European regulators: We're not ready for new privacy law
[May 08, 2018]
By Douglas Busvine, Julia Fioretti and Mathieu Rosemain
FRANKFURT/BRUSSELS/PARIS (Reuters) -
Europe's General Data Protection Regulation (GDPR) has been billed as
the biggest shake-up of data privacy laws since the birth of the web.
There's one problem: many of the regulators who will police it say they
aren't ready yet.
The pan-EU law comes into effect this month and will cover companies
that collect large amounts of customer data including Facebook <FB.O>
and Google <GOOGL.O>. It won't be overseen by a single authority but
instead by a patchwork of national and regional watchdogs across the
28-nation bloc.
Seventeen of 24 authorities who responded to a Reuters survey said they
did not yet have the necessary funding, or would initially lack the
powers, to fulfill their GDPR duties.
"We've realized that our resources were insufficient to cope with the
new missions given by the GDPR," Isabelle Falque-Pierrotin, president of
France's CNIL data privacy watchdog, said in an interview.
She, like some other regulators, was pressing her government for a
substantial increase in resources and staff.
Many watchdogs lack powers because their governments have yet to update
their laws to include the Europe-wide rules, a process that could take
several months after GDPR takes effect on May 25.
Most respondents said they would react to complaints and investigate
them on merit. A minority said they would proactively investigate
whether companies were complying and sanction the most glaring
violations.
Their responses suggest the GDPR enforcement regime will be weaker than
the bloc's anti-trust authority run directly by the European Commission,
the EU executive, which hit Google with a 2.4-billion-euro ($2.9 billion)
fine last year (https://uk.reuters.com/article/uk-eu-google-antitrust-idUKKBN19I102).
The launch of GDPR comes as data privacy is making headlines, with
Facebook facing intense scrutiny over the leak of 87 million users'
personal data to Cambridge Analytica, a political consultancy that
advised U.S. President Donald Trump's election campaign.
HEAVYWEIGHTS IN IRELAND
The law aims to give EU citizens more rights to control their
online information. It has a slew of technically demanding requirements,
and threatens fines of up to 4 percent of a company's annual revenue for
serious infringements.
Companies, for example, must be able to provide European customers with
a copy of their personal data, and under some circumstances delete it at
their behest. They should also report serious data breaches within 72
hours.
The industries most affected will be those that collect large amounts of
customer data, including technology companies, retailers, healthcare
providers, insurers and banks.
Reuters sent all the regulators a four-question survey about how they
would handle their responsibilities. Eighteen national authorities
replied, plus data protection officers in six of the 16 German federal
states who are responsible for enforcement.
Only five in total said the necessary data protection laws and funding
in their jurisdiction were in place. Of the 17 who said they did not
have the necessary funding and legislation, 11 expected both to be
provided in future.
The new law calls for national watchdogs to assume the lead role in
overseeing companies headquartered within their borders.
Silhouettes of laptop and mobile device users are seen next to a
screen projection of Google logo in this picture illustration taken
March 28, 2018. REUTERS/Dado Ruvic/Illustration/File Photo
It does however create a central body, the European Data Protection Board (EDPB),
in an attempt to ensure the law is applied consistently across the bloc. The
panel would serve both as a forum for regulators and issue binding rulings in
disputes.
In the recent Facebook breach case, most regulators have not taken an active
role because the firm's EU headquarters is in Ireland, falling under the
country's Data Protection Commissioner (DPC). Cambridge Analytica is being
investigated by the UK Information Commissioner's Office (ICO).
The DPC of Ireland, which is also home to Google, Apple and Twitter, was among
those who declined to take part in the survey, citing the complexity of the
issues, as did the UK ICO.
The Irish authority did, however, say its budget and staffing had been ramped up
in preparation for GDPR. Yet its funding this year, at 11.7 million euros, works
out at less than one-thousandth of Facebook's annual net income of $15.9
billion.
Johannes Caspar, the data protection commissioner in the German city-state of
Hamburg, told Reuters he had had many differences of opinion with the Irish
regulator in the past over its handling of Facebook, without giving details.
He also did not see the data protection board as an adequate forum to address
issues, calling it "a cumbersome – and for outsiders certainly opaque –
exercise".
'CONVENIENCE ESTABLISHMENTS'
Italy's data protection chief Antonello Soro welcomed the pan-European rules as
a "guarantee against companies opening 'convenience' establishments in
countries". But his authority's 2018 budget of just under 25 million euros and 122 active
staff were inadequate to fulfill its responsibilities, and it would require
double the funding and 300 staff.
Regulators largely did not specify what duties might be affected by a lack of
resources. Experts expect oversight to be inconsistent at first, with regulators
facing tough choices on whether to prioritize outreach work to encourage
compliance, or enforcement actions against violators. Working smoothly as a
group in the EDPB could also be a challenge.
"I think it will work but it will take time for companies and data protection
authorities," said Joerg Hladjk, counsel for cybersecurity, privacy and data
protection at law firm Jones Day. "They need to try this out in practice."
Estonia, known as a pioneer of e-governance, had backed a stronger regime
enforced by the Commission.
Viljar Peep, head of the Estonian Data Protection Inspectorate, said the quality
of enforcement under the chosen local system risked being inconsistent and would
depend on the "administrative culture" of officials, which varied widely.
Some countries, like Estonia, took a broad view of data privacy, engaging with
business and society to ensure the new rules are understood and respected,
whereas others took a far narrower view, he added.
"Are we supposed to be proactive?" he asked.
($1 = 0.8386 euros)
(Additional reporting by Hans-Edzard Busemann; Writing by Douglas Busvine;
Editing by Jonathan Weber and Pravin Char)
© 2018 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.