The EU’s General Data Protection Regulation (GDPR) takes effect on May 25th, 2018. It is meant to give consumers more control over their personal information and provide safeguards against data breaches. However, it has been met with a lot of resistance from some companies who say the rules are too strict and will make their business unprofitable.
The GDPR is a set of European Union privacy rules that are designed to give people more control over their personal data. There has been discontent about how these rules will be enforced, and many people are wondering if the EU should have stricter privacy laws.
Disagreements among national authorities delayed the European Union’s recent $270 million punishment against WhatsApp for months, escalating tensions over how to implement the bloc’s privacy laws.
The disparate methods to enforcing the EU’s stringent General Data Protection Regulation are driving demands to rethink how national authorities from the EU’s 27 member states may intervene in each other’s cases and to consider establishing a more comprehensive EU-wide regulatory framework.
WhatsApp, which is owned by Facebook Inc., was penalized for not disclosing enough information to EU citizens about what it does with personal data, including sharing it with other Facebook entities. The punishment was made public by Ireland’s Data Protection Commission in early September, which has jurisdiction over the matter since WhatsApp and Facebook’s European headquarters are both in Ireland.
Eight other authorities claimed the proposed punishment of up to 50 million euros ($59 million) suggested by the Irish authority was too low and disagreed with the Irish regulator’s appraisal of the company’s data practices.
To resolve their differences, the authorities utilized a GDPR resolution procedure, and the Irish authority stated it accepted the other regulators’ suggestions, including increasing the punishment. Regulators and privacy experts, on the other hand, claim that the practice of sharing enforcement across national agencies has resulted in bottlenecks.
“We have the same problem every time. If everything depends on the lead data protection authority taking the first move, large cases will take a long time,” said David Martin Ruiz, senior legal officer of the European Consumer Organisation in Brussels.
Mr. Martin Ruiz believes that if authorities from other European nations collaborate early in investigations rather than waiting for the lead regulator’s conclusion before intervening, judgments will be made more quickly.
Since the GDPR went into force in 2018, there has been growing discontent among European privacy regulators, with some agencies openly criticizing their colleagues for taking too long to examine high-profile cases. In May, the Hamburg regional authority used an emergency measure to impose a three-month ban on Facebook collecting data from WhatsApp users in the EU, circumventing a clause that prohibits regulators from regulating businesses beyond their jurisdiction.
Stanzione, Pasquale
Roberto Monaldo/Zuma Press/Zuma Press/Zuma Press/Zuma Press/Zuma Press/Z
According to Pasquale Stanzione, the head of Italy’s privacy authority and one of the eight regulators who opposed the Irish draft decision on WhatsApp, legal procedures determining that a regulator is responsible for investigating a company based in its jurisdiction “are often not timely enough” to keep up with technology. Other participants included officials from France, Hungary, the Netherlands, Portugal, and Poland, as well as the federal German regulator and a regional German regulator from Baden-Württemberg.
WhatsApp will appeal the judgment, according to a spokesperson.
While European authorities have channels to express dissatisfaction with each other’s cases, Ulrich Kelber, Germany’s federal data protection commissioner, believes that GDPR provisions will need to be re-evaluated in the coming years to allow for broader investigations that aren’t overseen by a single regulator.
He said, “There is a genuine need for European choices, not simply the meddling of other agencies.” Mr. Kelber suggested that privacy regulators duplicate aspects of the European antitrust authorities’ approach for sharing probes that impact several countries. In such big, cross-border cases, the European Data Protection Board, an umbrella body comprising the 27 EU privacy agencies, may play a role, he said.
The European Data Protection Board’s head, Andrea Jelinek, said in an email that the dispute resolution procedure is time and resource demanding, but that it still works effectively.
“It is important to remember that the dispute resolution procedure is only used in rare circumstances when the [authorities] were unable to achieve an earlier agreement,” she added. The GDPR stipulates that the procedure should not take more than two months, and authorities have so far fulfilled that time in both dispute resolution instances, she said.
The second instance included a punishment imposed by the Irish regulator on Twitter Inc. for failing to promptly report a data breach in 2019. Other regulators objected to the fine, so it was increased.
The European Commission, which developed the GDPR law, has said that data is too early to make judgments about the degree of fragmentation, and that it would investigate whether to propose any “targeted changes” to the rule.
Dixon, Helen
courtesy of Bloomberg News/Simon Dawson
According to a report from the European Data Protection Board, Helen Dixon, Ireland’s data protection commissioner, published a draft judgment in the WhatsApp case in December, and other regulators voiced concerns between January and March. In April, Ms. Dixon’s office requested that WhatsApp reply to certain concerns, and in June, the dispute-resolution procedure was started to settle the disputes between authorities. The procedure was completed in late July, and the result was made public this month.
As the WhatsApp case demonstrated, authorities are able to work through deadlocks to reach compromise decisions, but cultural and mindset differences between regulators will likely persist, according to Eduardo Ustaran, co-head of the privacy and cybersecurity practice at law firm Hogan Lovells International LLP. “When you have 27 regulators attempting to work as one in a country as varied as Europe, this is always going to be an issue,” he added.
Catherine Stupp can be reached at [email protected].
Dow Jones & Company, Inc. All Rights Reserved. Copyright 2023 Dow Jones & Company, Inc. 87990cbe856818d5eddac44c7b1cdeb8