One Step Closer to Streamlined EU Data Protection Enforcement?

Published On April 30, 2014 | By Melissa Maalouf | Data Security, General, International
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On April 24, the Article 29 Working Party (“WP29”) issued a statement setting forth a compromise position on the “one-stop-shop” enforcement system contained in the Proposed EU Data Protection Regulation. The Proposed Regulation, first released in January 2012, seeks to establish a single, pan-European law for data protection. It also proposes a “one-stop-shop” enforcement system under which companies would only need to deal with a single supervisory authority in the EU country where they have their primary establishment regarding consumer data privacy inquiries.

A number of EU Member States have expressed concern that the “one-stop-shop” enforcement system may strip them of their sovereignty over data protection issues that impact citizens within their Member States. In response to those concerns, the WP-29’s most recent statement advises that:

  • All Member State data protection authorities should maintain responsibility for monitoring the application of the Regulation, including where individuals in their territories are affected by data processing activities.
  • The one-stop-shop system should be supported when a company’s data processing activities cross borders or where individuals in multiple EU Member States are impacted by data processing activities. In such cases, the EU data protection authority in the Member State where the company is headquartered should take the lead in resolving issues, but should be “obligated” to work closely with other data protection authorities in impacted Member States to ensure consensus. If the data protection authorities cannot agree, a national European Data Protection Board (“EDPB”) should help resolve the issue.
  • Cases dealing with minor privacy issues should continue to be dealt with by the data protection authorities in each individual Member State, and the EDPB should issue guidance on how minor cases should be resolved to ensure consistency across the EU.
  • Individuals whose complaints are rejected by a data protection authority should have the right to judicial review in the courts in the Member State in which the complaint has been lodged.

To assist in these recommendations, the WP-29 advised that the EDPB’s authority should be strengthened to issue binding guidelines when concerned supervisory authorities in cross-border cases do not reach a consensus within the one-stop-shop mechanism. The WP-29 also believes that the EDPB should be authorized to address cases that apply broadly to data protection across the EU or present issues of novelty.

The WP-29 also cautioned that to be effective, all parties involved (data controllers, data processors, data subjects, and supervisory authorities) must understand the operation of the one-stop-shop system. The WP-29 therefore urged the system to be as straightforward and clear as possible.

EU Flag by MPD01605

About The Author

Melissa Maalouf’s practice focuses on advising a broad range of clients, from start-ups to established companies, on both U.S. and international data privacy and security issues. Melissa assists clients in drafting appropriate website disclosures, implementing legally-compliant e-commerce flows, responding to FTC Section 5 and state AG enforcement actions, analyzing advertising claims, and children’s online privacy and safety issues. She also regularly helps clients obtain certification under the EU-US Safe Harbor and navigate compliance with divergent international privacy laws.