The EU’s recent $270 million fine against WhatsApp was put on hold for months due to disagreements between national authorities over how best to enforce the bloc’s privacy rules.
Differing approaches to enforcing the EU’s strict General Data Protection Regulation are prompting calls to redesign how the national authorities of the 27 EU countries can intervene in each other’s cases, and to explore creating a comprehensive EU-wide regulatory system.
WhatsApp, which is owned by Facebook Inc., was fined for failing to tell EU residents what it does with their data, including sharing their information with other Facebook entities. The fine was made public in early September by Ireland’s Data Protection Commission, which has jurisdiction over the matter because WhatsApp and Facebook have their European headquarters in Ireland.
Eight other regulators said the Irish authority’s proposed fine of up to €50 million, roughly equivalent to $59 million, was too low and disagreed with the Irish regulator’s analysis of the company’s data practices.
Regulators used the GDPR dispute-resolution process to settle their disagreements, and the Irish authority said it followed recommendations from other regulators, including increasing the fine. But regulators and privacy experts say the process of sharing enforcement among national authorities has created bottlenecks.
“We always have the same issue. If everything depends on the major data protection authority taking the initial steps then we have a lot of big cases,” said David Martin Ruiz, senior legal officer at the European Consumer Organization, a Brussels-based advocacy group.
If officials from other European countries cooperate early with the investigation, decisions could be issued faster, instead of waiting for a decision from a major regulator before they can intervene, Mr. Martin Ruiz said.
Discontent has been brewing among European privacy regulators since the GDPR took effect in 2018, with some officials publicly criticizing their counterparts for taking too long to investigate high-profile cases. In May, the regional authority in Hamburg, Germany, used an emergency measure to issue a three-month ban on Facebook’s collection of data from WhatsApp users in the European Union, bypassing a provision that stops regulators from policing companies outside their jurisdiction.
The legal process stipulating that a regulator is responsible for investigating a company located in its jurisdiction is “often not timely enough” to keep up with technology, said the head of Italy’s privacy authority, one of the eight regulators to oppose the Irish draft decision on WhatsApp. The others were officials representing France, Hungary, the Netherlands, Portugal and Poland; the federal German regulator; and a regional German regulator from the state of Baden-Württemberg.
A WhatsApp spokesperson said the company would appeal against the decision.
While European officials have channels for expressing dissent in each other’s cases, GDPR provisions may need to be reevaluated over the next few years to enable wider scrutiny, rather than oversight by a single regulator alone, said Ulrich Kelber, the German federal data protection commissioner.
“What is really needed is European decisions, not just the intervention of other agencies,” he said. Privacy regulators may want to replicate elements of the system that the European antitrust authority uses to share investigations that affect more than one country, Mr. Kelber said. Alternatively, the European Data Protection Board, the umbrella grouping of all 27 privacy authorities in the EU, could play a role in such large, cross-border cases, he said.
Andrea Jelinek, president of the European Data Protection Board, said in an email that the dispute-resolution process is time- and resource-intensive, but still works well.
“It is important to note that the dispute resolution process is employed only in exceptional circumstances where [authorities] could not reach a consensus at the earlier level,” she said. She said the GDPR specifies that the process cannot take more than two months and that officials have so far met that time limit in the two dispute-resolution cases.
In the second case, the Irish regulator fined Twitter Inc. for failing to immediately disclose a 2019 data breach. The penalty was also imposed after other regulators raised objections.
The European Commission, the EU’s executive arm that drafted the GDPR law, has said it is too soon to draw conclusions about the level of fragmentation and will explore whether to propose some “targeted amendments” to the regulation.
Ireland’s data protection commissioner Helen Dixon circulated a draft decision in the WhatsApp case in December, and other regulators objected between January and March, according to a report by the European Data Protection Board. Ms Dixon’s office asked WhatsApp to respond to some of the objections in April, and then began a dispute-resolution process in June to resolve the conflict between officials. The process ended in late July and the decision was announced this month.
Eduardo Ustaran, co-head of the privacy and cybersecurity practice at law firm Hogan Lovells International LLP, said officials are managing to work through the impasse to reach compromise decisions, as shown in the WhatsApp case, but the difference in culture and mindset among regulators will remain. “It’s always going to be an issue when you have 27 regulators trying to operate as one in a location as diverse as Europe,” he said.
Write to Katherine Stupp at [email protected]
Copyright © 2021 Dow Jones & Company, Inc. All rights reserved.