The draft Data Protection Regulation doesn’t offer many carrots to business – and a recent announcement by the Council of the European Union takes away one of the biggest carrots, the “One-Stop Shop” mechanism.
The One-Stop Shop refers to the principle that businesses would have to deal with just a single national data protection authority instead of 28 different authorities across the EU. The objective was to simplify logistics for businesses and to reduce any chance of multiple, inconsistent requirements from different authorities.
The One-Stop Shop was included in both the Commission’s and the European Parliament’s draft of the Regulation. General worries among Council members about loss of local control have been evident at least since meetings between the Commission and Council during the autumn of 2014. Concerns have also emerged that some countries (particularly Ireland, the European homebase for Facebook, Paypal, Apple and other Internet giants) might take a more pro-business stance than its continental counterparts.
In the end, it seems that the Council has decided against a true One-Stop Shop. On March 13, 2015 the Council announced that it had reached internal agreement that the One-Stop Shop should apply only in very limited circumstances where international coordination is vital. It appears that even in those circumstances, the lead authority would have to act more as a coordinator than a sole decision maker. Furthermore, if the lead authority fails to reach agreement with other interested national authorities, the decision must be referred to a new supervisory board, the European Data Protection Board.
The Council does not have the final say, since the Regulation is still in the “trilogue” phase that’s intended to allow the Council, Commission and Parliament to agree upon a mutually acceptable form of the Regulation. However, the Council seems fairly entrenched in its position, and a more pro-business compromise seems unlikely at this point.
The Council’s markup of the One-Stop Shop is available here.
Save the Date: The April edition of our Privacy Webinar series will be on Wednesday, April 29th and Sue Foster will discuss EU Data Protection for US Companies. Registration will open in early April. Check back!