EU Court: GDPR cross-border cases not limited to leading authority


National data protection authorities have the power in exceptional circumstances to launch General Data Protection Regulation (GDPR) infringement proceedings against firms registered in another European Union member state, the EU’s top court has ruled.

In the ruling dated Tuesday (15 June), the Court of Justice of the European Union (CJEU) indicated the specific conditions under which national supervisory authorities can bring alleged breaches of data protection rules to court in their jurisdiction.

GDPR enforcement is currently structured around a one-stop shop mechanism that attributes the leadership of cross-border cases to the data protection authority where the processing organisation is legally based.

Following the court ruling, in exceptional circumstances of urgency or where the impact is limited to a national or local jurisdiction, a non-leading supervisory authority can also initiate proceedings.

Facebook case

The background to the ruling was a case initiated by the Belgian Privacy Commission in September 2015 following alleged data breaches by Facebook Inc., Facebook Ireland and Facebook Belgium.

The Belgian privacy watchdog considered that Facebook and its subsidiaries were breaching data protection law by gathering behavioural data from Belgian internet users even when they did not have a Facebook account.

The acquisition of data occurred through tracking technology such as cookies, social plug-ins and pixels. The Belgian court upheld the view of the data protection authority, on the grounds that internet users had not been adequately informed about Facebook’s data collection practices and so could not consent to it.

The social network appealed against the judgement in March 2018, and GDPR entered into force shortly after. The appeal court required guidance on the GDPR provision on the one-stop shop, questioning whether it had the jurisdiction to intervene against Facebook Belgium when Facebook Ireland is the data controller within the EU.

Ruling implications

Facebook welcomed the ruling and said it interpreted it as underpinning the logic of the one-stop shop mechanism and confirming that cases where authorities from other EU member states take the lead “constitutes the exception to the rule.”

“We are pleased that the CJEU has upheld the value and principles of the one-stop shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” Jack Gilbert, associate general counsel at Facebook, told EURACTIV.

However, others were more concerned about the judges' ruling that in urgent cases, or in those that concern only one member state, national data protection authorities can initiate proceedings against firms based elsewhere.

The Computer and Communications Industry Association (CCIA), which includes Amazon, Facebook and Google among its members, said it regretted the CJEU decision and feared it could lead to inconsistent and uncertain GDPR enforcement.

CCIA Europe Senior Policy Manager Alex Roure considers that the ruling “opened the back door for all national data protection enforcers to start multiple proceedings against companies.” For the trade association, the ruling might lead to diverse interpretations of data protection rules across the European Union.

The judgement was welcomed, however, by the European Consumer Organisation (BEUC), which said having only one supervisory authority for cross-border cases is a serious shortcoming that is undermining GDPR enforcement, with Ireland a case in point.

“Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge,” said BEUC Director General Monique Goyens.

Ireland has been accused by the bloc’s other data protection authorities of not taking enough action against Big Tech firms. In May, MEPs voted in favour of a resolution calling for an infringement procedure against Ireland for failing to enforce GDPR.

In response, Ireland’s data protection commissioner blamed its low response rate to privacy complaints on a lack of resources.

[Edited by Josie Le Blond]
