The Tuesday ruling from the European Union’s Court of Justice opened the door for other authorities besides a company’s lead regulator to pursue potential privacy violations in certain circumstances. Those circumstances include when the matter is urgent or when the lead regulator decides not to investigate.
Usually, companies following the EU's General Data Protection Regulation, known as the GDPR, are supervised under a so-called one-stop-shop system in which the authority where a company is based oversees privacy in cooperation with other regulators.
The court’s decision allows for “a force multiplier” of other EU authorities enforcing the regulation, said Aaron Cooper, vice president of global policy at software industry group BSA. Letting other authorities bring privacy enforcement actions in local court could help alleviate concerns that some European regulators don’t have the resources to investigate and follow through on privacy complaints, Cooper said.
Privacy watchdogs across Europe should be consistent in how they interpret and apply the GDPR and how they coordinate with one another, he added.
At issue in the case before the Court of Justice was a 2015 legal action that Belgium’s data protection regulator brought against Facebook over cookies used to track users. Facebook argued that only its main regulator, Ireland’s Data Protection Commission, had the authority to bring the case.
Privacy activists and a European Parliament committee have criticized the Irish authority for being too slow to act on complaints. The agency has 27 privacy probes targeting Facebook and other tech companies that have set up their EU hubs in Ireland.
“If everyone picks Ireland as their one-stop-shop, you can imagine the kind of pressure it creates,” both on the Irish commission’s enforcement work and on other European data authorities to accept the commission’s lead role in regulating many big companies, said Boris Segalis, co-chair of the data privacy and cybersecurity practice at Goodwin Procter LLP.
The circumstances under which another authority could pursue a privacy violation, such as if the lead regulator isn’t moving fast enough, remain “open to interpretation,” Segalis added.
In its ruling, the Court of Justice made it clear that the one-stop-shop system still applies, according to Peter Swire, a law and ethics professor at Georgia Institute of Technology and senior counsel with Alston & Bird LLP. The court did, however, remove some potential barriers to action by another privacy authority that’s not a company’s lead regulator, he said.
“The decision sets the rules of the road for when a different country can bring enforcement actions,” Swire said.
Other authorities that aren’t the lead don’t need to have a local law in place that echoes the GDPR before taking action. In certain circumstances, non-lead regulators can also act even when a company is based in another EU member state—if the alleged privacy violation impacts residents in their jurisdiction.
Those parts of the court’s ruling could “strengthen the hand” of European privacy authorities, Swire said.