September 16, 2021
European Union nations are voicing discontent over delays in enforcement of the General Data Protection Regulation (GDPR) implemented in May 2018. Earlier this month Ireland announced a $266 million fine against WhatsApp, after haggling to boost the original sanction of up to $59 million by the Irish Data Protection Commission (WhatsApp parent Facebook has European headquarters in Ireland). The situation has prompted calls to revise how the 27 EU member countries participate in overlapping cases, with expanded pan-EU rules also under consideration.
WhatsApp, which is accused of failing to disclose to EU members how it shared user data with other Facebook units, called the fine “entirely disproportionate” and says it will appeal, according to U.S. News & World Report.
The Irish authority was criticized by eight other regulators who argued the fine was too low and had issues with the Irish agency’s assessment of WhatsApp’s data practices. After working through a GDPR resolution process, Ireland’s DPC said it capitulated to the other regulators’ recommendations, which included a larger fine.
However, The Wall Street Journal reports the various regulatory agencies still feel the process of sharing enforcement is cumbersome and has led to bottlenecks. “We always have the same issue,” explained European Consumer Organisation senior legal officer David Martin Ruiz. “If everything relies on the lead data protection authority taking the initial step then we have the big cases taking a lot of time.”
Some authorities have charged their counterparts take too long to investigate high-profile cases. In May, a German regional authority used an emergency procedure to bypass rules prohibiting regulating beyond their jurisdiction and levied a three-month ban on Facebook’s ability to collect data from the EU’s WhatsApp users.
“It is important to bear in mind that the dispute resolution process is only employed in the exceptional circumstance where the [authorities] could not reach consensus at an earlier stage,” European Data Protection Board chair Andrea Jelinek told the WSJ. GDPR rules stipulate the dispute process be concluded within two months, a deadline the two controversies on record seem to have met.
Hogan Lovells International LLP’s Eduardo Ustaran, who jointly runs the law firm’s privacy and cybersecurity practice, suggested there “is always going to be an issue when you have 27 regulators trying to operate as one in a place that is as diverse as Europe.” The European Commission, which crafted the GDPR legislation, said while it does not want to prematurely draw conclusions about fragmentation, it plans to explore “targeted amendments.”