A week of important announcements has offered tentative signposts on the road ahead to broader regulation and oversight of the technology industry in the EU. On Tuesday, the Irish Data Protection Commission (DPC) announced its first formal decision against a major technology firm under the 2018 General Data Protection Regulation (GDPR).
Under the latter’s one-stop shop approach, complaints go the regulator in the EU state where a company has its EU headquarters. Grievances with almost every large multinational technology company will thus end up with the Irish DPC.
So this verdict was long-awaited. GDPR decisions on behalf of the EU’s 500-million strong market will influence and affect how the tech giants operate globally. In this first decision, against social media platform Twitter, a fine of €450,000 for a GDPR breach may have elicited a sigh of relief from tech firms, but was quickly criticised internationally as too lenient and slow.
Much remains to be determined in the final format of the Acts
In this case, Twitter could have been fined up to €60 million and fellow EU regulators were unhappy with the DPC’s initial draft decision. It then went to an adjudicating EU mechanism, but still resulted in a modest fine.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/EIOP2XO6XME7SE2Y5T6NQYH42A.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/Y6OMRNAKUZJ3HGAAPBIKNKKGH4.jpg)
:fill(white):background_color(white)/static.themebuilder.aws.arc.pub/irishtimes/1647534191476.png)
The DPC defended the fine as "effective, proportionate and dissuasive", though DPC Helen Dixon acknowledged to the Wall Street Journal that to protect against legal challenges, the overall process had taken "too long". The European Commission's principal adviser on justice policy, Paul Nemitz, however, told the paper: "It is important that the lead authority for Google and other tech companies enforce GDPR properly to preserve the functioning of the one-stop shop."
Yet perhaps that function needs to be reconsidered, given the burden of regulating the world’s most powerful, well-financed companies out of one of Europe’s smallest states. A broader European regulatory approach might work better.
Draft proposals this week for two significant pieces of EU regulatory legislation, the Digital Services Act and the Digital Markets Act, suggest that companies be tiered into regulatory levels depending on their power, scope and market capitalisation. The higher the tier, the more responsibility and liability a company would carry, and punishments adjusted accordingly.
Oversight would be maintained at a pan-EU level, not delegated to national regulators. These important acts are intended to interlock with protections in the GDPR and the ePrivacy Directive to ensure adequate protections and market supervision.
Much remains to be determined in the final format of the Acts. And GDPR enforcement is still in its infancy. But this week’s announcements hint that greater regulatory power and harmony might be achieved if GDPR reconsidered the one-stop shop mechanism.