![]() Significantly, the court said that it doesn’t matter where a company is based for a non-lead supervisor to investigate. The EU court added that the lead authority must “assume” its responsibilities to avoid companies engaging in “forum shopping,” in which they seek jurisdictions that have the weakest enforcement. The "one-stop shop" system requires “sincere and effective cooperation between the lead supervisory authority and the other supervisory authorities concerned,” the court said. They also said that non-lead authorities must also cooperate and stay vigilant about the lead supervisor’s actions. eschew essential dialogue, and sincere and effective cooperation, with the other supervisory authorities concerned.” Without making a specific reference to the Irish authority, the EU judges did state that lead authorities can’t operate in a vacuum and must cooperate with other authorities.ĮU judges emphasized that “the lead supervisory authority cannot, in the exercise of its competences. In the EU court decision on Facebook, there was also an implicit criticism of the Irish DPC. Authorities in France, Spain, Germany and Belgium are under pressure from privacy advocates to investigate tech giants such as Facebook, Amazon and Google, but the Irish DPC has a monopoly on running those probes. "It's been years and years, and none of the investigations into the likes of Facebook or Google have got anywhere at all," Cox said.Įuropean DPAs have been increasingly chafing under the constraints of the "one-stop shop" mechanism. "There has been a lot of pent-up frustration about the Irish DPC,” which has so far imposed only one GDPR fine on a Big Tech company, namely Twitter. "I do think there'd be more action," Cox said. The Irish DPC is seen by critics as woefully understaffed and resourced to tackle the job as the de facto data protection regulator for the bloc. Procedures are new, and building up evidence, allowing companies the right to defend themselves, is a time-consuming process. The reality is that these investigations are extremely complex. The expectation was that the landmark GDPR - much feared by US tech companies - would usher in a wave of multibillion-dollar fines against Big Tech. Some authorities are openly critical that the Irish Data Protection Commission has wrapped up very few cases, more than three years since the GDPR took effect in May 2018. The GDPR’s "one-stop shop" system has come under sharp criticism by members of the European Parliament and data protection authorities, particularly in Germany. Most of them have their EU establishment in Ireland. That includes the most serious complaints against US tech giants, whose business models affect citizens across the EU. The "one-stop shop" mechanism requires cross-border cases under the GDPR to be led by the authority where the company in question has its EU headquarters. However, these probes must follow the procedures in the GDPR, which provide for exceptions to allow non-lead supervisors to take on companies that don’t have their headquarters in those countries. While the EU court confirmed that the "one-stop shop" mechanism is still intact, it did give non-lead DPAs the go-ahead to pursue investigations. The court stressed that the lead authority is still in charge, but both the lead and other national authorities have a duty to work together to ensure the protection of privacy rights. The ruling is significant because it’s the first time the EU court described how authorities that aren’t the “lead” supervisor for companies - the country where they have their headquarters - can investigate and pursue companies in national courts. ![]() "Certain data protection authorities - and I'm thinking in particular the French, Spanish and Belgian - will be looking to do whatever they can now," after the EU court ruling, Emily Cox, a partner at Stewarts Law in London, said in an interview with MLex. The EU Court of Justice ruled on Tuesday that Belgium's Data Protection Authority can continue to investigate Facebook for alleged violations of the General Data Protection Regulation regarding "cookies". National data protection watchdogs in the EU will be emboldened to pursue Big Tech companies after the bloc’s highest court confirmed their investigative powers that are enshrined in EU and national data protection laws.
0 Comments
Leave a Reply. |