EU ministers backpedal on one-stop data protection shop plan
Justice ministers had discussed a plan to let tech firms like Google, Facebook, Microsoft and Apple deal with only one data protection authority (DPA) in Europe. The plan, drafted by the European Commission in 2012, is one of the main pillars of the EU's data protection reform.
However, during a meeting of justice ministers in Brussels on Thursday a majority of ministers endorsed the general architecture of a rather different plan proposed by the Italians, who currently hold the presidency of the Council of the EU, the body where national ministers meet to adopt laws and coordinate policies.
That proposal diverges from the original Commission plan by suggesting a mechanism that kicks in only in the most important cross-border cases and consists of "cooperation and joint-decision making between several data protection authorities concerned."
The proposal of the Italian presidency is disappointing, said a spokesman of the Industry Coalition for Data Protection (ICDP), which is comprised of 18 associations representing thousands of European and international companies, including Facebook, Google, Microsoft, Apple and Yahoo.
It seems to create a more complicated mechanism instead, in which all DPAs may get involved in the vast majority of cases, the ICDP said in a letter sent to the ministers before the meeting. If this is coupled with the ability of each "concerned" DPA to veto a decision, that would render the process at best very burdensome.
A spokesman for the Computer and Communications Industry Association (CCIA), which represents U.S. and EU Internet firms, agreed. There is a need for a real one-stop shop, which should let international tech companies as well as SMEs deal with just one privacy regulator, regardless of how many EU countries they operate in.
The Council will further discuss the further technical parts of the plan in the coming months.
The original plan considered by the justice ministers would give companies a single supervisory authority responsible for monitoring its personal-data processing activities in the EU, rather than force a company to deal with multiple bodies in different countries. Under this proposal, the supervisory authority of the country in which a search engine has its main EU operation would be responsible for the monitoring the data processing activity.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com