Flawed 'one stop shop' regulatory regime for data protection could reduce quality of guidance for businesses, says expert

Out-Law News | 10 Dec 2013 | 11:55 am | 3 min. read

If data protection authorities (DPAs) are not free to take their own decisions on enforcement of data protection law and engage with businesses on other regulatory matters without consulting with other DPAs the result could be more confusing, theoretical guidance rather than clear, practical guidance, an expert has warned. 

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that businesses would be the ultimate losers unless problems with the planned 'one stop shop' approach to data protection regulation are solved.

The 'one stop shop' regulatory regime envisaged under a new General Data Protection Regulation would mean that businesses operating across the EU would have to engage with just one DPA, in the country of their 'main establishment'. However, EU Ministers are torn about whether or not there should be a mechanism for involving more DPAs in decisions affecting consumers local to them.

If DPAs can no longer act independently, said Wynn, then those that currently offer clear guidance would have to compromise on that and issue EU-wide guidance which would be likely to be less clear and the result of compromise and negotiation.

According to a statement issued following a meeting held by Justice Ministers in Brussels last week, lawyers from the Council of Ministers have raised concern that consumers across the EU would not be able to have sufficient access to justice under the 'one stop shop' proposals.

"It was established that there are limits to guarantee proximity for data subjects while at the same time guaranteeing one-stop-shop supervision for businesses operating in the internal market," the statement said. "The need to reconcile these two important goals was the core issue in today's debate."

"The Legal Service of the Council indicated that the model as it resulted from the technical work so far would confront data subjects with such a complicated system that it would be incompatible with the right to an effective remedy. This could be mitigated by conferring certain powers to the European Data Protection Board in certain transnational cases where control by local authorities is not effective enough," it said.

The Presidency of the Council of Ministers said that further work would be undertaken at "technical level" to determine whether DPAs based in the main establishment of businesses "should be given limited exclusive powers to adopt corrective measures". Further work is also to be undertaken to determine whether powers should be given to the European Data Protection Board, which would represent all DPAs across the trading bloc, "to adopt binding decisions regarding corrective measures" in some cases.

The Council of Ministers had announced in October that it provisionally backed the 'one stop shop' regulatory regime and EU Justice Commissioner Viviane Reding has now criticised the Ministers for "moving backwards" on the issue following last week's meeting. She said that lawyers at the European Commission had "clarified that there is no issue of legality or of compliance with fundamental rights" presented by the 'one stop shop' proposals.

"In theory, a system that allows businesses trading across the EU to engage with one DPA instead of 28 for regulatory approvals and on matters of enforcement is attractive," Wynn said. "Such a system promises less administration and quicker decisions and would therefore be less expensive for businesses to engage with."

"The problem, though, is that there are differences in the way the individual DPAs operate and the kind of advice, guidance and decisions they have offered and their interpretation of certain parts of the law. A new Regulation is likely to offer more consistency than currently exists by the mere fact that the various DPAs will be interpreting a single text rather than a myriad of different laws. However, not all DPAs have practice in issuing clear, practical guidance and have preferred instead to used equivocal, theoretical guidance when informing businesses what steps to take to achieve compliance."

"If the regulatory regime removes the freedom of regulators to act independently of others due to an obligation to act consistently then there is a danger that clear, practical guidelines for businesses could be replaced by more conservative advice that is of limited use. DPAs could be prompted into issuing decisions and guidelines that set steps that go above and beyond what businesses need to do to comply with the law because of the fear that there may not be agreement by other DPAs on more granular and helpful practical steps they might otherwise have recommended," Wynn said.

"Even if agreement is reached on the practicalities of the 'one stop shop' regime, it is likely to be imperfect. The onus would then be on the DPAs themselves to develop best practices to negate problems," she said.

Marc Dautlich, another expert in data protection law at Pinsent Masons, said in October that the intentions behind data protection reform could be undermined unless DPAs are given enforcement powers under the 'one stop shop' framework.