Some of the companies serving people in Europe have headquarters in the EU. Facebook is one of these companies. We established in Dublin in 2010.Years ago, the EU created data protection law so businesses and organizations that collect and use people’s data play by a consistent set of rules across Europe. Each of the EU’s 28 member states has implemented this law, and data protection authorities in each of the 28 member states enforce it.Since Facebook has headquarters and its privacy compliance function in Dublin, Ireland, the data protection authority there – the Irish Data Protection Commissioner (IDPC) – is the primary regulator for Facebook’s services in Europe. So Facebook regularly works with the IDPC to review products and policies to make sure we comply with the law.
But like many companies, Facebook’s “customers,” which include people, advertisers and developers, don’t just live in Ireland, they live across Europe. As a result, Facebook has offices in other EU member states for things like working with local businesses who advertise on Facebook, or working with industry partners like trade organizations.
This isn’t unique to Facebook. Lots of companies that handle people’s data – from banks to supermarkets to auto manufacturers – are established in one European country but do business in all of them. This is the vision of a single European market in action. Yet even with a common data protection law implemented by each member state, this raises an important question: which regulator holds a business accountable for privacy when that business serves people in multiple countries?
It’s a question all of the EU member states’ data protection authorities have had to confront. These officials are part of the Article 29 Working Party, a group the EU created to advise policymakers across Europe about consistently promoting data protection law. The group recognized that overlapping laws could bring about inefficiencies that ultimately hurt the people they’re trying to protect. In 2010, they explained the circumstances where a data protection authority oversees a business operating in its borders, differentiating between what’s known in the EU as data controllers and data processors.
Outside of data protection law, the difference between a controller and a processor may not be obvious, so it may be easier to think about them as people who play distinct roles in a workplace. The data controller is the supervisor or the person in charge, who determines what data should be processed, and why and how it should be carried out. Sometimes the supervisor does this work herself, and other times she requires her workers to help.
The data processor is the worker who does tasks for his supervisor, the data controller. The worker might specialize in one kind of project or be good at a lot of things, but he only carries out the precise work as requested by his supervisor. He doesn’t have any leeway to stray from his assignments; he works strictly within the controller’s instructions.
The Article 29 Working Party’s guidance states that EU data protection law applies where a data controller is established, and it does not apply in cases where a data processor simply carries out tasks on the controller’s behalf or where a local office exercises no control over the way data is used. Facebook’s headquarters in Dublin – Facebook Ireland – is a data controller, so it’s subject to EU data protection law as implemented in Ireland. The offices we have elsewhere in Europe, from our Belgian sales office in Brussels to an engineering hub in London, rarely interact with people’s data, and when they do, it’s only as directed by Facebook Ireland.
Importantly, data protection authorities outside of Ireland play a role in resolving issues on behalf of their citizens, even though Facebook doesn’t have a data controller inside their borders. They work regularly with Facebook as well as the IDPC, the regulator overseeing Facebook. National authorities also resolve problems about specific user accounts or violations of the company’s terms directly with Facebook’s headquarters in Dublin.
This model ensures people across Europe benefit from EU data protection law, regardless of where they live, and regardless of whether the services they use have offices in their countries. In turn, the businesses and organizations that serve them are able to operate under consistent, clear rules and to more quickly offer new services to people.