U.S. technology giants from Google Inc. to Facebook Inc. are too big to be left in the hands of individual national privacy watchdogs, according to the European Union’s top data protection official.
It would be bad if proposed EU rules mean that “two or three countries take the lead on dealing with the big players and the others watch the trains go by,” Isabelle Falque-Pierrotin, who became head of a panel of EU privacy regulators in February, said in an interview. “There has to be more substantial consultation between the authorities on topics such as Google or Facebook.”
With U.S. companies such as Facebook, Apple Inc., and LinkedIn Corp. having Ireland as their main European base for data-protection purposes, policing privacy violations already resembles a battle between David and Goliath for thinly staffed agencies in some of the EU’s smallest nations.
As negotiations between governments and European Parliament lawmakers drag on over how to revamp privacy rules, there are splits on whether regulators in countries where companies have their European headquarters should be in charge of complaints or whether privacy watchdogs in other nations could also deal with them or probe those companies.
One goal is to establish a “one-stop-shop” for businesses, so companies will only have to deal with a single supervisory authority. Proposals to hand a lead role to regulators in the country where each company has its European headquarters shouldn’t sideline other agencies, said Falque-Pierrotin, who also heads France’s CNIL data privacy agency.
“Developing a coherent one-stop shop is the main stumbling block for approval of the regulation,” said Christopher Kuner, a privacy specialist at law firm Wilson Sonsini Goodrich & Rosati in Brussels. “It’s one of the core, one of the most important elements of the proposal.”
The EU’s current rules were drafted nearly two decades ago, when the Web was in its infancy and before smartphones and tablets were widely used. EU nations have dragged their heels over revamping the law, replacing a firm 2014 deadline last year with plans to introduce the legislation in a “timely fashion.”
While under existing rules some regulators can’t levy fines, the new law could boost national data watchdogs’ powers to sanction companies, including U.S. technology businesses, as much as 100 million euros ($138 million) for privacy violations, after EU lawmakers sought tougher penalties.
Google’s biggest European privacy fine to date was 1 million euros by Italy’s regulator, after the search-engine company’s Street View cars were allowed to roam incognito across the country.
“With such big players whose data treatment has an effect on many countries there has to be more intense cooperation between the authorities,” Gerard Lommel, head of the Luxembourg watchdog, said in an interview. “It’s good to trust each other more and not be jealous over our responsibilities.”
A one-stop-shop needs “to balance the interests of companies, privacy regulators and most importantly European citizens,” said Sabina Gockel, a spokeswoman for Microsoft Corp. “It is a logical principle to work towards.”
EU Justice Commissioner Viviane Reding, heralded the one-stop-shop as a way to simplify procedures for companies and citizens alike when she proposed revamping the bloc’s privacy law in January 2012.
While there will be one lead authority, it “does not mean that all powers are vested solely in that authority,” she said in an e-mailed response to questions from Bloomberg News. “Data protection authorities will be strengthened” by giving fining powers to all and they will “act as a team when dealing with cross-border businesses.”
A one-stop-shop system will reduce red tape and “will support both larger companies like Facebook and smaller startups across many different sectors,” said Erika Mann, managing director for public policy at Facebook Brussels.
Apple spokesman Josh Rosenstock declined to comment on the possible EU measures. Al Verney, a spokesman for Google, didn’t immediately respond to e-mails seeking comment.
The 28 national regulators are grouped together under the Article 29 Data Protection Working Party, which France’s Falque-Pierrotin now heads. The EU panel published its position on the one-stop-shop last month.
Its members currently work in line with their country’s privacy laws, based on EU legislation. If the proposed new rules are adopted by governments and EU lawmakers, they would apply across all the countries and differences in approach would no longer be possible.
A string of divergent decisions by European data protection authorities in recent years concerning privacy violations by Google when it took pictures across several nations for its Street View mapping service led some regulators to push for a more coordinated approach.
Ireland’s Data Protection Commission said in a statement that it backed the concept of a ‘one-stop-shop’ for companies providing services in different EU countries.
“We agree on the importance of the lead data protection authority working in close cooperation with other data protection authorities whose residents are impacted,” it said.
While data authorities should guard their independence from government interference, “it doesn’t mean that they should go ahead and do whatever they think and not coordinate with other data protection authorities,” said Jacob Kohnstamm, head of the Dutch data protection regulator, who was also chairman of the EU’s Article 29 group until February.
For example, in cases outside the Netherlands involving companies such as Amsterdam-based Royal Philips NV, “where the lead authority would probably be the Dutch authority,” the agency “should be given the chance to get involved,” Kohnstamm said at a Brussels event in April.
Where there is a clash of opinions between the lead and national authority, cases should be dealt with by the European Data Protection Board, the equivalent of the Article 29 group under the draft rules, said Kohnstamm.
A spokesman for Greece, which holds the EU’s rotating presidency, didn’t immediately respond to an e-mails seeking comment on the measures.
Members of the European Parliament already signed off on the draft law before this month’s elections. Governments must now agree on their negotiating stance, before entering final talks with lawmakers aimed at clinching a final deal.
Reding said there are many possible ways for making the plans effective. “But let’s be clear: without a one-stop-shop, there can be no deal.”