At its meeting on October 7, 2013, the Council of the European Union voiced support for the “one-stop-shop” mechanism in the draft General Data Protection Regulation (the “Regulation”). The “one-stop-shop” mechanism allocates responsibility for overseeing data processing activities in multiple EU Member States to the data protection authority of the EU Member State where the data controller or processor has its main establishment. At the Council meeting, a majority of the EU Member States indicated that the responsible data protection authority should have exclusive decision powers with regard to enforcement actions, but acknowledged that the “local” DPAs should be involved in the decisionmaking process as well. The Council emphasized the need for further exploration of the European Data Protection Board’s role in ensuring consistent application of EU data protection rules.
Also on October 7, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) held a hearing to assess the EU-U.S. Safe Harbor Framework and other legal mechanisms for transferring personal data to the United States in the wake of recent reports concerning electronic mass surveillance of EU citizens. At the hearing, the European Data Protection Supervisor (“EDPS”) stressed that, although the Safe Harbor has been controversial from the very beginning, substantial improvements have been made over time. For example, the U.S. Department of Commerce is playing a more active role in the self-certification process, and the Federal Trade Commission has increased enforcement efforts. The EDPS believes in the merits of the Safe Harbor program, and stated that Safe Harbor should not be summarily “thrown away” without an investigation of how it could be improved, including by addressing mass surveillance programs. On the other hand, the rapporteur of the LIBE Committee’s report on this issue, Claude Moraes, stated that the Committee should call for the suspension of the EU-U.S. Safe Harbor agreement.