Connect with us

Belgium

European court opinion strengthens role of national data supervisors in Facebook case

SHARE:

Published

on

We use your sign-up to provide content in ways you've consented to and to improve our understanding of you. You can unsubscribe at any time.

Today (13 January) Court of Justice of the European Union (CJEU) Advocate General Bobek published his opinion on whether a national data protection authority can start proceedings against a company, in this case Facebook, for failing to protect users’ data, even if it is not the lead supervisory authority (LSA).

The Belgian Data Protection Authority, (formerly Privacy Commission), commenced proceedings against Facebook in 2015 for the unlawful collection of browsing information without valid consent. The Brussels Court found that the case was within its jurisdiction and ordered Facebook to cease certain activities. This was challenged by Facebook, who argued that the new ‘one-stop-shop’ mechanism of the GDPR (General Data Protection Regulation) means that cross-border processing should be dealt with by the lead supervisory authority – in this instance the Irish Data Protection Commission, as the main Facebook HQ in the European Union is in Ireland (Facebook Ireland Ltd).

The EU’s Advocate General Michal Bobek agreed that the lead supervisor does have a general competence over cross-border data processing - and by implication other data protection authorities have more limited power to commence judicial proceedings, however he also found that there were situations where national data protection authorities could intervene.

One of the Advocate General’s (AG) main concerns appeared to be the danger of “under-enforcement” of the GDPR. The AG argues that the LSA should be seen more as a primus inter pares, but that national supervisors do not renounce their ability to act in a suspected infringement in every instance. The current governance relies on cooperation to ensure consistency in application.

It isn’t difficult to fathom his concerns. Anyone who has followed the litigation of Max Schrems over the last years in Ireland against Facebook’s EU-US data transfers would not be impressed by the less than exemplary performance of the supervisor and the Irish court system. It was serendipitous that on the same day that this opinion was published, the Irish Data Protection Commission finally settled its 7.5 year battle with Schrems.

The AG sees the potential danger of companies choosing their main place of establishment on the basis of the national regulator, with countries with less active or under-resourced regulators being preferred, as a type of regulatory arbitrage. He adds that though consistency was to be welcomed there was a danger that “collective responsibility could lead to collective irresponsibility and, ultimately, inertia”.

Advertisement

Share this article:

EU Reporter publishes articles from a variety of outside sources which express a wide range of viewpoints. The positions taken in these articles are not necessarily those of EU Reporter.

Trending