When the European Commission introduced the EU General Data Protection Regulation (GDPR) in 2012, then-Vice President Viviane Reding described the reform as “a strong, clear and uniform legislative framework that will help unleash the potential of the Digital Single Market (DSM).” Central to this goal: a one-stop shop where “a company will have to comply with one law for the whole of the EU territory… (and) will only have to deal with one single data protection authority (DPA)” of the Member State in which the company has its main establishment.
But this vision is in danger.
There is a battle for power taking place that can be seen in the competing investigations against Facebook by a handful of DPAs, as well as in the latest text of the European Council’s GDPR proposal. For a company of our size and prominence, we expect scrutiny and to be held to the highest standards. Nevertheless, the regulatory actions we’ve recently experienced foreshadow the likely consequences if the one-stop shop is rejected or seriously watered down.
Years ago we recognized that Facebook needed a base to serve a rapidly growing community outside North America. In 2010 we chose to establish and vest control over EU users’ data in our international headquarters in Ireland. Although this was—at the time—a rare step for a U.S. tech company to establish in an EU member state for data protection purposes, it was precisely what Europe’s policy makers wanted so companies like Facebook did not seek to avoid data protection laws.
Our decision relied on established EU law and clear regulatory guidance issued by the Article 29 Working Party (WP29). The EU Data Protection Directive states that a DPA may only assert and enforce its local law in countries where the relevant data controller is established. The WP29 also agreed in a formal opinion in 2010 that only this lead regulator may enforce and investigate the Directive. In fact, the WP29 specifically focused on an example of a social media company headquartered in a third country with an establishment in the EU, finding that it would be subject to enforcement solely by the lead regulator in that jurisdiction:
Under this framework, the Office of the Irish Data Protection Commissioner (IDPC) is responsible for enforcing the obligations of the EU Directive as implemented by Irish law, and it serves as lead regulator for companies that are established there, including Facebook.
For the last five years this model has benefited Facebook and the people who use our service, just as EU policymakers and regulators intended. We support the Directive's aim to provide European consumers with a consistent set of data protection laws across Europe, whether they live in Brussels, Berlin or Bordeaux. We've complied with the letter and spirit of the law. DPAs anywhere in Europe or the rest of the world can submit queries to us on behalf of people in their countries. They can also raise queries about our privacy practices via our lead regulator, the IDPC, which has acquired technical knowledge of our practices through two extensive and publicly available audits of Facebook’s business.
We continue to engage in rigorous dialogue with the IDPC, meeting often to provide product briefings and respond to detailed questions. We frequently modify products based on feedback and to ensure we comply with EU data protection law. For example, we built our “Download Your Information” tool, a data portability feature that lets people download things from Facebook like posts they’ve shared, messages, photos, friends list and data associated with logins to their account. People across Europe benefit from the heightened privacy protections we employ as a result of our engagement with the IDPC, and the vast majority of DPAs use this to the benefit of people across Europe.
But a handful of authorities have recently opened competing investigations into Facebook’s practices rather than liaise with and draw upon the expertise of the IDPC and its audits. These efforts are contrary to both the Directive and the Article 29 Working Party’s own official guidance issued in 2010, and are squarely at odds with any conceivable version of the one-stop shop expected to be agreed later this year.
Consider this for a moment: What if DPAs’ efforts are successful?
Digital businesses seeking to benefit from a DSM would instead have to face up to 28 national variants of data protection law applying to their products and services, along with national DPAs' conflicting opinions and requirements. As a result, they would have to redesign or reconsider global services for each market: precisely what the DSM seeks to avoid. For companies of our size and scale, we can manage this complexity, even if it means delaying or not launching services in particular markets. But for smaller businesses and startups, it represents a major barrier to even getting off the ground: a huge setback for Europe’s digital ambitions. Even mid-size, growing European tech companies, many of whom have also established in a single member state for data protection purposes, would see a significant impact on their ability to serve consumers throughout the EU.
This same power struggle infects the current debate about the GDPR and the one-stop shop. The most recent draft from the Council departs from the vision originally laid out by Madame Reding upon which so many of the benefits of the GDPR hinge. Instead, the Council draft threatens to create prolonged tugs-of-war between DPAs that will ultimately harm consumers’ access to services, create uncertainty and complexity for businesses and trigger unnecessary costs for businesses and regulators alike.
Our recent experience paints a grim portrait of the future. We believe the vision set out by the Commission in 2012 envisaged a better path forward that protects European citizens and promotes innovative services that hold the keys to economic progress across the continent. It’s now up to policy makers across the EU to resist short-sighted power struggles and make the right decisions for the people and businesses they serve.