In January 2012, the European Commission presented a legislative package to update the core data protection principles enshrined in the 1995 Data Protection Directive (Directive 95/46/EC). The policy objectives of the European Commission set out an ambition to build a more cohesive EU data protection framework supported by stronger enforcement. Central to facilitating this were proposals for a General Data Protection Regulation (the Regulation) and a directive on protecting personal data.
On 7-8 October 2013, the Justice and Home Affairs Council (the Council) debated the European Commission’s proposals. In a press release, the Council showed its support for a ‘one-stop-shop’ for data protection compliance, rather than the existing 28-member state compliance approach, as well as a consistency mechanism, both of which form the core pillars of the proposals.
The Council suggested that consistency in the application of EU data protection rules could be achieved by entrusting central power with the European Data Protection Board, which would take over from the existing Art. 29 Working Party, to ensure a harmonised approach to the Data Protection Framework.
The one-stop-shop principle would create consistency for international organisations to process personal data in multiple member states through the appointment of a single competent authority to monitor the data controller’s activities across all member states. The relevant supervisory authority would be determined by the member state in which the data controller or processer has its main establishment. The supervisory authority would also be responsible for providing a single supervisory decision in the context of enforcement. However, Council debate reached an impasse when discussing how this decision should be reached. While some member states support further expert work toward a single supervisory authority model, others preferred the concept of co-decision mechanism encouraging proximity between the main establishment supervisory authority involving local supervisory authorities. Either way, a one-stop-shop approach would undoubtedly be beneficial, ensuring faster and more consistent application of decisions, as well as offering legal certainty, reducing the administrative and cost burden for international organisations to comply with data protection rules.
Juozas Bernatonis, Justice Minister of Lithuania, commented:
“I would like to say that the Council generally supports the principle that the draft regulation should provide for a ‘one-stop-shop’ mechanism in important cross-border cases in order to arrive at a single decision in respect of companies operating in several member states. The aim is to develop a simple, fast mechanism that would contribute to a more consistent application of the data protection rules in the EU, to ensure legal certainty and reduce the administrative burden. This is an important factor to enhance the cost-efficiency of the data protection rules for international business, thus contributing to the growth of the digital economy.”
Progress in moving toward a new General Data Protection Regulation is proving very slow, and despite the ‘vote’ by the Council having been scheduled for 7 October, the proposals are still not finalised.