Italy seeks deal on ‘one-stop-shop’ data-protection complaints

6 November 2014. By Vesela Gladicheva.

People objecting to the way a company in another EU country has handled their data should be able to seek action by their own national privacy regulator, under possible changes to a draft EU
bill.

European Commission proposals to review data-protection laws said that in such cross-border cases, the regulator in the home country of the company facing the complaint should take the
final decision.

Under this “one-stop-shop” model, that authority would take the “lead” in any investigation, with input from officials in the country of the complainant.

But under a compromise now under discussion by EU governments, complainants would be able to seek a decision from their “local” regulator.

That’s according to leading Italian justice official Antonio Mura, speaking at an event* this week.

“This entails the need to ensure that . . . there is a mechanism for consultation, cooperation and eventual resolution of disagreements between the local and the lead” data-protection authorities, he said.

Here, the European Data Protection Board — an EU-level group of privacy watchdogs — would be “best placed” to deal with divergent decisions.

Most EU states reject a “system which would force the data subjects to seek remedy and redress for violation of their data rights only in the legal system where the lead authority operates,” Mura said.

Italy is chairing intergovernmental talks on EU matters, in its role as the current six-month EU “presidency.”

The government has drafted the possible compromise as a basis for talks at a ministerial meeting timetabled for Dec. 4 and 5.

Public sector 

The other major aspect of the draft regulation, on which Italy aims to align national views, concerns the question of whether the rules for organizations in the public sector should be more flexible than those for companies.

The current EU data-protection directive applies to both enterprises and public organizations. EU states have adapted the directive to their national laws.

The new rules would maintain that broad scope, but would be directly binding on member states. Some countries, notably Germany, have said this would jeopardize their existing provisions for data processing in the public sector.

Italy wants to “introduce into the regulation clauses allowing those member states that so wish to maintain special regimes for processing in the public sector,” Mura said.

But these rules must not “constitute an obstacle to the cross-border flow of personal data,” he told the gathering of privacy experts.

Negotiators initiated this discussion in July, and national government experts in Brussels are now working on a compromise text.