OK. Let’s assume that you are a multinational data controller who can chose which of the EU privacy regulators you wish to be regulated by.
Today, which regulator would that be?
The Fundamental Rights Agency helpfully published a very useful report back in April 2010, which compared the independence, effectiveness, resources and powers of each data protection authority. Almost 4 years have passed since its publication, so some of the text is out of date, but it still remains a great reference document.
If you are interested in learning which regulators are truly independent, and which are political patsies, read the report.
If you really want to know which ones are starved of resources, then this is a good place to start.
If you want to compare their powers of investigation, powers of intervention, powers to hear claims and engage in legal proceedings, and appreciate what advisory powers they have, then this really is an essential document.
And if you want a report that comments on their activities, yes – what they had actually got up to - then again you should read the report.
The report also points out the deficiencies of data protection authorities, the relative lack of enforcement of data protection rules generally, the problems of rights awareness among citizens, the problems of meshing the needs of the crime and security agencies with general privacy rules, and various technological challenges that data protection authorities face.
It’s an essential document for anyone interested in forum shopping - or for anyone who (mistakenly) believes that multinational data controllers are seriously interested in data protection forum shopping. No one in their right minds is going to deliberately arrange their business affairs so that they fall under the supervision of the weakest data protection regulator. Tax and employment issues will always far outweigh data protection considerations.
Just be mindful of the report's subliminal message – which is that if there should be 'one data protection rule to rule us all,' then the logical consequence is that 'one regulator should enforce it all.'
Anyway, the identity of Europe’s weakest data protection regulator.
I’ve given you enough material for today.
Read the report and work it out for yourself!