPAs would be responsible for regulating companies that have their "main establishment" in the country in which they conduct their regulatory activities. 'Main establishment' refers to the premises in which companies take their main decisions about personal data processing. If companies take those decisions outside of the EU, a main establishment will be taken as any "place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place", according to the draft.
Under the proposed regime authorities would be required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state are likely to be affected by decisions taken by one authority, other authorities in those countries have the right to participate in joint operations. However, only the authorities in countries where organisations have their "main establishment" will take regulatory action, unless the authority in question confers power to a sister regulator in another state.
Authorities would have to communicate proposed measures they intend to take following regulatory investigations to a new independent European Data Protection Board (EDPB). The Board would replace the privacy watchdog, the Article 29 Working Party, and would have a month in which to issue its opinion on whether the responsible DPA's actions are appropriate.
After the EDPB has issued its opinion, the European Commission could step in and seek changes to the measures proposed and, in extreme cases, suspend the implementation of the measures for a year if DPAs ignore its suggested revisions.
The Commission said that the role it would perform under the proposed new 'consistency mechanism' would not interfere with the independence of DPAs.
"The Commission is the guardian of the internal market and is responsible for the proper implementation of EU law," it said. "The Regulation will not be properly applied based on knowledge of data protection laws alone. The internal market must be brought about and the consistency mechanism, with the Commission as backstop, is the only way to do this; allowing the Board to take binding decisions, an alternative which has been proposed, would be illegal."
"Under the [EU] Treaties, only the Commission can take decisions that are binding on the member states; the alternative would be the creation of a data protection super-agency. This would entail enormous costs; the role of the Commission does not interfere with the independence of DPAs who remain competent to tackle individual cases. The proposed Regulation strengthens DPAs by making sure they act in concert," the Commission added.
"The Commission’s role is to ensure coherence and build the single market. During this mandate, the Commission has fought hard with several member states over the independence of national data protection authorities," it said.
The Commission pointed to the way that EU DPAs have handled their inquiries into Google's unauthorised collection of personal data using technology associated with its Street View programme as an example of the current regulatory framework not working.
"The flaws of the present system were illustrated in the Google Street View case," the Commission said. "The actions of a single company affected individuals in several member states in the same way. Yet they prompted uncoordinated and divergent responses from DPAs."