Privacy & Information Security Law Blog

On April 16, 2014, the Article 29 Working Party (the “Working Party”) sent a letter (the “Letter”) to Lilian Mitrou, Chair of the Working Group on Information Exchange and Data Protection (the “DAPIX”) of the Council of the European Union, to support a compromise position on the one-stop-shop mechanism within the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

The one-stop-shop mechanism is being discussed in the Council in the context of the ongoing legislative debate on the Proposed Regulation. With the Letter, the Working Party aims to support a compromise between the various positions that have so far been expressed in the Council. The Working Party’s compromise position is set out in a statement (the “Statement”) which was sent to the Council as an annex to the Letter. In the Statement, the Working Party underlines its support for a one-stop-shop mechanism in cases where a data processing operation is carried out in the context of activities of a controller’s or a processor’s establishments in different EU Member States, or where individuals in different EU Member States are affected by a data processing operation. The Working Party considers that this mechanism should not apply to cases of pure national relevance or minor cross-border relevance. Guidance on such minor cross-border cases should be provided by the European Data Protection Board (“EDPB”).

The Working Party considers that, in those cases where the one-stop-shop mechanism applies, the lead supervisory authority (i.e., the supervisory authority in the EU Member State of the main establishment) and the other concerned supervisory authorities should cooperate and reach a consensus on the case. The lead supervisory authority will then have the authority to take the relevant measures against the main establishment of the controller or processor concerned. If they do not reach a consensus, the EDPB should have the authority to impose binding measures. The controller or processor concerned will be required to fulfil and implement the measures imposed by the lead supervisory authority or the EDPB in all of its EU establishments.

In addition, in the Statement, the Working Party also declares its support for the accountability elements of the Proposed Regulation (e.g., the EU-wide establishment of internal data protection officers, data protection impact assessments, privacy by design and privacy by default principles). Finally, the Working Party added to the Letter its advice paper on profiling which was adopted in May 2013, as this topic is currently on the agenda of the DAPIX.