Facebook Inc. can’t fully escape potential privacy orders from European Union data protection authorities beyond its lead watchdog based in Ireland, the EU’s top court said.
Under certain conditions, a national supervisory authority may exercise its power “to bring any alleged infringement” of EU data protection rules to court anywhere in the bloc, “even though that authority is not the lead supervisory authority with regard to that processing,” the EU Court of Justice ruled on Tuesday.
At issue is the scope of the so-called one-stop-shop system, set up under the EU’s data protection rules since May 2018, which puts the authority in a company’s chosen EU base in charge of supervising it, in close cooperation with the other regulators. Ireland has become the chosen EU hub for some of the biggest U.S. tech giants, including Facebook, but its data watchdog has been criticized for taking too long.
Facebook is “pleased” with the ruling, which “has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” Jack Gilbert, the company’s associate general counsel, said in a statement.
The EU’s General Data Protection Regulation, or GDPR, gave data regulators unprecedented powers to fine companies as much as 4% of their annual sales. The one-stop-shop policy has raised questions about the powers of EU regulators other than the Irish to sanction a company like Facebook.
The system “requires close, sincere and effective cooperation between those authorities, in order to ensure consistent and homogeneous protection of the rules for the protection of personal data, and thus preserve its effectiveness,” the court said.
An authority that is not the lead watchdog for a company, can start a legal case for a cross-border data privacy violation, as long as as it complies with the “allocation of competences” under EU law, the court said.
Tuesday’s case goes back to a privacy order by the Belgian data protection watchdog for Facebook to stop placing tracking cookies without user consent. Facebook has argued that only the Irish authority has a right to rule on its activities.
EU judges said the Belgian court that sought the EU tribunal’s guidance, will have to decide if procedures and “the rules for the distribution of powers” were correctly applied in the dispute concerned and whether the alleged violations targeted by the Belgian authority fall under its competence and are in line with Tuesday’s ruling.
While the Belgian dispute dates back to the time before GDPR took effect, it raises key questions for data watchdogs across the 27-nation EU as tensions have been building up over what some perceive as their Irish colleagues’ slow pace of taking action.
Helen Dixon, Ireland’s privacy chief, has hit back at critics, describing such comments as “ludicrous.” Her office has at least 27 privacy probes open targeting Apple Inc., Google and other tech companies. Facebook accounts for nine of these investigations and more are pending into its WhatsApp and Instagram units.
The case is: C-645/19, Facebook Ireland and Others.
This story has been published from a wire agency feed without modifications to the text.
Never miss a story! Stay connected and informed with Mint.
our App Now!!