Any European Union data protection authority (DPA) should be allowed to pursue legal action against Facebook and other Big Tech firms over privacy issues, said the advocate general of the region’s top court in an opinion released Wednesday.
The view of one of the EU’s most senior lawyers means it would not always be left to the Irish Data Protection Commission (DPC) to act as lead investigator in cross-border privacy complaints simply because it is the European home to the world’s tech and social media giants. This news is likely to please several DPAs that have openly shown frustration with the slow progress the Irish DPC—Facebook’s lead EU data supervisory authority—has made with its two dozen cross-border investigations into Big Tech firms.
In his opinion, Michal Bobek of the Court of Justice of the European Union (CJEU) affirmed the Irish regulator had a “general competence” over cross-border data complaints since the idea of a “one-stop-shop”—whereby the data watchdog of the country where the company is headquartered takes the lead in any investigation—was at the heart of the General Data Protection Regulation (GDPR) system.
However, he added citizens and regulators were still permitted to take complaints to their own national courts in situations where the GDPR specifically allowed them to do so, such as cross-border data processing, “even where the lead data protection authority is the data protection authority of another member state.”
Bobek also stressed the lead DPA “cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must closely cooperate with the other data protection authorities concerned.”
Although the CJEU is not bound by this opinion—the Court has to make a decision, and there is no timeline as to when such a judgment will be made—lawyers suggest judges are likely to follow it in the majority of cases. As such, the announcement may ramp up the pressure for more transparency and accountability—and ultimately regulation and oversight—for Big Tech firms in their ongoing battles with the European Union.
In a statement, Jack Gilbert, associate general counsel at Facebook, said the company was “pleased” to see Bobek reaffirm the value of the one-stop shop mechanism in his opinion. “We await the court’s final verdict,” Gilbert said.
The opinion comes after Belgium’s data protection regulator tried to stop Facebook from gathering data on the browsing behavior of Belgian users by placing cookies on users’ computers without their consent to help target ads back at them. The Belgian DPA—which initiated court proceedings against the social media firm in 2015—says this happened even when users did not have a Facebook account.
David Stevens, chairman of the Belgian DPA, said in a statement: “We are pleased to see that the Advocate General confirms that in principle data protection authorities can bring proceedings before their national courts, provided that this does not encroach on the loyal cooperation between data protection authorities. If data subjects can go to court to defend their rights, data protection authorities should also be able to do this on their behalf in certain exceptional cases.”
Experts say the opinion could have serious ramifications for social media firms, as well as companies generally.
Alan Calder, CEO of IT governance company GRC International Group, partly welcomes Bobek’s view. He agrees it may be more practical to enable national data regulators to take up minor issues directly with organizations rather than wait for the lead supervisory authority to investigate as a way of speeding up the caseload and cutting costs. However, he warns “organizations may reject enquiries from supervisory authorities that are not their lead.”
Cillian Kieran, CEO of IT privacy company Ethyca, says that “if upheld by the court, the impact of this opinion is far reaching as it would give equal right to any of the 27 data protection commissioners across Europe to take action for a breach of the rules. The consequences are significant given there are certain countries within Europe that have a much more proactive stance on strong enforcement of the GDPR.”