How Europe’s new Web privacy complaint rules will hit Silicon Valley
European member states have given preliminary approval to the idea of a “one-stop-shop” mechanism for data protection cases in the EU, which would theoretically simplify citizens’ access to regulatory help when they feel their personal data is being mishandled.
If the mechanism as described on Friday becomes law, it would let Europeans complain to data protection authorities in their own countries about how the likes of Google and Facebook treat their data, rather than having to approach regulators in the country where those firms have their European headquarters. Such companies generally set up shop in Ireland, which provides generous tax breaks and has a fairly small data protection authority.
In a package of new rules known as the General Data Protection Regulation, the European Commission originally proposed that, in cases involving more than one EU state, the lead should be taken by the data protection authority in the country where the company’s headquarters are situated. If different states’ regulators disagreed, a new European Data Protection Board would give advice on how to settle the dispute.
However, the European Parliament and now the Council of the European Union, representing member states, want to give more powers to this new board, including the ability to make binding decisions. In the theoretical example of Germany and Ireland, the Irish regulators no longer would automatically have the biggest say, while German regulators – who generally take a harder line than do their Irish counterparts – would be able to more effectively push their views in cases involving companies like Google (GOOG) and Facebook (FB).
This element of the regulation isn’t the only part Silicon Valley giants need to worry about. Unless the Council waters it down, the package also will give citizens the right to erasure of their data, beef up the consent requirements for taking and processing data and heavily step up the levels of fines that can be imposed on companies for flouting the rules.
Although the Council’s stance on this element of the incoming data protection regulation won’t become official until member states agree on the whole thing – an event that will trigger negotiations with the European Parliament – it does represent a major step forward, as the nature of the one-stop-shop mechanism has been the major sticking point in reaching overall agreement.
That said, not everyone is happy about the compromise. Digital privacy campaigners like EDRi and Access, as well as certain Internet companies, have expressed a preference for the Commission’s original proposal. While the new approach would make it easier for citizens to complain without having to repeatedly fly to Ireland, for example – as in the case of serial Facebook complainant Max Schrems – they say it also would slow down the complaint process and over-complicate matters for the Internet companies.
After all, one of the main drivers for the new regulation is the desire to let the companies deal with one unified set of rules across Europe, rather than with varying legal interpretations from 28 different member states. The new European Data Protection Board would be composed of regulators from all those countries.
Both sides have a point. On the one hand, if the lead in cross-border cases is automatically given to the country where the company’s headquarters are located, that may encourage companies to establish their European bases in countries with small regulators (although to be fair, the Irish privacy regulator is beginning to get stepped-up government funding). On the other, it really would be much simpler to have a true one-stop-shop in that sense, as originally proposed by the Commission.
According to Steven Peers, professor of EU law and human rights law at the University of Essex, the original proposal was “certainly simpler.” However, as he pointed out, the Council’s legal advisors had flagged up the fact that it was too inconvenient – perhaps illegally so – to expect people to make and follow up complaints in another country.
As for how complicated the Parliament and Council’s ideas would be in practice, Peers said the formation of the new data protection board – essentially an evolution of the current Article 29 Working Party of EU privacy regulators, which only has an advisory role – could help get the regulators on the same page, lessening the potential for lengthy disputes.
“I’m assuming that because they’re coming from a similar background and will want to make it work, that [the dispute process] won’t in practice often be triggered as much as it could possibly be,” Peers said. “There [may be] a tendency to say ‘We’ll compromise here’ unless there’s a big issue at stake.”
If the Council’s proposals are formalized in the summer and survive negotiations with the European Parliament, there will be a two-year waiting period before the new system takes effect. But if and when it does, as seems likely at this point, the likes of Facebook and Google may find themselves facing more complaints by Europeans angered at the treatment of their data.
David Meyer (@superglaze) is a technology writer based in Berlin, covering issues ranging from policy and privacy to emerging technologies and markets.