EU court, Facebook can face national privacy cases outside Ireland

national privacy

National data watchdogs will be able to pursue big tech firms even if they are not their lead regulators, the European Union’s top court has ruled.

The Court of Justice of the European Union (ECJ) ruling opens the way for national agencies to act against US tech companies such as Google, Twitter and Apple which all have their European Union headquarters in Ireland.

“Most big tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500m consumers in the EU,” BEUC director general Monique Goyens said after the judgement.

Along with Google, Twitter and Apple, Facebook has its EU headquarters here, putting it under the oversight of the Data Protection Commissioner under the GDPR national privacy rules, which allow for fines of up to 4 percent of a company’s global turnover for breaches.

The CJEU got involved after a Belgian court sought guidance on Facebook’s challenge to the territorial competence of the Belgian data watchdog. The watchdog was trying to stop Facebook from tracking users through cookies stored in the company’s social plug-ins, regardless of whether they have an account or not.

“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority with regard to that processing,” the ECJ said.

“We are pleased that the CJEU has reaffirmed the value and principles of the one-stop-shop mechanism and the role of the lead supervisory authority,” Jack Gilbert, Facebook’s associate general counsel, said.

Judges said these conditions include regulators following cooperation and consistency procedures set out in the GDPR and that the violations occurred in the relevant EU country.

The news comes as the US warned the EU against pursuing “protectionist” technology policies that exclusively target American companies.

The National Security Council, an arm of the White House, wrote last week to complain about the tone of recent comments about the EU’s flagship tech regulation, as debates are about to begin in the European parliament.

In addition, BEUC director general Monique Goyens said “This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU. Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on.”