In privacy cases, European internet companies may not be subject to just their home regulator, explains Sam Pfeifle
Being the world’s biggest social media platform has its advantages: the pick of the world’s top talent, a voice on the national policy stage, and a growing revenue stream among them.
But it has its drawbacks, too. Facebook currently finds itself in the unenviable spot of being part of a test case in similar fashion to Google, just a few years back. Just as Spain used Google to show that it, indeed, had jurisdiction to bring an enforcement action, regardless of where Google is headquartered, so, too, is Belgium (alongside Spain, Germany, and the Netherlands) using Facebook to show that it has the right to regulate a company, even if the company’s EU headquarters reside inside a different set of borders.
Ostensibly, Belgium and its partners are looking at how the Facebook Like button sets a cookie and how the site tracks users who don’t have accounts or aren’t logged in, but the privacy industry doesn’t much care about all that, truth be told. Facebook has shown itself, through its response to FTC enforcement action for example, to be a good corporate privacy citizen. If a regulator finds it to be violating privacy law, it takes the required corrective action and figures it out.
The company’s momentum is not likely to be derailed by having to tweak cookie policy at Belgium’s behest.
Rather, what industry observers care about is whether, under the current European Data Privacy Directive, and, going forward under the proposed European General Data Privacy Regulation, companies in the EU are going to find themselves under the jurisdiction of 28 separate regulators all interpreting the law in their own separate way, or whether they can expect to be under the auspices of a single privacy regulator.
The answer to that question has far-reaching implications.
Large companies are in the business of predicting risk. How will markets change, consumers’ desires change, world environmental conditions change in ways that will affect their ability to turn a profit? All of those, of course, are difficult to pin down. Generally, however, the law is a fairly slow-moving target. Companies peg their risk against operating in a jurisdiction with a certain law and lay plans accordingly.
If a bill is introduced that would change that risk assessment, they monitor it and adjust if necessary.
However, these risk managers wonder, how is a company to lay plans and operate in a world where there is a single law, but 28 potential interpretations?
In the case of Facebook, the company’s cookie practices have been audited by their regulator in Ireland and deemed up to snuff. And thus they went forward. Now, however, they are told by another country, operating under the same directive, that they are not up to snuff.
You can see why they sound like a child arguing with her mother: “But dad said it was okay!”
You might also see why there is momentum in the European policy community for the so-called ‘one-stop shop’ in the proposed Data Privacy Regulation. If there is really to be such a thing as an EU Digital Single Market, where companies can operate in the EU with the freedom that the internet provides, how can they be asked to abide by 28 different sets of privacy law?
However, there is of course the opposite argument: If privacy is actually a human right, and someone feels that human right has been violated, how is it that they don’t have redress against the company that committed that violation just because a regulator in some other country decided it wasn’t really a violation?
These countries in Europe have long and storied histories and it’s understandable that they would have differing cultural opinions about what constitutes something like a legitimate interest to process data.
Thus, all eyes are on this Facebook case. Given the proposed Regulation has already been three years in development, we may find ourselves under the current Directive for some time yet. Is it now open season on internet companies? Or can companies be reasonably confident that their home regulator is all they need to worry about?
And as the Regulation comes into focus, will this case swing public opinion toward the one-stop shop or away from it?
It is not an exaggeration to say just about every company collecting personal data puts itself in Facebook’s shoes and awaits the answer just as expectantly.
About the Author
Sam Pfeifle is the publications director of the International Association of Privacy Professionals (IAPP), the world’s largest privacy association.