Europe Will 'Streamline' Cross-Border GDPR EnforcementEuropean Commission Anticipates 'Cooperation' Proposal After March
The European Commission is preparing a proposal mandating more cooperation among national government agencies charged with enforcing the continent's General Data Protection Regulation. Details of the proposal are scarce. The commission only has stated that it plans sometimes after March to publish a proposed rule meant to "streamline cooperation between national data protection authorities."
The GDPR, which came into effect in 2018, is among the world's toughest privacy rules, and major companies including Facebook and Google have been fined millions of euros for violations. The rule allows data protection authorities to levy fines of up to 4% of a company's global annual turnover. International law firm CMS estimates European data protection authorities have imposed GDPR fines totaling more than 2 billion euros so far.
Nationally driven enforcement of the regulation has emerged as a sore point for some during the GDPR's first half decade, and critics especially have called out the Irish Data Protection Authority. A slew of American tech companies - including Google, Facebook, Microsoft, PayPal and Salesforce - have their European or international headquarters in Dublin, giving the Irish data protection authority jurisdiction over their privacy practices. Critics contend the Irish commission soft-pedals enforcement against tech companies - an assertion Irish commission head Helen Dixon has contested, pointing to "very significant sanctions" and the complexity of the regulation.
The European Commission in January took steps to flex its authority, telling national data protection authorities to send periodic reports detailing "large-scale cross-border investigations."
The European Data Protection Board, the pan-European agency charged with ensuring consistent application of the GDPR, is embroiled in a fight with the Irish commission stoked by its December decision to order the Irish authority into a fresh investigation of WhatsApp to determine if the app's use of behavioral marketing violates the GDPR.
The Irish authority says the board lacks the authority to order investigations. "The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation," it wrote, stating that it could take the matter before the Court of Justice of the European Union.