Privacy & Information Security Law Blog

This week, the Article 29 Working Party (“Working Party”) prepares to debate various proposals on the “one-stop-shop” mechanism under the proposed EU General Data Protection Regulation (“Regulation”). Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership submitted a strategy paper on the one-stop-shop to the Working Party. The paper proposes a methodology for selecting and defining the role of a lead regulatory authority with the objective of making the one-stop-shop more operational, flexible and viable. The work draws on a more detailed article published on November 3, 2014, by Hunton & Williams senior attorney Rosemary Jay in the magazine for the Society for Computers and Law, entitled The “One Stop Shop” – Working in Practice.

In the article, Jay argues that the currently endangered one-stop-shop arrangements under the Regulation can be rescued and made effective by the adoption of a more flexible and balanced methodology. Under the current text of the Regulation, a data controller with operations in more than one EU Member State will be subject to the lead supervision of the regulatory authority for the Member State in which it has its “main establishment.” This raises concerns that (1) regulatory authorities without lead supervision may lose influence over data protection issues that affect citizens in their Member States, (2) the regulatory authority with lead supervision may be removed from individuals affected by the data controller’s processing activities, (3) businesses may “forum shop,” to obtain their preferred lead regulatory authority and (4) orders by lead regulatory authorities may be unenforceable in other Member States. Jay addresses these issues simply and effectively by making the one-stop-shop elective rather than automatic, and more tailored to specific business models.

In an elective system, a business must apply for a lead regulatory authority. To have its application approved, the business must represent that it will comply with the lead regulatory authority’s orders across its businesses in all EU Member States. The application process also could involve discussions with non-lead regulatory authorities and incorporate specific arrangements to resolve their reservations or concerns. The one-stop-shop could be implemented gradually to accumulate experience and facilitate a more streamlined application process as implementation of the one-stop-shop progresses.

When launching the Regulation, the European Commission indicated that the one-stop-shop would benefit businesses operating among several EU Member States. Those working in privacy and data protection across Europe are hopeful that the Working Party’s deliberations can rescue the one-stop-shop concept to realize the benefits previously announced by the European Commission.