Lawyer Throws Spanner in EU Data Protection Regulation

Lawyer Throws Spanner in EU Data Protection Regulation
Lawyer Throws Spanner in EU Data Protection Regulation

The effect is another delay in the progress of the EU's proposed General Data Protection Regulation (GDPR) since the one-stop-shop has come to be seen as a central plank. Its principle, that a data protection ruling in one country would have weight in all countries, was introduced as an amendment by Jan Philipp Albrecht. It would allow EU citizens to file complaints with their own data protection regulator rather than be forced to do so where the company concerned is headquartered.

"A person in Austria, for instance," notes EU Observer, without mentioning Europe-Vs-Facebook by name, " who wants to file a complaint against Facebook, would not have to reach out to authorities in Ireland, where it has its European seat." He could file the complaint in Austria where his local regulator would liaise with Ireland. The ruling reached by Ireland would then hold for the whole of the EU.

But, said, Hubert Legal at a Brussels meeting of EU justice ministers on Friday (as reported in the Financial Times), "The problem is the results you get in terms of respecting the functioning of justice and people’s rights is actually a very bad outcome a very bad result and as your legal adviser I have to tell you it’s a bad outcome."

Viviane Reding, the EU Justice Commissioner who introduced the GDPR two years ago, was not amused. She pointed out that the EC and the member states had agreed the one-stop-shop in principle back in October. "Since then, instead of moving forwards, we have moved back . . . we are effectively reopening questions which had been agreed in October . . . In October, was the legal service in the room? Did the legal service read the conclusions of the council?"

By contrast, comments the HawkTalk data protection blog, "legal counsel for the Commission said there wasn’t a problem; Ms Reding then added that the solutions offered by the legal services counsel for the Council of Ministers should be rejected as being contrary to the agreements already made at the political level."

The result, however, is continued political stalemate, with any further progress delayed until at least January. "Not unsurprisingly," notes HawkTalk, "the UK (which is not a fan of the prescriptive nature of the Regulation) helpfully suggested that the delay should be until March 31st, to give time for the legal position to be clarified; as I said before, I suspect the UK 'hopes' the Regulation will disappear."

The episode highlights the complexity and difficulty in getting uniform agreement for the GDPR across the whole of Europe. In this instance, Germany (which is generally considered to be very strong on data protection), supported by Sweden and Belgium, is thought to be the main stumbling block. Germany is afraid that other regulators might be softer than the German regulator, and wishes to retain the ability to set its own fines for breaches of the data protection law.

Conversely, the United Kingdom (which would probably prefer to see the GDPR simply go away, but at the very least become a Directive rather than a Regulation) supports the idea. "The United Kingdom, along with the Czech Republic, Hungary and Denmark are said to favor it", explains EU Observer.

Nevertheless, the effect of heavyweight legal opinions in direct opposition to each other has, for the time being at least, stopped the GDPR. There you have it, says Hawktalk. "Clock ticking. Regulation stalled. Political agreement stalled. Leading lawyers fighting like ferrets in a sack."

"It is a disappointing day for data protection," said Reding. "Today, we have moved backwards."

What’s hot on Infosecurity Magazine?