The meeting of the EU Justice and Home Affairs Council in Brussels on December 4 brought the curtain down on a tumultuous year for all involved in negotiating the proposed General Data Protection Regulation.
With the European Commission and the European Parliament eagerly awaiting the start of “trilogue” negotiations to finalize the regulation, all eyes were on the Council of Ministers to see whether they could build on the incremental agreements made under the Greek and Italian EU Council presidencies during 2014. Could the Italians demonstrate concrete progress on the enduring issues of public-sector flexibility and the regulatory “one-stop shop” before the end of their presidency?
With “by 2015” now widely seen as the deadline for agreeing to the regulation, although this is now interpreted as meaning by the end of 2015, the Italians were keen to hand over the file to the incoming Latvian presidency in good shape.
A Flexible Approach for the Public Sector
The meeting certainly got off to a good start for the presidency with the ministers agreeing to a “partial general approach” on member state flexibility for the public sector. Partial general approach agreements on this regulation have always been subject to the condition that “nothing is agreed until everything is agreed.” However, it was significant that the European Commission, Germany, France, the UK and most other member states gave their backing to the presidency’s proposals, albeit with some details still to be ironed out.
For example, Germany wanted to make sure that the processing of police and criminal justice data did not fall within the scope of the regulation, noting there should be no overlap with the proposed data protection directive that also remains under negotiation. It was also important that member states could maintain “higher” domestic data protection standards in the public sector, even though this would represent a shift away from the harmonizing nature of this legislation. Some may see this as a “directivization” of the regulation.
This notion was underlined by several member states that observed that some of the "flexible" provisions in the regulation should also apply to the private sector. This would effectively undermine the European Commission’s original aim of harmonized rules for businesses. Indeed, Austria and Slovenia declared that there was no proper solution on the power of member states to adopt rules on private data, particularly with regard to workers’ protections. On this basis, they could not agree to a partial general approach. Although Hungary also backed this declaration, the presidency ultimately confirmed the council’s majority support for its proposals on public-sector flexibility. This appeared to draw to a close, for now at least, what had been a problematic issue for the council over the last three years.
One-Stop Shop? Or Many Stops, Many Shops?
The ministers subsequently held a nonbinding “orientation debate” on what is generally recognized as a cornerstone of the proposed regulation: the “one-stop shop” and the associated “consistency mechanism.” These aim to ensure that businesses deal with as few national data protection authorities (DPAs) as possible, preferably only one, while not undermining the right of citizens to seek redress through their local DPA.
The presidency pushed hard to close this discussion at the meeting, but the member states are still some way apart, as was demonstrated during the debate. In particular, Ireland and the UK came out forcefully against the proposed solution. They claimed the proposed setup is too bureaucratic, that the mechanism will be swamped by cases and that a similar fate will befall the European Court of Justice when trying to sort out the day-to-day issues of data protection cases raised throughout the EU. The UK justice minister implored his colleagues to "take a step back" before proceeding down the road proposed by the presidency.
It does, however, appear likely that the council will choose to step forward rather than back. The Italian presidency's proposal does attempt to address numerous and varied concerns raised by member states. It aims to ensure that no DPA is bound by the decisions taken by another DPA; it allows for cases to be escalated for binding resolution by the European Data Protection Board; it provides at least some resolution to the issues of cross-border enforcement; and it gives citizens the option to go to their local DPA to seek redress.
So the one-stop shop may not be exactly what some businesses or member states hoped for, but it is likely to gain approval during 2015. And as the incoming Latvian presidency will ask the naysayers: What is the alternative?