Archive for the ‘Applicable law’ Category

European Parliament votes in favour of data protection reform

Posted on March 21st, 2014 by



On 12 March 2014, the European Parliament (the “Parliament”) overwhelmingly voted in favour of the European Commission’s proposal for a Data Protection Regulation (the “Data Protection Regulation”) in its plenary assembly. In total 621 members of Parliament voted for the proposals and only 10 against. The vote cemented the Parliament’s support of the data protection reform, which constitutes an important step forward in the legislative procedure. Following the vote, Viviane Reding – the EU Justice Commissioner – said that “The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible”. While this vote is an important milestone in the adoption process, there are still several steps to go before the text is adopted and comes into force.

So what happens next?

Following the Civil Liberties, Justice and Home Affairs (LIBE) Committee’s report published in October 2013 (for more information on this report – see this previous article), this month’s vote means that the Council of the European Union (the “Council”) can now formally conduct its reading of the text based on the Parliament’s amendments. Since the EU Commission made its proposal, preparatory work in the Council has been running in parallel with the Parliament. However, the Council can only adopt its position after the Parliament has acted.

In order for the proposed Data Protection Regulation to become law, both the Parliament and the Council must adopt the text in what is called the “ordinary legislative procedure” – a process in which the decisions of the Parliament and the Council have the same weight. The Parliament can only begin official negotiations with the Council as soon as the Council presents its position. It seems unlikely that the Council will accept the Parliament’s position and, on the contrary, will want to put forward its own amendments.

In the meantime, representatives of the Parliament, the Council and the Commission will probably organise informal meetings, the so-called “trilogue” meetings, with a view to reaching a first reading agreement.

The EU Justice Ministers have already met several times in Council meetings in the past months to discuss the data protection reform. Although there seems to be broad support among Member States for the proposal, they haven’t yet reached an agreement over some of the key provisions, such as the “one-stop shop” rule. The next meeting of the Council ministers is due to take place in June 2014.

Will there be further delays?

As the Council has not yet agreed its position, the speed at which the proposed regulation develops in the coming months largely depends on that position being finalised. Once the Council has reached a position, there is also the possibility that the proposals could be amended further. If this happens, the Parliament may need to vote again before the process is complete.

Furthermore, with the elections in the EU Parliament coming up this May, this means that the whole adoption process will be put on hold until a new Parliament comes into place and a new Commission is approved in the autumn this year. Given these important political changes, it is difficult to predict when the Data Protection Regulation will be finally adopted.

It is worth noting, however, that the European heads of state and government publicly committed themselves to the ‘timely’ adoption of the data protection legislation by 2015 – though, with the slow progress made to date and work still remaining to be done, this looks a very tall order indeed.

How do EU and US privacy regimes compare?

Posted on March 5th, 2014 by



As an EU privacy professional working in the US, one of the things that regularly fascinates me is each continent’s misperception of the other’s privacy rules.  Far too often have I heard EU privacy professionals (who really should know better) mutter something like “The US doesn’t have a privacy law” in conversation; equally, I’ve heard US colleagues talk about the EU’s rules as being “nuts” without understanding the cultural sensitivities that drive European laws.

So I thought it would be worth dedicating a few lines to compare and contrast the different regimes, principally to highlight that, yes, they are indeed different, but, no, you cannot draw a conclusion from these differences that one regime is “better” (whatever that means) than the other.  You can think of what follows as a kind of brief 101 in EU/US privacy differences.

1.  Culturally, there is a stronger expectation of privacy in the EU.  It’s often said that there is a stronger cultural expectation of privacy in the EU than the US.  Indeed, that’s probably true.   Privacy in the EU is protected as a “fundamental right” under the European Union’s Charter of Fundamental Rights – essentially, it’s akin to a constitutional right for EU citizens.  Debates about privacy and data protection evoke as much emotion in the EU as do debates about gun control legislation in the US.

2.  Forget the myth: the US DOES have data protection laws.  It’s simply not true that the US doesn’t have data protection laws.  The difference is that, while the EU has an all-encompassing data protection framework (the Data Protection Directive) that applies across every Member State, across all sectors and across all types of data, the US has no directly analogous equivalent.  That’s not the same thing as saying the US has no privacy laws – it has an abundance of them!  From federal rules designed to deal with specific risk scenarios (for example, collection of child data online is regulated under the Children’s Online Privacy Protection Act), to sector-specific rules (Health Insurance Portability and Accountability Act for health-related information and the Gramm-Leach-Bliley Act for financial information), to state-driven rules (the California Online Privacy Protection Act in California, for example – California, incidentally, also protects individuals’ right to privacy under its constitution).  So the next time someone tells you that the US has no privacy law, don’t fall for it – comparing EU and US privacy rules is like comparing apples to a whole bunch of oranges.

3.  Class actions.  US businesses spend a lot of time worrying about class actions and, in the privacy realm, there have been multiple.  Countless times I’ve sat with US clients who agonise over their privacy policy drafting to ensure that the disclosures they make are sufficiently clear and transparent in order to avoid any accusation they may have misled consumers.  Successful class actions can run into the millions of $$$ and, with that much potential liability at stake, US businesses take this privacy compliance risk very seriously.  But when was the last time you heard of a successful class action in the EU?  For that matter, when was the last time you heard of ANY kind of award of meaningful damages to individuals for breaches of data protection law?

4.  Regulatory bark vs. bite.  So, in the absence of meaningful legal redress through the courts, what can EU citizens do to ensure their privacy rights are respected?  The short answer is complain to their national data protection authorities, and EU data protection authorities tend to be very interested and very vocal.  Bodies like the Article 29 Working Party, for example, pump out an enormous volume of regulatory guidance, as do certain national data protection authorities, like the UK Information Commissioner’s Office or the French CNIL. Over in the US, American consumers also have their own heavyweight regulatory champion in the form of Federal Trade Commission which, by using its powers to take enforcement against “unfair and deceptive practices” under the FTC Act, is getting ever more active in the realm of data protection enforcement.  And look at some of the settlements it has reached with high profile companies – settlements that, in some cases, have run in excess of US$20m and resulted in businesses having to subject themselves to 20 year compliance audits.  By contrast, however vocal EU DPAs are, their powers of enforcement are typically much more limited, with some even lacking the ability to fine.

So those are just some of the big picture differences, but there are so many more points of detail a well-informed privacy professional ought to know – like how the US notion of “personally identifiable information” contrasts with EU “personal data”, why the US model of relying on consent to legitimise data processing is less favoured in the EU, and what the similarities and differences are between US “fair information practice principles” and EU “data protection principles”.

That’s all for another time, but for now take away this:  while they may go about it in different ways, the EU and US each share a common goal of protecting individuals’ privacy rights.  Is either regime perfect?  No, but each could sure learn a lot from the other.


EU Parliament’s LIBE Committee Issues Report on State Surveillance

Posted on February 19th, 2014 by



Last week, the European Parliament’s Civil Liberties Committee (“LIBE”) issued a report into the US National Security Agency (“NSA”) and EU member states’ surveillance of EU citizens (the “Report”). The Report was passed by 33 votes to 7 with 17 abstentions, and questions whether data protection rules should be included in the trade negotiations with the US. The release of the report comes at a crucial time for both Europe and the US, but what does this announcement really tell us about the future of international data flows in the eyes of the EU and the EU’s relationship with the US?

Background to the Report

The Report follows the US Federal Trade Commission’s (“FTC”) recent response to criticisms from the European Commission and European Parliament following the NSA scandal and subsequent concerns regarding Safe Harbor (for more information on the FTC – see this previous article). The Report calls into question recent revelations by whistleblowers and journalists about the extent of mass surveillance activities by governments. In addition, the LIBE Committee argues that the extent of the blanket data collection, highlighted by the NSA allegations, goes far beyond what would be reasonably expected to counter terrorism and other major security threats. The Report also criticises the international arrangements between the EU and the US, and states that these mechanisms “have failed to provide for the necessary checks and balances and for democratic accountability”.

LIBE Committee’s Recommendations

In order to address the deficiencies highlighted in the Report and to restore trust between the EU and the US, the LIBE Committee proposes several recommendations with a view to preserving the right to privacy and the integrity of EU citizens’ data, including:

  • US authorities and EU Member States should prohibit blanket mass surveillance activities and bulk processing of personal data;
  • The Safe Harbor framework should be suspended, and all transfers currently operating under this mechanism should stop immediately;
  • The status of New Zealand and Canada as ‘adequate’ jurisdictions for the purposes of data transfers should be reassessed;
  • The adoption of the draft EU Data Protection Regulation should be accelerated;
  • The establishment of the European Cloud Partnership must be fast-tracked;
  • A framework for the protection of whistle-blowers must be established;
  • An autonomous EU IT capability must be developed by September 2014, including ENISA minimum security and privacy standards for IT networks;
  • The EU Commission must present a European strategy for democratic governance of the Internet by January 2015; and
  • EU Member States should develop a coherent strategy with the UN, including support of the UN resolution on ‘the right to privacy in the digital age’.

Restoring trust

The LIBE Committee’s recommendations were widely criticised by politicians for being disproportionate and unrealistic. EU politicians also commented that the Report sets unachievable deadlines and appears to be a step backwards in the debate and, more importantly, in achieving a solution. One of the most controversial proposals in the Report consists of effectively ‘shutting off’ all data transfers to the US. This could have the counterproductive effect of isolating Europe and would not serve the purpose of achieving an international free flow of data in a truly digital society, as is anticipated by the EU data protection reform.

Consequences for Safe Harbor?

The Report serves to communicate further public criticism about the NSA’s alleged intelligence overreaching.  Whatever the LIBE Committee’s position, it is highly unlikely that as a result Safe Harbor will be suspended or repealed – far too many US-led businesses are dependent upon it for their data flows from the EU, meaning a suspension of Safe Harbor would have a very serious impact on transatlantic trade. Nevertheless, as a consequence of these latest criticisms, it is now more likely than ever that the EU/US Safe Harbor framework will undergo some changes in the near future.  As to what, precisely, these will be, only time will tell – though more active FTC enforcement of Safe Harbor breaches now seems inevitable.


The country of origin principle: a controller’s establishment wish list

Posted on July 1st, 2013 by



Data controllers setting up shop in Europe are typically well aware of the EU’s applicable law rules under Art. 4 of the Data Protection Directive (95/46). In particular, by having an “establishment” in one Member State, they are subject only to the data protection law of that Member State – even when they process personal information about individuals in other Member States. For example, a controller “established” in the UK is subject only to UK data protection law, even when it processes information about individuals resident in France, Germany, Spain, and elsewhere.

Referred to as the “establishment” test, this model is particularly common among US online businesses selling into the EU.  Without an EU “establishment”, they risk exposure to each of the EU’s 28 different national data protection laws, with all the chaos that entails.  But with an EU “establishment”, they take the benefit of a single Member State’s law, driving down risk and promoting legal certainty.  This principle was most recently upheld when a German court concluded that Facebook is established in Ireland and therefore not subject to German data protection law.

What does it mean to have a data controlling “establishment” though?  It’s a complex question, and one for which the Article 29 Working Party has published detailed and technical guidance.  In purely practical terms though, there are a number of simple measures that controllers wanting to evidence their establishment in a particular Member State can take:

1.  Register as a data controller.  It may sound obvious, but controllers claiming establishment in a particular Member State should make sure to register with the national data protection authority in that Member State.  Aside from helping to show local establishment, failing to register may be an offence.

2.  Review your external privacy notices.  The business should ensure its privacy policy and other outward-facing privacy notices clearly identify the EU controller and where it is established.  It’s all very well designating a local EU subsidiary as a controller, but if the privacy policy tells a different story this will confuse data subjects and be a red flag to data protection authorities.

3.  Review your internal privacy policies.  A controller should have in place a robust internal policy framework evidencing its controllership and showing its commitment to protect personal data.  It should ensure that its staff are trained on those policies and that appropriate mechanisms exist to monitor and enforce compliance.  Failure to produce appropriate policy documentation will inevitably raise questions in the mind of a national data protection authority about the level of control the local entity has over data processing and compliance.

4.  Data processing agreements.  It’s perfectly acceptable to outsource processing activities from the designated controller to affiliated group subsidiaries or external vendors, but controllers that do so must make sure to have in place appropriate agreements with their outsourced providers – whether those providers are intra-group or external.  It’s vital that, through contractual controls, the designated controller remains in the driving seat about how and why its data is used; it mustn’t simply serve as a ‘rubber stamp’ for data decisions ultimately made by its parent or affiliates.  For example, if EU customer data is hosted on the CRM systems of a UK controller’s US parent, then arm’s length documentation should exist between the UK and US entities showing that the US entity processes data only as a processor on behalf of the UK controller.

5.  Appoint data protection staff.  In some territories, appointing a data protection officer is a mandatory legal requirement for controllers.  Even where it’s not, nominating a local employee to fulfill a data protection officer (or similar) role to oversee local data protection compliance is a sensible measure.  The nominated DPO will fulfill a critical role in reviewing and authorizing data processing policies, systems and activities, thus demonstrating that data decisions are made within the designated controller.  He or she will also provide a consistent and informed interface with the local data protection authority, fostering positive regulatory relationships.

This is not an exhaustive list by any means, but a controller that takes the above practical measures will go a long way towards evidencing “establishment” in its national territory.  This will benefit it not just when corresponding with its own national data protection authority but also when managing enquiries and investigations from overseas data protection authorities, by substantially reducing its exposure to the regimes of those overseas authorities in the first place.

ECJ Advocate General: Google is NOT a controller of personal data on other sites

Posted on June 25th, 2013 by



We now know the Advocate General’s Opinion in the most eagerly followed data protection case in the history of the European Court of Justice (ECJ). After the prolific enforcement actions of the Spanish data protection authority to stop Google showing unwanted personal data in search results, their court battles were escalated all the way to the ECJ. Whilst the final decision is still a few months away, the influential Opinion of the Advocate General (AG) is a clear indication of where things are going.

The ultimate question is whether Google, in its capacity as a search engine provider, is legally required to honour individuals’ requests to block personal data from appearing in search results. For that to be the case, the court will have to answer affirmatively a three-fold legal test:

1. Does EU law apply to Google? The AG’s Opinion is YES if the search engine provider has an establishment in a Member State for the purpose of promoting and selling advertising space on the search engine, as that establishment acts as the bridge between the search service and the revenue generated by advertising.

Unfortunately the AG does not deal with the question of whether Google Inc. uses equipment in Spain, so we don’t know whether an Internet company with no physical presence in the EU will be caught by EU law.

2. Does a search engine process personal data? The AG’s answer here is also YES, because notions of ‘personal data’ and ‘processing’ are sufficiently wide to cover the activities involved in retrieving information sought by users.

3. Is Google a controller of that data? Crucially, the AG’s answer is NO, because a search engine is not aware of the existence of a certain defined category of information amounting to personal data. Therefore, Google is not in a position to determine the uses made of that data.

So the conclusion, according to the AG, is that a data protection authority cannot compel Google to stop revealing personal data as part of search results.

In addition, the AG goes on to say that even if the ECJ were to find that internet search engine service providers were responsible as controllers for personal data appearing in search results, an individual would still not have a general ‘right to be forgotten’, as this is not contemplated in the current Directive.

What will happen if there is no new EU privacy law next year

Posted on June 20th, 2013 by



The European Parliament has just announced another delay affecting the vote on its version of the EU Data Protection Regulation. That means that we will now not know where the Parliament truly stands on this issue until September or October at the earliest. Although this was sort of expected, optimistic people like me were still hoping that the LIBE Committee would get enough consensus to issue a draft this side of the Summer, but clearly the political will is not quite there. This is obviously disappointing for a number of reasons, so in case the MEPs need a bit of motivation to get their act together, here are a few things that are likely to happen if the new Regulation is not adopted before next year’s deadline:

* Inconsistent legal regimes throughout the EU – The current differences in both the letter of the law and the way it is interpreted are confusing at best and one of the biggest weaknesses in achieving the right level of compliance.

* Non-application of EU law to global Internet players – Thanks to its 1990s references to the ‘use of equipment’, the Directive’s framework is arguably not applicable to Internet businesses based outside the EU even if they collect data from millions of EU residents. Is that a good idea?

* Death by paperwork – One of the most positive outcomes of the proposed Regulation will be the replacement of the paper-based compliance approach of the Directive with a more practical focus. Do we really want to carry on spending compliance resources filling in forms?

* Uncertainty about the meaning of personal data – Constantly evolving technology and the increasing value of data generated by our interaction with that technology have shaken the current concept of personal data. We badly need a 21st century definition of personal data and its different levels of complexity.

* Massive security exposures – The data security obligations under the existing Directive are rather modest compared to the well publicised wish list of regulators and, frankly, even some of those legal frameworks regarded as ‘inadequate’ by comparison to European data protection are considerably ahead of Europe in areas like data breach notification.

* Toothless regulators – Most EU data protection authorities still have very weak enforcement powers. Without going overboard, the Regulation is their chance to make their supervisory role truly effective.

The need to modernise EU data protection law is real and, above all, overdue. A bit of compromise has to be better than not doing anything at all.

How to solve BCR conflicts with local law

Posted on March 13th, 2013 by



A frequently asked question by many clients considering BCR is “How can we apply BCR on a global basis?  What if non-EU laws conflict with our BCR requirements?”  Normally, this question is raised during an early-stage stakeholder review – typically, by local in-house counsel or a country manager who points out, quite reasonably, that BCR are designed to meet EU data protection standards, not their own local laws.

It’s a very good, and perfectly valid, question to ask – but one that can very quickly be laid to rest.  BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements.  Global businesses necessarily have to comply with the myriad of different laws applicable to them, and the BCR policy can address this need in the following way:

(*)  where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply.  In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and

(*)  where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply.  In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.

In both cases, the controller manages to fulfill its responsibilities under both applicable local law and the BCR, so a head on collision between the two almost never arises.  But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, then the group’s EU headquarters or privacy function is simply required to take a “responsible decision” on what action to take and consult with EU data protection authorities if in doubt.

The net result?  Carefully designed BCR provide a globally consistent data management framework that set an expected baseline level of compliance throughout the organization – exceeded only if and when required by local law.

Positive ruling for US businesses adopting single EU controller model?

Posted on February 19th, 2013 by



In two preliminary decisions, the Administrative Court of the German Federal State of Schleswig-Holstein ruled last week that two administrative acts which had been issued by the DPA of Schleswig-Holstein (ULD) against Facebook Inc. and Facebook Ireland Ltd. cannot be enforced until a decision in the main proceedings is made (ref. nos. 8 B 60/12 and 8 B 61/12). What at first sight seems to be only a side aspect in the ULD’s battle against the handling of personal data by the world’s largest social network has some fundamental implications, as the court denied the applicability of German data protection law to the company’s German activities at all.

In its preliminary decisions, the court followed Facebook’s argument that only Facebook Ireland Ltd. is relevant for the determination of applicable law, as its German entity solely provides supporting services (marketing and acquisition) and is not involved in the processing of personal data. Facebook Ireland would be the only European entity with direct control over user data of non-US users. Other European entities would not be involved in the processing of personal data. The court regarded it irrelevant whether Facebook Inc. (USA) would be the sole controller of personal data, or whether it would be joint controller together with Facebook Ltd. (Ireland), as Facebook Ltd. must be regarded as an establishment of Facebook Inc. which processes personal data in the course of its business operations. The court stated that Facebook Ltd., with its 400 employees and its infrastructure in Dublin, “implies the effective and real exercise of activity through stable arrangements” within the meaning of recital 19 of the Directive, and thus fulfills the requirements for an “establishment” under Art. 4 (1)(a) of Directive 95/46/EC.

Further, the court stated it would not be relevant where the servers are located on which the data is stored and processed as Art. 4 (1) (a) of Directive 95/46/EC only requires that the processing is carried out “in the context of the activities of an establishment of the controller”, so that Facebook Ltd. must be regarded as an establishment within the meaning of Art. 4 (1) (a) of Directive 95/46/EC even if the technical infrastructure is located in the US.

The background of the case is that the ULD had issued two identical administrative orders against Facebook Inc. and Facebook Ireland Ltd. in December 2012 to force the company to unlock aliased user accounts that had been locked by Facebook. The ULD regards Facebook’s policy that users must use full and correct names for their profiles to be in violation of German data protection regulation and the German Telemedia Act, which stipulate that an anonymous/aliased use of internet services must be offered where possible. The ULD also made the order immediately enforceable, and only this additional element of the order was subject to the preliminary ruling of the court.

It must thus be borne in mind that the decision is only preliminary and based on a consideration of interests rather than a thorough legal consideration. The main criterion for the court was whether the interest of the DPA in an immediate enforcement supersedes Facebook´s interest in the suspension of the enforcement. The legal assessment, although part of that consideration, is not binding and will be further scrutinized in the main proceedings. Also, the DPA of Schleswig-Holstein has lodged a complaint against the decision.

Conclusions: In general, the decisions of the administrative court support the validity of a structure that various US internet businesses use in Europe to mitigate potential exposure to multiple EU data protection regimes, i.e. appointing a single European subsidiary to assume controllership of European users’ personal data, while other European subsidiaries provide supporting services in the areas of marketing and distribution. However, the decision also shows that the setup of a European structure must be carefully shaped as the court put specific emphasis on the “stable arrangements” and the personnel and infrastructural configuration of the establishment. This makes clear that “letterbox offices” will not be accepted, and that only a legal setup that reflects the reality of the business may qualify as an establishment under the Directive.

As a further important point to note, the court also held that EU data protection law does not require the IT infrastructure to be located on European soil. In this regard, it must be noted that Directive 95/46/EC potentially allows for an opposing interpretation; and it should be closely monitored whether the position of the Administrative Court of Schleswig-Holstein finds support in potential appellate proceedings.

European Parliament’s take on the Regulation: Stricter, thicker and tougher

Posted on January 9th, 2013 by




If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years on previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), slightly reinforced the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.

Getting the ‘one stop shop’ principle to work

Posted on November 5th, 2012 by

Going all the way to the Rio de la Plata to discuss the content of the future European data protection framework seems a little over the top, but the recent International Privacy Commissioners’ Conference in Punta del Este, Uruguay provided a perfect forum as a neutral ground for a fierce policy debate.  Surrounded by equally fierce winds and rain for added dramatic effect, regulators and other influential stakeholders in the privacy world locked horns in the most constructive possible way for three days to make the most of this annual gathering.  One of the immediate outcomes was the realisation that much work remains to be done if we are to achieve the necessary balance between progress and protection.  No other issue symbolised the need for this balance better than the ‘one stop shop’ principle under the proposed EU data protection regulation – the sole competence of one single regulator over the same controller all over the European Union.

As a concept, this principle seems like a no-brainer that everyone would be happy with.  If anything, having a single regulator with responsibility for supervising the activities of a corporate group across the EU on the basis of the same law should be the most efficient way of managing the limited time and resources that data protection authorities have.  If the organisation to be supervised operates on a pan-European basis and the law is the same everywhere, surely this approach is the most logical in the absence of a central European regulator.  So why is this concept proving so difficult to shape to everyone’s satisfaction?  There is even a precedent in the concept of a “lead authority” for BCR authorisations, which has been working quite effectively for years now.  Are national interests preventing this principle from working, or is there a more fundamental issue getting in the way?

In line with the overall harmonisation objective, the ‘one stop shop’ principle brings with it a significant change, as the law seeks to designate only one competent regulator per EU-based controller.  By definition, this approach relies on the trust that the authorities of all the other countries where a given controller operates must place in the competent authority.  This is certainly an ambitious expectation, but surely one that can be met if the collaborative mood of the Commissioners’ Conference is anything to go by.  So a lack of trust amongst regulators should not be a reason to question the ‘one stop shop’ principle.

A more damaging factor is the suspicion that astute organisations will seek to manipulate the system and aim to be supervised by the ‘easy’ regulators.  Frankly, there are no easy or difficult regulators.  They all take their jobs very seriously and have good days and bad days – like everyone else.  What is essential is a sufficient degree of pragmatism that brings compliance with the law to a viable level that meets the right standards.  For this to happen, dialogue is essential but, again, seeking that level of compliance should not be seen as a sign of defiance or an easy way of avoiding legal requirements.

Could the ‘one stop shop’ principle ever work then?  Of course it can.  As a starting point, it needs dialogue and collaboration amongst the data protection authorities and a realistic approach to data protection compliance.  Linked to this, what is also needed is trust.  Trust by the regulators in their counterparts and ultimately trust in the legal system.  However, trust should not be about ‘easy’ regulators behaving unreasonably to show how ‘tough’ they are, and trust should not be about triggering a dangerously bureaucratic “consistency mechanism” at the first sight of disagreement.  The ‘one stop shop’ principle is ultimately about effective compliance and should be given the chance to succeed.

The next two years of legislative reform are crucial.  We have a golden opportunity to establish a supervisory approach that is geared to deal with global organisations operating in Europe in a consistent and effective way.  Change should be accepted because it is inevitable.  The ‘one stop shop’ model is perfectly workable if it throws away old and unhelpful prejudices.  Efforts should be made to find the best criteria to determine which authority is the competent one in respect of every controller subject to EU law – irrespective of where they are based – and to support that authority in their role.  Diversity is a great thing but when it comes to regulatory enforcement, it creates uncertainty and unfairness.  Let’s not risk that outcome and let’s try to make the ‘one stop shop’ principle work instead.

This article was first published in Data Protection Law & Policy in October 2012.