European court opinion strengthens role of national data supervisors in Facebook case
The Belgian Data Protection Authority, (formerly Privacy Commission), commenced proceedings against Facebook in 2015 for the unlawful collection of browsing information without valid consent. The Brussels Court found that the case was within its jurisdiction and ordered Facebook to cease certain activities. This was challenged by Facebook, who argued that the new ‘one-stop-shop’ mechanism of the GDPR (General Data Protection Regulation) means that cross-border processing should be dealt with by the lead supervisory authority – in this instance the Irish Data Protection Commission, as the main Facebook HQ in the European Union is in Ireland (Facebook Ireland Ltd).
The EU’s Advocate General Michal Bobek agreed that the lead supervisor does have a general competence over cross-border data processing — and by implication other data protection authorities have more limited power to commence judicial proceedings, however he also found that there were situations where national data protection authorities could intervene.
It isn’t difficult to fathom his concerns. Anyone who has followed the litigation of Max Schrems over the last years in Ireland against Facebook’s EU-US data transfers would not be impressed by the less than exemplary performance of the supervisor and the Irish court system. It was serendipitous that on the same day that this opinion was published, the Irish Data Protection Commission finally settled its 7.5 year battle with Schrems.
The AG sees the potential danger of companies choosing their main place of establishment on the basis of the national regulator, with countries with less active or under-resourced regulators being preferred, as a type of regulatory arbitrage. He adds that though consistency was to be welcomed there was a danger that “collective responsibility could lead to collective irresponsibility and, ultimately, inertia”.