Out-Law News 4 min. read

Intended data protection reforms could be undermined if 'one-stop shop' regulators lack enforcement powers, warns expert

Data protection authorities (DPAs) should have the power to issue binding enforcement decisions that apply across the entirety of the EU under a new data protection law framework, an expert has said.

If the proposed new General Data Protection Regulation was to bar or significantly limit the powers of regulators to fine companies or take other enforcement action for breaches of the rules then a "considerable part" of the benefits envisaged under the draft Regulation would "fall away", data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said.

Earlier this week, Justice Ministers from the 28 EU Member States provisionally agreed to back the 'one-stop shop' principle for the regulation of data protection which would see businesses able to engage with just one DPA – the one based in the country of their main establishment – instead of each DPA in every EU country in which they operate.

However, the Lithuanian Presidency of the Council of Ministers said that several details of how the 'one-stop shop' regime would work in practice have yet to be agreed on, with further "expert discussions" on the subject set to take place.

Among the matters to be ironed out include the extent to which DPAs in countries other than where businesses have their 'main establishment' could have a say in what action those businesses should face where individuals in the country in which they are based are affected by the actions of those businesses.

According to a report by legal news service M-Lex, some EU member states want DPAs in the countries of businesses' 'main establishment' to have the power to issue binding decisions on matters of enforcement that would apply across the entire EU trading bloc. However, other member states are keen to restrict the 'one-stop shop' regime to decisions about administrative functions, it said.

In a statement, the Lithuanian Presidency also confirmed that the "role and powers" of the European Data Protection Board, a new privacy watchdog which would be established under the reformed data protection framework, has also still to be clarified.

Dautlich said that consensus on the 'one-stop shop' regulatory system appears to be a long way off, and warned that there is now "a race against time" for EU Ministers, and MEPs too, to agree on a reform package.

"If you do not have centralised enforcement then a considerable part of the benefit of the Regulation would fall away," Dautlich said. "The 'on-stop shop' regulatory system must serve more than coordinated or administrative functions. Yes, there ought to be a process through which DPAs can consult with one another to achieve proportionate and sensible decisions, but businesses should not be subject to enforcement action by each DPA in every different EU state that they operate. DPAs should be able to issue binding EU-wide decisions, and those powers should include the terms of enforcement."

"There is now a real race against time for the final terms of the General Data Protection Regulation to be agreed before the European Parliament elections in May next year. If the wording is not agreed on before then the efforts to reform EU data protection law will face very significant delays. There is a broad consensus that change is needed as the existing Data Protection Directive from 1995 does not adequately cater for technological advances since then, but as some of the disagreements around how the 'one-stop shop' regime would work in practice shows, there remain significant barriers to overcome before consensus is achieved," he said.

In January last year the European Commission set out plans to replace the 1995 EU Data Protection Directive with a new General Data Protection Regulation. If enforced it would introduce a single data protection law across all 28 EU member states, in contrast to the Directive, which does not require word-for-word implementation into national law.

Under the draft Regulation DPAs would be responsible for regulating companies that have their "main establishment" in the country in which they conduct their regulatory activities. 'Main establishment' refers to the premises in which companies take their main decisions about personal data processing. If companies take those decisions outside of the EU a main establishment will be taken as any "place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place", according to the draft.

Under the proposed regime authorities would be required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state are likely to be affected by decisions taken by one authority, other authorities in those countries have the right to participate in joint operations. However, only the authorities in countries where organisations have their "main establishment" will take regulatory action, unless the authority in question confers power to a sister regulator in another state.

Authorities would have to communicate proposed measures they intend to take following regulatory investigations to a new independent European Data Protection Board. The Board would replace privacy watchdog the Article 29 Working Party and would have a month in which to issue its opinion on whether the responsible DPA's actions are appropriate.

After the EDPB has issued its opinion, the European Commission could step in and seek changes to the measures proposed and, in extreme case, suspend the implementation of the measures for a year if DPAs ignore its suggested revisions.

Two separate draft Regulations are currently being put together by EU Ministers and MEPs. Only once a consensus is reached would a new Regulation come into force.

According to a report by the New York Times, one proposed amendment currently being considered would require businesses to notify individuals about the transfer of their data from being stored in EU cloud computing infrastructure to clouds based in the US or elsewhere. The businesses would have to include details about the "legal effects" of such a transfer within its notification.

An alternative amendment proposed would expressly prohibit such data transfers unless individuals consent. Businesses would have to make individuals aware of "the possibility of the personal data being subject to intelligence gathering or surveillance by third-country authorities" through the use of "clear, unambiguous and warning language" in a "separate and prominently visible reference", under the plans, according to the report.

The amendments follow on from revelations about US and UK intelligence-gathering and surveillance methods disclosed to newspaper groups by the whistleblower Edward Snowden.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.