The EU legislature is entering a crucial phase in discussing the proposal to modernise and update the EU’s data protection rules. A Committee of the European Parliament will seek a way to deal with more than 4000 amendments to the proposal on 21 October while the EU’s Council debated the proposal on 7 October. Although the European Commission proposed extensive changes to the substantive rules, it is the enforcement of those rules that has become the central issue in the discussions. ICOMP has always emphasised that these rules, as all other legal requirements, can only achieve their purpose in protecting people’s privacy if they are actively enforced.
According to reports there were sharp differences at the Council on how to ensure consistent EU-wide enforcement and sanctions. Where Germany, supported by various other countries, favours a formal role for a centralised enforcement body, Ireland and others are opposed to “adding more bureaucracy”. Rather than discussing vague general concepts, let’s look at the issue taking a real and current example. Indeed, in talking about the new proposals, many forget that the EU already has privacy rules which should be enforced now. EU citizens should not have to wait until the new rules are adopted and entered into force before their privacy is protected.
When EU Justice Commissioner, Viviane Reding, addressed the Council she claimed that the one-stop-shop principle enshrined in the proposal would solve all problems: it would “ensure legal certainty for businesses operating throughout the EU and bring benefits for businesses, individuals and data protection authorities”. So who could be against it? According to the one-stop-shop principle companies that collect and use personal data will have to deal with only one enforcement agency, normally the one in the country where they are established. Google’s EU headquarters are in Ireland, so any future violations by Google would be dealt with only by the Irish authority. But the Irish aren’t even part of the working group now looking at the most recent privacy violation by Google. And they have not acted against any of the many other privacy breaches either, no matter how much others have called them “very serious”. Any system, whatever it is called will have to address this situation.
What users and competitors need is a system that ensures that Europe’s data protection rules are effectively enforced against all companies. The ultimate test should not be which system involves the lowest number of authorities but which one ensures effective enforcement. The current one doesn’t as the many unresolved breaches by Google clearly show. The next system needs to change this and ensure that all competitors are treated in the same manner while all users can trust that their privacy is effectively protected.