The “one-stop-shop” was to have been a cornerstone of the EU General Data Protection Regulation (GDPR), which is currently being negotiated by the member states and is expected to be ratified this year, or early 2016. However, reports have emerged that these plans are to be abandoned for all but a few serious data protection cases.
The one-stop-shop idea would allow companies that process EU residents’ personal data to deal with one data protection authority, rather than up to 28. So, if a company had its main European base in the UK, it could be supervised by the UK data protection authority (DPA), and all necessary paperwork and administration could be filed with that authority to cover activities in all of the EU Member States in which it operates. The UK authority would adjudicate on any disputes around data protection within the whole EU.
In the current system, companies have to deal with the individual regulators in each member state where they operate.
The aim of the one-stop-shop is to ease the administrative burden for businesses and to ensure consistency in the application of the GDPR throughout the EU. At the moment companies often base themselves in countries with the most relaxed data protection regulations, creating a “race to the bottom” in terms of personal privacy.
However, quoting unnamed executives from technology companies, the FT today said that the idea of centralising powers in one chosen authority has been “watered down”.
In an amendment expected to be approved this week by member states, the one-stop-shop idea has been set to one side. Instead, regulators from other affected countries will have a say in data protection disputes, with a board consisting of 28 national privacy watchdogs having the final say on data protection matters.
Some member states are wary about the creation of a pan-European data protection authority and other states are currently attempting to cut down the powers of the proposed European Data Protection Board still further.
A senior executive from a large US firm told the FT that this will be bad news for smaller companies: “Can we deal with responding to 28 regulators? Yes, definitely,” he said. “Can smaller companies? Probably not. This would limit the creation of a single digital market.”
Commenting on the news, Marc Dautlich, partner at law firm Pinsent Masons, said the new proposal will please no-one.
“According to the proposal, the one-stop-shop mechanism should only intervene in important cross-border cases and will consist of a cooperation and joint-decision making between several data protection authorities concerned,” Dautlich said.
“Compromises of this sort are a fact of legislative life and by definition tend to fall short of stakeholders’ expectations, but the remodelled mechanism here has something to disappoint nearly everyone: for businesses operating cross-border, it seems to fall far short of the proper one-stop-shop originally proposed; for the data protection agencies responsible for enforcement, how much time will be spent distinguishing ‘important’ cross-border cases from the rest? (as this might not necessarily always be obvious when a matter is first raised with a DPA); and for data subjects, the mechanism seems bound to increase delay in obtaining redress,” Dautlich concluded.