Greetings from Brussels!
The Court of Justice of the European Union in Luxembourg affirmed this week in a ruling that EU member state regulators may exercise their powers to bring any alleged infringement of the EU General Data Protection Regulation before a member state court, even when they are not the EU lead supervisory authority as determined by the one-stop shop mechanism under the GDPR.
For context, and you may recall from my write-up on this subject last October, this ruling is the culmination of a long-running standoff between the Belgian DPA and Facebook dating back to 2015. The case relates to Facebook’s challenge against the territorial competence of the Belgian regulator’s bid to stop the technology giant from tracking Belgian users — be they account holders or not — through tracking pixels and cookies stored in social plug-ins. It needs to be noted that despite the media headlines around the ruling, EU regulators may initiate proceedings to pursue organizations only in exceptional circumstances of a certain urgency, or where impact is limited to national or local jurisdiction. There may still need to be some consistent interpretation in that regard. For cross-border processing cases, the OSS mechanism is, and remains, core to GDPR enforcement. The full CJEU news release, which specifies the conditions for the exercise of powers by EU member state supervisory authorities for cross-border processing, can be found here.
For reference, Article 56 of the GDPR allows for non-lead DPAs to pursue action at a national level in the case of complaints that relate to an issue that substantially affects only users under their jurisdiction, and where they believe there is a need to act urgently (where a lead authority has chosen not to). So, it does seem fairly limited in application. The European court upheld the principle and value of cooperation and consistency foreseen under the GDPR to be followed and adhered to by the regulators. Moreover, it will ultimately be up to the national courts to determine whether a DPA’s intervention complies with the provisions of the GDPR for starting such proceedings or not.
The ruling paves the way for more scrutiny and potentially more litigation aimed at Big Tech by EU supervisory authorities. Notably, the ruling will also impact smaller internet-oriented companies that operate in the EU. Reaction has been mixed. On the one hand, there are those that see this as an underpinning of the OSS as fundamental to enforcement. Conversely, some stakeholders are concerned about the potential for fragmented interpretations (akin to pre-GDPR), leading to multiple and inconsistent enforcement proceedings across the EU.
I spoke with Charles Helleputte, head of EU Cyber, Data & Privacy at Steptoe here in Brussels, and a member of the IAPP European Advisory Board. He believes the OSS as a mechanism is not under threat, adding what the GDPR offers us in enforcement terms is a balanced set of rules and exceptions: The exceptions are still wide enough to support isolated actions. Helleputte points to such cases from Germany to France, from Belgium to Italy and opines we are likely to see more. He caveats with the question of whether privacy is winning. That remains to be seen, as the flip side of the coin is more disruption for rules predictability, not to mention the potential for inefficient use of supervisory resources and risk around legal certainty. These are fair comments, and in conclusion, Helleputte feels we need to be ambitious in our quest for EU cooperation and keep exceptions for the truly exceptional cases.