On Friday, the ministers will vote on a proposed new framework on the oversight of organisations' handling of personal data. The draft framework is intended to set out dividing lines for when data protection authorities (DPAs) would be responsible for handling complaints and taking enforcement action, where they could get involved in cases being examined by other DPAs in the trading bloc and when they would have no jurisdiction to do so.
The justice ministers are considering a remodelled 'one stop shop' mechanism (58-page / 574KB PDF). The European Commission originally proposed the mechanism as a way to streamline the administration and procedures involved for businesses in engaging with DPAs in the EU. Instead of having to answer to up to 28 different DPAs, as is currently the case, businesses would instead engage with the DPA in the country of their 'main establishment', under the Commission's plans.
However, legal advisors to the Council of Ministers, the body bringing together all the justice ministers to debate the proposed reforms, previously said that the Commission's plans fail the 'proximity' test, which is the need under EU law to ensure that legal decisions affecting individuals are taken as locally as possible to them.
Some countries within the EU have also been concerned that a true 'one stop shop' framework for data protection would promote 'forum shopping' by companies. They feel that companies could elect to base themselves in countries where there is not as strong a history of stringent application of data protection rules as there are in other areas of the EU. DPAs in Germany and the Netherlands, for example, have previously been frustrated in their attempts to regulate technology companies based in Ireland and Luxembourg.
Earlier this week, the Council of Ministers confirmed that the proposed 'one stop shop' mechanism to be voted on on Friday would only apply to "important cross-border cases". In practice it could see several DPAs cooperate on enforcement cases and take a joint decision on what action to take against businesses. However, decision making could be deferred to a new European Data Protection Board where there is disagreement between the DPAs.
"The proposal clarifies that the jointly agreed decision will be adopted by the data protection authority best placed to deliver the most effective protection from the perspective of the data subject," the Council said.
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that the proposals were "a mess".
"Compromises of this sort are a fact of legislative life and by definition tend to fall short of stakeholders’ expectations, but the remodelled mechanism here has something to disappoint nearly everyone: for businesses operating cross-border, it seems to fall far short of the proper one-stop shop originally proposed; for the DPAs responsible for enforcement, how much time will be spent distinguishing 'important' cross-border cases from the rest, as this might not necessarily always be obvious when a matter is first raised with a DPA?; and for data subjects, the mechanism seems bound to increase delay in obtaining redress," Dautlich said.