CJEU Ruling: Big Tech Faces Increased Privacy Litigation in Europe

Privacy Ruling Empowers National Authorities in Facebook Tracking Case

A protracted legal battle between Belgium’s data protection authority and Facebook, concerning the company’s utilization of online trackers – such as pixels and social plug-ins – to monitor internet users, has reached a pivotal juncture. Today’s ruling from Europe’s highest court carries potential implications for the enforcement of cross-border cases targeting tech giants within the region.

GDPR’s One-Stop-Shop Mechanism Under Scrutiny

The Court of Justice of the European Union has confirmed that, under specific conditions, national DPAs are permitted to initiate legal action, even when they aren't designated as the lead data supervisor under the General Data Protection Regulation (GDPR)’s one-stop-shop (OSS) mechanism. This development opens the door for litigation by watchdogs in Member States where a local agency perceives an urgent need for intervention, despite not being the primary regulator for the company in question.

The Bottleneck Effect of the OSS

The OSS was initially incorporated into the GDPR to streamline enforcement for businesses operating across multiple EU markets. The intention was to require companies to interact solely with one ‘lead’ data protection authority. However, this mechanism has faced criticism for creating a bottleneck, with a growing backlog of GDPR complaints accumulating on the desks of a limited number of DPAs.

Forum Shopping and Delayed Enforcement

Enforcement of the EU’s data protection regulations against major tech companies has been hindered by concerns about ‘forum shopping’. This refers to the disproportionate number of significant, cross-border cases being directed to a small group of EU DPAs, versus the resources allocated to them by their respective national governments. This situation can lead to delays in GDPR enforcement, potentially benefiting the companies under scrutiny.

Varied Enforcement Approaches Among EU DPAs

Certain EU DPAs are demonstrably more proactive in enforcing the bloc’s privacy regulations than others. Ireland, for example, has been noted for a comparatively slower pace of investigations and enforcement. It defends its approach by emphasizing the need for thorough due diligence to ensure the longevity of its decisions in the face of potential legal challenges.

Ireland’s Enforcement Record

Ireland has faced criticism regarding the length of time taken to investigate GDPR complaints, procedural concerns, and its overall enforcement record against tech giants. To date, its enforcement actions are limited to a single $550,000 penalty issued to Twitter last year.

Ongoing Cases and Calls for Commission Intervention

The Irish Data Protection Commission (DPC) currently manages a substantial number of open cases, including significant complaints against Facebook and Google, some of which are over three years old. This has prompted calls for the European Commission to intervene and address Ireland’s perceived inaction, though the Commission’s response has been limited to urging Ireland to expedite its processes.

CJEU Ruling Offers Limited Relief

Today’s CJEU ruling may offer some limited relief to the GDPR enforcement blockage. It allows national DPAs to pursue litigation regarding user rights when a lead agency fails to act on complaints, but only in specific circumstances. However, experts believe it won’t fully resolve the issues with the OSS mechanism.

Urgency as a Key Factor

According to Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law, the ruling confirms that non-lead DPAs can initiate enforcement actions only in cases of urgency. However, the court did not provide clear criteria for assessing urgency, leaving room for further litigation to clarify this point.

Article 56 and National-Level Action

Article 56 of the GDPR permits non-lead DPAs to take action at a national level when complaints relate to issues that primarily affect users within their jurisdiction and when urgent action is deemed necessary. A recent example is the Italian DPA’s emergency action against TikTok concerning child safety on the platform.

The Importance of Cooperation Between DPAs

The court emphasized the importance of cooperation between DPAs, stating that a “go-it-alone” approach is incompatible with the GDPR’s spirit and letter. The ruling acknowledged concerns about under-enforcement but deemed it premature to determine whether this affects the regulation itself.

Potential Impact on the Belgian Case

The ruling may facilitate the Belgian DPA’s ongoing litigation against Facebook’s tracking of non-users through cookies and social plug-ins, which initiated the referral of questions regarding the OSS scope to the CJEU. However, a Belgian court will ultimately determine whether the DPA’s intervention meets the GDPR’s requirements.

Facebook’s Response

Facebook welcomed the CJEU judgement, stating its satisfaction that the court upheld the value and principles of the one-stop-shop mechanism and its importance in ensuring consistent GDPR application across the EU.