On 6 December 2013, the EU justice ministers took again a step back in
adopting the EU Data Protection Regulation.
The day was considered by EU commissioner for justice, Viviane Reding as
a disappointing one for data privacy. What was this time? “The ministers
did not want to make hasty decisions,” Lithuanian Justice Minister
Juozas Bernatonis told reporters. The issue having caused the delay
seems to be the so-called one-stop shop principle which harmonizes
decision-making across the EU.
Hubert Legal, head of the legal service for the European Council said
the one-stop shop rule undermined citizens’ human rights. “The problem
is the results you get in terms of respecting the functioning of justice
and people’s rights is actually a very bad outcome a very bad result and
as your legal adviser I have to tell you it’s a bad outcome.” Mr Legal
believes that under the one-stop-shop system, EU citizens whose data had
been mishandled by a company based in another member state would face
linguistic and financial barriers discouraging them from going to court.
Ms Reding reacted by claiming that talks should now be at a “political”
rather than “legal” stage, drawing attention on the fact that that
current data protection legislation was fragmented, inconsistent and
needed to be fixed. She insisted that the commission’s own legal review
provided assurance that the one-stop-shop was legal.
Yet, the issue seems more complicated for some member states. It appears
that Germany, with the support of Sweden and Belgium, is partly
responsible for the delay. Although the Commission’ briefings on the
Council’s meeting in October 2013 show that an agreement on the
one-stop-shop issue was reached, in fact Member States are still to find
a common ground on the extent of their powers beyond authorization. A
note from the Lithuanian Presidency of the Council circulated in late
November 2013 revealed how Member States were unable to agree on the
DPAs power to order fines and other penalties and on a practical
mechanism for consumer redress.
There was also a debate around the legal form of the bill – regulation
or directive. The UK, for instance, wants to downgrade the “regulation”
into a “directive.” A passed EU regulation is immediately applicable
across the EU while a directive must be transposed into national law,
which can take years.
EU data protection bill ‘moves backwards’ (6.12.2013)
Progress falters on EU Data Protection Regulation at Council meeting
EU legal eagle Legal: Data protection reforms ‘very bad outcome’ for
EU data protection rules hit by surprise legal objection (6.12.2013)
EDRi-gram: Tough Negotiations For The Law Enforcement Data Protection