Peter Fleischer, an American in Paris who is also Google’s Global Privacy Counsel, knows a bit about privacy and law. Writing in his own blog, he has warned Europe to expect a litigious explosion in a few years, with the new EC data protection regulation expected to come into force in 2015.
So far, breaches of privacy regulations have been handled by national data protection authorities (DPAs) such as the UK’s ICO and the French CNIL. These regulators have limited powers: “the largest fine ever imposed by the CNIL…was 100,000 euros”, Fleischer notes. There have been few challenges to the fines. Why would a company launch a legal challenge when the cost would outweigh the amount of the fine?
But this will change under the data protection regulation, where fines will be based on a percentage of revenue. For larger companies, this could easily lead to very large fines; and those companies will certainly object in court with serious, heavyweight legal counsel. The problem is aggravated by the make-up of most national DPAs, which are under-staffed and lack the necessary legal expertise. The UK’s information commissioner, for example, comes from a marketing rather than a legal background.
“It’s one thing to launch an enforcement action where the money at stake is €100,000. It’s entirely different when the money at stake is €100,000,000”, warns Fleischer. “In a couple years, privacy litigation will go big time in Europe.”