Subscriber OnlyTechnology

ECJ lays down a challenge to Ireland's Data Protection Commission

Properly functioning one-stop shop is good policy – both for Big Tech and EU citizens

In a decision that upheld the Belgian regulator’s right to pursue Facebook over the use of tracking cookies imposed on Belgians, the ECJ said national action fell within GDPR’s scope. File photography: Getty
In a decision that upheld the Belgian regulator’s right to pursue Facebook over the use of tracking cookies imposed on Belgians, the ECJ said national action fell within GDPR’s scope. File photography: Getty

If you're a multinational company, this has not been a good regulatory week in the EU. But for the rest of us, it might be a win – depending on what Ireland does.

In an important decision on Tuesday, the European Court of Justice (ECJ) declared that national data protection regulators may pursue some cases against companies without having to defer to the lead regulator, the authority in the country where the company has its EU headquarters.

Justices stated the company must have a significant association with the other state, and that national regulators should initially at least, engage with the lead regulator. But, in a decision that upheld the Belgian regulator's right to pursue Facebook over the use of tracking cookies imposed on Belgians, the ECJ said national action fell within GDPR's scope.

For most of the big technology and social media multinationals, which overwhelmingly have chosen Ireland as their EU headquarters, their lead regulator is the Irish Data Protection Commission (DPC).

READ MORE

Multinationals by and large have wanted to be regulated from Ireland. Contrary to some popular theories, this is not because they wish to persuade the Government or the DPC to barely regulate them at all. It’s because Ireland has always been seen as a relatively stable business and political environment, balancing out Boston and Berlin, as the saying goes.

However, Ireland could and should opt to provide a global model for a brave, tough, rigorous regulatory environment. In short, it could, and should, see regulation as an effective way to address the huge power imbalance between big business and individuals, especially in the era of big data exploitation and surveillance capitalism, where individual data is a (too) valuable business asset.

Ireland could act swiftly (leaving any doubts to be adjudicated by the ECJ, as in this Belgian case), and impose meaningful fines – GDPR allows for punishments of up to 4 per cent of global turnover.

And still, companies would keep their EU bases here. Because strong but stable regulation is far preferable to unpredictable, uncertain, sometimes openly hostile regulatory and political EU environments.

The alternatives within Europe – as many court cases have shown – can be far more volatile. Again, this is a key reason why companies have always based themselves here.

Incidentally, it’s also why Big Tech would far prefer a federal privacy law in the US similar to GDPR, even if harsher than the few existing state laws, because a federal law would offer clarity, stability and more certainty for US operations. Of course, they’ll all lobby for a weak federal law, but they’d prefer a tough devil they know than lots of unknowns.

That’s why companies will not be happy with the ECJ’s decision this week.

It reintroduces regulatory uncertainty. It also goes against one of the assumed main tenets of GDPR, the “one-stop shop” mechanism of having a single, lead national regulator to whom complaints are channelled. The one-stop shop was designed to smooth out the significant business friction and costs of dealing with multiple regulatory domains.

Fines have been slaps

For over a year, frustration and anger within several EU national regulators has been ramping up against the DPC, some of it spilling over into an unusual and damaging public venting of grievances. Several have argued that investigations in Ireland are taking far too long, decisions on major cases have not been forthcoming, proposed or imposed fines have been slaps, but not significant interventions. The ECJ decision now allows for national regulators to act with greater independence, which is less desirable than a more unified implementation of the GDPR.

The key to resolving this lies with Ireland. This week, the ECJ has emphasised that a foundation of the GDPR is mutual engagement and, ideally, consensus between the EU bloc’s national regulators. Their press statement makes this clear.

“[The one-stop shop] mechanism requires close, sincere and effective cooperation between those authorities, in order to ensure consistent and homogeneous protection of the rules for the protection of personal data, and thus preserve its effectiveness,” it states.

A significant number of national regulators have made it clear they want and expect Ireland to do a better job of utilising GDPR’s tools for ensuring its effectiveness: faster case determinations, significant fines and a firm implementation of GDPR against companies for which even multimillion euro fines are little more than a mild nip to the ankle.

Ireland can listen and take the lead, wielding GDPR as its provisions allow.

But if If Ireland fails to exercise its regulatory power to act swiftly and decisively, oversight will – with the ECJ’s tacit nod – continue to fragment into unwanted, piecemeal national actions, or perhaps pass to a pan-EU body. If the former, the ultimate beneficiaries will be not be the EU’s citizens, but its lawyers.