A recent ruling by the EU Court of Justice (CJEU) has given the region’s data protection authorities a much greater ability to pursue cases against Big Tech companies that are not headquartered in their territory, which could lead to an increase in probes and fines.
One of the central issues in the early years of General Data Protection Regulation (GDPR) enforcement has been that most of the Big Tech firms keep their EU headquarters in Ireland, essentially routing any case against them through the Irish data protection regulator under the “One Stop Shop” system. This has caused serious backlogs, with some cases taking years to conclude. The new CJEU ruling gives the data protection authorities of other nations more flexibility to directly act on complaints filed in their country, bringing cases into their own court systems. However, the data protection authorities will need to meet certain conditions.
Data protection authorities may conduct their own probes, determine their own penalties
The ruling from the EU’s top court originates with a case brought by Belgium’s data protection authorities after Facebook challenged its territorial competence. The Belgian DPA had opened a case against Facebook in 2015 under the country’s own data privacy laws, challenging its use of cookies to track users through website plugins unbeknownst to the visitors of those sites.
Some of the EU’s national data protection authorities, including that of Belgium, have expressed frustration with a perception that Ireland is too slow in dealing with all of the Big Tech cases that end up being routed through it (due to the popularity of the Dublin area as a basecamp for EU operations). Ireland has responded that because it is dealing with the biggest and most resource-rich companies in the region, it must use extra care in evaluating cases involving these Big Tech firms.
The CJEU ruling specified that EU member states are not limited to using their own laws, but can also directly prosecute charges that involve GDPR violations so long as the violations occurred in that country. The court said that member states must follow cooperation and consistency principles established in the GDPR in doing this, but will not necessarily have to defer to the data protection authorities of the country the defendant is headquartered in.
Big Tech not appreciative of increased chances of regulation
Big Tech specialist lobbying group CCIA Europe summed up the industry’s feelings toward the ruling in a statement to the press, characterizing it as a “back door” for data protection authorities to hit companies with multiple simultaneous charges for the same offense.
However, the ruling stressed that cases spanning different countries will still have to follow established procedures of cooperation. When it comes to rulings against Big Tech firms, EU member states generally spend some time deliberating on what the appropriate penalty should be. That process will not look much different, save for cases no longer getting stuck in a backlog with the data protection authorities of Ireland and Luxembourg (where most Big Tech firms are headquartered due to favorable tax policies).
Ireland has been a particular point of concern in GDPR enforcement. In addition to taking very long periods of time to conduct investigations, the fines it ultimately comes up with seem to be significantly smaller than the amounts proposed by some other data protection authorities. Ireland has thus far only issued one fine to a Big Tech firm under its watch in a cross-border case, a $550,000 penalty to Twitter that was disputed by some other nations (most notably Germany’s proposal for a fine of $7 to $22 million). Ireland’s pending backlog contains similar cases against Silicon Valley giants such as Facebook, WhatsApp, Apple and others. Some of these cases originated in 2018.
The nation that the company is headquartered in maintains some control over the process under the new rules, with other data protection authorities having to show “urgency” (that the lead authority is taking an unreasonable amount of time) to take point on the case. The measures to establish urgency are left vague by the ruling, however, no doubt leading to some conflicts down the road. Organizations also retain minimal obligation to comply with requests from regulators that are not their lead agency.
However, the ruling also clearly established that the lead regulators can no longer be the sole determiner of the penalty in cross-border cases and will have to do more to communicate and reach consensus with other involved data protection authorities. The new ruling could thus allow some other nations to dislodge some of the cases currently backlogged in Ireland and Luxembourg, and force a more robust and participatory process of determining the ultimate fine amount.
