EU data protection bill 'moves backwards'
The EU data protection regulation hit a setback on Friday (6 December) after justice ministers backed off on a key component.
“The ministers did not want to make hasty decisions,” Lithuanian Justice Minister Juozas Bernatonis told reporters.
Join EUobserver today
Get the EU news that really matters
Instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
But the EU commissioner for justice, Viviane Reding, described it as a disappointing day for data privacy.
Insiders say delay tactics triggered by a number of states means adoption would likely occur near the end of 2014, after European Parliament elections.
An EU diplomat said Germany, with the support of Sweden and Belgium, is partly responsible for the delay.
The issue revolves around a so-called one-stop shop principle, considered a central pillar of the proposal because it harmonizes decision-making across the bloc.
Each member state has a data protection authority (DPA) to handle complaints to ensure industry complies with national privacy laws. Some have more powers than others and are more pro-active in taking up cases, however.
Germany’s DPA can, for instance, set the amount a company needs to pay if it violates data protection law.
But in Ireland, the DPA must first go through the Irish court system.
Other DPAs simply issue press releases in a name-and-shame tactic.
An amendment to the draft law tabled by German Green Jan Philipp Albrecht would allow EU citizens to issue complaints on data-mishandling directly to their national data supervisors.
A person in Austria, for instance, who wants to file a complaint against Facebook, would not have to reach out to authorities in Ireland, where it has its European seat.
The Austrian data authority would instead pass on the complaint, in a co-ordinating role, to its Irish counterpart.
Any decision made by the Irish authority would then be binding across the bloc.
A "European Data Protection Board" would step in to mediate if the two co-ordinating authorities disagree on the verdict.
On the other side, companies would be able to tackle EU-wide data cases through the data chief in the EU country in which they have their HQ, instead of dealing with 28 national regimes.
“The code word is always ‘this is too important’ to take hasty decisions,” an EU diplomat told this website.
The German argument, said the contact, is that Berlin does not want the EU law to be any weaker than its domestic one.
But the EU data proposal is modelled on the German one.
“Reding has asked the German minister so many times to send her just two examples where they think the German standard is higher,” said the contact.
Opposing member states also say the bill would result in an overcomplicated system.
They say certain additional powers should instead be given to the European Data Protection Board.
Reding’s idea does have some backing.
The United Kingdom, along with the Czech Republic, Hungary and Denamrk are said to favour it.
But the UK has issue with the legal basis and wants to downgrade the "regulation" into a "directive."
“There is no question that this will be turned into a directive, I mean there is simply nobody asking for that aside from them,” noted the diplomat.
An EU regulation is immediately applicable across the bloc when it is passed. But a directive must be transposed into national law, which can take years and lead to fudging.
Reding, for her part, pointed out that ministers in October had agreed that one national data protection authority should be in charge for a company and for a citizen’s complaints, not 28.
“Today, we have moved backwards,” she said.