A long running privacy fight between Belgium’s data protection authority and Facebook — over the latter’s use of online trackers like pixels and social plug-ins to snoop on web users — has culminated in a ruling by Europe’s top court today that could have wider significance on how cross-border cases against tech giants are enforced in the region.
The Court of Justice of the European Union has affirmed that, in certain circumstances, national DPAs can pursue action even when they are not the lead data supervisor under the General Data Protection Regulation (GDPR)’s one-stop-shop mechanism (OSS) — opening up the possibility of litigation by watchdogs in Member States which aren’t the lead regulator for a particular company but where the local agency believes there is an urgent need to act.
The OSS was included in the GDPR with the idea of simplifying enforcement for businesses operating in more than one EU market — which would only need to deal directly with one ‘lead’ data protection authority. However the mechanism has been criticized for contributing to a bottleneck effect whereby multiple GDPR complaints are stacking up on the desks of a couple of DPAs (most notably Ireland and Luxembourg) — EU Member States which attract large numbers of multinationals (typically for tax reasons, such as Ireland’s 12.5% corporate tax rate).
Enforcement of the EU’s flagship data protection regime against tech giant has thus been hampered by a perception of ‘forum shopping’ — whereby a handful of EU DPAs have a disproportionately large number of major, cross-border cases to deal with vs the (inevitably limited) resources provided for them by their national governments. The resulting bottleneck looks convenient for those companies that face delayed GDPR enforcement.
Some EU DPAs are also considered more active in enforcement of the bloc’s privacy rules than others — and it’s fair to say that Ireland is not among them. (Albeit, it defends the pace of its investigations and enforcement record by saying that it must do due diligence to ensure decisions stand up to any legal challenges.)
Indeed, Ireland has been criticized for (among other things) the length of time it’s taken to investigate GDPR complaints; for procedural issues (how it’s gone about investigating or indeed not investigating complaints); and for its enforcement record against tech giants — which to date is limited to just one $550k penalty issued against Twitter issued at the end of last year.
The Irish Data Protection Commission (DPC) had originally wanted to give Twitter an even lower fine but other EU DPAs disputed its draft decision — forcing it to increase the penalty slightly.
As it stands, scores of cases remain open on the DPC’s desk, including major complaints against Facebook and Google — which are now over three years old.
This has led to calls for the Commission to step in and take action over Ireland’s perceived inaction. Although, for now, the EU’s executive has limited its intervention to a few words urging Ireland to, essentially, hurry up and get on with the job.
Today’s CJEU ruling may alleviate a little of the blockage around GDPR enforcement — in some narrow situations — by enabling national DPAs to take up the baton to litigate over users’ rights when a lead agency isn’t acting on complaints.
However the ruling does not look set to completely unblock the OSS mechanism, per Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo who has been following the case closely — and whose work was cited by the CJEU’s advocate general in an earlier opinion on the case.
“The Court has essentially confirmed the views that the Advocate General had expressed in his opinion: Under the GDPR’ one-stop-shop system, those data protection authorities that are not the ‘lead authority’ may start enforcement actions against big tech companies only in very limited circumstances, including in case of urgency,” he told TechCrunch.
“However, unfortunately, the Court’s ruling does not elaborate on the criteria to be followed to assess the urgency of an enforcement action. In particular, the Court has not expressly seconded the advocate general’s view that a failure to act promptly from the part of the lead authority may justify the adoption of interim urgent measures by other data protection authorities. Thus, this important point remains partially unclear, and further litigation might be necessary to clarify this issue.
“Therefore, today’s ruling is unlikely to completely settle the ‘Irish issue’.”
Article 56 of the GDPR allows for non-lead DPAs to pursue action at a national level in the case of complaints that relate to an issue that substantially affects only users under their jurisdiction, and where they believe there is a need to act urgently (as a lead authority has not). So it does seem fairly narrow.
One recent example of a non-lead DPA intervention is the Italian DPA’s emergency action against TikTok — related to child safety on the platform after the death of a local girl who had been reported to have participated in a challenge on the platform.
“An authority’s wish to adopt a ‘go-it-alone’ approach… with regard to the (judicial) enforcement of the GDPR, without cooperating with the other authorities, cannot be reconciled with either the letter or the spirit of that regulation,” runs one paragraph of today’s judgement, underlining the court’s view that the GDPR requires careful and balanced joint-working between DPAs.
The ruling does go into some detailed discussion of the “dangers” of under-enforcement of the GDPR — as the concern was raised with the CJEU — but the court takes the view that it’s too soon to say whether such a concern affects the regulation or not.
“If, however, [under-enforcement were to] be evidenced by facts and robust arguments – then I do not believe that the Court would turn a blind eye to any gap which might thereby emerge in the protection of fundamental rights guaranteed by the Charter and their effective enforcement by the competent regulators,” the CJEU goes on. “Whether that would then still be an issue for a Charter-conform interpretation of provisions of secondary law, or an issue of validity of the relevant provisions, or even sections of a secondary law instrument, is a question for another case.”
The ruling, while narrow, may at least unblock the Belgian DPA’s long-running litigation against Facebook’s tracking of non-users via cookies and social plug-ins which was the route for the referral of questions over the scope of the OSS to the CJEU.
Although the court also notes that it will be for a Belgian court to determine whether the DPA’s intervention meets the GDPR’s bar for starting such proceedings or not.
Contacted for comment on the CJEU judgement, Facebook welcomed the ruling.
“We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” said Jack Gilbert, associate general counsel at Facebook in a statement.