EU Justice Ministers Hold Up Regulation; Finalization Appears Less Likely in 2015

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Dec. 4 — Justice ministers from the European Union's 28 member states meeting in Brussels Dec. 4 once again made little headway in discussions about how cross-border privacy complaints should be managed under the proposed EU data protection regulation.

In a meeting chaired by Italy, which presently holds the rotating presidency of the EU Council in which EU member states meet, ministers were unable to agree on jurisdictional issues and on the role of the proposed European Data Protection Board in data protection cases that involve more than one country.

The European Commission, the EU's executive arm, proposed the data protection regulation in January 2012 to replace the 1995 Data Protection Directive (95/46/EC). The commission proposed that privacy complaints be handled by the data protection authority in a company's country of “main establishment,” even if the data subject complainant lived in another country.

EU member states, however, have been unable to agree to the idea, known as the one-stop-shop principle, because of concerns that a DPA in one member state would be given powers to issue binding decisions affecting the citizens of other EU countries.

Member states have also taken different positions on the role of the proposed European Data Protection Board, with some countries saying that it should be able to issue binding decisions in cross-border cases, and others saying they want it to be an advisory body only.

Tom De Cordier, counsel with Allen & Overy LLP in Brussels, told Bloomberg BNA Dec. 4 that slow progress in the EU Council means finalization of the data protection regulation in 2015 “becomes all the more unlikely.”

Italian Compromise Scheme 

Ahead of the Dec. 4 meeting, Italy prepared a compromise proposal on the one-stop-shop plan. The proposal suggested that decisions on cross-border disputes would be taken by a “lead DPA” in consultation with other affected DPAs.

Decisions would be formally given effect by the “the DPA best placed to deliver the most effective protection both from the perspective of the controller/processor and of the data subject,” the proposal said. That could either be the DPA in the country of main establishment of the company concerned, or the DPA in the country of the data subject, according to the Italian proposal.

Under Italy's proposal, disputes between DPAs would be referred to the European Data Protection Board, which would have the power to issue binding adjudications.

Ministers Split

At the Dec. 4 meeting, justice ministers from some member states, including Belgium, Finland, France and the Netherlands, said they favored the Italian proposal and agreed that the European Data Protection Board should be able to issue binding decisions.

However, ministers from other countries, including the Czech Republic, Ireland, Sweden and the U.K., said they opposed the proposal.

Swedish Justice Minister Morgan Johansson said it was of “utmost importance” that the independence of national DPAs shouldn't be undermined.

Czech Justice Minister Helena Válková said there was a risk that the European Data Protection Board might issue rulings that were incompatible with the law of the affected member states.

British Justice Minister Chris Grayling said that the system proposed by Italy would lead to cases being “pulled upwards to the European Data Protection Board” and could lead to “paralysis” in decision making.

Referral of cases to the European Data Protection Board would also take decision making further away from data subjects, Grayling said.

The EU Council's legal service, at a December 2013 meeting of EU justice ministers, said that to protect the rights of data subjects, the role of DPAs in countries where complaints originate should take priority in cross-border cases.

One-Stop-Shop Confusion

Henriette Tielemans, a partner at Covington & Burling LLP in Brussels, told Bloomberg BNA Dec. 4 that for companies, the one-stop-shop proposal was one of the major advantages in the EU data protection reform. She said there was a risk the EU Council would replace it with a less efficient system for managing cross-border privacy cases.

“I would find it a real missed opportunity if the one-stop-shop would be abolished or eroded,” Tielemans said.

She added that DPAs already work together on issues such as mutual recognition of binding corporate rules and could cooperate “based on trust” in a one-stop-shop system.

U.S.-based Internet companies, such as Google Inc. and Facebook Inc., are concerned that the EU may be retreating from the one-stop-shop approach.

Rules for Public Sector

Ministers also discussed Dec. 4 differentiated rules that would apply to data processing by the public sector compared to the private sector.

On this issue, ministers were broadly in agreement, but they said that further work was needed on the details.

A Dec. 1 background paper on the issue prepared by Italy said that, while under the regulation the private sector would be governed by EU-wide rules, member states should have the flexibility to adopt national rules on public sector data processing “for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

Tielemans said that the issue was of less concern to companies than resolution of the one-stop-shop question.

“There will be points where public and private sector processing cross, but this will not keep chief privacy officers awake at night,” she said.

Delay in Reform Effort

De Cordier said the council is adopting positions on parts of the regulation, such as the introduction of separate rules for the public sector, that are at variance with those of DPAs themselves and the European Parliament.

Consequently, when the council finalizes its position, the subsequent negotiations with the European Parliament “will easily bring us into quarter one, quarter two 2016, before the regulation is adopted,” De Cordier said.

The European Parliament adopted its position on the draft data protection regulation in March.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

The background paper prepared by the Italian presidency of the EU Council on the one-stop-shop proposal is available at

The background paper on rules for data processing by the public sector is available at