Europe's top court ruled on Tuesday that national privacy regulators could pursue investigations into big tech companies, even if they aren't the lead regulator for that company -- in specific circumstances.
Until now, regulators have been bound by Europe's one-stop-shop rule, which means only the regulator in the country where the company has its European headquarters may bring GDPR enforcements against those companies. Tuesday's decision doesn't signal an end to the one-stop-shop rule, but it does introduce greater flexibility to become involved in privacy cases when regulators take umbrage with tech companies' handling of cross-border data processing.
At the heart of the ruling by the Court of Justice of the European Union is a long-running attempt by the Belgian privacy regulator to prevent Facebook from using cookies and other tracking tools to follow Belgian citizens around the web. Belgium has been pursuing the case since 2015, predating the introduction of GDPR, Europe's strict privacy regulation, which came into force in 2018.
Facebook has long argued that it isn't answerable to the Belgian regulator, as it has its headquarters in Ireland. But Tuesday's ruling indicates that the court upholds the right of EU member states to bring GDPR enforcements against companies that fall outside of their one-stop-shop jurisdiction, if specific criteria are met.
"Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to that processing," said the ruling.
Facebook took the ruling in stride.
"We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU," said Jack Gilbert, associate general counsel at Facebook in a statement.
The ruling could open the door for more privacy cases to be brought against big tech companies, and for more fines and other penalties to be issued against them. (GDPR fines can be as much as 4% of a company's global turnover.)
It could also be seen as a blow to Ireland, which is the lead regulator for many of the biggest Silicon Valley tech companies, including Google and Apple. The Irish regulator has been criticized for not acting fast enough on GDPR complaints, and the ruling could allow other EU countries to jump in and bring pursue the companies themselves -- again, if they meet the requirements set out by the court. But likewise, it could allow the Irish regulator to bring cases against companies headquartered elsewhere in the EU.