EU lawmakers should create a new, centralised data protection authority to oversee investigations of privacy breaches that affect more than one member state in the bloc, Giovanni Buttarelli, the EU’s top privacy watchdog, said in an interview.
Giovanni Buttarelli is the European Data Protection Supervisor. He spoke to EURACTIV’s Catherine Stupp.
National watchdogs policing data protection, consumer rules and competition often confront companies with similar complaints, and a central authority should do away with that fragmentation, Buttarelli said. The change could be a long-term move that would require new EU privacy legislation and more power for a single regulator to investigate and sanction companies.
Buttarelli also said he will publish an opinion next year on how fake news affects data protection.
[This interview has been shortened.]
What should a single EU data protection regulator do and why is a new centralised office needed for that?
To speak about a single digital regulator doesn’t mean that we would not trust the current legal framework. We are working by thinking in two different perspectives, about the present and the long-term future. We see an increasing interplay, and the digital clearinghouse exercise [a series of meetings that Giovanni’s office organises between national authorities in charge of data protection, consumer rights and competition] clearly demonstrates, including its last exercise, the need for more convergence, more synchronisation. It doesn’t appear sustainable in the long-term that competent authorities in different areas continue to act as regulators by fragmenting their actions at EU and national level and within different sectors. The answer will be increasingly global. So building on what we can achieve today with the GDPR [EU data protection regulation set to go into effect next year], in thinking of what different players are doing today, a digital single regulator in the long-term, not before ten years from now, may improve European leadership in terms of values and enforcement. This has to be designed, carefully considered and digested by legislators. And it will take time. Because it means gradually approaching an entire different system. This is not a solution for tomorrow morning.
To take an example from Wednesday (29 November), seven data protection authorities from EU countries said they will coordinate their investigations into Uber’s data breach. When the EU data protection regulation comes into effect next year, one country’s authority will be able to investigate in a case like Uber’s that affects multiple member states. What would be the advantage of a single European regulator’s more centralised approach to cases that affect multiple countries?
When you see Whatsapp and Facebook’s issues, there are national and EU competent authorities dealing with the same issues from different angles. Both Facebook and Whatsapp were approached by different regulators.
And in a particular case [a 2013 privacy probe of WhatsApp], investigations by the Canadian DPA and the Dutch DPA were concluded and the day after, the Italian DPA came with another investigation on additional issues. The day before, we had a press release to say, “Okay, case closed”. The day after, we had an entirely different message. We have to reassure the public that in dealing with such strategic issues, there has to be a global response. For the time being we have to increasingly use existing and future provisions on bilateral and multilateral cooperation, joint operations. I welcome establishing memoranda of understanding between certain DPAs to coordinate their options.
Are you actively pushing for a single data protection regulator to be appointed and for his or her office to become, for example, a formal EU agency?
Different options are available. A first step would be to have a higher level EDPB [the European data protection board, a restructured and beefed up EU privacy office that will be created next year when the privacy regulation comes into effect], where the balance in between the proximity of data subjects and the EU vision may be performed in a different way. Existing rules on the consistency mechanisms, one stop shop mechanism, are not so bad. But they may only work if we act proactively in an endeavor to reach consensus. If we start having negative or positive conflicts of competences among DPAs, it would be a time-consuming activity and the signal outside the EU would not be strong. At least for cross-border operations, we have to administer presently in the best way, but at the same time prepare for the future. Things evolve in a way that is unthinkable and unpredictable. We should not believe that the GDPR, which is likely to stay for over two decades, will be forever. The future has to be prepared and this is why I’ve been appointed to anticipate the challenges and to provide the legislator with relevant input in time to start a debate. It doesn’t mean undermining the present, but it means we are deeply committed to a future-oriented approach.
That would require more big legal changes.
Of course, a lot of legal changes. This is why you may have pushback, resistance or scepticism. But all in all, I think this will be the result, it’s unavoidable. We will have an EU body such as the EDPS competent for the supervision on centralised systems. And then national authorities competent for the national sections. But the cooperation, the forum where we will coordinate our actions and take, where possible, unified decisions has to be harmonised and synchronised. There has to be a really urgent need to start with this exercise. It means that legislators see the need to make existing enforcement more effective in practice. The reality that the fragmentation of consumer protection, antitrust, privacy and data protection actions in different fora, according to different rules, to deal with the same phenomena, is therefore not a perspective for the long-term.
You said you will publish an opinion on fake news next year. What does fake news have to do with data protection?
We will highlight to what extent data protection is at stake. Fake news doesn’t necessarily mean processing of personal data, although the broad notion of personal data can be used. The UK ICO [British data protection authority] started an investigation of micro-targeting and profiling of potential voters to demonstrate that there is at least one important area where data protection is relevant. Second, a lot of fake news is spread via social networks. Here, together with colleagues in the Article 29 working party [the group of national data protection watchdogs from EU countries], we adopted documents to focus on controller accountability and highlight to what extent the provider of a social network is responsible for what. The single user may be considered a core controller or a separate controller. The identification of the responsibility cannot depart from data protection rules. Of course we are not directly competent for certain considerations, for instance relating to the democracy approach and the impact on political campaigns. But all in all, these phenomena have to be considered as the background.
The opinion will be a contribution from the data protection point of view. It will also analyse the results we achieved by using different existing systems, including the German one [Germany’s new law against hate speech on social media], the [European Commission’s] code of conduct and the recent updates. We will analyse all existing answers to this problem and will try to give some suggestions on the limited view on data protection by considering the big picture.