BRUSSELS (Reuters) - European Union ministers agreed on Friday to give more powers to a pan-European body of regulators to enforce a new data protection law, upsetting businesses who hoped more power would be devolved to individual national regulators.
Under a “one-stop-shop” mechanism initially proposed under the new EU data protection law, a business operating across the 28-nation bloc would only have had to deal with the data protection authority of the member country where it is headquartered or has its main European base - even if a data protection issue arose which affected citizens in another member country.
But under pressure from countries that do not want their national regulators to lose all jurisdiction over big technology companies such as Apple and Facebook, which have declared Ireland to be their European bases, EU ministers agreed to give any “concerned” authority the power to object to any particular ruling.
That would result in the case being referred to a still to be created board of all 28 EU regulators which could then take binding decisions.
“The proposed mechanism will be more cumbersome than the existing procedures, resulting in unnecessary administrative burdens, including delayed decisions for citizens,” said the Industry Coalition for Data Protection, which includes major technology companies such as Apple, Google and IBM.
EU diplomats had already agreed on Feb. 25 to scrap a proposal that at least a third of concerned authorities had to object to a decision before a case could be referred to the European Data Protection Board (EDPB).
“The revised approach seems to open the door to more conservative voices amongst the data protection authorities having an even greater say,” said Paula Barrett, a partner at law firm Eversheds.
Countries such as Ireland, Britain and the Netherlands opposed scrapping the numerical threshold, arguing that it would lead to a flood of cases being referred to the board and that it went counter to the original proposal’s aim of making it easier for businesses to operate across the bloc.
“It (numerical threshold) would have greatly reduced the risk of capricious referrals,” said the Irish justice minister.
In the past Ireland has been accused of going soft on multinationals when it comes to privacy laws to remain an attractive business location, something it has denied.
Friday’s agreement could still be changed when ministers in June review the whole new proposed data protection law - the General Data Protection Regulation.
In addition, a review clause could be inserted to determine the effectiveness of the “one stop shop” mechanism, as requested by Ireland.
Editing by Greg Mahlich