European Union legislators have blinked over plans for one-stop-shop data protection, after effectively handing the Irish government much greater power over data issues anywhere in the 28 nation bloc.
The original plan was for a"one-stop-shop" that would mean that a business operating across the EU would only have had to deal with the data protection authority of the member country where it is headquartered or has its main European base, even if a data protection issue arose which affected citizens in another member country.
This, argue critics, effectively casts the Irish Data Protection Commission in the role of European regulator, something which nations like Germany and Austria, strict advocates of tough data protection, are not entirely comfortable with.
The German interior minister Thomas de Mazière told reporters:
What we want, and what we've reached, is a system, what we call a one-stop-shop, so the companies can be located in Ireland, but it is important that we have a common decision for all of Europe. We don't want to have the same disaster like we've seen it in the financial system some years ago.
But EU ministers have now decreed that any "concerned" authority will have the power to object to any particular ruling. That objection would then be passed to the European Data Protection Board (EDPB).
That means that if there are complaints by citizens about any company headquartered in Ireland, then the Irish Data Commissioner will have to get involved, something which has led to fears of increased bureaucracy and workload on the Irish Data Commission office.
The Irish Minister for Data Protection Dara Murphy has admitted:
Ireland had suggested that a minimum of a third of all EU member states should have to support a proposed appeal, before it could be sanctioned in order to reduce the bureaucratic workload that now seems inevitable. Murphy explained:
Yes, it will create more work for our Data Protection Commissioner. We have doubled resources, we're opening a new office in Dublin and the doubling of staff will take place to take into account the additional workload.
We would have preferred if decisions taken locally were binding, and a couple of other countries were strongly supportive of that view.
We're willing to see how it will work over the next couple of years. The appeals process is something we want to work quickly and efficiently, and won't add to the additional burden and administrative difficulties.
We would have preferred a system where it would have taken a number of countries to trigger an appeals process, where now it is just one.
We would have liked to have seen a little bit more on the qualitative or quantitative selection of how cases would enter that [appeal] process. At the moment, essentially anybody can appeal, and we believe that this is a little bit too cumbersome.
But he rejected criticism from the likes of Germany that Ireland is too soft on data protection:
Criticism from Germany and others has been unfair.
We have a very proud tradition in our country of our independent regulators, whether it is in the courts, in the DPP, or the Data Protection Commissioner in this case. We would not foresee a disproportionate number of our cases being overturned by the EDPB, ultimately.
Friday's agreement could still be changed when ministers in June review the complete proposals for the General Data Protection Regulation.
The Financial Times yesterday dubbed this anticipated outcome as a Eurovision Song Contest approach to data protection.
If you understand what that means, you'll know that's not a good thing.