Under the draft EU Data Protection Regulation, the proposal is to create a “one-stop-shop” for regulation. This means that data controllers will be regulated on data privacy by the regulator in the EU jurisdiction in which they have their “main establishment”. This could mean that you will be regulated by a single EU regulator rather than one for each jurisdiction in which you have operations (potentially up to 28 in total; one for each EU member state). So this has to be a good thing (for business).
However, the Council and the Parliament believe that individuals should be able to complain directly to their local regulator rather than having to make a complaint to a far off regulator in, say, Ireland, if that is where the controller’s group has its main EU establishment. So this, say the Council’s lawyers, is a human rights issue. The Commission believe that, in the interests of greater harmonisation, the “one-stop-shop” procedure should remain as drafted. Expect much legal argument and debate to try and resolve this one.
Is this about politics?
Let’s set aside the legal debate and ask ourselves what would happen if we apply the “one-stop-shop” to many of the large corporates operating across Europe today. The answer would be that many would be regulated in jurisdictions like Ireland and certainly not by, for example, Germany or France. The German and French regulators will be the losers in terms of “regulatory business” under the new rules. This is clearly causing concern in those jurisdictions. This is also evidenced by the attempts by the German DPA in Schleswig Holstein to regulate Facebook recently even though Facebook’s establishment is in Ireland. So far, the German courts have agreed with Facebook. But if that case can be decided under the current Data Protection Directive, you can see the direction of travel.
Impact on timing
Whatever the legal or political debate, there is no doubt that this additional issue will complicate the “trilogue” discussions between the Commission, the Council and Parliament whose job it now is to agree a final version of the text for the new Regulation. Although the Commission’s aim is to have this agreed by May 2014, the indications are that this is more likely to happen by the end of 2014 or (…let’s be honest) during 2015.