Finding the Right Path Forward for European Data Protection Regulation

When the European Commission introduced the EU General Data Protection Regulation (GDPR) in 2012, then-Vice President Viviane Reding described the reform as “a strong, clear and uniform legislative framework that will help unleash the potential of the Digital Single Market (DSM).” Central to this goal: a one-stop shop where “a company will have to comply with one law for the whole of the EU territory…(and) will only have to deal with one single data protection authority (DPA)” of the Member State in which the company has its main establishment.

But this vision is in danger.

There is a battle for power taking place that can be seen in the competing investigations against Facebook by a handful of DPAs, as well as in the latest text of the European Council’s GDPR proposal. For a company of our size and prominence, we expect scrutiny and to be held to the highest standards. Nevertheless, the regulatory actions we’ve recently experienced foreshadow the likely consequences if the one-stop shop is rejected or seriously watered down.

Years ago we recognized that Facebook needed a base to serve a rapidly growing community outside North America. In 2010 we chose to establish and vest control over EU users’ data in our international headquarters in Ireland. Although this was—at the time—a rare step for a U.S. tech company to establish in an EU member state for data protection purposes, it was precisely what Europe’s policy makers wanted so companies like Facebook did not seek to avoid data protection laws.

Our decision relied on established EU law and clear regulatory guidance issued by the Article 29 Working Party (WP29). The EU Data Protection Directive states that a DPA may only assert and enforce its local law in countries where the relevant data controller is established. The WP29 also agreed in a formal opinion in 2010 that only this lead regulator may enforce and investigate the Directive. In fact, the WP29 specifically focused on an example of a social media company headquartered in a third country with an establishment in the EU, finding that it would be subject to enforcement solely by the lead regulator in that jurisdiction:

(When a) social network platform has its headquarters in a third country and an establishment in a Member State. . . the applicable law will be, pursuant to Article 4(1)a (of the EU Data Protection Directive), the data protection law of the Member State where the company is established within the EU.

Under this framework, the Office of the Irish Data Protection Commissioner (IDPC) is responsible for enforcing the obligations of the EU Directive as implemented by Irish law, and it serves as lead regulator for companies that are established there, including Facebook.

For the last five years this model has benefited Facebook and the people who use our service, just as EU policymakers and regulators intended. We support the Directive's aim to provide European consumers with a consistent set of data protection laws across Europe, whether they live in Brussels, Berlin or Bordeaux. We've complied with the letter and spirit of the law. DPAs anywhere in Europe or the rest of the world can submit queries to us on behalf of people in their countries. They can also raise queries about our privacy practices via our lead regulator, the IDPC, which has acquired technical knowledge of our practices through two extensive and publicly available audits of Facebook’s business.

We continue to engage in rigorous dialogue with the IDPC, meeting often to provide product briefings and respond to detailed questions. We frequently modify products based on feedback and to ensure we comply with EU data protection law. For example, we built our “Download Your Information” tool, a data portability feature that lets people download things from Facebook like posts they’ve shared, messages, photos, friends list and data associated with logins to their account. People across Europe benefit from the heightened privacy protections we employ as a result of our engagement with the IDPC, and the vast majority of DPAs use this to the benefit of people across Europe.

But a handful of authorities have recently opened competing investigations into Facebook’s practices rather than liaise with and draw upon the expertise of the IDPC and its audits. These efforts are contrary to both the Directive and the Article 29 Working Party’s own official guidance issued in 2010, and are squarely at odds with any conceivable version of the one-stop shop expected to be agreed later this year.

Consider this for a moment: What if DPAs’ efforts are successful?

Digital businesses seeking to benefit from a DSM would instead have to face up to 28 national variants of data protection law applying to their products and services, along with national DPAs' conflicting opinions and requirements. As a result, they would have to redesign or reconsider global services for each market: precisely what the DSM seeks to avoid. For companies of our size and scale, we can manage this complexity, even if it means delaying or not launching services in particular markets. But for smaller businesses and startups, it represents a major barrier to even getting off the ground: a huge setback for Europe’s digital ambitions. Even mid-size, growing European tech companies, many of whom have also established in a single member state for data protection purposes, would see a significant impact on their ability to serve consumers throughout the EU.

This same power struggle infects the current debate about the GDPR and the one-stop shop. The most recent draft from the Council departs from the vision originally laid out by Madame Reding upon which so many of the benefits of the GDPR hinge. Instead, the Council draft threatens to create prolonged tug-of-wars between DPAs that will ultimately harm consumers’ access to services, create uncertainty and complexity for businesses and trigger unnecessary costs for businesses and regulators alike.

Our recent experience paints a grim portrait of the future. We believe the vision set out by the Commission in 2012 envisaged a better path forward that protects European citizens and promotes innovative services that hold the keys to economic progress across the continent. It’s now up to policy makers across the EU to resist short-sighted power struggles and make the right decisions for the people and businesses they serve.

Written By

Stephen Deadman

