Discontent Simmers Over How to Police EU Privacy Rules

Delay in WhatsApp fine highlights some EU regulators’ dissatisfaction with GDPR enforcement.

By guest author Catherine Stupp from the Wall Street Journal

The European Union’s recent USD 270 million fine against WhatsApp was held up for months by disagreements among national authorities, ratcheting up tensions over how to enforce the bloc’s privacy rules.

The varied approaches to policing the EU’s strict General Data Protection Regulation are fueling calls to redesign how national authorities from the 27 EU countries can intervene in each other’s cases and to explore creating a broader EU-wide regulatory system.

WhatsApp, owned by Facebook Inc., was fined for failing to tell EU residents enough about what it does with their data, including sharing their information with other Facebook units. The fine was made public in early September by Ireland’s Data Protection Commission, which had jurisdiction over the case because WhatsApp’s and Facebook’s European headquarters is in Ireland.

Eight other regulators said the Irish authority’s proposed fine of up to EUR 50 million, equivalent to roughly USD 59 million, was too low and disagreed with the Irish regulator’s analysis of the company’s data practices.

The regulators used a GDPR resolution process to settle their disagreements, and the Irish authority said it followed the other regulators’ recommendations, including raising the fine. But regulators and privacy experts say the process of sharing enforcement among national authorities has led to bottlenecks.

“We always have the same issue. If everything relies on the lead data protection authority taking the initial step then we have the big cases taking a lot of time,” said David Martin Ruiz, senior legal officer at the European Consumer Organisation, a Brussels-based advocacy group.

If authorities from other European countries cooperate early in investigations, instead of waiting for the lead regulator’s verdict before they can intervene, decisions might be issued faster, Mr. Martin Ruiz said.

Discontent among European privacy regulators has been brewing since the GDPR took effect in 2018, with some authorities publicly criticising their counterparts for taking too long to investigate in high-profile cases. In May, the regional authority in Hamburg, Germany, used an emergency measure to issue a three-month ban on Facebook’s collection of data from WhatsApp users in the EU, sidestepping a provision that prevents regulators from policing companies outside their jurisdiction.

Legal procedures determining that a regulator is responsible for investigating a company based in its jurisdiction “are often not timely enough” to keep up with technology, said Pasquale Stanzione, the head of Italy’s privacy authority, and one of the eight regulators who opposed the Irish draft decision on WhatsApp. The others were authorities representing France, Hungary, the Netherlands, Portugal and Poland; the federal German regulator; and a regional German regulator from the state of Baden-Württemberg.

A spokeswoman for WhatsApp said the company will appeal the decision.

While European authorities have channels to voice disagreement with each other’s cases, there might still be a need to re-evaluate GDPR provisions in the next few years and enable broader investigations that aren’t overseen by one regulator alone, said Ulrich Kelber, the German federal data protection commissioner.

“There’s really a need for European decisions and not just the interference of other agencies,” he said. Privacy regulators might want to replicate elements of the system that European antitrust authorities use to share investigations if they affect more than one country, Mr. Kelber said. Alternatively, the European Data Protection Board, the umbrella group of all 27 EU privacy authorities, could have a role in such large, cross-border cases, he added.

Andrea Jelinek, chair of the European Data Protection Board, said in an email that the dispute resolution process is time- and resource-intensive, but still works well.

“It is important to bear in mind that the dispute resolution process is only employed in the exceptional circumstance where the [authorities] could not reach consensus at an earlier stage,” she said. The GDPR specifies that the process can take no longer than two months and authorities met that deadline in the two dispute-resolution cases so far, she added.

The second case involved the Irish regulator’s fine against Twitter Inc. for failing to quickly disclose a 2019 data breach. That fine was also raised after other regulators voiced objections.

The European Commission, the EU executive arm that drafted the GDPR legislation, has said it is too soon to draw conclusions about the level of fragmentation and it will explore whether to propose some “targeted amendments” to the regulation.

Helen Dixon, Ireland’s data protection commissioner, circulated a draft decision in the WhatsApp case in December, and other regulators raised objections between January and March, according to a report from the European Data Protection Board. Ms. Dixon’s office asked WhatsApp to respond to some objections in April, and then triggered the dispute-resolution process in June to resolve the conflicts between authorities. That process finished in late July and the decision was announced this month.

Authorities are managing to work through deadlocks to reach compromise decisions, as the WhatsApp case showed, but differences in culture and mindsets between regulators will likely remain, said Eduardo Ustaran, co-head of the privacy and cybersecurity practice at law firm Hogan Lovells International LLP. “This is always going to be an issue when you have 27 regulators trying to operate as one in a place that is as diverse as Europe,” he said.