Europe’s powerful data protection regulators are banding together to coordinate how they investigate and sanction misbehaving companies before a major overhaul of the bloc’s privacy law takes effect in May.
National watchdogs are about to get a lot more power under the strict new EU rules. And they will be forced to work together more as part of a restructured and muscled-up umbrella group.
The watchdog body insists that it’s ready for the change: a surge in new privacy concerns over the last few years has already forced its members to meet more frequently in person and make sure they applied EU data protection law in a similar way from country to country.
Isabelle Falque-Pierrotin, who has led the EU group since 2014, said on Wednesday (7 February) that “external pressure” made the watchdogs pay closer attention to what their counterparts do in other parts of the bloc.
“We changed our culture,” Falque-Pierrotin told reporters on Wednesday, referring to national authorities who previously “mostly focused on their domestic markets”.
She said that a slew of groundbreaking EU court rulings forced the group to act more quickly as a unified regulator, like in the 2014 right to be forgotten case, which required Google to stop listing search results if they violate Europeans’ privacy, and the 2015 decision knocking down the bloc’s safe harbour data sharing deal with the United States.
Both decisions put national watchdogs in the hot seat: they are in charge of handling consumers’ complaints if companies don’t follow the rules.
Last year, the watchdogs asked messaging app WhatsApp to stop sharing user data with its parent company Facebook while they assessed whether the sharing broke EU law. They also teamed up to investigate massive data breaches at Yahoo and Uber.
“Four years ago we were a group of experts,” Falque-Pierrotin said, adding that the group now has “quite an influential voice”.
The regulators currently investigate and sanction data breaches in their own countries, and can share information about probes with each other. But they will soon be required to coordinate even more on cases that affect more than one member state.
Companies will answer to only one national authority under the new EU law, instead of separately to regulators in every country where they do business. Regulators will need to consult each other before deciding how to police those companies that operate in multiple member states.
“We are going to enable the consistency mechanism to work. Because if there is one authority that is not in a capacity to take part in the consistency mechanism once facing a trans-border case, it means the whole system is stopped,” Falque-Pierrotin said.
Currently, the national authorities’ approach to regulating companies, and the level of their fines, can differ. That will change once the EU regulation goes into effect on 25 May.
Regulators will then have the power to slap firms with a chilling fine of up to €20 million, or 4% of their global turnover, if they break the rules, which include an obligation to inform authorities about data breaches within 72 hours.
Falque-Pierrotin, who doubles as the head of France’s data protection agency, stepped down on Wednesday. During a meeting in Brussels, the group elected Andrea Jelinek, the head of the Austrian data protection authority, to take her place. Jelinek defeated one challenger from Bulgaria.
The new chief privacy watchdog is relatively unknown outside Austria. She said on Wednesday that she will defend data protection and support Europeans in their “fight for their rights”.
Jelinek told EURACTIV.com that the group will have to become “even more united” before the sweeping new data protection law takes effect in three months.
“Even if a team of 28 is very big, it can work,” she said.
The group will hold another vote in May when it officially transforms into the closer-knit European data protection board, replacing the current, more porous watchdog body. Sources close to the group said they expect the May vote to be symbolic, and for Jelinek to stay in the role.
If she remains the board’s leader after May, much of Jelinek’s role will be in coordinating national watchdogs’ joint investigations and responses to cross-border violations of the new law. Privacy lawyers will look to her as the bloc’s new chief regulator, even though the regulation does not set up an office for a single, permanent watchdog to oversee pan-EU data cases.
“Europe is so diverse that that’s not a realistic way of operating. To bridge the gap, the EDPB [the new data protection board that Jelinek will chair] fulfills that crucial role,” said Eduardo Ustaran, who runs law firm Hogan Lovells’ privacy practice. Ustaran called the muscled-up data protection group “critically important” to the new regulation.