Out-Law News 4 min. read

Plans unveiled to remodel proposed 'one stop shop' regulation of data protection in the EU

A new system for regulating businesses' data protection in the EU is being considered by EU ministers, with plans that would allow companies to engage with just one data protection authority (DPA) in the trading bloc set to be heavily amended.

The Presidency of the Council of Ministers has outlined plans to involve national DPAs more in cases where businesses' data protection compliance is in question and where the issues affect consumers within their jurisdiction.

In particular, the Presidency has proposed that the 'one stop shop' mechanism for regulating data protection in the EU, as envisaged under draft reforms to EU data protection laws, be entirely disregarded "if the subject matter of the specific processing concerns only processing carried out in a single member state and involving only data subjects in that single member state".

In such circumstances, the local DPA would have the power to investigate and resolve cases on their own without having to engage with other DPAs across the trading bloc on the handling of those cases.

Under previous proposals considered by the Council, local DPAs may have found themselves marginalised as responsibility for handling data protection investigations and making decisions on what actions to take against businesses would have fallen to the DPA based in the country where that company had their 'main establishment' in the EU.

This proposed 'one stop shop' approach was suggested by the European Commission as a way to cut down on the number of regulators investigating the same cases and to allow businesses to engage with just a single DPA.

The Commission's plans, however, do contain a consistency or cooperation mechanism to allow DPAs outside of a business' main establishment to have their say in cases where individuals in their jurisdiction are affected by the actions of that company. However, under those plans it would still fall to the lead authority to take regulatory action.

Last year, however, lawyers at the Council of Ministers warned that the 'one stop shop' regime, as envisaged by the Commission, may not appropriately recognise individuals' rights to an effective remedy under EU laws.

The Presidency's revised plans therefore seek to build a regulatory system that allows local DPAs to have a say in cases that impact on consumers in their country, even if the case is handled predominantly by a lead authority based elsewhere in the EU.

"The Presidency has endeavoured to ensure the proximity [between individuals and the decision-making supervisory authority] by involving all concerned supervisory authorities in deciding on the draft measure," it said. "The 'local' concerned supervisory authority can trigger the cooperation mechanism by referring the matter to the lead authority. When the 'local' authority which investigates a case, finds that the faulty processing needs to be addressed through corrective, authorisation or advisory measures, it will transmit the case to the lead authority."

"The lead authority cannot adopt a 'go-it-alone' attitude but needs to cooperate with the data protection authorities of other member states concerned by the processing in question in an endeavour to reach consensus. After having investigated the subject matter and having communicated the relevant information on the matter to the data protection authorities concerned, the lead supervisory authority must, where appropriate, draw up a draft decision on the (corrective, authorisation or advisory) measure to be taken and submit it to all authorities concerned for their opinion and take due account of their views," the proposals said.

"The co-operation mechanism thus allows the supervisory authorities concerned to have input in the decision-making process regarding the decision adopted by the lead authority," it said.

The system suggested by the Presidency would enable individuals to raise data protection complaints with their local regulator and give that authority the power to seek a settlement of cases between individuals and businesses where only local issues are in question.

In addition, the local DPAs would have the power to issue a "draft decision" in cases where complaints have been raised with it at the time that it refers those cases to the lead authority based elsewhere in the EU.

Local DPAs would similarly be able to object to draft decisions issued by lead authorities. In those circumstances, a new European Data Protection Board would be asked to give its opinion on the case which, under proposals previously put forward by DPAs in Germany, could have powers to issue binding guidelines on the action that should be taken by regulators in individual cases.

DPAs that receive data protection complaints would also have the power to reject those complaints providing the lead authority agrees with that action, although individuals would be able to appeal against the decision of their local regulator before the courts in their country.

The Presidency has asked EU ministers whether the latest proposals "are a way forward to build a consistent and efficient one-stop-shop mechanism while ensuring proximity". Ministers are set to meet later this week to discuss the data protection reforms.

"The current compromise text provides for a possibility for a data protection authority to act as lead authority in cases of processing by a controller or processor established only in one member state, but which affects data subjects in other member states," the Presidency said.

"It also covers the situation of processing in the context of the activities of an establishment of the same controller or processor established on the territory of different member states. In both cases, the data protection authority of the member state of the main or sole establishment acts as lead authority in close cooperation with the authorities of other concerned member states," it said.

Disagreement over the way the 'one stop shop' mechanism would work in practice is one of the main factors behind the delay in EU ministers reaching a consensus on the wording of a new EU General Data Protection Regulation. MEPs have given their support to a new Regulation. Both the European Parliament and the Council of Ministers must agree on the wording of the text before it can become law, however.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.