A comment on the latest developments in European data protection reform

The European Council expresses concern over the current one-stop-shop proposal which could make it difficult to challenge the decision of a regulator in another jurisdiction.

The proposed reform of the European data protection legal framework continues to be debated at an EU level, but the most recent developments in December 2013 suggest that its finalisation is still some way off. This article explains why.

On 21 October 2013, the European Parliament approved a compromise draft of the European General Data Protection Regulation (the new Regulation).  This was an important development in the long-running saga of the proposed successor to the 1995 Data Protection Directive (the 1995 Directive) which, if and when enacted, should become the principal law relating to data protection across the EU and, in the UK, would replace the Data Protection Act 1998.  Proposals were first brought forward by the European Commission in January 2012, and approval by the European Parliament in October 2013 of a compromise text was seen as a significant breakthrough.  However, the new Regulation still requires the approval of the European Council (made up of ministers of each EU member state) before it can become law.

The new Regulation was proposed in order to harmonise data protection laws across the EU member states, as well as to update those laws to reflect technological developments since 1995.  Harmonisation is seen as necessary because member states have implemented the 1995 Directive in different ways, leading to varying levels of data protection and differing requirements across the EU.  A key part of the new Regulation is the proposal for a 'one-stop-shop' regulatory regime, which will allow multinational companies to deal with only one regulator for the whole of their EU operations.  Rather than dealing with 28 different regulators across the EU, each applying different data protection laws, a multinational company would only need to comply with one principal data protection law (the new Regulation) and would be subject to the jurisdiction of one data protection regulator (being the regulator in the country of the company's 'main establishment').  Supporters claimed this would significantly reduce the cost of data protection compliance for larger businesses.

On 6 December 2013, the European Council considered the new Regulation.  The Council had previously indicated its support for the one-stop-shop concept.  However, lawyers for the Council argued that the one-stop-shop proposal was potentially unlawful, because it might infringe the rights of data subjects wishing to challenge the decision of a regulator.  The Council's lawyers have claimed that, if the single regulator was outside a data subject's jurisdiction, it would be difficult for the data subject to challenge that regulator's decisions, and this could infringe the data subject's access to justice.  The Council also expressed its concern about 'forum shopping', which could result in large organisations designating their main establishment in countries with weaker regulators, making it harder for data subjects to enforce their rights.  The Commission's legal team disagrees, but it is clear that the one-stop-shop concept needs further consideration before the new Regulation can be finalised and adopted.

The Greek presidency of the Council, beginning in January 2014, has data protection reform as a key priority, so the issue will continue to be debated.  However, in addition to the disagreements about the one-stop-shop, there are a number of other issues that remain to be resolved.  For example, a small number of member states (including the UK) remain sceptical about the need for a regulation at all, and would prefer data protection reform to take the form of a directive, giving member states more control as to how the reforms are enacted.  While such fundamental disagreements remain, it seems unlikely that the new Regulation will be passed before the EU Parliamentary elections in May 2014 or before the Greece presidency ends in June 2014.

Bond Dickinson