These women are Europe's prime Big Tech watchdogs and 'shaped what this field of law looks like today'
Last year, Norway’s privacy watchdog hit Meta Platforms Inc. with a ban related to its processing of user data. It was a risky move for a small office to make, but it paid off several months later when European Union regulators extended the curbs across the region. It also burnished the reputation of the agency’s new boss — one of the most recent additions to Europe’s growing roster of female data regulators out to rein in big tech.
Line Coll, a former tech lawyer, stepped into her role in 2022, joining an elite cohort of officials who can force changes on the world’s biggest companies by wielding the magic wand of the region’s strict data protection law, the General Data Protection Regulation. That legislation, which went into effect in 2018, transformed data regulation, once seen as a legal backwater, into a prominent area, and elevated many women working in it into the spotlight.
More than half of the 30 authorities tasked with enforcing the bloc’s data rules are led by women, and with sweeping new EU tech regulations now in effect, their roles as watchdogs may expand even further. Norway, Sweden, Denmark, Finland and Iceland all have female data commissioners, as do France, Spain, Luxembourg and, until recently, Ireland.
In other fields too, female regulators are leading the way. The EU’s antitrust chief Margrethe Vestager made her mark again this week when she hit Apple with the third largest competition fine ever doled out by the bloc. Vestager these days is one of the world’s three most powerful antitrust watchdogs, together with the UK’s Sarah Cardell, who is CMA chief executive officer, and US Federal Trade Commission Chair Lina Khan.
Women “shaped what this field of law looks like today,” Andrea Jelinek, Austria’s former top tech regulator, said in a speech in November. “When I first started out in data protection, there were barely any men,” she recalled. The women who took on these roles, moreover, “were often doing so on top of our day jobs as lawyers, technologists, and businesswomen.”
“My theory was, and still is, that men were less attracted to data protection because it was a human rights field of law, and money was less of a consideration,” she added.
As US tech giants became more dominant in Europe, women continued to move into regulatory roles. It “started maybe 10 years ago,” said Wim Nauwelaerts, a data protection lawyer with more than two decades of experience.
Early pioneers include Isabelle Falque-Pierrotin, the former head of France’s data protection watchdog and an active enforcer of the EU’s pre-GDPR data protection rules, who cautioned that if “two or three countries take the lead on dealing with the big players,” then the rest of the bloc would be left to “watch the trains go by.” Another is former EU commissioner Viviane Reding, who devised the so-called one-stop-shop mechanism in 2012 to simplify data protection procedures for companies and citizens.
Yet the biggest name is Helen Dixon, Ireland’s former data protection commissioner. When the GDPR went into effect, empowering regulators to levy fines of up to 4% of a company’s annual revenue for violating data protection rights or failing to prevent serious data breaches, her office instantly became Europe’s top watchdog. Some of the most powerful U.S. tech firms such as Meta, Apple Inc. and Alphabet Inc.’s Google established their EU bases in Ireland, and Dixon was charged with monitoring their compliance.
Over the course of her tenure, Dixon opened more than 80 probes into the biggest global players and levied over €2.8 billion in fines. Some of her most sweeping investigations involved Twitter and ByteDance Ltd.’s TikTok, but no company received as much scrutiny as Meta, which received more than €2.5 billion in collective fines across a series of probes. Dixon made history last year when she hit Meta with a €1.2 billion penalty, topping the previous record held by Luxembourg data chief Tine Larson, who handed Amazon.com Inc. a €746 million data protection fine in 2021. Both decisions are under appeal, and further investigations into Meta, TikTok, Google and Twitter are still pending.
With laws and procedures varying from one EU country to the next, one of the biggest challenges of regulatory work is ensuring that decisions will stand up in court. To build her cases, Dixon in some cases met regularly with the big firms based in Ireland, which some activists may have seen as bias but which she, as a regulator, saw as necessary.
“Sit-downs with companies are not about helping those companies,” Dixon explained in an interview in January. While her office does help organizations interpret the law, the true aim of such meetings “is to learn and understand what their data processing operations are,” she said. “It’s extremely arrogant to think that as a regulator, you know everything.”
Dixon, who stepped down in February after almost 10 years on the job, is confident that with new content moderation and digital antitrust rules as well as a slew of other EU laws coming into effect, regulators will have an opportunity to apply years of experience honed through the GDPR. When that legislation was first implemented, regulators across the 27-nation bloc were able to weigh in on EU-wide cases before a watchdog issued a final decision, leading to tensions over jurisdiction and speed.
Criticism that Irish regulators were taking too much time to complete EU-wide probes led to inquiries, and ultimately a decision to boost the number of national commissioners from one to three. With the support of Vice President Vera Jourova, the European Commission also stepped in last year with legal tweaks to help streamline cooperation between data protection authorities so big cases can be addressed more quickly and efficiently. Such changes come just in time, as the new regulatory landscape will put unprecedented demand on data protection lawyers to up their game and on already overburdened watchdogs to boost their resources and expertise.
The versatility that the field has demonstrated in adapting to change is also reflected in the work itself. Data protection offers greater flexibility than more conservative and male-dominated corners of law, which may be one reason it has been attractive to women. Prior to taking charge of Norway’s data watchdog, Coll spent five years as a partner at a corporate law firm. Upon being approached for the job, “the first thing I said to them was, I’m a single mom, I have two kids. I leave my office at four every day. I can work hours and hours out of office, but I leave.” Rather than seeing this as a liability, she thinks her confidence “was something they needed.”
And as the field has risen to prominence, it has started to attract a wider range of practitioners – namely, more men. This has raised some concern that women may soon be driven out of top jobs.
Nauwelaerts, the data lawyer, is skeptical. Many of the women leading the field are uniquely qualified to do so thanks to decades of experience, he noted. He doubts that “the women who made it into those ranks would be suddenly pushed away by men.”
The EU’s top data chief shares the same view.
“Women have been here for a long time,” said Anu Talus, Finland’s data ombudsman and head of the European Data Protection Board. And despite recent changes, it remains “a field with many experienced women who have decided to stay.”