Last year, Norway’s privacy watchdog imposed a ban on Meta Platforms Inc. related to the processing of its users’ data. It was a risky move for a small office, but it paid off several months later when European Union regulators expanded restrictions across the region. It also burnished the reputation of the agency’s new head, one of the most recent additions to Europe’s growing list of female data regulators seeking to rein in Big Tech.
Line Coll, a former technology lawyer, takes office in 2022, joining an elite group of officials who can impose changes on the world’s largest companies by wielding the magic wand of the region’s strict data protection law, the General Data Protection Regulation. That legislation, which came into effect in 2018, transformed data regulation, once seen as a legal backwater, into a prominent area, and put many women who work in it in the spotlight.
More than half of the bloc’s 30 data enforcement authorities are led by women, and with the EU’s sweeping new tech regulations now in place, their roles as gatekeepers may expand further. Norway, Sweden, Denmark, Finland and Iceland have female data commissioners, as do France, Spain, Luxembourg and, until recently, Ireland.
Regulators are also leading the way in other fields. EU antitrust chief Margrethe Vestager made her mark again this week when she hit Apple with the third-largest competition fine ever imposed by the bloc. Today, Vestager is one of the three most powerful antitrust watchdogs in the world, along with Britain’s Sarah Cardell, executive director of the CMA, and US Federal Trade Commission Chairwoman Lina Khan.
Women “shaped what this field of law is today,” Andrea Jelinek, Austria’s former top technology regulator, said in a speech in November. “When I started in data protection there were hardly any men,” she recalls. Furthermore, the women who took on these roles “often did so in addition to our day jobs as lawyers, technologists, and entrepreneurs.”
“My theory was, and remains, that men were less attracted to data protection because it was a field of human rights law, and money was a lesser consideration,” he added.
As American tech giants became more dominant in Europe, women continued to take on regulatory roles. “It started maybe 10 years ago,” said Wim Nauwelaerts, a data protection lawyer with more than two decades of experience.
Among the early pioneers is Isabelle Falque-Pierrotin, former head of France’s data protection watchdog and actively responsible for enforcing pre-GDPR EU data protection rules, who warned that if “two or three countries take the initiative in dealing with the big players,” then the rest of the bloc would be left to “watch the trains go by.” Another is former EU commissioner Viviane Reding, who devised the so-called single window mechanism in 2012 to simplify data protection procedures for companies and citizens.
The biggest name, however, is Helen Dixon, Ireland’s former data protection commissioner. When the GDPR came into force, empowering regulators to impose fines of up to 4% of a company’s annual revenue for violating data protection rights or failing to prevent serious data breaches, his office instantly became the Europe’s main control body. Some of the most powerful American tech companies, including Meta, Apple Inc. and Alphabet Inc.’s Google, set up their EU bases in Ireland, and Dixon was tasked with monitoring their compliance.
Throughout his tenure, Dixon opened more than 80 investigations into the world’s largest players and imposed more than €2.8 billion in fines. Some of his most extensive investigations involved Twitter and ByteDance Ltd.’s TikTok, but no company received as much scrutiny as Meta, which received more than €2.5 billion in collective fines over a series of investigations. Dixon made history last year when he fined Meta €1.2 billion, surpassing the previous record by Luxembourg data chief Tine Larson, who fined Amazon.com Inc. a €746 million data protection fine. euros in 2021. Both decisions are under appeal. , and more investigations are still pending on Meta, TikTok, Google and Twitter.
As laws and procedures vary from one EU country to another, one of the biggest challenges of regulatory work is ensuring that decisions stand up in court. To develop her cases, Dixon met regularly in some cases with large companies based in Ireland, which some activists may have seen as bias, but as a regulator she considered it necessary.
“The meetings with companies are not intended to help them,” Dixon explained in an interview in January. While his office helps organizations interpret the law, the real goal of such meetings “is to learn and understand what their data processing operations are,” she said. “It’s extremely arrogant to think that as a regulator you know everything.”
Dixon, who resigned in February after almost 10 years in the role, is confident that with new content moderation and digital antitrust rules coming into force, as well as a host of other EU laws, regulators will have the opportunity of applying years of perfected experience. through the GDPR. When that legislation was first implemented, regulators in the 27-nation bloc were able to weigh in on cases from across the EU before a watchdog issued a final decision, raising tensions over jurisdiction and speed.
Criticism that Irish regulators were taking too long to complete investigations across the EU led to investigations and ultimately a decision to increase the number of national commissioners from one to three. With the support of Vice President Vera Jourova, the European Commission also intervened last year with legal adjustments to help streamline cooperation between data protection authorities so that important cases can be dealt with more quickly and efficiently. These changes come just in time, as the new regulatory landscape will place unprecedented demands on data protection lawyers to up their game and already overstretched regulators to increase their resources and expertise.
The versatility the field has shown in adapting to change is also reflected in the work itself. Data protection offers greater flexibility than more conservative, male-dominated areas of law, which may be one reason why it has proven attractive to women. Before taking charge of Norway’s data watchdog, Coll spent five years as a partner at a corporate law firm. When they proposed the job to me, “the first thing I told them was: I am a single mother, I have two children. I leave my office at four every day. “I can work hours and hours outside the office, but I’m leaving.” Instead of seeing this as a burden, she believes that her trust “was something they needed.”
And as the field has risen to prominence, it has begun to attract a broader range of professionals—that is, more men. This has raised some concern that women will soon be pushed out of top positions.
Nauwelaerts, the data lawyer, is skeptical. Many of the women leading the field are uniquely qualified to do so thanks to decades of experience, he noted. He doubts that “the women who reached those ranks will suddenly be expelled by the men.” The EU’s top data chief shares the same opinion.
“Women have been here for a long time,” said Anu Talus, Finland’s data ombudsman and head of the European Data Protection Board. And despite recent changes, it remains “a field with many experienced women who have decided to stay.”
