BRUSSELS (Reuters) - A new body of European data protection authorities could have the power to adopt legally binding decisions in cross-border disputes over a company’s misuse of personal data, according to a draft document seen by Reuters.
Under a mechanism originally proposed in reforms of Europe’s data protection laws, businesses operating across the 28-nation European Union would have to deal only with the data protection authority in the country where they are headquartered - even if alleged mishandling of data affects citizens in another country.
A new proposal by Italy, which holds the rotating European presidency, gives all concerned authorities the chance to intervene in all stages of the decision-making process.
A failure to reach an agreement between the authorities concerned, or even conflicts over which regulator should take the lead, would then be arbitrated by the European data protection Board, with legally binding powers.
The original “one-stop-shop” proposal had divided member states and been the main sticking point in the data protection reform discussions.
It would be a boon for firms like Google, Facebook and Amazon which operate across the bloc and handle vast amounts of personal data.
But many governments do not want their data privacy watchdogs to lose the power to impose fines on companies such as Google for privacy breaches concerning their citizens, even when the company is not headquartered in the same country.
Some governments, however, worry the new proposal would only complicate monitoring by allowing several authorities to intervene in the process. It also raised the risk of contradictory court judgements because citizens would be able to appeal against the same decision in several member states.
In cases where national authorities were unable to agree, the European data protection Board could intervene.
Presently, businesses have to deal with 28 different data protection laws and regulators, something which the executive European Commission has said leads to legal uncertainty.
In the Italian proposal the European data protection Board would issue binding decisions in cases of disagreement, which would then have to be adopted by each national regulator.
Currently EU data protection authorities only meet as an advisory group called the Article 29 Working Party.
The Italian proposal will undergo some changes and then be presented to ministers in early December. If agreed, a full legal text should follow next year.
Reporting by Julia Fioretti; editing by Ralph Boulton