Mr Giovanni Buttarelli, the newly appointed European Data Protection Supervisor (“EDPS”), spoke earlier this week at a seminar in Brussels on antitrust, privacy and big data (a transcript of his speech can be consulted here).
After having explored the conceptual overlap between data protection law, competition law and consumer law in a preliminary Opinion published in March 2014, the EDPS now calls for a more holistic approach in enforcing competition and data protection rules.
Such an approach is said to be needed in order to keep pace with the rapid evolution in the digital economy. Both competition law and data protection law are being challenged by the rise of free-to-consumer, advertising-supported business models where personal data constitute the new currency.
Taking into account issues of common concern such as internet monopolies, customer lock-in and asymmetries of power between citizens and those controlling information about them, the EDPS regrets the current silo mentality and pleads for more dialogue between data protection and competition regulators in order to encourage privacy-enhancing technologies and services.
Mr Buttarelli wants the EU to be a “beacon of respect for data protection and privacy” and highlighted the fact that individuals’ rights are worthless without effective enforcement and redress.
An interesting position he took was that data protection enforcement has a lot to learn from the more established tradition of enforcing competition rules, both with respect to accountability and sanctions.
The EDPS puts emphasis on companies’ self-assessment regarding compliance with the prohibition on anti-competitive agreements. Indeed, since 2003 companies no longer have to notify horizontal cooperation agreements to the European Commission; instead, they have to assess their own compliance with the rules under article 101 of the Treaty on the Functioning of the European Union.
The principle of accountability is also a cornerstone of the European Commission's proposal for a General Data Protection Regulation, which abolishes the notification obligation to national data protection authorities and instead imposes, under certain conditions, the appointment of a data protection officer and the organisation of internal data impact assessments by data controllers.
In any case, for data processing organisations the message is clear: the EDPS considers that they should be held accountable for ensuring compliance with the data protection rules by assessing their own level of compliance.
Mr Buttarelli also referred to the fact that under competition law “dominant firms have a ‘special responsibility’ to avoid any action which might impair effective competition”. We understand that in a data protection context this would mean that, although the data protection rules apply to any organisation processing personal data, organisations engaging in significant data processing activities, such as big data analytics, have a comparatively higher responsibility.
Further, Mr Buttarelli explicitly mentioned that the Google Spain judgment on the right to be forgotten – in which the European Court of Justice emphasised the responsibilities of data controllers – and other independent developments such as a risk-based approach, go in a similar direction in terms of accountability of businesses vis-à-vis the people whose information they handle.
As to sanctions, Mr Buttarelli sent a strong message, stating that “there is a realisation that new data protection rules will only be effective if those responsible for data processing know that there will be serious penalties for failing to respect fundamental rights”.
It seems that the EDPS considers that, in comparison to the huge potential fines for violation of competition rules – up to 10% of the annual worldwide turnover – the potential fines for data protection violations – e.g. in Belgium, fines of up to 600.000 EUR – are not dissuasive enough.
Again, this will likely change with the upcoming Data Protection Regulation which sets forth fines of up to 5% (in the version as amended by the European Parliament) of the annual worldwide turnover of the data controller.
To conclude, this speech calls for a paradigm shift in enforcement, once more highlighting the need to use competition enforcement in tandem with effective data protection enforcement. However, it remains to be seen if and how data protection and competition regulators will cooperate in the future and whether comparable fines will be imposed for data protection violations, as is the case today in competition matters. In a few weeks Mr Buttarelli will shed some more light on this project when he presents the EDPS’ strategic plan for 2015-2019.
In practice, we note that for many companies data protection compliance has already acquired a prominent place on their “risks to watch”-list.