Latest Trending
Last Updated, Sep 13, 2021, 9:30 AM
Discontent Simmers Over How to Police EU Privacy Rules


The European Union’s recent $270 million fine against WhatsApp was held up for months by disagreements among national authorities, ratcheting up tensions over how to enforce the bloc’s privacy rules.

The varied approaches to policing the EU’s strict General Data Protection Regulation are fueling calls to redesign how national authorities from the 27 EU countries can intervene in each others’ cases and to explore creating a broader EU-wide regulatory system.

WhatsApp, owned by

Facebook Inc.,

was fined for failing to tell EU residents enough about what it does with their data, including sharing their information with other Facebook units. The fine was made public in early September by Ireland’s Data Protection Commission, which had jurisdiction over the case because WhatsApp’s and Facebook’s European headquarters is in Ireland.

Eight other regulators said the Irish authority’s proposed fine of up to 50 million euros, equivalent to roughly $59 million, was too low and disagreed with the Irish regulator’s analysis of the company’s data practices.

The regulators used a GDPR resolution process to settle their disagreements, and the Irish authority said it followed the other regulators’ recommendations, including raising the fine. But regulators and privacy experts say the process of sharing enforcement among national authorities has led to bottlenecks.

“We always have the same issue. If everything relies on the lead data protection authority taking the initial step then we have the big cases taking a lot of time,” said David Martin Ruiz, senior legal officer at the European Consumer Organisation, a Brussels-based advocacy group.

If authorities from other European countries cooperate early in investigations, instead of waiting for the lead regulator’s verdict before they can intervene, decisions might be issued faster, Mr. Martin Ruiz said.

Discontent among European privacy regulators has been brewing since the GDPR took effect in 2018, with some authorities publicly criticizing their counterparts for taking too long to investigate in high-profile cases. In May, the regional authority in Hamburg, Germany, used an emergency measure to issue a three-month ban on Facebook’s collection of data from WhatsApp users in the EU, sidestepping a provision that prevents regulators from policing companies outside their jurisdiction.

Pasquale Stanzione



Photo:

Roberto Monaldo/Zuma Press

Legal procedures determining that a regulator is responsible for investigating a company based in its jurisdiction “are often not timely enough” to keep up with technology, said Pasquale Stanzione, the head of Italy’s privacy authority, and one of the eight regulators who opposed the Irish draft decision on WhatsApp. The others were authorities representing France, Hungary, the Netherlands, Portugal and Poland; the federal German regulator; and a regional German regulator from the state of Baden-Württemberg.

A spokeswoman for WhatsApp said the company will appeal the decision.

While European authorities have channels to voice disagreement with each other’s cases, there might still be a need to re-evaluate GDPR provisions in the next few years and enable broader investigations that aren’t overseen by one regulator alone, said Ulrich Kelber, the German federal data protection commissioner.

“There’s really a need for European decisions and not just the interference of other agencies,” he said. Privacy regulators might want to replicate elements of the system that European antitrust authorities use to share investigations if they affect more than one country, Mr. Kelber said. Alternatively, the European Data Protection Board, the umbrella group of all 27 EU privacy authorities, could have a role in such large, cross-border cases, he added.

Andrea Jelinek,

chair of the European Data Protection Board, said in an email that the dispute resolution process is time- and resource-intensive, but still works well.

“It is important to bear in mind that the dispute resolution process is only employed in the exceptional circumstance where the [authorities] could not reach consensus at an earlier stage,” she said. The GDPR specifies that the process can take no longer than two months and authorities met that deadline in the two dispute-resolution cases so far, she added.

The second case involved the Irish regulator’s fine against

Twitter Inc.

for failing to quickly disclose a 2019 data breach. That fine was also raised after other regulators voiced objections.

The European Commission, the EU executive arm that drafted the GDPR legislation, has said it is too soon to draw conclusions about the level of fragmentation and it will explore whether to propose some “targeted amendments” to the regulation.

Helen Dixon



Photo:

Simon Dawson/Bloomberg News

Helen Dixon,

Ireland’s data protection commissioner, circulated a draft decision in the WhatsApp case in December, and other regulators raised objections between January and March, according to a report from the European Data Protection Board. Ms. Dixon’s office asked WhatsApp to respond to some objections in April, and then triggered the dispute-resolution process in June to resolve the conflicts between authorities. That process finished in late July and the decision was announced this month.

Authorities are managing to work through deadlocks to reach compromise decisions, as the WhatsApp case showed, but differences in culture and mindsets between regulators will likely remain, said

Eduardo Ustaran,

co-head of the privacy and cybersecurity practice at law firm Hogan Lovells International LLP. “This is always going to be an issue when you have 27 regulators trying to operate as one in a place that is as diverse as Europe,” he said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

24World Media does not take any responsibility of the information you see on this page. The content this page contains is from independent third-party content provider. If you have any concerns regarding the content, please free to write us here: contact@24worldmedia.com

Latest Post

Common Mistakes When Using Athletic Field Tarps

Last Updated,Jun 5, 2024

High-Performance Diesel Truck Upgrades You Should Consider

Last Updated,May 14, 2024

Warehouse Optimization Tips To Improve Performance

Last Updated,May 6, 2024

Fire Hazards in Daily Life: The Most Common Ignition Sources

Last Updated,Apr 30, 2024

Yellowstone’s Wolves: A Debate Over Their Role in the Park’s Ecosystem

Last Updated,Apr 23, 2024

Earth Day 2024: A Look at 3 Places Adapting Quickly to Fight Climate Change

Last Updated,Apr 22, 2024

Millions of Girls in Africa Will Miss HPV Shots After Merck Production Problem

Last Updated,Apr 18, 2024

This Lava Tube in Saudi Arabia Has Been a Human Refuge for 7,000 Years

Last Updated,Apr 17, 2024

Four Wild Ways to Save the Koala (That Just Might Work)

Last Updated,Apr 15, 2024

National Academy Asks Court to Strip Sackler Name From Endowment

Last Updated,Apr 12, 2024

Ways Industrial Copper Helps Energy Production

Last Updated,Apr 11, 2024

The Ins and Out of Industrial Conveyor Belts

Last Updated,Apr 10, 2024