Expert Comment
The term ‘one stop shop’ was coined to describe a solution to one of the more frustrating aspects of the current regime: that at present, an organisation may be subject to the supervisory powers of the data protection authorities of several Member States, each of which may have a different approach to an issue and differing powers of enforcement. For organisations, it is time-consuming to deal with multiple regulators, but also difficult (and expensive) to accommodate the differing approaches that regulators may take in relation to the same issue.
The European Commission’s draft of the Regulation includes two key (and related) proposals: the one stop shop and the consistency mechanism. The one stop shop proposal is that only one regulator, the lead supervisory authority, would take decisions against the organisation. Where an entity has operations in several Member States, the lead supervisory authority will be that of the jurisdiction in which the ‘main establishment’ is located.
The consistency mechanism refers to a decision-making process that promotes consistent decision making across Member States. In the Commission’s proposal, where a case does not have EU-wide impact, the relevant national regulator would make its own decision, without consultation. If the issue had EU-wide impact, it would be considered by the EU Data Protection Board, which could issue an opinion which the national regulator would need to take into account. This formulation envisaged the Commission acting as a back stop, with the ability to make a non-binding intervention or to require the regulator to take certain steps.
The Commission’s formulation is not universally accepted, however. In particular, difficulties stem from the mechanics of how the one stop shop regime will work in practice where the laws of other Member States, in which the main establishment is not located, continue to apply. This issue was the focus of discussion when the Council of Ministers met on 6th December 2013. The Council had previously expressed support for the concept of one stop shop, but there was disagreement as to how to guarantee data subjects’ rights within a one stop shop regime. Specifically, the Council’s legal advisers noted that the proposed model was incompatible with a data subject’s right to an effective remedy. This prompted lengthy debate as to whether these risks could adequately be mitigated by giving additional powers to the European Data Protection Board. The Council concluded ultimately that further technical work is required.
The debate within the Council has foundered on both legal and political issues. Mrs Reding has expressed her displeasure, but urged the Council to move ahead under the Greek Presidency, due to start in January 2014. Later, she characterised the debate as a ‘disappointing day for data protection’, noting that ‘even after three months of discussion on the one stop shop principle there is still no workable solution on the table’. While urging the Council to move forward, she noted that, although she had always been vocal in calling for a swift agreement on data protection, she would not pursue that objective at any cost. This may be the first real sign of doubt that the legislative proposal will be agreed within the term of this Commission.
Mrs Reding also announced that ten full-day working meetings on data protection have already been scheduled under the Greek Presidency. Clearly she has not yet given up!