Last Friday, the Data Protection Regulation faced a tough challenge; at the Council of Ministers, two influential lawyers advising the Council and the Commission had a public disagreement which exposed two fundamentally different opinions. The unexpected (and late) disagreement was over whether the one-stop shop was lawful.
Two years after the proposal was first suggested by the Commission, leading legal services counsel for the Council of Ministers lobbed a hand-grenade into the discussions: he labelled the one-stop shop as being a “very bad outcome” for data subjects and likely to breach the human rights of European citizens.
By contrast, legal counsel for the Commission said there wasn’t a problem; Ms Reding then added that the solutions offered by the legal services counsel for the Council of Ministers should be rejected as being contrary to the agreements already made at the political level.
So there you have it – two diverse heavyweight legal opinions on an important part of the Regulation, laid out before Ministers, in a public arena, for anybody to watch (see references). Not a happy sight unless you like blood-sports.
The result is that the whole Regulation show is delayed until at least January, when the Greek Presidency might organise political discussions on the “one-stop shop” proposals. Ms Reding at her press conference said she “hoped” there might be agreement, but I must add, the use of the word “hope” did not carry much conviction of “hope being realised”.
In other words, there is a prospect that the current legal stalemate might not be resolved and that, if the Council of Minister's lawyer is proved correct, his opinion might scupper the whole process. Not unsurprisingly, the UK (which is not a fan of the prescriptive nature of the Regulation) helpfully suggested that the delay should be until March 31st, to give time for the legal position to be clarified; as I said before, I suspect the UK “hopes” the Regulation will disappear.
Note that those countries opposing the Regulation for whatever reason had no need to expend any ammunition; with lawyers going head to head like this, they could safely keep their powder dry.
Legal services counsel for the Council of Ministers said that the "one-stop shop" was designed for data controllers at the expense of data subjects whose fundamental rights will be affected as they would have to overcome a “three-stop shop” if they were to exercise their rights. This, the legal services counsel concluded, would not be acceptable on human rights grounds (Article 6; accessibility to the Courts).
Legal counsel for the Council raised the issue of a data subject dealing with a problem with a in another jurisdiction. He argued that these three stops means that data subjects:
(a) had first to approach the Data Protection Authority in the home country and an Authority that did not have any jurisdiction or competence in the matter; with luck the Authority could help the data subject by passing details to the Authority in the data controller's main establishment.
(b) had secondly to approach the Data Protection Authority and courts of the territory of the main establishment jurisdiction. Human Rights case-law on Article 6 shows that the ECHR “would not approve of this” because the data subject might have to deal with unfamiliar court processes in a foreign language. The data subject would have to expend “disproportionate” resources protecting their rights and therefore would be “put off” from exercising rights; it followed that there was no effective judicial remedy as promised by the Regulation.
(c) The court of the country of origin of the data subject could be bound by a decision made in the county of the main establishment; this could lead to “conflicts of jurisdiction which would be “disastrous” for the administration of justice.
In addition, the one-stop shop would encourage “forum shopping” where large multinationals could establish themselves with a country that has a weak regulator (not unlike Facebook, Google, Yahoo etc and Eire). Much better to have a pan-European data protection authority (strong enough to take such large data controllers) looking at trans-border disputes which could then be subject to rulings from the European Court of Justice. (At the meeting, Ms, Reding said that the Commission was not seeking to establish such an authority).
By contrast, the leading lawyer for the Commission said there was no legal problem. This is because the case suggested, in practice, was very narrow; a data subject seeking judicial review of a decision of the main data protection authority in a foreign jurisdiction. This, the Commission’s lawyer explained, was the case in other EU laws. In addition, the domestic courts in the data subject's jursidiction could offer redress and therefore there was no conflict in jurisdictions nor unpredictable results that would trouble the European Court of Human Rights.
So there you have it. Clock ticking. Regulation stalled. Political agreement stalled. Leading lawyers fighting like ferrets in a sack. Don’t hold your breath.
Press conference: http://video.consilium.europa.eu/webcast.aspx?ticket=775-979-13738
Legal ferrets in a sack (beginning of: http://video.consilium.europa.eu/webcast.aspx?ticket=775-979-13755)
Please have a look at the Amberhawk Associate's web-site: http://associates.amberhawk.com/