Viviane Reding joins those who blame limp privacy enforcement on the regulation itself.
Former EU justice chief Viviane Reding has called for Europe’s data protection rulebook to be revised just three years after it came into force.
The intervention by the Luxembourgish politician, who spearheaded the European Commission’s proposal of the General Data Protection Regulation in 2012, comes as the flagship law celebrates its third anniversary.
Reding, now an opposition MP in the Grand Duchy, told POLITICO that though the GDPR has succeeded in becoming a global privacy standard copied by the likes of Brazil and India, its enforcement was uneven.
“For a regulator, it’s easier to control the local football club than a worldwide company. We should leave the local football club alone and focus on the real troublemakers,” Reding said, suggesting that regulators can more easily enforce against small local organizations than big multinational companies.
“The enforcement against systematic stealing of data for commercial or political purposes is somehow not so strong.”
Three years on from the regulation coming online, a €50 million fine for Google by the French regulator in 2019 remains the highest penalty to date, despite a volley of complaints against tech companies.
Stop the one-stop-shop
The center-right politician suggested that reform to centralize enforcement of the GDPR could help rein in powerful tech companies.
At present, a patchwork of national and regional regulators are tasked with enforcing the code. But that arrangement is further complicated by the “one-stop-shop,” a rule that obliges the regulator where a company is legally established to be the one in charge, leaving Luxembourg and Ireland’s data protection authorities responsible for almost all Silicon Valley giants.
“I really plead for reform of the enforcement,” she told POLITICO over the phone. “Enforcement should be more centralized for big affairs.”
Reding’s not the only one itching to rejig the rulebook.
Last month, the European Data Protection Supervisor, who is responsible for ensuring the EU institutions comply with the law, also questioned the mechanism’s worth.
“The one-stop-shop has impacted the functioning of the GDPR … as a matter of principle, I’m not sure this is the right approach,” said Wojciech Wiewiórowski, the head of the Brussels-based regulator.
He said that legislators had underestimated issues with the one-stop-shop and indicated that he preferred the European Commission’s initial GDPR proposal, which backed a more centralized enforcement mechanism.
“While at the time of its adoption of the GDPR, the one-stop-shop was hailed as a potential model to be followed, we should now be very careful to follow it for other laws,” Wiewiórowski said, noting that the system also risked national governments being placed under pressure by the powerful companies they are tasked with regulating.
Criticism of the mechanism focuses on the perceived lack of enforcement by Ireland and Luxembourg against the biggest digital players. So far, the pair have only finalized a single fine against a tech platform between them: a €450,000 penalty for Twitter meted out by Dublin.
But not all think the time is right for reform.
Marie-Laure Denis, the head of the French privacy regulator CNIL, did not immediately support changing the enforcement mechanism in an interview with POLITICO this month.
“In the short term, the main point is that it’s better to ensure that [the mechanism] is fully effective before considering, if necessary, to change some of it,” she said.
Jan Philipp Albrecht, who was in charge of negotiating the GDPR in the European Parliament, also stopped short of calling for changes to the code.
“I don’t think that the GDPR itself needs to be changed. The rules we have should be applied properly first, and my feeling is that the authorities haven’t used the possibilities which they have to the full extent,” he said.
Albrecht is not alone in thinking that aspects of the GDPR remain underused.
In the two-year review of the law last year, the European Commission urged regulators to make more use of cooperation tools like opening joint operations, while campaigners have called for more frequent use of emergency procedures that allow regulators to take interim action against companies not under their jurisdiction if they perceive an immediate threat to their data subjects.
There are also fears that a reform of the one-stop-shop would open the entire rulebook to intense lobbying — which many want to avoid.
“There are clear issues with the enforcement of the GDPR, in particular in relation to the one-stop-shop, but it is unclear if a reform can fix this situation,” said Estelle Massé, data protection lead at human rights NGO Access Now.
While many think it too early to open up a regulation at this stage, it is clear that enforcement remains an issue.
Irish regulator Helen Dixon, whose office is often the target of criticism, has questioned whether the enforcement system is sustainable as it stands, noting lengthy procedures to finalize the Twitter fine and a pending decision on WhatsApp that could be as high as €50 million.
“The DPC has a number of other cases that are going to go through [a cooperation mechanism]. If all of them go the path that the Twitter and WhatsApp decisions have gone so far, the EDPB as a decision maker is going to be under a huge strain,” she said at a conference in April.
Source: POLITICO https://www.politico.eu/article/eu-privacy-laws-chief-architect-calls-for-its-overhaul/?utm_source=RSS_Feed&utm_medium=RSS&utm_campaign=RSS_Syndication