National data watchdogs will be able to pursue big tech firms even if they are not their lead regulators, the European Union's top court has ruled.
The Court of Justice of the European Union (ECJ) ruling opens the way for national agencies to act against US tech companies such as Google, Twitter and Apple, which all have their European Union headquarters in Ireland.
Under EU rules, these companies would face oversight by the Irish data protection authority. But Tuesday’s ruling confirmed that a national data protection authority can take a company to court in its own country under GDPR when there are cross-border data processing activities.
The case came before the ECJ following a challenge taken by Facebook against the territorial competence of the Belgian data watchdog to stop it from tracking users in Belgium through cookies stored in the company's social plug-ins, regardless of whether they have an account or not.
“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority with regard to that processing,” the ECJ said.
“We are pleased that the CJEU has reaffirmed the value and principles of the one-stop-shop mechanism and the role of the lead supervisory authority,” Jack Gilbert, Facebook’s associate general counsel, said.
“Today’s ruling confirms that the competence of other authorities to deviate from this principle is limited to the exceptional circumstances outlined in GDPR. We agree that this principle is essential to ensuring the efficient and consistent application of GDPR across the EU,” he added.
US warning
The news comes as the US warned the EU against pursuing “protectionist” technology policies that exclusively target American companies. The National Security Council, an arm of the White House, wrote last week to complain about the tone of recent comments about the EU’s flagship tech regulation, as debates are about to begin in the European parliament.
“We are particularly concerned about recent comments by the European Parliament rapporteur for the Digital Markets Act (DMA), Andreas Schwab, who suggested the DMA should unquestionably target only the five biggest US firms,” said the email, seen by the Financial Times and dated June 9th.
Criticism
Ireland’s Office of the Data Protection Commission (DPC) has faced criticism from national watchdogs in the 27 member states that it is under-resourced for the task and takes too long to decide on cases.
The DPC has dismissed this, saying it has to be extra meticulous in dealing with powerful and well-funded tech giants.
Speaking at an Oireachtas committee in April, commissioner Helen Dixon defended the work of the DPC. She criticised a “superficial skimming of the surface” on major issues and “exaggeration” by some critics, and also rebutted criticism regarding the time taken to reach decisions.
The European Consumer Organisation (BEUC) said Tuesday’s ruling should have positive repercussions in the fight to better protect consumers’ personal data.
The organisation said the cross-border enforcement system had shortcomings, with the enforcement procedure and decision depending on the authority in the country where the company has its main base, and that this was undermining the effective application of the rules.
The DPC did not respond to a request for comment on Tuesday.
Consumers
“This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU. Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on,” said BEUC director general Monique Goyens.
“Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge.”
The GDPR, which came into effect in May 2018, gives regulators powers to fine companies up to 4 per cent of their global turnover of the previous year or €20 million, whichever is greater, for violating the law. – Additional reporting: The Financial Times/Reuters