European Union ministers agreed on Friday (13 March) to give more powers to a pan-European body of regulators to enforce a new data protection law, upsetting businesses who hoped more power would be devolved to individual national regulators.
Justice and home affairs ministers considered the Commission’s proposed data protection regulation in Brussels today (13 March).
Under a “one-stop-shop” mechanism initially proposed under the new EU data protection law, a business operating across the 28-nation bloc would only have had to deal with the data protection authority of the member country where it is headquartered or has its main European base – even if a data protection issue arose which affected citizens in another member country.
But under pressure from countries that do not want their national regulators to lose all jurisdiction over big technology companies such as Apple and Facebook, EU ministers agreed to give any “concerned” authority the power to object to any particular ruling. Apple, Facebook and other giants have declared Ireland their European bases.
That would result in the case being referred to a yet to be created board of all 28 EU regulators which could then take binding decisions.
“The proposed mechanism will be more cumbersome than the existing procedures, resulting in unnecessary administrative burdens, including delayed decisions for citizens,” said the Industry Coalition for Data Protection, which includes major technology companies such as Apple, Google and IBM.
EU diplomats had already agreed on 25 February to scrap a proposal that at least a third of concerned authorities had to object to a decision before a case could be referred to the European Data Protection Board (EDPB).
“The revised approach seems to open the door to more conservative voices amongst the data protection authorities having an even greater say,” said Paula Barrett, a partner at law firm Eversheds.
Countries such as Ireland, Britain and the Netherlands opposed scrapping the numerical threshold, arguing that it would lead to a flood of cases being referred to the board and that it went counter to the original proposal’s aim of making it easier for businesses to operate across the bloc.
“It [the numerical threshold] would have greatly reduced the risk of capricious referrals,” said the Irish justice minister.
In the past Ireland has been accused of going soft on multinationals when it comes to privacy laws to remain an attractive business location, something it has denied.
However, even if the ultimate data protection regulation has been centralised under the proposals, ministers gave companies more leeway in using consumer data under the new rules.
”A majority of ministers today was in favour of weakening the purpose limitation principle regardless of public opposition,” according to German Green MEP Jan Philipp Albrecht, the parliamentary rapporteur for the paper.
The purpose limitation broadly prevents companies using consumers data for purposes other than those linked to the reason for which they obtained it.
“Reaching an agreement in negotiations with the European Parliament will become much more difficult now as Parliament instead wants to strengthen this principle,” Albrecht said.
“Ministers will have to deliver high standards when it comes to individual consumers’ rights and sanctions in case of data protection violations. Otherwise they would gamble away the basis for a trustful reform,” he added.
Friday’s agreement could still be changed when ministers in June review the whole new proposed data protection law – the General Data Protection Regulation.
- End 2015: Commission aims to complete agreement of data protection regulation by end of this year