"One Stop Shop" - The Devil is in the Detail
The EU justice ministers today discussed the "one stop shop" principle, which is one of the pillars of the EU data protection Regulation proposed by the EU Commission in January 2012. The discussion showed that the details of the EU data protection reform are complex and challenging.
Conflicting Perspectives
There are two perspectives on the "one stop shop" principle:
- Perspective of Enterprises: When an enterprise operates in various EU member states, it presently has to deal with the Data Protection Authorities of every single state. In Germany, the situation is even more complicated as data protection is a state matter, and each of the 16 German federal states has its own DPA. It is common knowledge and experience that the interpretation of German data protection law can vary immensly amongst these state authorities. Ask DPAs in Northern and Southern Germany the same question and you may get, at least, two different, opposing answers. No surprise: Enterprises think that a European "one stop shop" is a good idea (ICDP, "Industry Coalition for Data Protection urges EU Member States to advance One-Stop-Shop Mechanism in Proposed General Data Protection Regulation", Press Release of 6 December 2013).
- Perspective of DPAs and Activists: The idea of a "one stop shop" is much less popular with DPAs and activists. They think that DPAs should protect the rights of their own citizens. And, indeed, it would be hard to explain to a Northern German citizen that he has to deal with a Croatian DPA when a Croatian Company has mishandled his data.
Approach by EU Commission
The EU Commission clearly sided with enterprises on strengthening the "one stop shop" principle when it suggested Art. 51 (2) DP Regulation:
"Where the processing of personal data takes place in the context of the activities of a establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States..." (Datenschutz-GVO, COM (2012) 11, 25.1.2012, S. 88)
Approach by EU Parliament
The LIBE committee of the European Parliament thought that this went too far and suggested a weakening of the "one stop shop" principle in Art. 54 a (1) of its proposals:
"Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, or where personal data of the residents of several member States are processed, the supervisory authority of the main Establishment of the controller or processor shall act as the lead authority responsible for thesupervision of the processing activities of the controller or the processor in all Member States..." (General Data Protection Regulation, Inofficial Consolidated Version afer LIBE Committee Vote provided by the Rapporteur, 22 October 2013, p. 86f.)
The "lead authority" should then be put under a duty to consult the DPAs of other member states, Art. 54 a (2) of its proposals:
"The lead supervisory authority shall take appropriate measures for the supervision of the processing activities of the controller or processor for which it is responsible only after consulting all other competent supervisory authorities within the meaning of paragraph 1 of Article 51 in an endeavour to reach a consensus. For that purpose it shall in particular submit any relevant information and consult the other authorities before it adopts a measure intended to produce legal effects vis-à-vis a controller or a processor within the meaning of paragraph 1 of Article 51. The lead authority shall take the utmost account of the opinions of the authorities involved. The lead authority shall be the sole authority empowered to decide on measures intended to produce legal effects as regards the processing activities of the controller or processor for which it is responsible." (General Data Protection Regulation, Inofficial Consolidated Version afer LIBE Committee Vote provided by the Rapporteur, 22 October 2013, p. 87)
The disadvantage of such a consultation process is clear: In most cases, the LIBE proposal would make quick decisions by DPAs impossible.
Approach by EU Council
Today's meeting of EU justice ministers has shown that many governments find it difficult to explain the principle of "one stop shop" (or "one lead shop") to their citizens.
Why should, for example, the Berlin state DPA be strengthened to strictly control businesses established in Berlin but not be empowered to protect data protection rights of an individual from Berlin when the violation has been committed by a French or Polish company? ("EU data protection rules hit by surprise legal objection", Financial Times v. 6.12.2013)
Conclusion for Enterprises
For enterprises, the "one stop shop" principle remains the chief advantage of a reform.
Without such a principle, there is little, if any, reason to support the Commission's proposals.