EU regulators have forced tech giants to comply with the bloc’s strict data protection rules. But when Isabelle Falque-Pierrotin took over as top EU privacy watchdog in 2014, she said the mostly American companies were ignorant about Europe’s strict standards and thought “the world is uniform”.
Falque-Pierrotin is the outgoing chair of the EU umbrella group of national data protection regulators. She began leading the Article 29 working party group in 2014 and stepped down on Wednesday (7 February). She will remain France’s top data protection authority.
She told EURACTIV.com in an interview that Facebook and other big tech companies are “very good at marketing” their privacy features, but that won’t convince regulators. A tough EU new data protection regulation that is set to go into effect in May will bring on “a new era”, she said.
Falque-Pierrotin spoke to EURACTIV after stepping down from her EU role. The group of regulators elected Austrian data protection authority Andrea Jelinek to be her successor.
You said that the Article 29 working party – the group representing national data protection authorities in Europe – has over the last few years become more unified in how they police privacy breaches in each member state. Now that the EU data protection regulation is about to go into effect, do you see the group taking on a role that is more like a pan-EU privacy regulator?
I think the GDPR [data protection regulation] is a huge step because there will be much more integration between the European authorities than there is now. We have started this learning curve to really be network authorities. With the GDPR, we are becoming network authorities, part of an operational network able to co-decide with 28 national authorities. It’s a new era. We have prepared the way with the working party 29, but there is still some progress to make.
What still needs to change for the European data protection board to enforce the privacy rules in the same way in every EU country? [The board will replace the Article 29 working party in May.]
It has to show it’s in a capacity to produce decisions. That will be the test.
There are differences today in how Europe’s national authorities punish companies that break data protection rules. What do the new chair and the entire group of regulators need to do to make more united decisions that apply across the EU?
On various subjects we need to work together more closely. When we speak of all the enforcement action, the enforcement action will be a true test. We have now a very high level of power for enforcement and there is this possibility to co-decide with a binding decision of the European data protection board. We need to show that it’s going to work.
In your time as chair of the working party, you’ve overseen some very high-profile cases and cracked down on Google, Facebook, Yahoo and Uber. Do you think there needs to be a more aggressive approach to these tech giants because they are processing an increasing amount of their users’ personal data?
I’m not in favour of aggression. I’m in favour of respect and what we’ve done in the working party 29 is make sure that these actors, when they operate on European soil, are respecting European law. This is the least we can ask of them.
I think now, since 2014, they have identified Europe, whereas before they didn’t even know there was a specific approach in Europe as regards data. They were operating in a pure marketing and business manner and the world was uniform.
I think now they have identified that in Europe, data was not only a commodity, that behind data there were people and these people were expecting guarantees and protection of their data. We, I think through our pressure, have seen that the practices of these big actors have gradually evolved. So now we’ll see what’s going on with the GDPR, how they want to comply.
Sheryl Sandberg was in Brussels two weeks ago and said Facebook will start a new ‘privacy centre’ for users, and will also comply with the GDPR. This is coming from the company that toppled the safe harbour agreement because it was sending Europeans’ data to the United States where it was no longer secure, and you’ve had other privacy complaints against Facebook. Do you believe Facebook’s pro-privacy message or is this publicity spin?
I think they’re very good at marketing. All of them are very good at marketing but that’s not the message that will convince authorities.
As authorities, we have to make sure they’re respecting the new rights, for instance the portability right. This is something that’s really important. It means that each European citizen will have the possibility to come to Facebook, to come to Google, and ask for his or her data in a readable and interoperable format. How will they answer to that?
I don’t have any preset conclusion and we will see what’s going on now that we have the European data protection board.
Do you have any prediction about what will happen at first when the GDPR takes effect? Will national authorities struggle to keep up with all the complaints they get, given their limited resources? Or are most companies going to comply because they’re afraid they might otherwise be fined up to 4% of their turnover?
I think it pushes the regulators not only to make fines. We will decide a limited number of fines because they are difficult to set, they need to be legally very robust. For instance, we have in France almost 15 fines per year. It means the national authorities have to invest also in regulatory dialogue with the actors to provide them with a compliance tool that is very flexible, deciding the provision of the regulation in a more operational way.
We’ve started this sectoral conversation with the actors in France and I believe in most of the countries we’re going to have this type of demand from stakeholders. Because of course they want to avoid fines, it’s normal. It’s our job as regulators to help them comply.
Our job is not to have fines at any price.
Only two countries, Germany and Austria, were ‘ready’ to implement the GDPR as of two weeks ago. Are you afraid the other 26 EU member states won’t have their national versions of the law passed in time for the May deadline?
I’m not afraid, but I guess there are many laws in the pipeline. In France we have a law that is in the pipeline and will be ready by May. Let’s wait until May comes.
You said today that you still haven’t seen the Commission’s new text on data flows in trade agreements. There are only 12 countries the EU has adequacy agreements with, specifically to allow for digital trade. Should this remain so exclusive, or should the Commission be trying to sign these deals with even more countries if they meet the data protection criteria?
I think it’s a very demanding standard because you need to survey all the laws of the country and we have other transfers tools that are much more flexible, like BCRs [a company’s ‘binding corporate rules’ to guarantee privacy], contractual clauses. And we just issued yesterday new guidelines on BCRs and adequacy derogation.
I believe we should not rely just on one tool for international data transfers, like adequacy agreements. We should play on various tools.
The Commission is placing a lot of emphasis on adequacy agreements as the legal grounding for commercial data to travel between countries.
The Commission is taking a risk because if the adequacy mechanism is brought to the courts, it’s not good for them either.
So companies should also rely on their own binding corporate rules even if they transfer data to a country that has an adequacy agreement with the EU.
I think strategically we need an adequacy standard, obviously it’s under discussion because we have the concerns of the working party 29. There are at least two cases in front of EU courts. I believe this standard needs to be fine-tuned in order to be chosen as the ultimate tool for international transfers. [The European Court of Justice dismissed one challenge to the EU-US privacy shield agreement for data transfers in December. Another case brought by a French digital rights group is still pending.]
Is your successor’s job going to be even more difficult than yours?
I think she’s going to face a very intensive and difficult job. She’s totally capable of facing this.