This isn't the one-stop EU data protection you're looking for
A twisting, tangled solution for a pretty simple problem
“Nothing is agreed, until everything is agreed.” So said EU Justice Commissioner Vera Jourova on Friday announcing a partial agreement on the proposed new Data Protection Regulation.
Clear? It gets worse.
Jourova announced that Europe’s data protection ministers had agreed on a so-called “one-stop-shop” mechanism for dealing with privacy complaints. The problem is that the plan is far from “one stop”.
The original idea was that companies would only have to deal with the data protection authority in the country in which they're headquartered.
However, this proved controversial with national authorities from the outset, as many were worried that it would lead to forum shopping with big corporations setting up in countries with weaker data protection enforcement. Some national representatives were also worried that their citizens would have to seek redress abroad if they had a complaint.
Of particular concern was Ireland, which has been seen as soft on the many data-hungry multinationals based there, including Apple, Facebook, LinkedIn and Google.
As a sop, ministers agreed to set up a pan-EU supervisory board that would oversee cases. Any concerned authority can now object to any ruling and have the case referred to the (as yet non-existent) European Data Protection Board.
Last month, the European Council ditched plans to set a minimum number of objections before a case could be referred. Ireland and the UK strongly opposed removing a threshold, saying that the board would be bombarded with more cases than it could handle if any old member state could weigh in. Ireland’s data protection minister, Dara Murphy, was in particular worried about what he called “capricious referrals”.
Speaking to the press in Brussels on Friday, Jourova said the Commission had taken on board these concerns and would monitor the situation to ensure there was no overloading of the system with too many cases.
The clear-as-mud draft of the law contains some absolute gems, such as:
“Each supervisory authority should not act as lead supervisory ... be competent to deal with it in local cases where the controller or processor is established in more than one member state [although] the subject matter of the specific processing concerns only processing carried out in a single member state and involving only data subjects in that single member state ... for example, where the subject matter concerns the processing of employees data in the specific employment context of a member state”.
“In such cases, the supervisory authority should inform the lead supervisory authority without delay on this matter”, we are told.
After “being informed, the lead supervisory authority should decide whether it will deal with the case within the one-stop-shop mechanism or whether the supervisory authority which informed it should deal with the case at local level”.
Clear? No? Good.
As well as annoying Ireland and the UK, the new text has also alienated the tech industry.
“The agreement on the so-called one-stop-shop mechanism falls short of its stated aim,” said John Higgins, director general of industry lobby group DigitalEurope, “which is to benefit all involved parties by providing a clear framework for handling cross-border cases.”
“This harmonised approach was one of the main benefits we saw in the regulation. Unfortunately, we believe that which has been agreed will be even more cumbersome than the status quo,” he added. “The mechanism the ministers are expected to agree to creates unnecessary administrative burdens for all parties concerned, including citizens.”
Ministers also managed to alienate the European Parliament (whose consent they need for the law) by watering down other parts of it.
“Where it is technically feasible and effective, the data subject's consent to processing may be given by using the appropriate settings of a browser or other application,” said the new text.
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest,” it goes on.
However, the European Parliament rapporteur on data protection regulation, Jan Philipp Albrecht, said the council text would weaken data protection.
“Reaching an agreement in negotiations with the European Parliament will become much more difficult now as Parliament instead wants to strengthen the principle of purpose limitation,” he said.
“Ministers will have to deliver high standards when it comes to individual consumers’ rights and sanctions in case of data protection violations. Otherwise they would gamble away the basis for a trustful reform.”