European data regulators risk damaging the EU business market by fragmenting regulation into 28 individual national markets, Facebook has warned today in its first extensive public comments on data protection issues.
Regulators responding to complaints about Facebook, which has its European headquarters in Ireland and is under increased European scrutiny for its data handling practices, should work with Ireland's Office of the Data Protection Commissioner (ODPC) to resolve regulatory issues, according to Richard Allan, vice president of EMEA policy at the company.
“This is a serious issue for internet businesses generally across Europe,” he told the Irish Times in an interview. He said multiple regulatory investigations in different jurisdictions were “completely inconsistent with the principle of a single market.”
Allan added that small, growing European companies should be particularly concerned because they could face daunting cost and management problems on complex data issues in 28 separate EU jurisdictions.
Facebook is currently implicated in a case before the European Court of Justice regarding its data gathering practices, originally brought by Austrian law graduate Max Schrems against the Irish ODPC. Though the core case questions whether the Irish ODPC was correct in refusing to rule on the adequacy of existing Safe Harbour data handling agreements between the EU and US, the ECJ has indicated an interest in the Safe Harbour provision itself.
Schrems has brought an additional, class action civil case against Facebook in a Vienna court, on the same basic issues.
Allan said that facing multiple national regulatory regimes goes against the intention of existing EU data protection legislation, which implies a “one-stop shop” approach, where a company meeting the regulatory requirements of any one EU state may do business in all others.
A proposed new data protection Regulation, currently reaching final negotiations within the EU, had the intent of harmonising data protection legislation across the EU to prevent such fracturing. It would place the responsibility of enforcement in the EU state in which a company is based.
Most of the significant US internet, social media and technology companies have their operational headquarters in Ireland.
Recently some states have lobbied for the new Regulation to allow national DPCs to challenge regulatory decisions made in the headquarter country.
Allan said Facebook is concerned this would remove the benefits of the ‘one-stop shop’ and reintroduce greater costs to businesses as they face increased regulatory uncertainty.
“This is why it is important to have this discussion now,” he said.
Unlike some other internet multinationals that have customers in Europe but remain based in the US, such as Google, Allan said that Facebook deliberately chose to come to Europe to establish an office that has stand-alone responsibilities for handling data and various functions for the EMEA market.
“We are a European company,” he said. “We’ve established an office here, and we’ve been through two audits.” The Irish audits required the allocation of millions of euro worth of staff time, he said.
Allan refuted claims by Schrems, also reflected by ECJ judges in questions at a recent hearing for the case, that Facebook chose to locate in Ireland because it had a more “lax” approach to data regulation.
“The decision was made to come to Ireland because operationally [for many reasons], that was the best location to build our European headquarters,” he said.
“Our experience is that the Irish data protection commissioner is incredibly thorough. They spent weeks and weeks going through our operations in two separate audits. The office is actually far more rigorous than any of the other EU regulatory offices, which have only made a few phone calls or asked questions by email.”
He said some view the DPC role as one in which the regulator waits for complaints to arrive before conducting an investigation. Others see the DPC as a job where “you continually engage and if you see problems, you fix them.”
The Irish DPC office took the latter approach, he said, which enabled Facebook to go to the regulator when it had plans for a new product or service and try to resolve potential issues before launch.
Allan said Facebook did not accept the accusation that it had mishandled user data or did not comply with EU data protection law.
“We observe privacy laws and we keep data securely,” he said. He also said the company had not allowed the US National Security Agency (NSA) direct access to its servers in the US and that this was a misrepresentation of information that had emerged in documents revealed by whistleblower Edward Snowden.
The company was part of the Reform Government Surveillance alliance of companies in the US and Europe campaigning for greater government transparency and more restrictions on surveillance activities, he said.
Of the current debate over the adequacy of Safe Harbour in the Schrems case, Allan said: “It is right that the ECJ should be asked to consider those questions,” as Safe Harbour is intended to be “a mega-protection” for data.
But he added that he did not think there was any fault on the part of the Irish DPC not to have ruled directly on Safe Harbour’s adequacy.