Today was a time for contemplation on the concept of the One Stop Shop. What was a One Stop Shop? Was it one where the shopkeeper was master of his premises, and could decide how to treat his customers, what to sell them, at what price and when to exclude them? Or was it one where someone else could have the final say in who should be allowed in the store, what could be sold, and at what price?
In data protection terms, the discussion focused on what role a lead supervisory authority should play when dealing with complaints raised by someone who lived elsewhere, but where the data controller fell within that supervisory authority’s ambit.
What role should the lead authority be required to allow a regulator from that other country to play? Should the lead authority be allowed to deal with the complaint, determine the appropriate sanction and take the relevant enforcement action all by themselves? Or should there be a formal requirement to refer some issues to a European Data Protection Board, who might be given powers to articulate precisely how the Regulation (if there is to be a Regulation) should be interpreted in that instance, with the decision being binding both in that country and elsewhere within the European Union?
Surely, anything less than absolute control over the complaint, sanction and enforcement mechanism would undermine the lead authority.
If the concept of the One Stop Shop is to work, then it can only work when a political decision has been taken to allow it to work. There was general agreement that it has to be the lead DPA that makes the final decision. Yes, it can take account of representations made by other regulators, but accountability for taking the final decision must lie completely at the door of the lead authority.
But this has consequences. It means that Member States will have to overcome their natural reluctance to give up things they had enjoyed before. Global corporations with “main establishments” in, say, Ireland will, in future, be regulated by, say, Irish regulators, rather than a host of European regulators, each with slightly different views on what local cultural norms comprise acceptable data processing.
It would not be acceptable to weaken the competence of the lead authority by creating some crafty “review by qualified majority” mechanism. The potential consequences for some Member States could be pretty dire. We plucky Brits could face the prospect of being outvoted by the Data Protection Taleban each and every time another regulator felt it appropriate to challenge the ICO’s competency and have decisions referred to a superior body. It’s happened before. Remember how the rules of the Eurovision Song Contest have resulted in the UK never being able to win that competition again.
I also shudder to think how long this superior body might ponder the issue for, before making a decision that could well be referred to the courts by the losing party, anyway. If anyone thinks they’re going to get a speedy decision, they must be mistaken.
Now, tell me. Just where would a review mechanism leave the concept of legal certainty and all the other good things that could emerge from the One Stop Shop?