Blow for Irish data protection watchdog, as Europe’s top court rules it is no longer the only data enforcer across the bloc
Facebook, Twitter and Google could be facing even more scrutiny and censor in Europe after a ruling by the EU Court of Justice.
Europe’s top court has on Tuesday ruled that national data regulators have the power (under certain conditions) to pursue their own cases against major tech (mostly US-based) companies, even when they are not the lead regulator for the tech firm.
Under the current setup, Ireland’s data protection watchdog has for many years acted as the lead regulator in Europe, because firms such as Facebook, Google, Apple, and Twitter all have their European headquarters located in that country.
The ruling on Tuesday came after a probe by Belgian authorities (the Belgian Privacy Commission) in 2015 against Facebook, which claimed the social media giant did not adequately notify users about data collection and use.
It sought an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium, aiming to put an end to alleged infringements of data protection laws by Facebook.
Facebook however had argued that the complaint about Facebook in Belgium should rightfully be heard in Ireland, where Facebook’s headquarters is based.
But Europe’s top court has backed the quest by the Belgian Privacy Commission to conduct its own investigations.
“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority with regard to that processing,” the court’s ruling reads.
At the moment, the EU’s General Data Protection Regulation (GDPR) puts the authority in a company’s chosen European headquarters (i.e. Ireland) in charge of overseeing it under its one-stop-shop system.
Note this case began before the GDPR rules came into effect.
With this decision however, it means the American tech giants like Facebook, Google, Twitter and Apple may face investigations from more bloc members under certain circumstances.
The ruling is noteworthy because of reported frustration in some quarters with the Irish data protection watchdog, who some feel is too slow at enforcing GDPR rules on US tech giants.
German officials, such as Hamburg-based data regulator Johannes Caspar, have accused the Irish regulator of letting tech companies away with too much and imposing fines that are too low, Irish media have reported.
For its part the Irish Data Protection Commissioner has argued that it must handle complaints and enforcement procedures meticulously, so that its enforcement decisions do not end in courts for years.
Last month, Austrian privacy campaigner Max Schrems reportedly told an Oireachtas Committee that Europeans seeking to vindicate their privacy rights under GDPR are now trying to find ways around Ireland’s privacy regulator because of what he claims is chronic non-enforcement.