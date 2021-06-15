



A long-running privacy battle between the Belgian data protection agency and Facebook, over the latter's snooping on web users with online trackers such as pixels and social plugins, has arrived at a ruling by Europe's top court today. The ruling bears on cross-border proceedings against tech giants in the region.

The Court of Justice of the European Union (CJEU) affirmed that, in certain circumstances, national DPAs can take action without being the lead data supervisor under the General Data Protection Regulation's (GDPR) one-stop-shop (OSS) mechanism. This opens the possibility of proceedings by a watchdog in a member state that is not the lead regulator for a particular company but believes local action is urgently needed.

The OSS was included in the GDPR with the idea of simplifying enforcement for companies operating in multiple EU markets, which need to deal directly with only one “lead” data protection agency. However, the mechanism has been criticized for contributing to a bottleneck effect in which multiple GDPR complaints pile up on the desks of a few DPAs (especially Ireland and Luxembourg), in EU member states that attract a large number of multinationals (usually for tax reasons, such as Ireland’s 12.5% corporate tax rate).

Enforcement of the EU’s major data protection regime against tech giants has therefore been hampered by the perception of “forum shopping.” As a result, a small number of EU DPAs carry the load with the (inevitably limited) resources provided by their governments. The resulting bottleneck appears to be useful for companies that are behind in implementing the GDPR.

It is no exaggeration to say that some EU DPAs are considered more active than others in enforcing the bloc’s privacy rules, and Ireland is not among them. (However, it defends the pace of its investigations and its enforcement record, stating that due diligence is needed to ensure its decisions stand up to legal challenge.)

In fact, Ireland has been criticized for the length of time it takes to investigate GDPR complaints (especially), for procedural issues (whether to investigate a complaint or not), and for its enforcement record against tech giants, which so far is limited to a single penalty: $550,000 issued to Twitter, announced late last year.

The Irish Data Protection Commission (DPC) initially wanted to impose a lower fine on Twitter, but other EU DPAs challenged the decision and it was forced to raise the penalty slightly.

Currently, numerous proceedings remain on the DPC’s desk, including major complaints against Facebook and Google. These are now over three years old.

This has led the Commission to intervene over Ireland’s perceived inaction and demand action. For now, the EU’s executive has restricted its intervention to a few words that essentially encourage Ireland to hurry up with its work.

The CJEU’s ruling today may ease some of the obstruction to GDPR enforcement by allowing national DPAs to pick up the baton and litigate to defend users’ rights when lead agencies are not acting on complaints.

However, according to Luca Tosoni, a researcher at the Norwegian Center for Computer Law Research at the University of Oslo, the ruling does not appear to completely unblock the OSS mechanism. CJEU Legal Officer in previous opinion on this case.

“The court essentially confirmed the views expressed by the lawyer in his opinion. Under the GDPR’s one-stop-shop system, non-lead data protection agencies can initiate enforcement measures against big tech companies only to a very limited extent, including in emergencies,” he told TechCrunch.

“But unfortunately, the court’s ruling does not elaborate on the criteria that should be followed to assess the urgency of enforcement measures. In particular, it does not explicitly support the lawyer’s view that a failure to act swiftly on the part of the lead authority may justify the adoption of interim emergency measures by data protection authorities, so this important point remains partially unclear. Further proceedings may be required to clarify this issue.

“Therefore, it is unlikely that today’s ruling will completely resolve the ‘Irish problem.’”

Article 56 of the GDPR recognizes that non-lead DPAs may take action at the national level if there are complaints related to issues that have a substantial impact only on users under their jurisdiction and they believe they need to act urgently (with no lead authority acting). It therefore looks pretty narrow.

One recent example of intervention by a non-lead DPA is the Italian DPA’s emergency action against TikTok. It relates to the safety of children on the platform, following the death of a local girl who was reported to have participated in a challenge on the platform.

“If an authority wants to take a stand-alone approach to the (judicial) enforcement of the GDPR without cooperating with other authorities, that cannot be in harmony with the wording or spirit of that regulation,” runs one paragraph of today’s decision, emphasizing the court’s view that the GDPR requires careful and balanced collaboration between DPAs.

The ruling discusses in detail the concerns raised about the “risk” of under-enforcement of the GDPR, but the CJEU thinks it is too early for the court to determine whether such concerns affect the regulation.

“However, if [under-enforcement were to] be evidenced by facts and firm argument, I do not think the court would close its eyes to the gaps that may appear in the protection of the fundamental rights guaranteed by the Charter and their effective enforcement by the competent regulators,” said the CJEU. “Still, whether that is a matter of interpreting provisions of secondary law in accordance with the Charter, an issue of the validity of the relevant provisions, or even of sections of a secondary-law document, is a matter for another case.”

Although the ruling is narrow, it may at least unblock the Belgian DPA’s long-running proceedings against Facebook’s tracking of non-users via cookies and social plugins, which were the route by which questions over the scope of the OSS were referred to the CJEU.

The court also states that a Belgian court will determine whether the DPA’s intervention meets the GDPR’s criteria for initiating such a procedure.

Facebook was contacted for comment on the CJEU decision and welcomed the decision.

In a statement, Facebook Associate General Counsel Jack Gilbert said the company was glad that the CJEU had supported the value and principles of the one-stop-shop mechanism and emphasized its importance in ensuring the efficient and consistent application of the GDPR across the EU.

