Germany’s data protection authorities have welcomed a ruling by the EU Court of Justice that gives national authorities more leeway in taking action against online platforms’ data breaches under urgency provisions of the EU data protection framework. EURACTIV Germany reports.
The EU Court ruled that individual authorities not sufficiently fulfilling their obligations should not be allowed to engage in “forum-shopping”, as this would result in a watering down of EU data protection rules.
“In its judgment, the CJEU emphasises that a data protection supervisory authority may bring an action against a controller or processor even if the latter does not have a principal place of business or another establishment in the territory of the member state,” a spokesperson for the Berlin data protection authority told EURACTIV.
Johannes Caspar, head of the Hamburg data protection authority, has recently criticised the current GDPR regime for its “massive flaws.” In an interview with Bloomberg, he said the current system gives regulators “lots of room for interpretation.”
Under the European General Data Protection Regulation (GDPR), the national data protection authority leading proceedings will depend on where the company is headquartered.
Ireland, due to its preferential tax regime, is home to most giant tech companies like Facebook, Google or Apple. This makes the Irish Data Protection Authority (DPC) the lead supervisory authority for data protection claims against most tech giants.
The DPC’s cautious interpretations of data protection regulations and low response rate to complaints have drawn criticism in the past, however. In May, the European Parliament even called on the Commission to launch infringement proceedings against Ireland, accusing the DPC of poor enforcement of the GDPR.
Deviating from the rule
The EU court’s ruling now highlights ways “to deviate from the rule of the lead supervisory authority in certain cases,” a spokesperson of the Federal Data Protection Commissioner told EURACTIV.
Although the lead authority retains its primary responsibility for coordinating data protection investigations in principle, the Luxembourg court emphasised that the lead authority “does not have the sole authority to initiate data protection procedures without exception,” a spokesperson for the Hamburg data protection commissioner has said.
Other national authorities are also allowed to step in and take action if a lead authority fails to sufficiently ensure data protection, according to GDPR urgency procedures. However, the outcome of an emergency procedure is only valid for three months, after which the European Data Protection Board (EDPB) must issue a binding ruling.
The EDPB is made up of all national supervisory authorities, which means it can bypass Ireland’s sole decision-making power.
“This takes sufficient account of the coherence of the application of European law,” according to the office of the Hamburg data protection commissioner. This would “better counteract obvious procedural delays” by Irish authorities, the spokesperson of the Federal Data Protection Commissioner added.
Proceedings against WhatsApp
The ruling comes at a time when the Hamburg data protection authority had already initiated an urgency procedure against Facebook in May, banning the online platform from processing personal data from WhatsApp to protect the “rights and freedoms” of millions of users in Germany.
The aim was to bring the case to the EU level to circumvent the slow and lax interpretation by the Irish data protection authority.
Given that this is the first urgent procedure to have been launched since the GDPR came into force in 2018, the spokesperson for the Hamburg data protection authority does not expect to see “many of these urgency procedures in the wake of the CJEU ruling.”
The European Data Protection Board is expected to decide on the matter in the coming weeks and it is hoped that its ruling will set a precedent for stronger action against tech giants in the future. “It remains to be seen whether the EDPB is willing to go down this path and issue a binding decision on the matter,” the spokesperson of Hamburg’s data watchdog added.
[Edited by Luca Bertuzzi]