Getting the 'one stop shop' principle to work
This article was first published in Data Protection Law & Policy in October 2012
Going all the way to the Rio de la Plata to discuss the content of the future European data protection framework seems a little over the top, but the recent International Privacy Commissioners' Conference in Punta del Este, Uruguay provided a perfect forum as a neutral ground for a fierce policy debate. Surrounded by equally fierce winds and rain for added dramatic effect, regulators and other influential stakeholders in the privacy world locked horns in the most constructive possible way for three days to make the most of this annual gathering. One of the immediate outcomes was the realisation that much work remains to be done if we are to achieve the necessary balance between progress and protection. No other issue symbolised the need for this balance better than the 'one stop shop' principle under the proposed EU data protection regulation – the sole competence of one single regulator over the same controller all over the European Union.
As a concept, this principle seems like a no brainer that everyone would be happy with. If anything, having a single regulator with responsibility for supervising the activities of a corporate group across the EU on the basis of the same law should be the most efficient way of managing the limited time and resources that data protection authorities have. If the organisation to be supervised operates on a pan-European basis and the law is the same everywhere, surely this approach is the most logical in the absence of a central European regulator. However, why is it that this concept is proving so difficult to shape to everyone's satisfaction? There is even a precedent with the concept of a "lead authority" for BCR authorisations which has been working quite effectively for years now. Are national interests preventing this principle from working or is there a more fundamental issue getting in the way?
In line with the overall harmonisation objective, the 'one stop shop' principle brings with it a significant change, as the law is seeking to designate only one competent regulator per EU-based controller. By definition, this approach relies on the trust that needs to be placed on the competent authority by the authorities of all of the other countries where a given controller operates. This is certainly an ambitious expectation but surely one that can be met if the collaborative mood of the Commissioners' Conference is anything to go by. So a lack of trust amongst regulators should not be a reason to question the 'one stop shop' principle.
A more damaging factor is the suspicion that astute organisations will seek to manipulate the system and aim to be supervised by the 'easy' regulators. Frankly, there are no easy or difficult regulators. They all take their jobs very seriously and have good days and bad days – like everyone else. What is essential is a sufficient degree of pragmatism that brings compliance with the law to a viable level that meets the right standards. For this to happen, dialogue is essential but, again, seeking that level of compliance should not be seen as a sign of defiance or an easy way of avoiding legal requirements.
Could the 'one stop shop' principle ever work then? Of course it can. As a starting point, it needs dialogue and collaboration amongst the data protection authorities and a realistic approach to data protection compliance. Linked to this, what is also needed is trust. Trust by the regulators in their counterparts and ultimately trust in the legal system. However, trust should not be about 'easy' regulators behaving unreasonably to show how 'tough' they are, and trust should not be about triggering a dangerously bureaucratic "consistency mechanism" at the first sight of disagreement. The 'one stop shop' principle is ultimately about effective compliance and should be given the chance to succeed.
The next two years of legislative reform are crucial. We have a golden opportunity to establish a supervisory approach that is geared to deal with global organisations operating in Europe in a consistent and effective way. Change should be accepted because it is inevitable. The 'one stop shop' model is perfectly workable if it throws away old and unhelpful prejudices. Efforts should be made to find the best criteria to determine which authority is the competent one in respect of every controller subject to EU law – irrespective of where they are based – and to support that authority in their role. Diversity is a great thing but when it comes to regulatory enforcement, it creates uncertainty and unfairness. Let's not risk that outcome and let's try to make the 'one stop shop' principle work instead.