In April of this year, after many years of debate and drafting, the EU adopted its new General Data Protection Regulation (which I will call “the regulation” for the rest of this post). The regulation is an attempt to resolve a problem that has manifested itself for a very long time now: privacy regulation in Europe is done on a national basis, by highly independent national data privacy authorities, which means that any business in Europe affected by privacy laws is dealing with 28 sets of laws. The national data privacy authorities have gone off in a great many different directions, resulting in very light regulation of data privacy issues in some places (e.g. the United Kingdom) and extraordinarily prescriptive and detailed regulation in others, such as France. The resulting hodgepodge has been a compliance nightmare for organizations for many years now, and the stated goal of the regulation is to harmonize this mass of law and make it easy for organizations to comply. The question is, does it actually do this?
So, Does It?
Superficially, the answer is yes. For example, an organization will now (actually in May 2018, when the regulation comes fully into force) have a “home” regulator in the EU jurisdiction where it has its main presence. That regulator is supposed to coordinate with the other national regulators, with the goal of providing the organization with a single set of harmonized requirements applicable to all its locations, and a single point of contact for dealing with issues in the form of the home regulator. That sounds like a considerable improvement over the current situation, and if it actually happens, it will be.
There is also a new mechanism governing rulemaking by national data privacy authorities. Before promulgating a new regulation, they must submit it to the EU Commission and the EU data privacy board. These two bodies are supposed to vet and criticize any new rules, with a view to ensuring that rules promulgated by the various national authorities are in harmony with one another. Again, to the extent that all of this actually happens, it will be a significant improvement over the current situation. But here is where I see the flies in the ointment:
The Flies in the Ointment
First, the regulation reinforces the independent status of the national data privacy authorities. They are currently answerable to no one, and this will remain the case. The regulation explicitly gives them plenary authority on privacy matters, without oversight by national legislatures or anyone else.
Second, the regulation does not deal with the enormous body of conflicting and confusing regulations already in place. As far as we know, all of that will remain in force, which means that uniformity is lost before it was ever achieved: the regulation harmonizes future rules, if anything, but not the existing ones.
Third, although the “home” authority and the other data privacy authorities governing a multinational entity are supposed to confer and attempt to arrive at some sort of harmonized regulation of an organization, they do not actually have to if they don’t feel like it. At the end of the day, if each of them decides to impose a different set of regulations on an organization, there is nothing anybody can do about it, because there is no mechanism in place to force them to harmonize anything.
Fourth, although the national authorities must submit proposed regulations to the EU Commission and the EU data privacy board for approval, at the end of the day neither the Commission nor the board can actually stop a national data privacy authority from promulgating a regulation. The most they can do is suspend its implementation for one year, after which the national data privacy authority can pretty much do as it pleases. That is hardly a mechanism for forcing consistency.
The Lack of Compulsion
So you can see the problem: the regulation operates as a mechanism for encouraging cooperation among the national data privacy authorities and for encouraging them to harmonize their regulations, but there is no mechanism in place, at least as yet, to force that cooperation and harmonization. At the end of the day, they can still do pretty much as they please. And it is hard to imagine the French data privacy commissioner waking up one night with an epiphany, realizing he has been doing it all wrong these years, and repealing his many privacy regulations and directives. The same is true of his colleagues in Germany, the Netherlands and some of the other more prescriptive jurisdictions within the EU. So there is no reason to believe that any of them will start doing things in a way that is radically different from what they are doing now. Why should they?
The Bottom Line
So what we are likely to find at the end of the day is that nothing much is likely to change. Those jurisdictions that feel they have a compelling reason to regulate privacy-related matters with very prescriptive and detailed rules will continue to do so, and those that feel less of a need will continue to regulate lightly. In the meantime, penalties for noncompliance will have gotten much larger, and some restrictions on data collection will have gotten much tighter and stricter. So we will have tighter restrictions and tougher penalties, and still 28 versions of the rules. Maybe Brexit wasn’t such a bad idea after all: at least by then maybe we’ll only have 27 versions. But that’s a different post.