A new ruling by the European Court of Justice (ECJ) has opened the door for national data watchdogs across the EU to probe Big Tech firms, regardless of the location of their European headquarters.
The main result of the ruling is that the Irish Office of the Data Protection Commission (DPC) will no longer be the only national agency that can investigate possible data misdeeds by major Silicon Valley firms. Facebook, Twitter, Google and Apple have their European head offices in Ireland.
The ruling came after Facebook questioned the Belgian data regulator’s authority to stop the social media platform from tracking users through cookies stored in the company’s social plug-ins, regardless of whether they have an account or not. A similar German case went to the EU top court in March.
“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority with regard to that processing,” the ECJ ruled.
The news comes after the Irish watchdog had faced criticism from the other 27 EU nations for being too lax and too slow in its investigations. The DPC had shot back that it was just being careful.
The news that other national data cops can hold Facebook and the other Big Tech firms responsible for data breaches was welcomed by consumer lobbying group BEUC.
“This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU,” said Monique Goyens, director general of the BEUC. “Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on.
“Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge.”
Jack Gilbert, Facebook’s associate general counsel, said: “We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU.”