The EU Court of Justice ruled that a national regulator may exercise its power with regard to privacy orders, “even though that authority is not the lead supervisory authority with regard to that processing.”
This tests the limits of the EU’s one-stop-shop system, which was set up in May 2018 and puts privacy orders in the hands of the leading watchdog in a company’s chosen European base.
The EU’s General Data Protection Regulation gives these data regulators the strength to fine companies up to 4 per cent of their earnings.
In Facebook’s case, Ireland is its chosen base, and the Irish regulator is therefore the only data protection regulator that can wield this power.
Despite the loosened powers, judges “upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” according to Jack Gilbert, Facebook’s associate general counsel.
The one-stop-shop system requires “close, sincere and effective cooperation between those authorities, in order to ensure consistent and homogeneous protection of the rules for the protection of personal data, and thus preserve its effectiveness,” the court said.
The case was brought by the Belgian data protection watchdog, which attempted to stop Facebook from tracking users without their consent. Facebook baulked at the order, claiming that only the Irish watchdog can make this order.
This ruling overturns that claim.
The Belgian authority said it “will now analyse the judgment to better understand its impact on its ongoing case before the Brussels Court of Appeal.”