Justice Ministers' Impasse Slows Progress Of EU Data Protection Reform Negotiations

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner  

Dec. 6 --The chance of agreement on the European Commission's proposed general data protection regulation before European Parliament elections in May 2014 has receded, with an inconclusive meeting of EU justice ministers in Brussels Dec. 6 held up by disagreement on jurisdictional issues.

Justice ministers continued discussions from October on the “one-stop shop” for data protection in the European Union, meaning that the data protection authority in the member state in which a company has its “main establishment” would be responsible for oversight of that company's data processing activities, wherever in the EU they take place.

In October, the justice ministers agreed to the principle of the one-stop-shop but couldn't agree on details for implementing the plan (12 PVLR 1762, 10/14/13).

EU member states continued to hold different views on the details of the one-stop-shop approach, with several countries calling for the DPA in the country where a complaint originates to take the lead role, rather than the DPA in the country where a company has its main establishment.

Countries also disagreed on the role of the proposed European Data Protection Board, with some, such as Ireland, saying it should have only an advisory role in transnational complaints, while others, such as Cyprus and Portugal, said it should be given powers to make binding decisions.

The proposed board would replace the Article 29 Working Party of data protection officials from the 28 EU member states. The Art. 29 Party recently urged all of the parties to the negotiations to act quickly to adopt the proposed data protection regulation (see related report).

In addition, the discussions were held up by new legal advice from the EU Council, the EU institution that represents member states, which said that to protect the rights of data subjects, the role of “local” DPAs in countries where complaints originate should be prioritized. The advice was referenced by ministers at the Dec. 6 meeting but has not been made public by the council.

This advice contrasted with the view of the European Commission, the EU's executive arm that proposed the data protection regulation in January 2012 (11 PVLR 178, 1/30/12). The commission advised that the DPA in a data processor's country of main establishment should play the leading role.

Ministers Call for More Time.

Because of the conflicting advice, a number of justice ministers said more time would be needed to consider the issue.

U.K. Justice Secretary Chris Grayling said “we have got a difference of opinion here” and “conflicting legal advice,” and consequently any decision on the one-stop-shop approach should be deferred to the next meeting of EU justice ministers, which is scheduled for March 7-8, 2014.

Swedish Justice Minister Beatrice Ask said “we need to consider the differing views in a serious way before we can go to a legal decision.”

Irish Justice Minister Alan Shatter said that “some legal confusion and disagreement has arisen,” which threatened to undo work from the October justice ministers' meeting, at which there was broad agreement on the DPA in a company's jurisdiction of main establishment taking the lead in transnational disputes, though no agreement on the details of procedures.

“My fear is we are moving further away from achieving those objectives,” Shatter said.

Reding 'Disappointed.’

Viviane Reding, the European Commission Justice Commissioner and Vice-President who proposed the data protection regulation to replace the EU's 1995 Data Protection Directive (95/46/EC), said after the ministers' meeting that it had been a “disappointing day for data protection.”

“We have moved backwards,” Reding said, adding she was “not happy” about developments since the October meeting.

Referring to the uncertainty about the principle of the DPA in a data processor's country of main establishment taking the lead in cross-border cases, she said “I cannot accept that the one-stop-shop becomes an empty shell.”

Ministers would continue to try to resolve differences in early 2014, Reding said.

Doubts Over Pre-Election Agreement

The discussion on the one-stop-shop principle is holding up the EU Council's formulation of its overall position on the proposed data protection regulation. Once that position is agreed upon, the Council will negotiate with the European Parliament on the final form of the regulation.

Pia Kohorst, a spokeswoman for German Green lawmaker Jan Philipp Albrecht, the European Parliament's lead negotiator on the data protection reform, told Bloomberg BNA Dec. 6 that slow progress in the Council now made agreement between the institutions on the draft regulation “very unlikely” before May 2014, when European Parliament elections take place.

If there is no agreement by that date, negotiations between the European Parliament and EU Council to finalize the regulation would not happen until at least September 2014, Kohorst said.

The newly constituted Parliament would be required to agree on the composition of its committees, including the Committee on Civil Liberties, Justice and Home Affairs (LIBE), which adopted its position on the data protection reform in October (12 PVLR 1817, 10/28/13).

LIBE would then need to reconfirm its position on the proposed regulation, and either reconfirm the mandate of Albrecht to negotiate with the Council on its final form, or choose another lead negotiator, Kohorst said.

Nora Ni Loideain, researcher for the Centre for Intellectual Property and Information Law at the University of Cambridge said: “Ultimately, not rushing the proposals is a positive approach for the Council given the complexity of the major changes involved.”

Commission Still Hopeful

However, Reding's spokeswoman Mina Andreeva told Bloomberg BNA Dec. 6 that the Parliament could vote in plenary in April 2014 on the position prepared by LIBE, and on the basis of that position, negotiations could take place with the Council after the May elections.

In that case, “there is no discontinuity,” and the regulation could be finalized by the end of 2014, Andreeva said.

“We want a swift agreement,” in particular because “citizens want” reinforced data protection in the light of revelations about government mass surveillance programs, as exposed by former U.S. National Security Agency contractor Edward Snowden, Andreeva said.

 

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor on this story: Donald G. Aplin at daplin@bna.com