April 16th, 2015

EU Council’s Agreement and the “One-Stop Shop”

By: Kevin Gallagher

http://www.dataprotectionreport.com/2015/04/eu-proposes-one-stop-shop-for-data-protection-supervision-and-enforcement/

http://www.dataprotectionreport.com/2015/04/eus-one-stop-shop-proposal-focuses-on-main-establishment-as-nexus-of-dpa-enforcement-authority/

http://www.privacyandsecuritymatters.com/2015/03/one-less-carrot-for-business-council-of-european-union-limits-the-one-stop-shop-mechanism-in-the-draft-data-protection-regulation/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original

In March 2015, the Council of the European Union published an agreement on the One Stop Shop mechanism of the proposed new European data protection regulation.

Background

In 1995, the EU passed a directive that aimed to regulate the processing of personal data in the European Union. As with all EU directives, each member state was required to implement this directive in its own internal law. This approach can create many problems. Firstly, the cultural view of privacy protection may not be the same in every country. Therefore, many countries may create different levels of privacy protection while implementing laws fulfilling the same directive. Though this may not be a problem for corporations that operate within the borders of one European Union Member State, jurisdictional problems can arise with trans-national companies within the EU.

In an attempt to solve these and other issues, the European Commission has proposed the General Data Protection Regulation (GDPR). The GDPR is a single law which attempts to “[harmonize] data protection legislation and enforcement.” [1] After passing through the European Parliament with several thousand amendments, [2] the proposed legislation is now being reviewed by the European Council. In March 2015, the European Council published a partial general agreement on parts of this legislation. [3] Included in this partial general agreement was its view on a “One Stop Shop” mechanism to make enforcement easier for trans-national companies within the EU and companies outside of the EU that do business within or collect data from European Union Member States.

The Council’s One Stop Shop Mechanism

In the European Council’s version of the One Stop Shop mechanism, supervisory authorities (SA) “assume control of the controller’s or processor’s activities” of the companies within their EU Member State. For trans-national companies, however, it must be decided which SA assumes control of the company’s activities. In order to compensate for this, the idea of a “main establishment” of a business is used. In the proposal by the European Commission, the main establishment is defined as “the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Union.” [3] To simplify, the main establishment in relation to a data controller is the EU state in which decisions regarding “purposes, conditions and means of processing the data are taken.” [4] If these decisions aren’t taken in the EU, the main establishment is where the main processing takes place. [4] In relation to a data processor, the main establishment is the place of central administration within the EU. [4] In addition to these definitions, the European Council added that “The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union. In this case the latter should be considered as the main establishment.” [3] Companies that do business in the EU but do not have an EU establishment are “obliged to designate a representative in one of the EU Member States in which it offers goods and services or carries out monitoring activities.” [4]

Though the purpose of the One Stop Shop was to simplify the enforcement process, critics have noted that the One Stop Shop method will be used only in “very limited circumstances” and that the lead SA “would have to act more as a coordinator than a sole decision maker.” [5] “Furthermore,” the critics add, “if the lead authority fails to reach agreement with other interested national authorities, the decision must be referred to a new supervisory board, the European Data Protection Board.” [5] For this reason, arguments can be made that this is not a “true One-Stop Shop.” [5]

Implications

Despite the criticisms this agreement has received, it would still create a more harmonious way of dealing with enforcement for trans-national companies than exists under the current EU directive. It is worth noting, however, that “nothing is agreed until everything is agreed”: the European Council, European Parliament and the European Commission still need to agree on a final text after the Council publishes the complete draft of its internal agreement, so this is not necessarily the final wording of the GDPR. One thing is certain, however: the EU is one step closer to beginning the “trialogue” that is required to pass an EU regulation.

References

[1] http://www.dataprotectionreport.com/2015/04/eu-proposes-one-stop-shop-for-data-protection-supervision-and-enforcement/

[2] http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402

[3] http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%206833%202015%20INIT

[4] http://www.dataprotectionreport.com/2015/04/eus-one-stop-shop-proposal-focuses-on-main-establishment-as-nexus-of-dpa-enforcement-authority/

[5] http://www.privacyandsecuritymatters.com/2015/03/one-less-carrot-for-business-council-of-european-union-limits-the-one-stop-shop-mechanism-in-the-draft-data-protection-regulation/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original