CNIL v Google – one directive and 27 data protection laws

Today’s announcement from the French data protection regulator, CNIL, highlights one of the problems with the current European data protection regime for businesses that operate across the EU.

One data protection directive; 27 data protection laws
Whilst European data protection laws are derived from a single EU-wide directive, those laws are implemented at a national level, with each country having its own data protection regulator. This means that some countries have a more onerous implementation than others, and/or a regulator that takes a more pragmatic approach than others. Or, to put it another way, some countries are more business friendly than others.

These variations cover issues ranging from the rules on international data transfers (the UK implementation of the directive is noticeably more business friendly, as it permits data controllers a degree of discretion in determining whether or not a proposed outsourcing arrangement provides sufficient guarantees in relation to the protection of personal data) to data subject consent (the UK ICO embraces the concept of “implied consent”, in particular in relation to information collected online, whereas other member states reject that concept).

This means that businesses trading across Europe are being given mixed messages as to what is expected. Witness the recent issues with businesses grappling with different national implementations of the cookie law to see the sorts of problems that this can cause.

In relation to Google’s new privacy policy, the Article 29 Working Party (a grouping of representatives from each of the national data protection regulators) agreed to collaborate on a single response to Google, rather than provide Google with 27 different responses.

From a data controller’s perspective, that is to be welcomed.

However, it’s interesting that it is the French data protection regulator that led this investigation. French data protection laws (and the French regulator) are considered to be more onerous than those in many other member states, and CNIL has historically led the complaints against Google’s new privacy policy.

Whilst CNIL’s decision is apparently endorsed by all the national EU data protection regulators (with the exception of Greece, Romania and Lithuania), the approach is very much consistent with what might be expected by CNIL under French data protection law. Had the investigation been led by another data protection regulator then the report may have been different.

Does this matter? Well, yes. If the effect of the report is that a data controller is held to a requirement more onerous than that imposed by the national data protection law of the member state in which it operates (or by that member state’s regulator in its previous guidance and practice), then the data controller may feel a bit aggrieved.

Will this change under the new data protection regulation?
Ultimately, these problems arise because of the different approaches in each member state. Under the proposed data protection regulation this is likely to change. In particular:

  • The new laws will be set out in a regulation, not a directive. That’s important, as a regulation has direct effect under EU law and does not need to be implemented nationally by each member state. This means that there will not be any variations between member states in relation to the statutory laws.
  • A requirement for explicit consent to the processing will apply (it cannot be implied). This should help ensure that organisations take a common approach to consent across the EU.
  • Data controllers operating in multiple countries will be able to elect a “home” regulator, rather than be subject to up to 27 different regulators. Issues raised by data subjects in other member states will be referred for resolution by the data subject’s data protection regulator to the home regulator of the data controller.

This last point is directly aimed at ensuring that the processing activities of a data controller are subject to a consistent approach across the EU.

Of course, the fact that there will still be 27 data protection regulators means that there could still be 27 implementations of the regulation, as each regulator will interpret the regulation in its own way. How will disagreements between the national regulators over the interpretation of the regulation be resolved? Will we see a race to the bottom, where businesses choose as their home regulator the most business-friendly regulator (and, if so, how will that regulator be funded)?

That remains to be seen. But I bet Google doesn’t choose CNIL as its home regulator.

1 Response to “CNIL v Google – one directive and 27 data protection laws”

  1. How will the proposed data protection law reform affect Santa? « Brodies TechBlog (Trackback, December 20, 2012 at 4:01 pm)


October 2012