Several members of the Alston & Bird Privacy and Security Group attended the IAPP Europe Data Protection Congress held in Brussels this past week. Much of the discussion at the Congress centered on the proposed new General Data Protection Regulation (the “Regulation”), which, if enacted, would replace the European Union Privacy Directive (Directive 95/46/EC) in effect since 1995.
The Regulation has proved controversial. Privacy advocates contend existing law needs updating to address the fundamental transformation of information technology since the mid-1990s. But others have expressed concern with the practicality of some of the Regulation’s proposed new standards, such as the right of data portability and the right to be forgotten. More recently, reports have noted certain reservations held by the European Council concerning the One-Stop Shop.[1]
The leaders of the data protection authorities (“DPAs”) in four member states – Belgium, Ireland, Poland and Slovenia – shared their views on the Regulation during a panel discussion on the first day of the Congress. The DPAs generally expressed support for the Regulation (with the exception of the Chairman of the Belgian Data Protection Authority as discussed at the end of this piece), but noted fairly significant concerns. A number of comments centered on the workability of the One-Stop Shop. For example, Billy Hawkes, Data Protection Commissioner of Ireland, predicted that his office would find itself involved in complaints brought by citizens of other member states against technology companies with their main EU establishments located in Ireland, such as Facebook and Google, that enjoy broad support among Irish citizens.[2] The DPAs also suggested it may be necessary for the various DPA offices, which may already be under-staffed, to share personnel for coordination purposes while also noting the language difficulties to be overcome.
Other topics included data protection seals, the role of the proposed European Data Protection Board, and proposed new data breach standards. The DPA heads expressed a common concern in particular about over-notification driven in part by the 72-hour notice requirement in the Parliamentary proposal.
The panel concluded with a discussion of the landmark monetary penalties set out in the Regulation, capped in the proposal approved by Parliament at the greater of 5% of worldwide annual turnover or €100 million. The Slovenian Information Commissioner predicted a reluctance on the part of Slovenian courts to uphold awards her office might enter due to the outsized scale of the proposed fines. The Belgian DPA Chair characterized the fines as a “weapon of mass destruction.”
The Chairman of the Belgian DPA, Willem Debeuckelaere, was singular in his criticism of the Regulation. Chairman Debeuckelaere stated that his office is “not ready” for the new standards and requirements. He described the One-Stop Shop as “crazy stuff” and expressed relief that there are “a lot of problems” with the drafts of the Regulation, as those problems will slow down a process that is otherwise aimed toward formal approval and enactment into law.
For observations recorded by the Alston & Bird team in real time during the Congress, follow us on Twitter at @alstonprivacy.
Written by David Keating, Partner, Privacy & Data Security | Alston & Bird LLP
[1] The One-Stop Shop is a mechanism proposed both to address the ongoing concern of multinational corporations with having to coordinate with DPAs in 28 EU member states, and to resolve uncertainties concerning the ability of a data subject to bring a claim in the data subject’s country against a controller established in a different, and possibly geographically distant, member state.
[2] This is an interesting reflection of the competing roles of a DPA under the European system as a representative of the citizens of the DPA’s member state, and as a privacy enforcement authority envisioned under the One-Stop Shop as a “European DPA” acting in the interest of all EU citizens.