Facebook Inc can’t fully escape potential privacy orders from European Union data protection authorities beyond its lead watchdog based in Ireland, the EU’s top court said.
Under certain conditions, a national supervisory authority may exercise its power “to bring any alleged infringement” of EU data protection rules to court anywhere in the bloc, “even though that authority is not the lead supervisory authority with regard to that processing,” the EU Court of Justice ruled on Tuesday.
At issue is the scope of the so-called one-stop-shop system, set up under the EU’s data protection rules since May 2018, which puts the authority in a company’s chosen EU base in charge of supervising it, in close cooperation with the other regulators. Ireland has become the chosen EU hub for some of the biggest US tech giants, including Facebook, but its data watchdog has been criticised for taking too long.
The EU’s General Data Protection Regulation, or GDPR, gave data regulators unprecedented powers to fine companies as much as 4% of their annual sales. The one-stop-shop policy has raised questions about the powers of EU regulators other than the Irish to sanction a company like Facebook.
Tuesday’s case goes back to a privacy order by the Belgian data protection watchdog for Facebook to stop placing tracking cookies without user consent. Facebook has argued that only the Irish authority has a right to rule on its activities.
While the Belgian decision dates back to the time before GDPR took effect, it raises key questions for data watchdogs across the 27-nation EU as tensions have been building up over what some perceive as their Irish colleagues’ slow pace of taking action.
Helen Dixon, Ireland’s privacy chief, has hit back at critics, describing such comments as “ludicrous”. Her office has at least 27 privacy probes open targeting Apple Inc, Google and other tech companies. Facebook accounts for nine of these investigations and more are pending into its WhatsApp and Instagram units. – Bloomberg