DPA can investigate even if it’s not the lead data supervisor under GDPR
The European Court of Justice has affirmed that, in certain circumstances, a national Data Protection Authority (DPA) can investigate a case even if it is not the lead data supervisor under the General Data Protection Regulation (GDPR).
The GDPR has a one-stop-shop mechanism under which businesses operating in more than one European Union market need to deal with only one ‘lead’ data protection authority. The lead data protection authority is usually that of the state where the business has its headquarters.
Article 56 of GDPR
Article 56 of the GDPR says that the supervisory authority of the main establishment of the data controller or processor shall be competent to act as a lead supervisory authority.
In contrast, a supervisory authority which is not the lead supervisory authority shall handle a complaint lodged with it with the lead supervisory authority.
The CJEU ruling
The CJEU said:
“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority.”
However, the one-stop-shop mechanism soon became a bottleneck, since a few DPAs have most of the cases. Notably, states such as Ireland and Luxembourg have most of the businesses’ headquarters, due to low corporate tax rates. This results in delayed enforcement of the GDPR, which favors big tech. Ireland is also seen as ‘too soft’ with GDPR enforcement. Several national DPAs have also complained about the long time that the Irish DPA takes to decide cases.
Belgium vs. Facebook
The ruling comes against the backdrop of a tussle between Belgium’s DPA and Facebook. Back in February 2018, judges in Belgium had ruled that Facebook contravened privacy laws by deploying technology such as cookies and social plug-ins to track internet users, even if they didn’t have a Facebook account.
The issue pertains to ‘invisible tracking’ of users through cookies, pixels, and social plug-ins, even when they are not using Facebook. Facebook had initially argued that the Belgian DPA, which took it to court, had no jurisdiction over its European business, which was headquartered in Ireland. Facebook was ultimately unable to sufficiently show how it tracked the digital activity of users and non-users. The judges decided that Facebook’s use of cookies violates European privacy laws.
Change in the enforcement of GDPR
As a result of the ruling, businesses could face more scrutiny. However, tech lobbying group CCIA said that the ruling could lead to inconsistent, fragmented, and uncertain enforcement.