| 26 February 2024, Monday |

Facebook, big tech face EU blow in national data watchdogs ruling

After the European Union’s top court authorized national privacy watchdogs to pursue them, even when they are not their lead regulators, Facebook and other Silicon Valley behemoths might face further scrutiny and punishment in the EU.

BEUC, a consumer advocacy group, applauded the EU Court of Justice’s (CJEU) decision on Tuesday, which affirmed national agencies’ right to intervene, citing enforcement bottlenecks.

Facebook, like Google, Twitter, and Apple, has its EU headquarters in Ireland, bringing it under the watchful eye of the Irish data protection authority under the GDPR privacy rules, which allow for fines of up to 4% of a company’s global revenue for data breaches.

The CJEU got involved after a Belgian court sought guidance on Facebook’s challenge to the territorial competence of the Belgian data watchdog, which was trying to stop it from tracking users in Belgium through cookies stored in the company’s social plug-ins, regardless of whether they have an account or not.

“Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge,” BEUC Director General Monique Goyens said.

Several national watchdogs in the 27-member EU have long complained about their Irish counterpart, saying that it takes too long to decide on cases. Ireland has dismissed this, saying it has to be extra meticulous in dealing with powerful and well-funded tech giants.

Ireland’s cases in the pipeline include Facebook-owned Instagram and WhatsApp as well as Twitter, Apple, Verizon Media, Microsoft-owned LinkedIn and U.S. digital advertiser Quantcast.

“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority,” the CJEU said.

Judges said these conditions include regulators following cooperation and consistency procedures set out in the GDPR and that the violations occurred in the relevant EU country.

“We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” Jack Gilbert, Facebook’s associate general counsel, said.

The verdict, according to the technology advocacy group CCIA, might result in inconsistent and unpredictable enforcement, as well as increased costs.

“It has also created the back door for all national data protection enforcers to commence various procedures against corporations,” said Alex Roure, CCIA Europe’s senior policy manager.

“Inconsistent, fragmented, and unpredictable data protection compliance in the EU is a real possibility. We advise national authorities to be wary of commencing multiple procedures, which would erode legal certainty and make data protection compliance throughout the EU even more difficult “he stated

  • Reuters