The European Union’s top court is set to weigh in Tuesday on whether a privacy regulator in one country can sanction a company if its headquarters is in another country. A go-ahead would potentially open firms up to more penalties.
A ruling due in a case between
and the Belgian data protection authority could impact any company that does business in any of the 27 EU countries. If the European Court of Justice rules that the Belgian regulator can pursue a court case against Facebook, whose European headquarters is in Ireland, authorities across the bloc will be able to sanction companies in their own national courts. Facebook has argued against the prospect.
Under a provision known as the one-stop-shop rule in the 2018 General Data Protection Regulation, companies are overseen by the national data regulator in the EU country where their European headquarters is located. That means authorities in the other 26 member countries generally don’t levy fines or orders about data-handling practices against companies outside their jurisdiction, and companies interact with their local regulator, not with all 27. However, some authorities have used methods such as drawing on other laws for privacy fines, or using emergency measures in the GDPR, to go after firms beyond their geographic boundaries.
“The one-stop-shop mechanism doesn’t work as smoothly as it should work,” said Hielke Hijmans, who oversees fines and sanctions for the Belgian data protection authority. The method requires regulators to hand off complaints to their counterparts in other countries, which can involve bureaucratic legwork and take a long time, he added.
Plus, in cases when there may be public concern over a significant data breach, for instance, regulators are under pressure to investigate wrongdoing instead of waiting for another authority to do so, Mr. Hijmans said.
If the EU judges allow regulators to take companies to court, doing so would still be a lengthy and expensive option, he said. European privacy authorities generally issue sanctions through regulatory procedures, not courts.
An adviser to the EU court published a nonbinding opinion in January stating that regulators can bring companies to court in GDPR cases that affect people in their jurisdiction, regardless of the location of their headquarters. Judges at the EU’s top court consider the adviser’s opinion and their final ruling often follows the recommendation.
A Facebook spokesman declined to comment.
Many companies say the provision simplifies their compliance with the GDPR.
Without the one-stop-shop, companies might be subject to conflicting decisions from regulators in different countries, said Lorena Marciano, privacy officer for Europe at Cisco Systems Inc. “As a multinational, what do I do, do I change my approach in each member state? That’s not feasible,” she said.
But tensions have been brewing over some European privacy regulators’ speed in investigating GDPR complaints. Critics say the one-stop-shop funnels a high number of cases to a small group of regulators who take a long time to issue decisions. The Irish regulator’s office, which is responsible for overseeing several large multinationals, has said it didn’t receive appropriate budget increases to investigate the high number of complaints it receives.
“We’re at a turning point. We can’t simply continue as things have been,” said David Martin, senior legal officer at the European Consumer Organisation, a Brussels-based advocacy group representing consumer watchdog bodies from EU countries.
The consumer group has needed to hire a lawyer to navigate local administrative rules when complaints are sent to other countries, Mr. Martin said. “It’s about protecting 500 million consumers. You can’t rely on one single authority,” he said referring to the population of the EU.
Johannes Caspar, the privacy regulator in Hamburg, Germany, used an emergency measure in the GDPR in May to issue a three-month ban on Facebook’s collection of WhatsApp user data from Germany.
The order was issued days before a May 15 deadline set by Facebook for its users to accept new privacy terms about how WhatsApp shares data with the company. Mr. Caspar said in a statement last month that Facebook couldn’t legally draw consent for the new policy because users had to agree to the terms to continue using WhatsApp, and the company could use individuals’ data for marketing purposes.
Mr. Caspar said he has since applied for an extension of the ban with the European Data Protection Board, the umbrella group of EU regulators. The one-stop-shop has “massive deficits” and has “led to two-speed data protection enforcement” between regulators who issue fines after regular investigations and those who drag out bureaucratic procedures for years, Mr. Caspar said in an email.
Barry Cook, group data protection officer for VFS Global, a technology provider for government visa services, said companies might choose to establish their headquarters in a country whose regulator is known to be less rigorous if the court determines that regulators can only pursue companies based in their jurisdiction.
“The downside of this is it leads to a race to the bottom, which really weakens the whole concept of the GDPR,” Mr. Cook said.
VFS, officially called VF Worldwide Holdings Ltd, previously had its European base in the U.K. and is in the process of relocating to another EU country, which Mr. Cook declined to name, since the U.K. left the EU last year.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8