New rules governing who handles EU consumers’ privacy complaints will not be agreed to Friday, despite being on the agenda for member states to discuss.
Justice and Home Affairs ministers from the EU’s 28 member states will meet to talk about the proposed Data Protection Regulation, specifically plans to create a so-called one-stop-shop principle.
There has been much disagreement between member states about which authorities should handle complaints about the misuse of data when the companies and complainants are in different countries. A “discussion text” released last week attempted to resolve the issue by proposing more powers for the data protection authority of the country in which the individual consumer or complainant is based—the local authority—while maintaining the one-stop-shop principle of a “lead authority” in the country of the accused company.
Some member states, in particular Germany, fear that they could become subject to data laws from another country. In Germany’s case, there are concerns that its stringent privacy rules could be watered down by regulators in other countries. The U.K. has also dragged its heels due to fears that investors will react badly to tighter privacy rules.
The European Data Protection Supervisor (EDPS) Peter Hustinx said the one-stop-shop principle is crucial for the whole structure of the proposed Data Protection Regulation, which would update the 1995 Data Protection Directive.
“I expect the council will mark that progress has been made, but will probably not give the OK to the final version,” Hustinx said. However, he added that he thinks talks are in much better shape than they were at the end of 2013. “I think they will encourage further progress. We may even see conclusions on other elements. But with the one-stop-shop principle, it can only work if we think in terms of close collaboration,” he said.
A source close to the negotiations said that although a large majority of countries appear ready to agree to a partial general approach, this will be “a purely symbolic move to allow the Greek Presidency to claim to have advanced the file during its term.”
Such an approach does not exclude future changes and means that talks with the European Commission and the European Parliament, which are necessary for any new law, cannot begin.
The European Parliament’s rapporteur for the proposed data protection reform has even accused the responsible ministers of “refusing to work.”
“I am disappointed that the council is not aiming to finalize the agreement. I think that will not be appreciated by the new European Parliament,” said Jan Philipp Albrecht, the German member of the European Parliament who steered the complex text through to a compromise in that institution in March. “My impression is that most member states are trying to conclude something. France has been more outspoken in its criticism of the slow pace. And even those countries that have been hesitant are more willing to reach an agreement. Even the UK seems to be reducing its stalling tactics.”
The proposed law has been discussed since 2012 and when implemented—probably not before 2017 at the current pace of negotiations—will apply to all companies operating within the European Union, no matter where they are based.
The proposal would give authorities the power to impose multimillion-dollar fines on any company that misuses Europeans’ data. Under the latest compromise text, even local data protection authorities will have a say on sanctions. If they disagree with a lead authority, they can object and the matter will then be referred to the European Data Protection Board.