Industry and MEPs grapple over data protection law
Concerns by industry that the European Parliament’s version of the EU data protection bill will fundamentally change how data complaints are handled are unfounded, says the head of the EU data advisory group, Jacob Kohnstamm.
Kohnstamm chairs the influential ‘Article 29 working group’ which advises EU lawmakers on data protection and privacy issues. He is also the head of the Netherlands' data protection authority (DPA).
Join EUobserver today
Get the EU news that really matters
Instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
He refuted claims that there are major differences between the draft data protection bill proposed by the European Commission and the amended bill proposed by German Green MEP Jan Philipp Albrecht when it comes to who should spearhead investigations against industry abuse.
“I hear the noise over and over again that there is a big difference between the regulation like it is proposed by the European Commission and what Albrecht is doing and I don’t think that is true,” he told this website.
Each member state has a data protection authority to handle complaints and ensure industry complies with national privacy laws.
Some DPAs have more power than others and are more active in imposing sanctions.
Germany’s DPA can, for instance, set the amount a company needs to pay if it violates data protection law. But in Ireland, the DPA must first go through the Irish court system. Other DPAs simply issue press releases in a name-and-shame tactic.
Under the commission’s proposal, the power of the DPAs would remain the same and their verdicts binding across the whole of the EU.
The commission’s draft EU data bill keeps the lead authority in the country of the company’s main headquarters along with additional safeguards to ensure its regulation is applied uniformly throughout the Union.
EU-based complaints against Facebook, for example, would see Ireland’s data protection commissioner Billy Hawkes take the lead.
But amendments tabled by the European Parliament’s lead rapporteur Albrecht would also entitle residents of any EU member state to file complaints against Facebook with their own national data protection authorities.
Under Albrecht’s proposal, Hawkes would then have a co-ordinating role with the data protection authority in the country where the complaint was originally filed.
This means Hawkes would have to consult with other authorities before adopting any measure.
In case of disagreement between Hawkes and another authority, then the European Data Protection Board, composed of members of the Article 29 working group, would step in to mediate.
“I am fairly in line with what he [Albrecht] says is that the outcome of that decision making procedure led by the lead DPA in a co-ordinating role should be binding on all supervisory authorities,” notes Kohnstamm.
The issue is key for industry. Facebook is opposing the dual nature of Albrecht’s lead authority.
Erika Mann, Facebook’s managing director of policy at its Brussels office, said Albrecht takes away the role of the lead authority in the so-called one-stop shop principle to the detriment of achieving the European single digital market.
Kohnstamm rejects the notion.
“The national data protection authority should be and remain the contact point for its own citizens,” he said.
“The main difference between the proposition of the commission and the main proposition of Albrecht, is not killing the idea of one-stop shop, but having it slightly differently organised,” he said.
National laws are currently based on an outdated 1995 EU data protection directive that the commission wants to overhaul with a single EU-wide legislation.
The commission proposed its draft in January 2012.
The heavily-lobbied bill is now at the European Parliament where deputies are reviewing close to four thousand amendments before it goes to vote in the civil liberties committee at the end of May.