Big Tech to face more scrutiny from national data watchdogs after EU court ruling

17 Jun 2021 12:45 pm by Matthew Newman, Vesela Gladicheva


National data protection watchdogs in the EU will be emboldened to pursue Big Tech companies after the bloc’s highest court confirmed their investigative powers that are enshrined in EU and national data protection laws.

The EU Court of Justice ruled on Tuesday that Belgium's Data Protection Authority can continue to investigate Facebook for alleged violations of the General Data Protection Regulation regarding "cookies".

"Certain data protection authorities — and I'm thinking in particular the French, Spanish and Belgian — will be looking to do whatever they can now," after the EU court ruling, Emily Cox, a partner at Stewarts Law in London, said in an interview with MLex.

The ruling is significant because it’s the first time the EU court has described how authorities that aren’t the “lead” supervisor for companies — the authority in the country where they have their headquarters — can investigate and pursue companies in national courts.

The court stressed that the lead authority is still in charge, but both the lead and other national authorities have a duty to work together to ensure the protection of privacy rights.

While the EU court confirmed that the "one-stop shop" mechanism is still intact, it did give non-lead DPAs the go-ahead to pursue investigations. However, these probes must follow the procedures in the GDPR, which provide for exceptions to allow non-lead supervisors to take on companies that don’t have their headquarters in those countries.

The "one-stop shop" mechanism requires cross-border cases under the GDPR to be led by the authority where the company in question has its EU headquarters. That includes the most serious complaints against US tech giants, whose business models affect citizens across the EU. Most of them have their EU establishment in Ireland.

Irish DPC under fire

The GDPR’s "one-stop shop" system has come under sharp criticism by members of the European Parliament and data protection authorities, particularly in Germany. Some authorities are openly critical that the Irish Data Protection Commission has wrapped up very few cases, more than three years since the GDPR took effect in May 2018.

The expectation was that the landmark GDPR — much feared by US tech companies — would usher in a wave of multibillion-dollar fines against Big Tech. The reality is that these investigations are extremely complex. Procedures are new, and building up evidence while allowing companies the right to defend themselves is a time-consuming process.

The Irish DPC is seen by critics as woefully understaffed and under-resourced to tackle the job as the de facto data protection regulator for the bloc.

"I do think there'd be more action," Cox said. "There has been a lot of pent-up frustration about the Irish DPC,” which has so far imposed only one GDPR fine on a Big Tech company, namely Twitter.

"It's been years and years, and none of the investigations into the likes of Facebook or Google have got anywhere at all," Cox said.

European DPAs have been increasingly chafing under the constraints of the "one-stop shop" mechanism. Authorities in France, Spain, Germany and Belgium are under pressure from privacy advocates to investigate tech giants such as Facebook, Amazon and Google, but the Irish DPC has a monopoly on running those probes.

In the EU court decision on Facebook, there was also an implicit criticism of the Irish DPC. Without making a specific reference to the Irish authority, the EU judges did state that lead authorities can’t operate in a vacuum and must cooperate with other authorities.

EU judges emphasized that “the lead supervisory authority cannot, in the exercise of its competences ... eschew essential dialogue, and sincere and effective cooperation, with the other supervisory authorities concerned.”

They also said that non-lead authorities must cooperate and stay vigilant about the lead supervisor’s actions.

The "one-stop shop" system requires “sincere and effective cooperation between the lead supervisory authority and the other supervisory authorities concerned,” the court said.

The EU court added that the lead authority must “assume” its responsibilities to avoid companies engaging in “forum shopping,” in which they seek jurisdictions that have the weakest enforcement.

Significantly, the court said that it doesn’t matter where a company is based for a non-lead supervisor to investigate. A national DPA can start an investigation and move forward if it gets permission from the authority in the country where the company has its main establishment, provided that the company falls under the scope of the GDPR and the exceptions in the "one-stop shop" mechanism are met.

Also, if a lead supervisor doesn’t take action against a company, the court said the door is open for the non-lead authority to do so.

That scenario may apply to the Belgian case: The Belgian authority said it pursued the Facebook case after the Irish authority declined its request to do so.

However, Facebook said at a hearing in October that there was no evidence in the file to show that the Belgian authority requested “mutual assistance” from the Irish authority. The Irish DPC wasn’t a party in the case, so it wasn’t able to provide the court with any evidence to rebut the Belgian authority’s assertions.

It’s not known what evidence the Belgian authority gave to the EU court on its request for “mutual assistance” and how the Irish DPC responded. The Brussels Court of Appeal — which referred questions about the Facebook case and the “one-stop shop” system to the EU Court of Justice — will now decide how to pursue the case.

Germany, France

The ruling’s significance is that if the EU's top court had ruled the other way — stating that only the lead authority can pursue GDPR violations — then the frustration with the "one-stop shop" would have boiled over.

The judgment will be music to the ears of officials in Germany and France, who have both gone after Big Tech in recent years under both the GDPR and its sister regulation on privacy in network communications, the EU's e-Privacy Directive.

In Germany, Andreas Mundt, the head of the competition authority, has worked with the country’s data protection authority to meld competition and data protection law to find that Facebook has abused its market power by combining user data without consent.

Facebook has argued that Ireland — where it has its headquarters — should be responsible for investigations. In March, a German court asked the EU Court of Justice to determine whether the competition authority was right to invoke a violation of the GDPR.

Last year in France, the country’s data protection authority, the CNIL, fined Google 100 million euros ($119 million) and Amazon 35 million euros under the national Data Protection Act, which implements the e-Privacy Directive — a separate piece of legislation to the GDPR.

The EU court said in Tuesday’s ruling that the e-Privacy Directive doesn’t fall within the "one-stop shop" mechanism. The Advocate General in the case, Michal Bobek, had said in an opinion prepared for the court ahead of the ruling that the Belgian authority and the Irish DPC disagreed on whether Facebook’s use of cookies fell within the scope of the GDPR.

National DPAs will carefully review the court’s ruling and see where their cases may meet the exceptions under the GDPR. This process may yield a flurry of new cases against Big Tech companies, which might be why the Computer and Communications Industry Association, a lobby group for US tech companies — including Amazon, Google and eBay — issued a statement after the ruling expressing concern about increased “liability exposure and compliance costs.”

Companies are unnerved that the original promise of EU lawmakers — that the "one-stop shop" would lead to cost savings of about $2.3 billion — is evaporating before their eyes, the CCIA said.

National DPAs, meanwhile, will rejoice that the EU court is implicitly recognizing that there should be a way out of a frustrating period in which the "one-stop shop" has led to a bottleneck of cases in Ireland. Whether more cases by non-lead authorities are on the horizon is now the main question as GDPR heads into its fourth year.
