EU ministers OK new cross-border data protection plan, sparking criticism

The proposed new data protection mechanism will lead to unnecessary administrative burdens, companies said

Ministers of European Union countries have agreed on a new plan to deal with cross-border privacy cases. Companies and a variety of critics, though, have called the proposal a mess.

The plan, at least originally, was supposed to put in place a "one-stop-shop" mechanism that would make it easier for businesses and citizens to deal with privacy-related complaints. The idea of a streamlined approach to resolving privacy issues is a key pillar of EU data-protection reform and member states agreed on a version of such a plan on Friday, said Vra Jourová, European Commissioner for Justice during a press conference.

At the moment, companies operating in the EU like Google, Facebook and Apple can be held responsible for privacy issues by national data protection authorities (DPAs). In Google's case, for instance, this has led to multiple simultaneous investigations into the privacy policy it introduced in 2012. Enforcement actions related to various complaints have been taken in several EU countries.

The Commission, the EU's executive and regulatory branch, had proposed that these companies in the future should only have to deal with one authority, in the country where they have their European headquarters or main business. A European Data Protection Board would be able to adopt legally binding decisions in cases where the national authority is challenged by privacy supervisory bodies in other countries.

However, the ministers in the Council of the EU agreed that this mechanism should only kick in for important cross-border cases. And even in those cases, other concerned authorities would be able to enter into a joint decision-making process, enabling them to object to the main body's decision, the Council said in a news release.

Going ahead with this plan would be a very disappointing move, said the Industry Coalition for Data Protection in a news release ahead of the Friday talks.

The proposed plan would be more cumbersome than the current one and lead to unnecessary administrative burdens, including delayed decisions, for all parties concerned, according to the group, which comprises 18 associations. The associations represent European and international companies, including Google, Microsoft, Facebook Apple and Yahoo.

Marc Dautlich, a lawyer specializing in information law, said ahead of Friday's decision that the compromise proposed by the ministers is a mess.

It is disappointing for nearly everyone, he told, a website that publishes legal news and guidance on behalf of his law firm, Pinsent Masons.

For cross-border businesses, it seems to fall short of the original one-stop shop proposals, while for DPAs responsible for enforcement it would be hard to determine what important cases are, he said. For citizens looking for a solution, the mechanism seems to increase rather than decrease the time needed to get redress, he added.

The compromise, though, is the best the Council could achieve at this moment, said Dzintars Rasnas, Minister for Justice of Latvia, the country which currently holds the rotating presidency of the Council.

Details could still change, however, before the Council makes a final decision on the whole data protection package. The current plan does not exclude the possibility of improving the text before June, when the ministers are scheduled to reach an agreement on data-protection reforms, Rasnas said.

If the Council reaches an agreement in June, it will be possible to conclude data protection reform in 2015, Jourová said. However, after reaching an agreement of its own, the Council must discuss the plan with the Commission and the European Parliament. All three legislative branches must sign off on the reform in order for it to become law.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags Council of the European Unionregulationsecuritydata protectiongovernment

More about AppleEUEuropean ParliamentFacebookGoogleIDGMicrosoftNewsYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts