When the EU’s digital chief Margrethe Vestager meets Google’s Sundar Pichai on Wednesday, you could forgive her for feeling smug.
Last week, a top EU court upheld her €2.4 billion fine against the U.S. search giant for boosting its own shopping comparison service over competitors’ in a ringing endorsement of her crackdown on tech power.
Secretly, Pichai may be smug too.
It’s been almost a year since Vestager approved his company’s acquisition of wearables company Fitbit — and its troves of sensitive health data — despite fierce pushback from privacy campaigners and concerns raised by Europe’s network of privacy regulators.
It wouldn’t be the first time that her office has waved through a big data deal that causes privacy headaches later on, after Facebook reneged on promises it made when buying WhatsApp not to combine customer data across the platforms.
Now, Ireland’s data protection commission, which regulates the vast majority of American tech companies under the EU data-protection rulebook, the GDPR, is being asked to weigh in on the Facebook/WhatsApp data sharing.
“Data protection authorities are often left mopping up after other regulatory regimes have failed to act,” said Daragh O’Brien, a privacy consultant at Castlebridge.
The Irish privacy regulator — whose chief, Helen Dixon, will be meeting with EU justice chief Didier Reynders on Wednesday a few doors down from Vestager’s session with Pichai — is no stranger to criticism.
Some of the sharpest criticism came after the Irish privacy regulator in October said it didn’t have the authority to assess Facebook’s contract with users to provide them with a personalized, advertising-funded platform.
When contacted by POLITICO, the competition authority said it hadn’t received a copy of the draft decision, which had been published by the privacy campaigners behind the complaint. Besides, the Irish trustbuster didn’t have the authority to weigh in on the privacy regulator’s decision, it said.
The case highlights how even some of the most widespread practices by tech companies can fall between the cracks in Europe’s digital regulatory frameworks.
It’s an issue that threatens to derail the 27-member bloc’s fight against Big Tech — and one it should bear in mind as it drafts sprawling new rulebooks meant to police online content and digital competition.
The Irish privacy regulator may have been wise to stick to its lane. In other cases where regulators have tried to bridge the divide between regulatory regimes, they have been shot down. In 2019, the German competition authority — working in close tandem with privacy regulators — ruled that Facebook’s data collecting and combining were an abuse of market power.
But the German competition decision faces legal challenges and currently sits with the EU’s top court, which has been asked to decide whether the authority went beyond its remit in using data-protection law to enforce trustbusting measures.
Other attempts to join up different digital regimes are proceeding more cautiously.
The EU’s in-house privacy regulator, the European Data Protection Supervisor, began discussing increased cooperation between digital regulators back in 2013, forming the Digital Clearinghouse in 2016 to “bring together agencies from the areas of competition, consumer and data protection willing to share information and discuss how best to enforce rules in the interests of the individual.”
But the Digital Clearinghouse quickly became ensnared in legal issues around how much regulators across different disciplines and countries could actually cooperate, and now operates mainly as an academic-led think tank.
Experiences across the Channel may point the way forward.
In 2020, the U.K. data protection, competition and media regulators formed the Digital Regulation Cooperation Forum to tighten cooperation on online regulation. Despite the cumbersome name, the body has gotten off to a promising start, announcing a detailed work program in March 2021, and bringing in the financial regulator shortly thereafter. The forum also has full-time staff, and it poached a Google executive earlier this month to become its chief executive.
The British regulators now work hand-in-hand on various topics, including a sprawling investigation into Google’s online advertising empire. But it’s not foolproof, as the country’s regulator recently approved Facebook’s deal to buy Kustomer, a software company sitting on troves of personal data, without any input from the data protection authority.
Arrangements like this could become more commonplace. In October, the Dutch privacy, competition and media regulators announced a similar arrangement. Across the Atlantic, the powerful U.S. Federal Trade Commission under new boss Lina Khan is looking to marry different strands of its large remit in a bid to strike at the heart of Big Tech’s business models.
Brussels‘ proposed new digital rules also hint at bridging the divide.
The European Commission’s draft Digital Markets Act introduces prohibitions on combining personal data from several sources without seeking the user’s consent as well as obligations to „refrain from using, in competition with business users, any data not publicly available, which is generated through activities by those business users.”
There is a hope that such joined-up thinking could avoid cases like Ireland’s Facebook decision, that seemingly fall into a legal no man’s land.
“Regulation of data needs the intervention of different authorities, and what we miss in Europe is a coordination mechanism among authorities,” said Alexandre de Streel, academic co-director at the CERRE think tank.
As the EU’s in-house privacy regulator Wojciech Wiewiórowski puts it: „We need a common framework.“
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.