The EU’s top court Tuesday ruled that any of the bloc’s national data protection authorities (DPAs) can pursue a privacy complaint against Facebook—and potentially any other company or Big Tech firm—and not just the supervisory authority where the company has its European headquarters.
The legal decision means the “one-stop shop” mechanism of the General Data Protection Regulation (GDPR) could be circumvented by other national regulators if they feel progress is too slow or proposed penalties are too low—an often-repeated criticism against Ireland, the European home to most Big Tech firms.
The Court of Justice of the European Union (CJEU) stated “under certain conditions” the GDPR “authorizes a supervisory authority of a Member State to exercise its power to bring any alleged infringement of the GDPR before a court … in relation to an instance of cross-border data processing,” even if the DPA “is not the lead supervisory authority.”
The court also confirmed a lead supervisory authority could not simply toss out or ignore a complaint passed to it by another DPA, and that a DPA could delay a draft decision made by the designated authority if it had “relevant and reasoned” objections.
The CJEU added member states can proceed with complaints against Facebook (and potentially other companies) if they were brought before the GDPR came into force, while a DPA can bring an action even for infringements committed after the date of entry of the GDPR.
The ruling stems from Belgium’s legal attempts begun in 2015 to bring Facebook to book for allegedly infringing Belgian internet users’ rights by collecting their information on their browsing behavior whether they were Facebook users or not. As the legal wrangling continued into 2018 when the GDPR came into force, the Big Tech firm said the case should be moved to Ireland, where the company’s European headquarters is located. Further legal battles have found in Belgium’s favor, but no GDPR fine has yet been issued.
The CJEU’s ruling should not be a surprise.
In a non-binding opinion published in January, the EU’s top legal expert, Michal Bobek, said that while the Irish Data Protection Commission had a “general competence” over cross-border data complaints, it could not “be deemed as the sole enforcer of the GDPR in cross-border situations.”
As such, he said, citizens and regulators were still permitted to take complaints to their own national courts in situations where the GDPR specifically allowed them to do so, such as cross-border data processing.