The proposed EU Data Protection Regulation is an ambitious piece of legislation by any measure. Perhaps the most ambitious element of all is the introduction of the one-stop-shop principle: one single data protection authority being exclusively competent over an organisation collecting and using data throughout the EU. The reason why this is such a big deal is that even if the law ends up being exactly the same across all Member States (in itself a massive achievement), regulators are human and often show different interpretations of the same issues and rules. So if one-stop-shop becomes a reality, all EU data protection regulators will simply have to accept the position adopted by the one deemed to be competent and keep their own interpretation to themselves. But will they?
Today the Council of the EU is debating how to structure and shape this principle in a way that provides the benefits that the European Commission and global organisations are seeking, whilst meeting the national expectations of each Member State at the same time. It is a matter of legal and political effectiveness. So far, and not surprisingly, the Council’s scale seems to be tilting towards greater national intervention than the Commission originally aimed for. Whilst most Member States appear to be in favour of the philosophy underlying the one-stop-shop mechanism, only a few accept that one single authority should have exclusive jurisdiction to supervise all of the processing activities of a pan-European data user and decide exclusively upon all measures (including penalties). They cite the likely detriment to the protection of the data protection rights of individuals as their main stumbling block.
Therefore, there are a number of possible changes to this principle that will be discussed today, including:
* Limiting the powers of the ‘competent’ authority to authorisation and consultation functions only. So basically, leaving the paperwork for one regulator whilst any other EU authorities would continue to have enforcement powers.
* Replacing the one-stop-shop with a co-decision model (at least for the most important cases) where all relevant regulators need to agree.
* Adopting a consultation model where the competent authority is legally required to consult the other supervisory authorities concerned with a view to reaching consensus.
* Allowing appeals by unhappy authorities to the European Data Protection Board, which would then collectively be empowered to make the final decision.
How realistic these potential changes are is no doubt something that will come up in the discussions. What is clear is that any weakening of the one-stop-shop principle will affect the effectiveness of the core ‘one law/one regulator’ thinking of the Commission.