Peter Fleischer, Google’s global privacy counsel, thinks it’s time for a lead privacy regulator in Europe. Writing on his personal blog, Peter uses the current situation of both the Irish Data Protection Commissioner and Germany each investigating Facebook as a case in point.
The German regulatory world is a microcosm of the European regulatory world. Each “Land” in Germany has its own independent data protection authority. In theory, each is entirely independent, and is free to investigate or regulate separately, or in addition to, or even differently than one of its sister-German-DPAs. But in practice, the German DPAs have developed a custom (not based in law, but based in deference and mutual respect) that they would defer to the “lead German DPA”. In the example of Facebook, the DPA of Hamburg is leading on behalf of its sister-German DPAs, because Facebook’s German headquarters are based in Hamburg. That’s why Hamburg, rather than, say, Munich, is investigating Facebook.
So, the question is simple: German DPAs have developed the concept of “lead regulator” amongst themselves. But are they willing to respect the same concept, and show the same necessary regulatory deference, at a European level, e.g., vis-a-vis the Irish DPA?
Read his full blog entry here.
The same argument could be made for U.S. privacy issues. While the FTC might be the “lead regulator” in some sense, each state has its own authority to protect its residents and may open their own investigations. Of course, that’s even more likely to occur because the FTC generally doesn’t tip anyone as to what firms it is investigating or why. And of course, it wouldn’t prevent consumer lawsuits filed in multiple jurisdictions until they’re consolidated.
So I’ll go one step further than Peter. I think that not only does the EU need a lead privacy regulator that has sufficient resources and some “teeth,” but that the U.S. also needs one. That concept is not new and has been proposed in Congress in the past, but it went the same way as efforts to get a strong federal privacy-protective law for consumers that would pre-empt individual state laws.