Today was a time for contemplation on the concept of the One Stop Shop. What was a One Stop Shop? Was it one where the shopkeeper was master of his premises, and could decide how to treat his customers, what to sell them, at what price and when to exclude them? Or was it one where someone else could have the final say in who should be allowed in the store, what could be sold, and at what price?

In data protection terms, the discussion focused on what role a lead supervisory authority should play when dealing with complaints raised by someone who lived elsewhere, but where the data controller fell within that supervisory authority’s ambit.

What role should the lead authority be required to allow a regulator from that other country to play? Should the lead authority be allowed to deal with the complaint, determine the appropriate sanction and take the relevant enforcement action all by themselves? Or should there be a formal requirement to refer some issues to a European Data Protection Board, who might be given powers to articulate precisely how the Regulation (if there is to be a Regulation) should be interpreted in that instance, with the decision being binding both in that country and elsewhere within the European Union?

Surely, anything less than absolute control over the complaint, sanction and enforcement mechanism would undermine the lead authority.

If the concept of the One Stop Shop is to work, then it can only work when a political decision has been taken to allow it to work. There was general agreement that it has to be the lead DPA that makes the final decision. Yes, it can take account of representations made by other regulators, but accountability for taking the final decision must lie completely at the door of the lead authority.

But this has consequences. It means that Member States will have to overcome their natural reluctance to give up things they had enjoyed before. Global corporations with “main establishments” in, say, Ireland will, in future, be regulated by, say, Irish regulators, rather than a host of European regulators, each with slightly different views on what local cultural norms comprise acceptable data processing.

It would not be acceptable to weaken the competence of the lead authority by creating some crafty “review by qualified majority” mechanism. The potential consequences for some Member States could be pretty dire. We plucky Brits could face the prospect of being outvoted by the Data Protection Taleban each and every time another regulator felt it appropriate to challenge the ICO’s competency and have decisions referred to a superior body. It’s happened before. Remember how the rules of the Eurovision Song Contest have resulted in the UK never being able to win that competition again.

I also shudder to think how long this superior body might ponder the issue for, before making a decision that could well be referred to the courts by the losing party, anyway. If anyone thinks they’re going to get a speedy decision, they must be mistaken.

Now, tell me. Just where would a review mechanism leave the concept of legal certainty and all the other good things that could emerge from the One Stop Shop?