This Tuesday (15 June), the Court of Justice of the European Union ruled that national data protection authorities in the European Union could, under certain conditions, launch General Data Protection Regulation (GDPR) infringement proceedings against companies based in another EU country. This decision could have a significant impact on the future enforcement of the GDPR and provide national data protection authorities with new ground for taking legal actions against big tech companies. The background of this ruling is a lawsuit of Belgium’s data protection authority against Facebook.
It is no secret that Facebook and many other multinational companies have their EU headquarters in Ireland. Under the GDPR and its “one-stop-shop” principle, Ireland’s Data Protection Commission has the primary jurisdiction for cross-border proceedings. As a result, until now, data protection authorities from otherMember States needed to hand over a case to the Irish authority to take legal actions against companies over privacy rights disputes. However, the Irish data protection authority has been repeatedly criticised for the delay of its proceedings against the big tech companies.
In 2015, the Belgian data protection authority sued Facebook over the collection of personal data of its users without their consent via cookies, pixels and plugins. Facebook, however, responded that it is up to the lead authority to decide whether a company violated the GDPR. An appeals court in Brussels had then asked the ECJ whether legal actions against Facebook were admissible in Belgium.
In its ruling, the ECJ confirmed that, while it is still the responsibility of the lead authority to bring privacy cases, other supervisory authorities could, under certain circumstances, exercise their “power to bring any alleged infringement of the GDPR before a court of that State and to initiate or engage in legal proceedings in relation to an instance of cross-border data processing.” According to the court, such conditions apply when illegal conduct falls outside the EU’s data protection rules, urgent issues linked to protecting EU citizens’ data protection rights arise or when a lead authority chooses not to take legal action.
The ECJ also specified that supervisory authorities could carry on with legal action that had been filed before the entry into force of the GDPR in 2018. The Belgian court will therefore be able to issue a final ruling.
In more general terms, the ECJ’s landmark ruling implies that national data protection authorities could use new court proceedings to build up pressure on Facebook and other corporations in cross-border data protection proceedings. It also further increases the pressure on Ireland and the Irish Data Protection Commission.
Meanwhile, EU consumer organisation BEUC called the ruling a positive development regarding the protection of user’s online data, with its Director General, Monique Goyens, saying that “most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge.”
On the other hand, Facebook interpreted the ruling differently and saw it as confirmation of the “one-stop-shop” mechanism that specifies the authority’s primary jurisdiction in the EU country hosting the company’s headquarters. “We are pleased that the court has upheld the value and principles of the one-stop-shop mechanism and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” Facebook lawyer Jack Gilbert stated.
However, the Computer and Communications Industry Association (CCIA), one of the EU’s leading tech associations, warned that “data protection compliance in the EU risks becoming more inconsistent, fragmented, and uncertain” after the ECJ decision.