A Blog by Jonathan Low

 

May 4, 2015

Global Tech Companies Battle Individual European Nations' Data Protection Agencies

Tech companies, those avatars of multiplicity, argue for a centralized data protection agency. The Europeans, famous for a centralized bureaucracy, argue for an internet-like diversity of influences. Economic advantage respects no ideology. JL

Duncan Robinson and Murad Ahmed report in the Financial Times:

The scale of large internet companies, such as Facebook — which has nearly 300m active users in Europe — can dwarf the operations of data protection agencies originally designed to cope with the demands of, say, 4.6m Irish citizens.
Google, Facebook, Apple and now Twitter: the list of companies that submit to Ireland’s data protection regime is a long and growing one.
Twitter last week confirmed that any complaints about data protection from its non-US users will be dealt with by Ireland’s increasingly busy data protection agency.
But not everyone is happy. In Brussels and national capitals across the continent, critics have been grumbling that Dublin’s enforcement of European data protection rules is too weak.The fact that the Irish Data Protection Commission is housed in Canal House, a dingy looking building on Station Road in Portalington, an hour outside Dublin, is regularly brought up as an example of the limited resources given to data protection — much to the chagrin of Dara Murphy, Ireland’s data protection minister.
“I marvel at the fact that people feel that business can’t be conducted over a grocery shop,” he says.
The Irish say they follow the same rules as everyone else and that the criticism is based less on the basis of enforcement but on the fact that companies such as Twitter and LinkedIn opted for Dublin over Paris, Berlin or Amsterdam.
Mr Murphy believes the arrival of the US technology groups in Ireland has created both jobs and jealousy. “I think if they were all based in Paris, you would not be having the debate coming from France,” he says.
Ireland has also doubled funding for the IDPC to €3.65m. It will also soon open a swankier office in Dublin — while maintaining the office above a shop — and hire two dozen more staff, taking its headcount to around 50.
Even then, however, it will still lack the resources of its peers. Despite the fact that the IDPC oversees the regulation for 29 of the 30 biggest technology businesses in Europe, its budget is eight times smaller than the UK’s regulator.
Ireland also has a more low-key approach than other DPAs. There is regular communication between the IDPC and large US technology groups, with an emphasis on collaboration rather than confrontation. This suits the web giants that have made Ireland their European home over the past decade.
“If they were merely a ‘big stick’ regulator, frankly, we would be incentivised not to take things to them,” says Richard Allan, director of public policy for Facebook in Europe. “They provide advice and guidance, that means that we fix things so that they don’t have to bring out the big stick.“We’re not scared to go and see them because they will drag us into court the next day.”
For other regulators in Europe, however, this is precisely the problem.
Enforcers in Belgium, the Netherlands and Germany have all launched probes into Facebook’s operations in Europe, and similar moves are being considered in France and Italy. The Dutch DPA, meanwhile, threatened Google with a €15m penalty for privacy breaches.
This suggests that not all on the continent are happy with Ireland’s approach.
New rules on data protection within the EU are swiftly developing into a potential jurisdictional dogfight.
Proposals for a “one-stop shop” — where one data protection authority in a single country would have been responsible for all EU citizens using a particular company — have been watered down.
Both the parliament and member states had backed a supranational regulator with the ability to make binding decisions, settling disputes between data protection authorities in different countries. But countries such as Ireland and the UK have expressed concern that this system will be bureaucratic and slow.
New data protection rules are expected to be completed by the end of the year, and the new plan will see one data agency take the lead but others will be able to chip in if they are annoyed, with disputes settled by supranational body.
The scale of large internet companies, such as Facebook — which has nearly 300m active users in Europe — can dwarf the operations of data protection agencies originally designed to cope with the demands of, say, 4.6m Irish citizens.“We thought that having one authority exclusively competent for internet rights did not correspond to the way the internet works,” says Florence Raynal, head of the Department of European and International Affairs at CNIL, France’s data protection authority.
“Imagine there’s a security breach [at a company] and there are complaints across Europe, imagine the poor DPA which will be totally overwhelmed.”
Privacy advocates argue that the system is at fault, rather than one misbehaving member state. Blaming Ireland “misses the point”, says Jan Philipp Albrecht, a German Green MEP who follows privacy issues.
At the moment, governments have leeway in how EU rules on data protection are enforced, leading to big gaps in sanctions. “That makes the enforcement weak,” he says.
New rules on data protection — which could be finalised by the end of the year — would be binding on member states. “It is a good thing for Dublin,” says Mr Albrecht. “Those companies have no incentive to move away as it makes no difference [in terms of data protection legislation].”
But if stricter rules hurt Ireland, Mr Murphy says they hurt the rest of Europe too. “This presumption that [large internet companies] would land in the bigger states if not in Ireland . . . is flawed. We are competing with Singapore and India,” he says. “If we were less competitive, Europe would not benefit.”

0 comments:

Post a Comment