Dutch regulator questions likelihood of June agreement on data protection reforms

Out-Law News | 08 May 2014 | 5:09 pm | 3 min. read

The head of the data protection authority (DPA) in the Netherlands, Jacob Kohnstamm, has cast doubt on whether EU ministers will reach even partial agreement on reforms to EU data protection laws which they are due to scrutinise by June.

The European Parliament has voted in support of a new General Data Protection Regulation and a new directive which would set rules around personal data processing by law enforcement bodies specifically. MEPs and the European Commission had hoped that the EU's Council of Ministers would also reach internal consensus on the proposals at a meeting of justice ministers scheduled for June, with a view to that agreement triggering negotiations between the three bodies on the final wording of the reforms.

However, speaking at an event in London on Thursday morning, Kohnstamm said he doubted whether the EU ministers would reach agreement on the reforms by then.

"I hope that the Council, under the Greek presidency, will at least reach partial agreement on parts of the Regulation so that the trialogue [negotiations] could start in the summer but I'm not sure that it is going to happen," Kohnstamm said.

The European Commission officially proposed data protection reforms in January 2012 but there are question marks over whether the wording of a final package will be agreed upon by EU law makers before the end of the year. Once finalised at EU level, the reforms would not kick in for a further two years, meaning it may not be until 2017 until businesses have to comply with the new rules.

Kohnstamm, a former chairman of the Article 29 Working Party committee which represents DPAs from across the EU, said that there were "battles" going on within the Council of Ministers about two aspects of the proposed reforms in particular.

He said that agreeing to a 'one-stop shop' regulator and overcoming differences of opinion as to the extent to which businesses should bear greater administrative burden to protect personal data were the main issues still to be resolved by the Council. The failure to agree on those issues could hold up the other reforms contained in the proposals, he said.

"In Council there is only one agreement - that nothing is agreed until everything is agreed," Kohnstamm said.

The 'one stop shop' regulatory regime under the draft General Data Protection Regulation would mean that organisations operating across the EU would have to engage with just one DPA, in the country of their 'main establishment', rather than every DPA in the EU member states they are active in.

The European Commission's original proposals, though, contained a 'consistency mechanism' to allow DPAs outside of a business' main establishment to have their say in cases where individuals in their jurisdiction are affected by the actions of that company. Under those plans only the lead authority, in countries where organisations have their main establishment, would take regulatory action, unless the authority in question confers power to a sister regulator in another state.

However, EU Ministers are torn about whether or not there should be a mechanism for involving more DPAs in decisions affecting consumers local to them. DPAs in Germany recently set out their position on the 'one stop shop' proposals. At the time, Munich-based data protection law specialist Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com, said the German DPAs had outlined some objections to a pure 'one stop shop' regime.

Kohnstamm, though, said he was in favour of the plans: "Such a system will not only greatly simplify all our lives, both for business, data subjects and supervisory authorities it will also ensure consistency and uniformity of interpretation and application of the law."

Kohnstamm compared the proposals for a one-stop system to that which governs exchange rates across Europe. The same level of co-operation can be found "in the treaty of Lisbon governing the relationship between the Council and the European Central Bank with regard to exchange rate systems, so that's a text that already  exists and gives I think a good example of how we should be doing things", he said.

If DPAs had complaints about how a lead authority was handling a matter under the one-stop shop system they will be able to submit a complaint to the European Data Protection Board, which is set to succeed the Article 29 Working Party under the new Regulation, and the EDPB would be able to adopt an opinion on the matter, Kohnstamm said.

The regulator said that he shared the wish of organisations that "as few administrative burdens as possible" should apply under the new data protection law framework.  However, he said that data protection was a fundamental right enjoyed by individuals within the EU and that member states were "obliged to protect personal data, even proactively". Data protection law should not reflect business models, but rather businesses should have to reshape the way they do things to ensure they comply with the law's requirements.

"I agree that data protection should be offered on the ground rather than on paper but in the end business models should not determine how the law is shaped and to what extent the fundamental to data protection will be upheld," Kohnstamm said. "It is a fundamental right and business models should be adapted to that fundamental right instead of the other way around."

Kohnstamm said that organisations need to offer "real protection" to individuals' privacy and not treat data protection as "simply ... a box-ticking exercise". He said there was a need for "ground rules on what is and what is not allowed" and that those rules must ensure that a lawful basis for processing personal data is obtained for each purpose of processing that an organisation wishes to pursue.