On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who ...25 May 2016
Progress Falters on EU Data Protection Regulation at Council Meeting
The one-stop-shop concept is a key element of the European Commission's reform proposal, designed to bring simplicity and cost-savings to pan-European data controllers and processors, who would deal with a single supervisory authority, not 28. However, reports of debate at the recent JHA meeting refer to German intransigence over consumer protection in the context of the one-stop-shop proposal, with ministers from the Czech Republic, Denmark, and Hungary also expressing unease.
Although the Commission, in its briefings, refers to the Council having reached agreement on the one-stop-shop issue at its meeting in October 2013, in fact Member States struggled to find common ground on the extent of the powers to be exercised by any single supervisory authority beyond authorization, notwithstanding the strong cooperation and consistency mechanism provided for in the draft Regulation. A note from the Lithuanian Presidency of the Council circulated in late November 2013 revealed how Member States were unable to agree on the concentration in the hands of the main establishment authority of the power to order fines and other penalties and on a practical mechanism for consumer redress.
The same sticking points were encountered at the meeting of the Council on Friday, 6 December, which concluded that further consideration should be given to granting the European Data Protection Board the power to adopt binding decisions regarding corrective measures.
The output from the Council negotiations under both Irish and Lithuanian Presidencies shows that the one-stop-shop issue is not the only stumbling block within the Council. Debate continues on the form of the legislation (regulation or directive), with the UK and Sweden preferring a Directive to allow more flexibility in local implementation. Members of the Council have expressed a desire to see a reduction in the regulatory burden on controllers/processors where the processing contemplated is low risk. Discussions have focused on the use of pseudonymous data in order to trigger lesser obligations, plus the use of a risk-based approach to the application of the more rigorous provisions.
For the moment, the pace of reform that the Commission has called for repeatedly (including in its recent review of EU-U.S. data flows) seems to be flagging.
Special thanks to Biddy Wyles for her substantial assistance in the preparation of this entry.
The French Data Protection Authority (CNIL) has announced its inspections program topics for 2016, with health data, flight passengers’ data, and data used for marketing and Internet...20 May 2016