Out-Law News 3 min. read

German data watchdogs set out position on 'one stop shop' privacy regulation in the EU

Data protection authorities (DPAs) should have powers to protect the privacy of people in the country in which they are based even if organisations serving those people are based elsewhere, DPAs in Germany have said.

The watchdogs outlined their position on the proposed 'one stop shop' mechanism that is envisaged under proposed new data protection laws in a statement published by the Hamburg DPA.

The 'one stop shop' regulatory regime under the draft General Data Protection Regulation would mean that organisations operating across the EU would have to engage with just one DPA, in the country of their 'main establishment', rather than every DPA in the EU member states they are active in.

The European Commission's original proposals, though, contained a 'consistency mechanism' to allow DPAs outside of a business' main establishment to have their say in cases where individuals in their jurisdiction are affected by the actions of that company. However, only the lead authority, in countries where organisations have their main establishment, would take regulatory action, unless the authority in question confers power to a sister regulator in another state.

The German DPAs stated their belief that privacy regulators in the EU should be able to exercise their regulatory duties in cases relevant to people based in their country even if organisations do not have a branch within their member state.

Munich-based data protection law expert Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com, said that the German watchdogs had made it clear that they do not want a lead authority to have the power to decide what action to take in cases that have cross border relevance without consulting with the DPAs in other EU member states.

In cases where there is a disagreement among DPAs over the action that should be taken, the German DPAs said that it should be up to the proposed new European Data Protection Board to issue binding guidelines or decisions in the case.

The German authorities also set out their opposition to having the regulatory decision making process bound to a set timeframe.

"The German DPAs are against a true 'one stop shop' mechanism and instead back quite a complex framework that has the potential to drag out regulatory decision making," Wolgast said. "They seem to be worried that the level of data protection could be set lower if decisions are left in the hands of other authorities in the EU and that major organisations will essentially shop around to base their main establishment in countries where the DPAs are perceived to be weaker."

"Under the model backed by the German DPAs, the whole regulatory process would need to be defined, down to which kind of decisions should be subject to the 'one stop shop' regime and what others can be handled individually by DPAs. There would also need to be a timeline created so that, for example, there is clarity over how long lead authorities have to cooperate with other DPAs in cross border cases, and so that there is a timeframe for resolving cases where there is a disagreement between DPAs about what action is appropriate to take, particularly where matters would be handed over to the European Data Protection Board to resolve," she said.

"Without the process being clear, there is the potential that businesses could be left in limbo, not knowing whether their practices are permitted. Businesses need to know if they are in compliance with the law and it is the role of regulators to give them that clarity in a timely fashion. Such uncertainty would be bad for people' privacy rights too, since there would be no timeframe within which action against practices deemed to be unlawful would have to be taken."

Wolgast said that the German DPAs may take a more relaxed approach to how the 'one stop shop' regime would work in practice if the draft General Data Protection Regulation, when finalised, provides for strong privacy rights to individuals.

The Regulation, if introduced as currently intended, would see a single data protection law framework apply across the EU and to organisations based outside of the trading bloc that provide services to people within the member states. Currently each EU member state implements the existing EU Data Protection Directive within national laws slightly differently from one another.

MEPs have already given their backing to an amended version of the original draft General Data Protection Regulation. However, the EU's Council of Ministers also needs to vote through proposed changes before they can become law. Currently, though, EU Ministers have been unable to reach a consensus on the data protection reforms, with a particular sticking point being agreement over how the 'one stop shop' regime should work in practice and whether it would provide individuals with sufficient access to justice.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.