Thursday, August 16, 2012

It's time for a "lead regulator" in Europe




Who's in charge in Europe?  That's a common conundrum for those of us who work in the privacy field in Europe.  When I was at a Berlin privacy conference, dopey picture attached, everyone was talking about it.

Privacy regulators play the key role in enforcing privacy laws.  Most companies (certainly all Internet companies) operate globally.  So, it's a natural question to ask which regulator(s) will or should have jurisdiction to enforce privacy laws.  For many years, I have advocated for the concept of a "lead regulator" in Europe.  It makes a lot of sense for one country's regulator to take the lead on behalf of all of Europe.  It encourages consistency across Europe, it provides for a deeper regulatory-relationship, it saves taxpayer money, when numerous regulators are not all re-inventing the regulatory wheel.  This is exactly what the European Commission is proposing in its re-write of privacy laws for Europe.  

Take the example of Facebook, whose European operations are headquartered (in legal terms, "established") in Ireland.  Normally, the Irish data protection authority would therefore be the lead regulator of Facebook, on behalf of Europe.  And indeed, it has been acting accordingly, conducting a company-wide audit of Facebook's privacy practices.  

The key to making all this work is clear:  the concept of "lead regulator" simply cannot work unless other regulators to defer to their sister-regulator.  That's why this story caught my eye:  German privacy regulators re-open their investigation into Facebook's face recognition software, notwithstanding the fact that the Irish are currently investigating the same thing, and notwithstanding having previously said that they would defer to the Irish audit before proceeding.  

The German regulatory world is a microcosm of the European regulatory world.  Each "Land" in Germany has its own independent data protection authority.  In theory, each is entirely independent, and is free to investigate or regulate separately, or in addition to, or even differently than one of its sister-German-DPAs.  But in practice, the German DPAs have developed a custom (not based in law, but based in deference and mutual respect) that they would defer to the "lead German DPA".  In the example of Facebook, the DPA of Hamburg is leading on behalf of its sister-German DPAs, because Facebook's German headquarters are based in Hamburg.  That's why Hamburg, rather than, say, Munich, is investigating Facebook.  

So, the question is simple:  German DPAs have developed the concept of "lead regulator" amongst themselves.  But are they willing to respect the same concept, and show the same necessary regulatory deference, at a European level, e.g., vis-a-vis the Irish DPA? 

If the European Commission proposal becomes law, then the concept of "lead regulator" will be cemented into law.  I often critique other aspects of the Commission's proposal, but on "lead regulator", I applaud their efforts. The issue is contentious, and the French authority, the CNIL, to take one example, is very publicly attacking the concept of a "lead regulator", precisely because they don't want to defer to a non-French lead regulator.  

In the meantime, it's hard to know who's in charge.  I'm someone who believes that regulatory enforcement is more effective when it's absolutely clear who's in charge.  


No comments: