Members of the European Union can now, under certain circumstances, pursue General Data Protection Regulation (GDPR) violations in court without having to use the "one stop shop" mechanism of the regulation.
The decision, rendered on Tuesday by the Court of Justice of the European Union, opens major tech firms such as Facebook
"Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to that processing," the decision said.
Essentially, the decision allows regulators from any EU member to investigate privacy violations even if that regulator isn't the one primarily responsible for that company. The decision originates from a case between Belgium and Facebook, in which the latter argued that punitive actions taken by Belgian authorities were not applicable because Ireland's data regulator was their primary supervising authority.
The CJEU's decision is a sound rejection of Facebook's argument, but it shouldn't be treated as a total dismissal of the "one stop shop" system either. The CJEU itself specifically noted in its decision that there were instances where authorities couldn't cross lines to pursue violations and that the "one stop shop" was still in place.
Facebook, for its part in the case, has accepted the CJEU's ruling. The company, which has been continually locked in legal battles worldwide over its handling of private information, acknowledged that there were exceptions to the GDPR and framework and said that it felt the decision still upheld the values of the original regulation.
There are plenty of critics of the decision, too, however. The Computer and Communications Industry Association noted that it feared the possibility of inconsistent enforcement of the GDPR.
- https://curia.europa.eu/jcms/upload/docs/application/pdf/2021-06/cp210103en.pdf
- https://www.complianceweek.com/gdpr/cjeu-ruling-opens-facebook-others-to-greater-gdpr-liability/30484.article
- https://news.bloomberglaw.com/privacy-and-data-security/european-court-ruling-opens-door-for-privacy-action-ramp-up
- https://www.euractiv.com/section/data-protection/news/eu-court-gdpr-cross-border-cases-not-limited-to-leading-authority/