National Enforcement Actions in Six EU Countries
Google decided not to implement the Article 29 Working Party’s recommendations.
Following a meeting with Google on March 19,, 2013 the national Data Protection Authorities of 6 of the 27 EU Member States announced that each will launch investigations and enforcement procedures against Google. Unlike the initial assessment phase that was coordinated by the CNIL on behalf of the other EU authorities, these investigations and enforcement procedures are not being jointly pursued. Indeed, each national Data Protection Authority has its own procedures, powers and sanctions.
Although the authorities have announced that they will cooperate together, Google will nevertheless face six distinct national procedures, and should they result in divergent decisions, there is no system to reconcile them. One goal of EU data protection reform is to establish a new system of supervision when data processing has an EU-wide impact. Under the proposition for a new EU data protection regulation made by the European Commission in January 2012 [http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf] and currently under review before the European Parliament, only the Data Protection Authority of the EU country where the company has its main establishment would be in charge of taking legally binding decisions against a non-compliant company (one-stop shop). In addition, mandatory cooperation between national authorities, as well as a consistency mechanism at the EU level, would be implemented to ensure consistency across investigations and enforcement procedures.