Privacy

CJEU ruling could open big tech to more privacy litigation in Europe

Comment

A long running privacy fight between Belgium’s data protection authority and Facebook — over the latter’s use of online trackers like pixels and social plug-ins to snoop on web users — has culminated in a ruling by Europe’s top court today that could have wider significance on how cross-border cases against tech giants are enforced in the region.

The Court of Justice of the European Union has affirmed that, in certain circumstances, national DPAs can pursue action even when they are not the lead data supervisor under the General Data Protection Regulation (GDPR)’s one-stop-shop mechanism (OSS) — opening up the possibility of litigation by watchdogs in Member States which aren’t the lead regulator for a particular company but where the local agency believes there is an urgent need to act.

The OSS was included in the GDPR with the idea of simplifying enforcement for businesses operating in more than one EU market — which would only need to deal directly with one ‘lead’ data protection authority. However the mechanism has been criticized for contributing to a bottleneck effect whereby multiple GDPR complaints are stacking up on the desks of a couple of DPAs (most notably Ireland and Luxembourg) — EU Member States which attract large numbers of multinationals (typically for tax reasons, such as Ireland’s 12.5% corporate tax rate).

Enforcement of the EU’s flagship data protection regime against tech giant has thus been hampered by a perception of ‘forum shopping’ — whereby a handful of EU DPAs have a disproportionately large number of major, cross-border cases to deal with vs the (inevitably limited) resources provided for them by their national governments. The resulting bottleneck looks convenient for those companies that face delayed GDPR enforcement.

Lack of big tech GDPR decisions looms large in EU watchdog’s annual report

Some EU DPAs are also considered more active in enforcement of the bloc’s privacy rules than others — and it’s fair to say that Ireland is not among them. (Albeit, it defends the pace of its investigations and enforcement record by saying that it must do due diligence to ensure decisions stand up to any legal challenges.)

Indeed, Ireland has been criticized for (among other things) the length of time it’s taken to investigate GDPR complaints; for procedural issues (how it’s gone about investigating or indeed not investigating complaints); and for its enforcement record against tech giants — which to date is limited to just one $550k penalty issued against Twitter issued at the end of last year.

The Irish Data Protection Commission (DPC) had originally wanted to give Twitter an even lower fine but other EU DPAs disputed its draft decision — forcing it to increase the penalty slightly.

As it stands, scores of cases remain open on the DPC’s desk, including major complaints against Facebook and Google — which are now over three years old.

This has led to calls for the Commission to step in and take action over Ireland’s perceived inaction. Although, for now, the EU’s executive has limited its intervention to a few words urging Ireland to, essentially, hurry up and get on with the job.

GDPR’s two-year review flags lack of ‘vigorous’ enforcement

Today’s CJEU ruling may alleviate a little of the blockage around GDPR enforcement — in some narrow situations — by enabling national DPAs to take up the baton to litigate over users’ rights when a lead agency isn’t acting on complaints.

However the ruling does not look set to completely unblock the OSS mechanism, per Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo who has been following the case closely — and whose work was cited by the CJEU’s advocate general in an earlier opinion on the case.

“The Court has essentially confirmed the views that the Advocate General had expressed in his opinion: Under the GDPR’ one-stop-shop system, those data protection authorities that are not the ‘lead authority’ may start enforcement actions against big tech companies only in very limited circumstances, including in case of urgency,” he told TechCrunch.

“However, unfortunately, the Court’s ruling does not elaborate on the criteria to be followed to assess the urgency of an enforcement action. In particular, the Court has not expressly seconded the advocate general’s view that a failure to act promptly from the part of the lead authority may justify the adoption of interim urgent measures by other data protection authorities. Thus, this important point remains partially unclear, and further litigation might be necessary to clarify this issue.

“Therefore, today’s ruling is unlikely to completely settle the ‘Irish issue’.”

Article 56 of the GDPR allows for non-lead DPAs to pursue action at a national level in the case of complaints that relate to an issue that substantially affects only users under their jurisdiction, and where they believe there is a need to act urgently (as a lead authority has not). So it does seem fairly narrow.

One recent example of a non-lead DPA intervention is the Italian DPA’s emergency action against TikTok — related to child safety on the platform after the death of a local girl who had been reported to have participated in a challenge on the platform.

“An authority’s wish to adopt a ‘go-it-alone’ approach… with regard to the (judicial) enforcement of the GDPR, without cooperating with the other authorities, cannot be reconciled with either the letter or the spirit of that regulation,” runs one paragraph of today’s judgement, underlining the court’s view that the GDPR requires careful and balanced joint-working between DPAs.

The ruling does go into some detailed discussion of the “dangers” of under-enforcement of the GDPR — as the concern was raised with the CJEU — but the court takes the view that it’s too soon to say whether such a concern affects the regulation or not.

“If, however, [under-enforcement were to] be evidenced by facts and robust arguments – then I do not believe that the Court would turn a blind eye to any gap which might thereby emerge in the protection of fundamental rights guaranteed by the Charter and their effective enforcement by the competent regulators,” the CJEU goes on. “Whether that would then still be an issue for a Charter-conform interpretation of provisions of secondary law, or an issue of validity of the relevant provisions, or even sections of a secondary law instrument, is a question for another case.”

The ruling, while narrow, may at least unblock the Belgian DPA’s long-running litigation against Facebook’s tracking of non-users via cookies and social plug-ins which was the route for the referral of questions over the scope of the OSS to the CJEU.

Although the court also notes that it will be for a Belgian court to determine whether the DPA’s intervention meets the GDPR’s bar for starting such proceedings or not.

Contacted for comment on the CJEU judgement, Facebook welcomed the ruling.

“We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” said Jack Gilbert, associate general counsel at Facebook in a statement.

In Europe, Facebook’s data law buffer looks to be on borrowed time

Facebook’s tracking of non-users ruled illegal again

Facebook Faces Privacy Lawsuit From Belgian Watchdog

More TechCrunch

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

22 hours ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

1 day ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo

Sony Music Group has sent letters to more than 700 tech companies and music streaming services to warn them not to use its music to train AI without explicit permission.…

Sony Music warns tech companies over ‘unauthorized’ use of its content to train AI

Winston Chi, Butter’s founder and CEO, told TechCrunch that “most parties, including our investors and us, are making money” from the exit.

GrubMarket buys Butter to give its food distribution tech an AI boost

The investor lawsuit is related to Bolt securing a $30 million personal loan to Ryan Breslow, which was later defaulted on.

Bolt founder Ryan Breslow wants to settle an investor lawsuit by returning $37 million worth of shares

Meta, the parent company of Facebook, launched an enterprise version of the prominent social network in 2015. It always seemed like a stretch for a company built on a consumer…

With the end of Workplace, it’s fair to wonder if Meta was ever serious about the enterprise