In fact, the European General Data Protection Regulation states: National data protection authorities are responsible for GDPR actions against companies in the country where the company is headquartered in Europe. In the case of big tech companies like Facebook, Google, TikTok or Apple, that would be the Irish authority. But the European Court of Justice (ECJ) ruled on Tuesday that in some cases even authorities that are not actually responsible can take action.
There has long been dissatisfaction with the previous principle, which experts call the one-stop-shop procedure. There is a perception that Irish data protection authorities are not speedily processing actions against Facebook and other digital companies, and that GDPR rules are being interpreted in favor of tax-paying companies in Ireland.
In the specific case before the ECJ, the Belgian Data Protection Supervisory Authority had already filed a lawsuit in 2015 against Facebook’s cookies, pixels and plugins, which are being used to monitor users who do not even have a Facebook account. In 2018, a Belgian court banned Facebook from the system. The group appealed, arguing that Belgium had no jurisdiction in the case under European Union law. The Belgian Court of Appeals therefore sought an explanation from the European Court of Justice.
The European Supreme Court has now largely rejected this argument from Facebook. The goal of GDPR is to protect the fundamental rights of EU citizens. If a lead authority does not guarantee this protection, for whatever reason, the national authorities have the right to do so themselves. Otherwise there is a risk that companies will decide where to fear. However, clear rules apply in these circumstances. In most cases, the national authorities can only do this in an emergency procedure, the effect of which is only valid for three months. After that, the European Data Protection Board must make a decision. The Irish Authority is also represented on the Committee of National Data Protection Authorities, but only with one vote.
German privacy advocates are happy. But so is Facebook
Federal Data Protection Officer Ulrich Kelber welcomed the decision. “We should not tolerate companies seeking a lead supervisory authority that has not decisively fulfilled its obligation to protect these fundamental rights,” Kelber wrote to the SZ. So he thinks it’s good to have exceptions to the main responsibility. His authority “will be examined very carefully when these opportunities arise in the future.”
In this country, German-based Facebook is the responsibility of Hamburg Data Protection Officer Johannes Caspar. The verdict must be a confirmation for him. In May, as part of an urgent procedure, Caspar banned Facebook from processing the data of millions of German users of its subsidiary WhatsApp. WhatsApp users were asked to agree to the new terms and conditions that enable such processing. The European Data Protection Committee will have to decide in the coming weeks whether the Hamburg decision will survive.
Caspar does not believe the ECJ ruling will lead to immediate action for GDPR violations. “However, this device, which has not yet been used in practice, is likely to be modified in the future judgment, which protects the rights and freedoms of victims,” Caspar said.
While many observers see the ruling as a setback for Facebook, the US company seems to have gained strength right after the ruling. “We are pleased that the ECJ has affirmed the value and principles of the one-stop shop system, highlighting its importance for the efficient and attractive application of GDPR across the European Union,” the company said in a statement.