The proposed EU Data Protection Regulation continues to be considered by EU Member State representatives. The proposed Regulation was published by the European Commission on 25 January 2012 and the European Parliament voted in favour of an amended version in October last year. It is now being deliberated by the Council of the European Union (the “Council”). 

Reports suggest that progress is slow. Viviane Reding, Vice President of the European Commission, stated on 6 December 2013 that the Council had “moved back” on the data reform package at their meeting of the Justice and Home Affairs Committee on 5 – 6 December. Ms Reding stated that “Instead of building on our progress in October, the document we have before us today deconstructs it.” 

The main issue causing the delay appears to be the detail of the so called ‘one-stop shop’ principle, which aims to reduce the administrative burden placed on businesses with a presence in more than one EU country. Under the current EU law, each EU subsidiary of a multi-national company is required to comply with the local data protection laws of the territory in which they are established, which can vary substantially from its neighbouring Member State’s data protection law. The one-stop shop, as included in the amended version of the proposal for the EU Data Protection Regulation reduces that burden considerably, by providing that a business with a presence in more than one EU Member State, would only have to report to one lead national data privacy authority. However, the Council is currently arguing over whether, in the case of data breaches, it is the territory where the data breach takes place, or where the infringing business has its main establishment, that should determine which authority has oversight. 

Further, the Legal Service for the Council takes the view that the one-stop shop rule undermines citizens’ human rights, as reporting complaints via this mechanism would be so complicated that it would dissuade individuals from pursuing them.  One concern is that, as the proposals currently stand, it would be difficult for EU citizens to identify which authority to complain to. 

Ms Reding expressed her disappointment with the Council’s position on this issue, stating that the Council were effectively re-opening questions which she believed had been resolved in October. She urged them to move forward with meaningful reform, which should include a meaningful one-stop shop, not an empty shell. 

Reports have also suggested that the Member States are currently unable to agree on the power to order fines and on a practical mechanism for consumer redress. The European Parliament’s proposal increased the maximum potential fines from an appreciable 2% of turnover, or EUR 1 million, to an eye-watering 5% of turnover or EUR 100 million. 

The form of the new law is also under debate – should it be a Regulation or a Directive?  A Regulation would be directly applicable in all Member States, whereas a Directive would need to be individually implemented by each Member State.  The UK, Sweden, Czech Republic and Hungary are apparently pushing for a Directive, in order to retain control over implementation. However, the price of such control is the risk that another Directive would fail to effectively harmonise EU data protection law, as happened with the 1995 Directive. There are currently substantial variations in the content and enforcement of data protection law in different EU Member States. 

It is understood that the European Parliament is scheduled to vote on the EU Data Protection Regulation on 11 March 2014. The outcome of this vote will play a crucial part in determining whether agreement is likely to be reached before the EU Parliament elections in May 2014. Failure to reach an agreement before that point is likely to result in substantial delays in the progress of the EU Data Protection Regulation, beyond the target adoption date of Autumn 2014 to Spring 2015 at the earliest (with a 2 year grace period before it becomes enforceable). 

Look out for a further update on this subject matter in March 2014.