Europe’s fight to enforce new privacy rules is just getting started — and it could get nasty.
That was the parting shot from Isabelle Falque-Pierrotin, Europe’s outgoing data privacy boss, as she stepped off the stage Wednesday after four years at the helm of the EU’s umbrella group of regulators.
Her departure comes a few months before the EU starts enforcing its General Data Protection Regulation (GDPR), a sweeping overhaul of privacy rules already being felt around the world.
But as Falque-Pierrotin — a high-level French civil servant and a leader on the global tech scene who has led probes into Google, Facebook and the U.S. government’s use of data — mulls her next move, she warned EU regulators not to get complacent about privacy. More so than drafting privacy rules or pushing them through the EU’s bureaucracy, the big challenge for Europe is getting companies and national governments to comply, she told POLITICO in an exit interview from Paris.
“The first thing is to make sure the [EU’s massive privacy law] General Data Protection Regulation is going to work effectively. That it is not only a theoretical monument but a real operational reality,” she said, as Austrian data protection chief Andrea Jelinek prepares to take over her role as head of the Article 29 Working Party.
One challenge is getting EU governments to apply new rules.
Another is pushing foreign powers to update their privacy standards via a tool known as “adequacy decisions” — a method Falque-Pierrotin criticized as being fraught with legal risk.
“Europe should not consider itself a fortress,” she said, but “You can’t build the whole strategy of data flows only on one tool that’s under discussion with the courts.”
Asked if rival economic powers such as China and the United States could push back against the EU’s privacy drive, she added: “What we’re asking others is to make an effort. If we are asking for this, maybe they can ask for other things on our side … There is a big negotiating table.”
After 48 months as the face of data privacy in Europe, Falque-Pierrotin is sure to attract plenty of attention from both the private and public sector. The graduate of France’s elite ENA school of public administration led high-profile fights against the biggest Silicon Valley firms, crafting European positions on the use of personal data for commercial purposes.
Asked about plans for her next job, Falque-Pierrotin said she is keeping an open mind. Beyond a yearlong assignment to chair the International Conference — an annual gathering of global data protection chiefs — and serving out her term as chief French regulator until February 2019, she said she remains “very interested in European subjects.”
Does that mean a potential bid to become a European Commissioner? No comment.
At the same time, with President Emmanuel Macron revamping France’s image abroad, Falque-Pierrotin sounds open to the idea of trying her hand at domestic politics. “France is getting smarter,” she said, adding that the country should look to Europe for its future.
Meanwhile there is much to digest from a chairmanship she described as “tremendous and hectic.”
Indeed Falque-Pierrotin’s time coordinating Europe’s privacy chiefs coincided with some of the biggest events to rock the field in decades — from the fallout of revelations about mass surveillance by the Edward Snowden case to the EU’s grand overhaul of privacy rules with GDPR.
“We echoed, we conveyed the new social expectations of the consumers and the citizens,” she said. “These expectations have changed a lot in the last years. People now really want their data protected.”
Some impact is measurable. Research shows the use of privacy technology such as encrypted messaging apps and tools to hide your identity while browsing the internet has shot up over the past five years.
Falque-Pierrotin also had her share of high-profile fights with tech giants. Under her leadership, authorities pushed back repeatedly against Silicon Valley firms whose business models were based on trading in personal data.
However, she added, “The actions of data protection in Europe in past years is not a crusade against the GAFA,” referring to the common denominator for tech giants Google, Apple, Facebook and Amazon.
Willem Debeuckelaere, the chief Belgian privacy regulator, said Falque-Pierrotin’s “style was rather presidential” — a trait that helped her stand up to tech giants like Google and Facebook: “She wasn’t shy about engaging in a discussion” with firms of this size, he said.
Her time as chairwoman marks a rise in power for authorities across Europe. “When I took over [the Article 29 Working Group] was more of an expert group — or, it was an expert group,” Falque-Pierrotin said.
Giovanni Buttarelli, the EU’s own data protection supervisor, said “everyone has his or her working style” and he “respected” his French counterpart. But he hopes that the new chair Jelinek will deliver on her promise to work in a collegial way with other authorities around Europe.
Jelinek inherits a group that is a political force on all topics intersecting with data protection, repeatedly moving the needle on issues such as international data flows and law enforcement access to data.
On privacy protections, she said, “there is a European identity, and this identity, for international actors, must be respected.”