Data Privacy

Regulators from both sides of the Atlantic weighed in on privacy regulations and enforcement on the first day of the International Association of Privacy Professionals' annual summit in Washington, D.C.

The Global Privacy Summit kicked off Thursday morning with a panel of European regulators: U.K. Information Commissioner Elizabeth Denham, Irish Data Protection Commissioner Helen Dixon and head of the Austrian Data Protection Authority and chairwoman of the European Data Protection Board Andrea Jelinek, moderated by Bird & Bird partner Ruth Boardman.

Almost a year after the EU's General Data Protection Regulation went into effect, the regulators discussed what's worked.

Jelinek said the importance of having a data protection officer role “can't be overstated.” Appointing a DPO was mandatory for some companies under GDPR. She also said GDPR's status as an EU-wide law “makes it easier” for companies to comply because there's just “one set of rules.” Her comments come as American policymakers debate whether a U.S. federal privacy law would preempt state laws, including the California Consumer Privacy Act.

The Senate Committee on Commerce, Science and Transportation heard Dixon's input on an American federal privacy law at a hearing Wednesday, where she noted that each member state has its own “flavor” of GDPR despite it being EU-wide. On the panel, Dixon said she's interested in U.S. policymakers' focus on whether an American privacy law “would regulate very specific uses as well as having those high-level principles and rules.”

In an afternoon session, Federal Trade Commission chairman Joseph Simons spoke with IAPP president and chief knowledge officer Omer Tene about the future of a federal data privacy law and the agency's enforcement strategies.

Simons said he's heard a federal law could be coming. He was hesitant to speculate on whether it would include preemption or what that would look like, but Simons guessed it would be a “narrow preemption focused on laws that look like CCPA.” If a federal law does come, Simons said the FTC would need to “beef up” its Division of Privacy and Identity Protection to meet enforcement needs.

According to Simons, the FTC currently has 40 employees who “punch way above their weight,” but the agency would use any extra resources allocated by Congress “to very good use.” Consumer advocates called for more FTC resources at Wednesday's Senate committee hearing, comparing the size of the FTC with that of Ireland's Data Protection Commission, which has around 140 employees.

Simons said the comparison is “apples to oranges” because the IDPC has more authority and oversees GDPR. He also noted the difference in powers between European regulators and the FTC.

“One thing we do not have which the EU has is fining authority. … The only way we can get money from folks in these privacy cases is we have to get them under order and we have to have them seek civil penalties and we can't do that ourselves, we have to go to court,” Simons said.

He declined to answer a question on a possible coming FTC penalty on Facebook, which the Menlo Park, California-based company has estimated could be up to $5 billion. Simons did say the idea of charging company executives for illegal data privacy business practices is “on the [FTC's] radar,” but he's not “expecting to do this in every case.”
