
Businesses could be 'left in limbo' if regulation of data protection becomes talking shop, warns expert

Out-Law News | 17 Nov 2014 | 3:29 pm

The ability of EU businesses to innovate could be dented if the data protection reforms include a bureaucratic framework where decisions on issues of enforcement are taken by committee, an expert has said.

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, warned that "regulators could lose their effectiveness" if enforcement matters are not addressed in a timely fashion under the new EU data protection regime.

EU law makers are currently negotiating a new General Data Protection Regulation to replace the existing Data Protection Directive that has been in force since 1995. According to Reuters, the Italian presidency of the Council of Ministers has made new recommendations on how the system of regulating organisations subject to the proposed new legal framework should work.

Under the plans, individual data protection authorities (DPAs) in the EU would have a greater say on enforcement matters in cross-border cases and it would fall to a new European Data Protection Board (EDPB) to determine what action should be taken where there is a dispute between DPAs on what the appropriate action should be, Reuters reported. It is envisaged that the EDPB would replace the existing pan-EU committee of DPAs, the Article 29 Working Party, under the new Regulation.

"The regulation and enforcement of data protection must not be a bureaucratic process," Wynn said. "Without strict time limits on the various stages of decision making envisaged under the Italian presidency's plans, there is the potential for cases to drag on many months and even years."

"Such a drawn out process could not only deprive individuals of a quick remedy for unlawful data protection practices they are the victims of, but also deprive businesses operating in the EU of much needed clarity on which practices are lawful and which are not. In the fast moving digital age, businesses cannot afford to be in limbo awaiting regulatory clarity. Businesses cannot afford to make significant investments in particular projects or developments where there is a risk that it could lead them down the wrong track legally so there is a risk of stagnation and to innovation if the regulatory and enforcement process for data protection in the EU is an overly bureaucratic one," she said.

The Italian presidency's proposals would, if introduced, represent a significant re-modelling of the 'one stop shop' mechanism that the European Commission originally proposed should be adopted for the regulation and enforcement of data protection under the new Regulation.

Under the Commission's original plans, businesses operating in the EU would have to answer to just one DPA within the trading bloc, even if they processed personal data of citizens based across the 28 member states. Whether DPAs would be responsible for regulating companies would be determined on the basis of whether businesses had their 'main establishment' in their jurisdiction.

'Main establishment' refers to the premises in which companies take their main decisions about personal data processing, according to the Commission plans. If companies took those decisions outside of the EU a 'main establishment' would be taken as any "place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place", according to the draft.

Under the proposed regime authorities would be required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state are likely to be affected by decisions taken by one authority, other authorities in those countries have the right to participate in joint operations. However, only the authorities in countries where organisations have their 'main establishment' would take regulatory action.

The EDPB would have oversight of DPAs' proposed regulatory action and could issue an opinion on whether the responsible DPA's actions are appropriate. Under the Commission's plans, it would be able to step in and seek changes to the measures proposed and, in extreme cases, suspend the implementation of the measures for a year if DPAs ignore its suggested revisions.

However, those plans were heavily criticised and have been the subject of intense debate and negotiation for nearly three years. Lawyers at the Council of Ministers questioned the legality of the Commission's 'one stop shop' plans. They said its proposals might not appropriately recognise individuals' rights to an effective remedy under EU laws.

The Council of Ministers is one of the law making bodies that must agree on the wording of the draft General Data Protection Regulation before it can become law. The European Parliament agreed on its version of the text earlier this year.

Three-way negotiations between the Council, Parliament and European Commission on the final wording of the reforms will take place once the Council reaches a consensus on the proposals. To date, the Council has reached only provisional agreement on some parts of the draft Regulation.