BY THE ITALIAN INSTITUTE FOR PRIVACY - A digital market would not exist without data. A European digital single market will never exist if data cannot circulate freely and safely within it.  Data are the pivotal driver of value in a modern economy. Yet data, when "personal", are something more than a carrier of economic value. Personal data bring along individuals' identity.

They somehow represent the individuals to whom they relate in the digital world.  It is therefore crucial, in tackling the issues that hurdle the full development of a digital single market, to carefully revise the legal provisions governing the free flow of personal data in Europe. Directive 95/46/EC has proven to be a useful tool for the past years but, as recent interpretation thereof by the Court of Justice of the European Union has made clear, its provisions needed a judicial "refresh" in order to become applicable to the modern digital environment. 

This shows that the time is ripe for a major change in the EU data protection legal framework, one that would, at the same time, simplify and unify the rules across Europe as well as set out high standards of protection for personal data.  

Bearing this in mind, we attach a great importance to the principle of one-stop-shop introduced by the Commission proposal for a General Data Protection Regulation, as recently discussed by the JHA Council on 12 and 13 March 2015.

This principle plays a crucial role in addressing the inconsistency and fragmentation in Member States’ personal data protection laws.

We believe it should serve two purposes: 

1. It should contribute to the simplification of the legal regime in the EU, thus helping organisations in finding the only authority competent to oversee their processing activities in the EU. The principle of legitimate expectations strengthens this assumption, because once a competent DPA applying a uniform set of rules has issued a decision intended to produce effects vis-à-vis a data controller, it would be tantamount to neglect its legitimate expectations if a different DPA were to reassess and, eventually, to ‘overrule’ a previous decision on the same issue.

2. It must always ensure the enforcement of data subjects' rights. This means that data subjects shall always be entitled to bring a claim in defence of their rights to their local DPA. It is the duty of the DPA to liaise with the one competent over a given data controller established elsewhere in the EU. 

The EU digital single market needs a new single set of data protection rules and a smooth application thereof.

In this regard, Europe has now a unique chance of setting the world's best standards on this matter, while paving the ground for a robust, innovation-driven and long lasting economic recovery to the benefit of its citizens and consumers.