EU court ruling backs greater power for data watchdogs

15 Jun 2021

The ECJ ruling will pull some authority away from Ireland’s Data Protection Commission and grant other regulators more room to manoeuvre.

The European Court of Justice ruled today (15 June) that national data protection authorities across the EU can pursue cases against tech giants even when they are not the lead watchdog for that company.

The ruling states that national authorities, in cases where cross-border data processing is involved, can bring a company to court in their jurisdiction under GDPR, rather than relying solely on the actions of the lead authority in the investigation.

GDPR established the one-stop-shop mechanism where a company can report to one national authority in Europe for its data protection obligations.

This is why Ireland’s Data Protection Commission (DPC) has oversight of cross-border investigations into Facebook, Google, Twitter and many others, as their European HQs are in Dublin.

The mechanism has come in for much criticism for creating bottlenecks where one authority’s workload becomes immense. The DPC has also faced criticism from its counterparts in other countries over the pace of its investigations.

The ECJ ruling today stems from a case in Belgium where Facebook challenged the Belgian authority’s claim to oversight of a complaint about Facebook’s use of cookies.

“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority with regard to that processing,” the ECJ said.

The ruling is not an outright rebuke of the one-stop-shop, but it does provide more latitude for national authorities in member states to take a company to court in their own country in a cross-border investigation.

It is a blow for Facebook, which will now have a more complex legal web to navigate if more authorities can take it to court.

“This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU,” Monique Goyens, director general of the European Consumer Organisation (BEUC), said in response to the ruling.

“Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on,” she said.

“Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500m consumers in the EU, especially if it does not rise to the challenge.”

Jonathan Keane is a freelance business and technology journalist based in Dublin