Facebook and other Silicon Valley giants could face more scrutiny and potential sanctions in the European Union after the bloc’s top court backed national privacy watchdogs to pursue them, even when they are not the lead regulators.
Consumer lobbying group BEUC welcomed Tuesday’s ruling by the EU Court of Justice (CJEU), which backed the right of national agencies to act, citing enforcement bottlenecks.
“Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU,” BEUC Director General Monique Goyens said after the judgement.
Along with Google (GOOGL.O), Twitter (TWTR.N) and Apple (AAPL.O), Facebook (FB.O) has its EU headquarters in Ireland, putting it under the oversight of the Irish data protection regulator under privacy rules known as GDPR, which allow for fines of up to 4% of a company’s global turnover for breaches.
The CJEU got involved after a Belgian court sought guidance on Facebook’s challenge to the territorial competence of the Belgian data watchdog, which was trying to stop it from tracking users through cookies stored in the company’s social plug-ins, regardless of whether they have an account or not.
“The BE DPA (Belgium’s data watchdog) now needs to analyse the judgment in more detail to determine whether any of the situations described … apply to the case it has opened against Facebook in 2015,” Hielke Hijmans, Chairman of the Belgian Data Protection Authority’s Litigation Chamber, said.
Several national watchdogs in the 27-member EU have long complained about their Irish counterpart, saying that it takes too long to decide on cases. Ireland has dismissed this, saying it has to be extra meticulous in dealing with powerful and well-funded tech giants.
Ireland’s cases in the pipeline include Facebook-owned Instagram and WhatsApp as well as Twitter, Apple, Verizon Media, Microsoft-owned LinkedIn and U.S. digital advertiser Quantcast.
“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority,” the CJEU said.
Judges said these conditions include regulators following cooperation and consistency procedures set out in the GDPR and that the violations occurred in the relevant EU country.
“We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” Jack Gilbert, Facebook’s associate general counsel, said.
BACK DOOR OPEN
But tech lobbying group CCIA said the ruling could lead to inconsistent and uncertain enforcement and jack up costs.
“It has also opened the back door for all national data protection enforcers to start multiple proceedings against companies,” CCIA Europe senior policy manager Alex Roure said.
“Data protection compliance in the EU risks becoming more inconsistent, fragmented, and uncertain,” he said.
However, David Stevens, President of Belgium’s DPA, said the ruling was “a good thing for the protection of the privacy of citizens, and for the harmonized application of the GDPR.”
“We have always been convinced of the importance of maintaining a possibility for authorities to act on behalf of users,” Stevens added in a statement.
Wojciech Wiewiórowski of the EDPS, the EU privacy watchdog for EU institutions such as the European Commission and the European Parliament, said the ruling confirmed that a lead supervisory authority cannot “go it alone” and must closely cooperate with other data protection authorities.
Wiewiórowski said it had stressed the need for “sincere and effective cooperation to preserve both consistent interpretation of the GDPR and the effectiveness of its provisions”.
The case is C-645/19 Facebook Ireland & Others.