Big tech companies could face storm of new investigations in EU as CJEU ruling paves way for data protection authorities

A recent ruling by the EU Court of Justice (CJEU) has given the region’s data protection authorities a much greater capacity to pursue cases against Big Tech companies that are not headquartered in their territory, which could lead to an increase in investigations and fines.

One of the central issues during the early years of General Data Protection Regulation (GDPR) enforcement was that most of the big tech companies keep their headquarters in Ireland, essentially channeling any cases against them through the Irish data protection regulator under the “One-Stop-Shop” mechanism. This has caused serious backlogs, with some cases taking years to complete. The new CJEU ruling gives data protection authorities in other countries more flexibility to act directly on complaints lodged in their country, bringing cases into their own legal systems. However, data protection authorities will have to fulfill certain conditions.

Data protection authorities can conduct their own investigations, determine their own penalties

The decision of the EU’s highest court stems from a case brought by Belgian data protection authorities after Facebook challenged its territorial jurisdiction. The Belgian DPA opened a case against Facebook in 2015 under the country’s data privacy laws, challenging its use of cookies to track users through website plugins without the knowledge of visitors to those sites.

Some EU national data protection authorities, including Belgium’s, have expressed frustration with the impression that Ireland is too slow to deal with all the Big Tech cases that end up coming to it (due to the popularity of the Dublin area as a base camp for EU operations). Ireland responded that since it deals with the largest and most resource-rich companies in the region, it should exercise particular caution in assessing cases involving these large tech companies.

The CJEU ruling clarified that EU member states are not limited to using their own laws, but can also directly pursue charges involving GDPR violations as long as the violations have taken place in that country. The court said member states must follow the principles of cooperation and consistency set out in the GDPR to do this, but will not necessarily have to defer to the data protection authorities of the country in which the defendant is headquartered.

Big Tech doesn’t like the increased chance of regulation

Big tech lobbying group CCIA Europe summed up the industry’s feelings about the move in a press statement, calling it a “backdoor” for data protection authorities to strike at companies with multiple simultaneous charges for the same offense.

However, the decision stressed that cases covering different countries will still have to follow established cooperation procedures. When it comes to decisions against big tech companies, EU member states typically spend some time deliberating on the appropriate sanction. This process won’t be much different, except that cases will no longer be stuck in a backlog with data protection authorities in Ireland and Luxembourg (where most of the big tech companies are headquartered due to favorable tax policies).

Ireland has been of particular concern in the application of the GDPR. In addition to taking very long periods of time to conduct investigations, the resulting fines ultimately appear to be significantly lower than the amounts proposed by some other data protection authorities. Ireland has so far fined only one Big Tech company under its watch in a cross-border case: a fine of $550,000 on Twitter that was contested by other countries (notably Germany, which proposed a fine of $7-22 million). The pending Irish backlog contains similar cases against Silicon Valley giants such as Facebook, WhatsApp, Apple and others. Some of these cases date back to 2018.

The country in which the company is headquartered maintains some control over the process under the new rules, with other data protection authorities having to show “urgency” (that the lead authority is taking an unreasonable amount of time to rule on the case). How urgency is to be established is, however, left vague by the decision, which will undoubtedly lead to conflicts down the road. Organizations also retain a minimum obligation to comply with requests from regulators who are not their lead authority.


However, the decision also made it clear that lead regulators can no longer be the only ones determining the sanction in cross-border cases and will need to do more to communicate and reach consensus with other relevant data protection authorities. The new ruling could thus allow other countries to dislodge some of the cases currently pending in Ireland and Luxembourg, and force a more robust and participatory process to determine the final amount of the fine.

About Leah Albert
