Facebook can't dodge EU-wide privacy orders, top court rules
Under certain conditions, a national regulator may exercise its power "even though that authority is not the lead supervisory authority with regard to that processing"
Facebook Inc. and other US tech giants can't dodge potential privacy orders from European Union data protection authorities beyond their lead watchdog in Ireland, the bloc’s top court said in a ruling that tests the limits of beefed-up EU rules.
Under certain conditions, a national regulator may exercise its power "even though that authority is not the lead supervisory authority with regard to that processing," the EU Court of Justice ruled on Tuesday.
At issue is the scope of the so-called one-stop-shop system, set up under the EU’s data protection rules since May 2018, which puts the authority in a company’s chosen EU base in charge of supervising it, in close cooperation with the other regulators. Ireland has become the chosen EU hub for some of the biggest US firms, including Facebook, but its data watchdog has been criticized for taking too long.
Despite the potential for extra privacy probes, Facebook said it was "pleased" with the ruling.
Judges "upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU," Jack Gilbert, the company's associate general counsel, said in a statement.
The EU's General Data Protection Regulation, or GDPR, gave data regulators unprecedented powers to fine companies as much as 4% of their annual sales.
The one-stop-shop policy has raised questions about the powers of EU regulators other than the Irish to sanction a company like Facebook.
The system "requires close, sincere and effective cooperation between those authorities, in order to ensure consistent and homogeneous protection of the rules for the protection of personal data, and thus preserve its effectiveness," the court said.
An authority that is not the lead watchdog for a company can start a legal case for a cross-border data privacy violation, as long as it complies with the "allocation of competences" under EU law, the court said.
Tuesday's case goes back to a privacy order by the Belgian data protection watchdog for Facebook to stop placing tracking cookies without user consent. Facebook has argued that only the Irish authority has a right to rule on its activities.
The Belgian authority said it "will now analyse the judgment to better understand its impact on its ongoing case before the Brussels Court of Appeal."
EU judges said the Belgian court that sought the EU tribunal's guidance will have to decide if procedures and "the rules for the distribution of powers" were correctly applied in the dispute concerned and whether the alleged violations targeted by the Belgian authority fall under its competence and are in line with Tuesday’s ruling.
While the Belgian dispute dates back to the time before GDPR took effect, it raises key questions for data watchdogs across the 27-nation EU as tensions have been building up over what some perceive as their Irish colleagues' slow pace of taking action.
Helen Dixon, Ireland's privacy chief, has hit back at critics, describing such comments as "ludicrous." Her office has at least 27 privacy probes open targeting Apple Inc., Google and other tech companies. Facebook accounts for nine of these investigations and more are pending into its WhatsApp and Instagram units.
The case is: C-645/19, Facebook Ireland and Others.
Luxembourg's privacy watchdog last week proposed the heaviest fine yet under EU privacy law on the US company Amazon, which has its European headquarters in the Grand Duchy, at more than $425 million (€349 million).
©2021 Bloomberg L.P.