3 Big Takeaways from Amanda Witt’s Transatlantic Data Protection Enforcement Panel in Dublin

Amanda Witt represented the U.S. on an extraordinary panel in Dublin yesterday in which the participants – leaders in data protection from both sides of the Atlantic – learned from one another and from their national perspectives.  Here are just a few of the takeaways from this great discussion:

1.  The Big Enforcement Questions and a Clear View of What’s Next from Helen Dixon

Helen Dixon -- the Irish Data Protection Commissioner and perhaps the world’s most important regulator of the tech industry now – asked some of the most difficult and critical questions facing data protection today, including:

  • Can shaping the issues into actionable court cases do justice to what is at stake and desirable for society - especially if changing the business model is the only solution?
  •  If even in the context of $5 billion fees, the narrative immediately becomes “the cost of doing business,” are requirements for conduct not necessary?      
  • For digital advertising, is there any solution other than or in between the status quo or a subscription-based model?  

You will note that Commissioner was telegraphing a rather clear intent or at least desire to prescribe and/or proscribe conduct in her widely-anticipated upcoming enforcement actions.  But does the GDPR, with its focus on fines, give her that authority?  It certainly gives her an axe to order that the data no longer be processed, but what about a scalpel to prescribe conduct? 

2.  Amanda Witt’s Answer from the U.S. 

Amanda Witt’s description of the Federal Trade Commission’s enforcement powers depicted – some would say ironically – a world in which Commissioner Dixon would have the creative enforcement power on conduct she apparently intends to exercise or seek.  The FTC’s initial consent decrees must focus on agreed-upon – and potentially therefore creative – regulation of conduct precisely because the FTC has very restricted initial fining authority.  To issue its increasingly substantial fines, the FTC must find noncompliance with the conduct requirements in the consent decrees.  And the requirement in all such consent decrees of 20 years of monitoring may seem long given tech company lifespans – Are Myspace orders still scheduled to end in 2032? – but they provide the ideal way for the regulator to enforce conduct restrictions, potentially with more conduct restrictions as well as fines.  A DPA can use the “axe” offered by GDPR to initiate negotiations with companies over compliant business models; could or should it include monitoring over the years to continue to assure compliance?

In response to these inventive points raised by Ms. Witt and a question from the great moderator and panel organizer Niko Härting about her biggest takeaway from the panel, Helena Koning, now DPO of Mastercard and former General Counsel to the Dutch Data Protection Authority, said that she has been “spending too much time in Brussels,” now recognizing that Europe can learn from U.S. enforcement efforts and “compliance culture.”  When asked the same question, Ms. Witt noted the challenges cited by Canada’s former interim Privacy Commissioner Chantal Bernier as posed by Canada’s “ombuds” privacy enforcement framework, which Ms. Bernier says is showing its age, and which is likely to be replaced by a GDPR-like law, but perhaps could benefit from powers to craft innovative conduct regulation as well. 

3.  Amanda Witt on the Influence of GDPR in the U.S.

Ms. Witt described the strong influence of the GDPR on the intense privacy debate in the U.S. in terms of (a) the way in which it has shaped the dialogue on individual rights and (b) the way in which it has helped our clients organize their information to address privacy and deal more effectively with new privacy laws such as the CCPA and the Brazilian law.  The latter point reflects a recognition of the value of creating a data processing registry that lies at the heart of GDPR preparation.  She contrasted the GDPR with the CCPA, which has no such requirement, as a way of showing the relative value of the GDPR to our clients, particularly in the context of the aforementioned compliance culture of the U.S. 

The biggest CCPA fireworks for organizations -- one might respond – occur after the law goes into effect, if many consumers avail themselves of the law’s focus:  the “Do Not Sell My Personal Information” button.  In the case of both laws and GDPR-inspired laws around the world, we look forward to whatever contributions the U.S. “culture of compliance” can offer (if working together like this panel we can just keep it alive). 


Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their