On November 13-15, 2012, delegates at the IAPP Europe Data Protection Congress in Brussels were given insight into how discussions with key policymakers are progressing. As European Parliament rapporteur and Member of the European Parliament Jan Philipp Albrecht aims to finalize the reform of the EU Data Protection Directive by the end of the current European Parliament’s mandate in 2014, this ambitious goal faces numerous hurdles.
Françoise Le Bail, the Director General for the European Commission’s Directorate-General Justice responsible for the proposed General Data Protection Regulation (the “Proposed Regulation”), made clear that the Commission is prepared to accept change in several areas which have concerned data protection authorities (“DPAs”). These areas include reducing the number of delegated powers for the Commission, reviewing the role of the Data Protection Officer and considering a risk-based approach to data protection compliance generally.
Despite this openness to change, there is no sign of agreement in an area that is of real concern to many businesses: the proposal for a “one-stop shop” regulator. The proposition, as embedded in the Proposed Regulation, is that a company with multiple operations in the EU will be subject to the supervision of the DPA in the country in which it has its main establishment. The clear intention is that the relevant DPA should be solely competent to impose fines and take other regulatory action against the company.
Françoise Le Bail described the “one-stop shop” policy as a part of the “major simplification” of the proposed data protection regime. Le Bail affirmed that under the Proposed Regulation, companies with diverse operations in the EU would be able to deal with one single DPA, rather than 27 different ones. Although Jan Philipp Albrecht also supported the one-stop shop policy, the opposition of certain regulators was evident both from keynote speeches and discussions. Jacob Kohnstamm, President of the Article 29 Working Party, suggested that, while “in principle” companies could deal with one regulator, the DPAs in individual states could still take legal action against data controllers. Kohnstamm noted that the Article 29 Working Party is still considering this issue. Isabelle Falque-Pierrotin, Chair of the French DPA (the “CNIL”), strongly attacked the policy during a debate with Jan Philipp Albrecht. Falque-Pierrotin argued that the policy potentially could allow forum shopping and disenfranchise data subjects, reducing the role of DPAs in many cases to that of a “mere post box.”
The dilution or removal of the “one-stop shop” policy would have a number of consequences. Fundamentally, it would require a change in the proposed level of fines. A fine of 2% of global turnover may be acceptable when a regulator has authority over the behavior of a data controller throughout the EU; it would be extremely unbalanced when the regulator oversees only the organization’s national processing. It also could mean a return to 27 different approaches to regulation, as well as 27 different sets of forms, rules and requirements imposed on data controllers. Although there are encouraging signs of agreement in relation to many areas of the proposed reforms, the “one-stop shop” issue continues to be an area of discord.