On Friday morning, justice ministers from the 28 EU countries debated the proposed new 'one stop shop' framework (58-page / 575KB PDF) at a meeting of the Council of Ministers in Brussels. Most countries reached agreement on the "partial general approach" outlined in the new mechanism but some reservations were raised. Agreement on the plans is qualified on the basis that "nothing is agreed until everything is agreed". The one stop shop mechanism is just part of wider reforms to EU data protection laws still being negotiated.
Ahead of the vote, data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that the proposals were "a mess" and that they fell short of the original one-stop shop that had been proposed.
The one stop shop regime is aimed at streamlining oversight of data protection in the EU. Currently, businesses operating across the trading bloc can be forced to answer to data protection authorities (DPAs) in each EU country. This can lead to multiple investigations on the same issue and even different conclusions and decisions on enforcement action.
To address this issue, the European Commission proposed the one stop shop regime to enable data protection cases to be handled by a single regulator based in the EU country where the business has its 'main establishment', with an associated mechanism built on to allow for other DPAs to have a say in cases where the privacy rights of citizens in their country was at issue.
However, concerns were raised with whether those plans would pass the 'proximity test' - which is the need under EU law to ensure that legal decisions affecting individuals are taken as locally as possible to them. Further concerns were also raised about whether the plans would lead to businesses setting up in EU countries that are perceived to have a less stringent approach to enforcing data protection rules than others.
A compromise system has subsequently been outlined. Under the plans, only important cross border cases would be handled in accordance with the one stop shop regime. The regime itself would involve greater cooperation between DPAs and would allow cases to be referred to a new European Data Protection Board (EDPB) to be resolved in the event of disagreement between the DPAs on what action to take.
However, justice ministers from the UK and Ireland expressed their concern about how the new system would work in practice.
Dara Murphy, Ireland's minister for European affairs and data protection, said it would be wrong if objections by one DPA about what action to take in important cross border cases could lead to a referral of those cases to the EDPB. He said DPAs should have to seek and obtain support from other DPAs for their arguments before cases are referred to the EDPB to prevent "capricious referrals".
Murphy warned that, even with timeframes set out for cooperation and decision making under the one stop shop mechanism, it could take up to four months for cases to be resolved if they are referred to the EDPB. Legal certainty for businesses and consumers would be further delayed if decisions taken by the EDPB were subject to legal challenge before the courts, he said.
The proposed new framework would be too cumbersome and lengthy and risks sending a message that Europe is "bureaucratic", Murphy said, as he called for there to be a "review clause" included in the General Data Protection Regulation to ensure that the effectiveness of the one stop shop mechanism is assessed after the Regulation comes into force.
The UK's justice minister Lord Faulks said he was "not content" with the one stop shop proposals and said he was "disappointed" that there were no "quantitative filters" included in the draft to restrict the referral of cases to the EDPB.
Lord Faulks said the mechanism, if introduced, would be confusing and slow down and complicate decision making on data protection matters. He said neither of the dual aims of the plans - achieving proximity for data subjects and speeding up decision making - would be fulfilled, and warned the "bureaucratic process" would lead to delays and expense. The UK supports Ireland's proposal for a review clause on the one stop shop mechanism to be included in the new Regulation, he said.
At their meeting, the justice ministers also gave their provisional support for new rules on the principles for personal data processing (30-page / 451KB PDF) that organisations will need to adhere to under the new Regulation. The rules, if introduced, would mean businesses seeking to rely on individuals' consent to process personal data would need to ensure the consent provided is unambiguous. The provisions could allow processing to be carried out on the basis of internet users' browser settings.
The EU's justice commissioner Věra Jourová said that it is important that the Council of Ministers reach consensus on the planned new General Data Protection Regulation when they meet in June. Final negotiations on the precise wording of the Regulation can only take place if the Council agrees to give their presidency a mandate to open those talks with the European Parliament. MEPs have separately reached consensus on an alternative version of the planned reforms.