EU ministers OK new cross-border data protection plan, sparking criticism

Ministers of European Union countries have agreed on a new plan to deal with cross-border privacy cases. Companies and a variety of critics, though, have called the proposal a mess.

The plan, at least originally, was supposed to put in place a “one-stop-shop” mechanism that would make it easier for businesses and citizens to deal with privacy-related complaints. The idea of a streamlined approach to resolving privacy issues is a key pillar of EU data-protection reform and member states agreed on a version of such a plan on Friday, said Vra Jourová, European Commissioner for Justice during a press conference.

At the moment, companies operating in the EU like Google, Facebook and Apple can be held responsible for privacy issues by national data protection authorities (DPAs). In Google’s case, for instance, this has led to multiple simultaneous investigations into the privacy policy it introduced in 2012. Enforcement actions related to various complaints have been taken in several EU countries.

The Commission, the EU’s executive and regulatory branch, had proposed that these companies in the future should only have to deal with one authority, in the country where they have their European headquarters or main business. A European Data Protection Board would be able to adopt legally binding decisions in cases where the national authority is challenged by privacy supervisory bodies in other countries.

However, the ministers in the Council of the EU agreed that this mechanism should only kick in for important cross-border cases. And even in those cases, other concerned authorities would be able to enter into a joint decision-making process, enabling them to object to the main body’s decision, the Council said in a news release.

Going ahead with this plan would be a very disappointing move, said the Industry Coalition for Data Protection in a news release ahead of the Friday talks.

The proposed plan would be more cumbersome than the current one and lead to unnecessary administrative burdens, including delayed decisions, for all parties concerned, according to the group, which comprises 18 associations. The associations represent European and international companies, including Google, Microsoft, Facebook Apple and Yahoo.

Marc Dautlich, a lawyer specializing in information law, said ahead of Friday’s decision that the compromise proposed by the ministers is a mess.

It is disappointing for nearly everyone, he told, a website that publishes legal news and guidance on behalf of his law firm, Pinsent Masons.

For cross-border businesses, it seems to fall short of the original one-stop shop proposals, while for DPAs responsible for enforcement it would be hard to determine what important cases are, he said. For citizens looking for a solution, the mechanism seems to increase rather than decrease the time needed to get redress, he added.

The compromise, though, is the best the Council could achieve at this moment, said Dzintars Rasnas, Minister for Justice of Latvia, the country which currently holds the rotating presidency of the Council.

Details could still change, however, before the Council makes a final decision on the whole data protection package. The current plan does not exclude the possibility of improving the text before June, when the ministers are scheduled to reach an agreement on data-protection reforms, Rasnas said.

If the Council reaches an agreement in June, it will be possible to conclude data protection reform in 2015, Jourová said. However, after reaching an agreement of its own, the Council must discuss the plan with the Commission and the European Parliament. All three legislative branches must sign off on the reform in order for it to become law.

ITWorld DealPost: The best in tech deals and discounts.