Rob Corbet is a Partner at Arthur Cox — the views expressed are his own
At the time of writing, it appears that the so-called 'one stop shop' mechanism in the proposed EU Data Protection Regulation is being further diluted. At the recent meeting of the Permanent Representatives Committee ('COREPER') on 25th February 2015, new amendments were proposed to the draft Regulation, the impact of which will be significant for the many companies established in Ireland who deal with customers across the EU. The main proposed changes relate to the process to be applied in the context of investigation of data protection issues which have a cross-border dimension.
The original text of the Regulation anticipated that a data controller would have a single 'main establishment' which would provide it with a one stop shop in terms of data protection oversight. This principle was intended to assuage concerns under the existing Data Protection Directive (95/46/EC) that companies operating internationally are faced with multiple, sometimes inconsistent, approaches to enforcement and investigations across EU countries. This concept is particularly important for Ireland given its role as a main establishment for the many multinationals who operate across Europe from an Irish base.
'Lead' and 'concerned' supervisory authorities
The proposed amendments introduce the concepts of a 'lead supervisory authority' and a 'concerned supervisory authority'. A concerned supervisory authority can intervene where it is concerned by a particular act of processing because (a) the controller or processor is established on the territory of the Member State of that supervisory authority; or (b) data subjects residing in this Member State are substantially affected or likely to be substantially affected by the processing; or (c) the underlying complaint has been lodged with that supervisory authority.
Under the current proposal, in addition to general provisions encouraging supervisory authorities to cooperate with each other, a concerned supervisory authority can submit a 'relevant and reasoned objection' to the lead authority where it disagrees with the lead authority on a matter. In reaching decisions that have legal effects, the lead supervisory authority is to 'take utmost account of the view of the supervisory authority to which the complaint has been lodged' and the text seems to imply that the concerned authority in that case would remain competent to carry out its own investigation 'in liaison with the competent supervisory authority'.
Role of the European Data Protection Board
The draft Regulation proposes the establishment of a European Data Protection Board which, among other roles, would be tasked with adjudicating whether the criteria for being 'concerned' exist in any particular case. The EDPB would include all of the supervisory authorities of the Member States. It would replace the Article 29 Working Party and would adjudicate conflicting views among supervisory authorities. Decisions of the EDPB would also be subject to judicial review but only the Court of Justice of the EU has the power to declare an EDPB decision invalid. Any person would have the right to bring an action for annulment of a decision made by the EDPB before the CJEU.
The proposed changes remain in draft form and have not yet been finalised. The Latvian Presidency has invited delegations to discuss the text with a view to reaching a 'partial general approach' on the relevant Chapters of the Regulation at the next meeting of the Council later in March 2015.
The proposed amendments are reported to have emerged as a direct result of concerns by some supervisory authorities that Ireland would become the sole main establishment for large internet multinationals. Previous provisions that required a quorum of at least three supervisory authorities to trigger the 'concerned' process appear to have been dropped. In practical terms, therefore, any supervisory authority can express itself to be 'concerned' in the context of any Internet company's operations, the likelihood being that the company would then find itself having to deal with multiple investigations from different supervisory authorities.
Irish-headquartered companies are unlikely to welcome the changes. The one stop shop mechanism was intended to offer clarity and predictability for companies that would enable them to resource their compliance programmes around a 'home' jurisdiction. The proposed amendments will have the opposite effect, bringing us largely back to the position under the existing Directive, where companies complain that they find it difficult to apply their data protection programmes against a backdrop of 28 national regimes. The notion of multiple supervisory authorities disputing jurisdiction, providing conflicting interpretations and referring issues to the EDPB (and ultimately the CJEU) does not inspire confidence that clarity or predictability will emerge. The draft Regulation was first published in January 2012 — it seems that three years of European bureaucracy has managed to convert the one stop shop into a multi-story shopping centre.
Back to square one.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.