Is the GDPR finally going to get some teeth?

Posted on Jan 19, 2021 by Glyn Moody

The GDPR is a powerful, far-reaching piece of legislation, but one whose full potential the EU data protection authorities have so far failed to realize. Research from DLA Piper shows that fines totalling 272.5 million euros (about $332.4 million) have been imposed since the GDPR came into operation in May 2018. Given the size of online companies handling personal data, that’s pretty small beer.

One reason is that the Irish Data Protection Commission (DPC) has a backlog of important GDPR cases. The Irish DPC finds itself in this position because of the way that the GDPR works: when there are privacy problems, the cases are brought by the data protection authority of the EU nation in which the company concerned is based. For most leading Internet companies, that’s Ireland. One person who has been struggling with Ireland’s inability to finalize cases is the privacy activist Max Schrems. He’s been battling the DPC for years, trying to get the agency to investigate Facebook’s transatlantic transfers of personal data. It finally looks as if Schrems has obtained this:

The DPC has agreed with Max Schrems’ demand to swiftly end a 7.5 year battle over EU-US data transfers by Facebook and come to a decision on Facebook’s EU-US data flows. This only came after a Judicial Review against the DPC was filed by Mr Schrems.

The Irish DPC’s decision to deal with Facebook is hardly enough on its own to energize the GDPR. After all, it took Schrems years of legal battles to get to this point, and it’s not clear if the DPC will now start to move more quickly on all its other high-profile cases. That makes the other recent development all-the-more significant. It concerns a GDPR case in Belgium that this blog wrote about in May 2017. Back then, the Belgian Privacy Commission said:

Facebook continues to act in non-compliance with both Belgian and EU data protection law as regards the tracking of both users and non-users of Facebook through cookies, social plug-ins and pixels. In particular the legal requirements regarding consent, fairness, transparency and proportionality are not met, amongst others due to the shortcomings in the information that Facebook communicates todata subjects and the inadequacy of the choices that Facebook offers data subjects.

When the GDPR came fully into force in May 2018, Facebook argued that Belgium no longer had jurisdiction, because the company’s European headquarters were based in Ireland. According to Facebook, this meant that only the Irish DPC could take action against it. This raised an important question: could the data protection authority in one countriy use the GDPR against a company located in another EU nation? Because the implications are so important, the Belgian court asked the EU’s top legal body, the Court of Justice of the European Union (CJEU), to rule on the matter.

The CJEU itself has not yet given its judgment. But as is usually the case, one of the CJEU’s Advocates General – a kind of independent legal advisor to the court – has given his views. Advocate General Michal Bobek first of all finds that the lead data protection authority – that is, the one in the home country of the company in question – has a “general competence over cross-border data processing, including the commencement of judicial proceedings for the breach of the GDPR, and, by implication, the other data protection authorities concerned enjoy a more limited power to act in that regard.” He points out that this was one of the GDPR’s innovations, designed to address the fragmented way that the previous EU data protection law was implemented. However, Bobek also noted that there was scope within the GDPR’s rules for other data protection authorities to take legal action:

the Advocate General considers that the GDPR permits the data protection authority of a Member State to bring proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border data processing, despite it not being the lead data protection authority entrusted with a general power to commence such proceedings, provided that it does so in the situations where the GDPR specifically confers upon it competences to this end and according to the corresponding procedures set out in the GDPR.

It’s important to emphasize that this is only the Advocate General’s opinion, and that the CJEU may disagree. However, in general, they are relatively closely aligned, so it is quite likely that the court will follow Bobek’s logic. If it does so, it could have a dramatic impact on the enforcement of the GDPR. It would mean that potentially any EU data protection authority could start legal actions as a result of cross-border data processing by a company, wherever the latter had its EU headquarters. Given that companies like Facebook and Google operate in all of the EU’s 27 nations, that means 26 more data protection authorities would gain at least some power to take action directly against them. In practice, what this means is that Ireland’s DPC and its backlog of cases could be circumvented. Companies like Facebook and Google could no longer carry on with their possibly illegal activities by taking advantage of the fact that it could be years before the overstretched DPC ever issued any ruling or fines.

Although it is by no means certain that things will play out in this way, at least there is now a way forward for the GDPR and its enforcement. We’ll find out in a few months’ time whether the CJEU wants data protection law in the EU to have teeth or not.

Featured image by dozenist.