Data Protection & Privacy

DPA can investigate even if it’s not the lead data supervisor under GDPR

The European Court of Justice has affirmed that, in certain circumstances, a national Data Protection Authority (DPA) can investigate a case even if it is not the lead data supervisor under the General Data Protection Regulation (GDPR).

The GDPR has a one-stop-shop mechanism under which businesses operating in more than one European Union market need to deal with only one ‘lead’ data protection authority. The lead data protection authority is usually that of the state where the business has its headquarters.

Article 56 of GDPR

Article 56 of the GDPR says that the supervisory authority of the main establishment of the data controller or processor shall be competent to act as a lead supervisory authority.

In contrast, a supervisory authority that is not the lead supervisory authority shall handle a complaint lodged with it together with the lead supervisory authority.

The CJEU ruling

The CJEU said:

“Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority.”

However, the mechanism soon became a bottleneck, since a few DPAs have most of the cases. Notably, states such as Ireland and Luxembourg host most of the businesses’ headquarters, due to low corporate tax rates. This results in delayed enforcement of the GDPR, which favors big tech. Ireland is also seen as ‘too soft’ on GDPR enforcement. Several national DPAs have also complained about the long time that the Irish DPA takes to decide cases.

Belgium vs. Facebook

The ruling comes against the backdrop of a tussle between Belgium’s DPA and Facebook. Back in February 2018, judges in Belgium had ruled that Facebook contravened privacy laws by deploying technology such as cookies and social plug-ins to track internet users, even if they didn’t have a Facebook account.

The issue pertains to ‘invisible tracking’ of users through cookies, pixels, and social plug-ins, even when they are not using Facebook. Facebook had initially argued that the Belgian DPA, which took it to court, had no jurisdiction over its European business, which was headquartered in Ireland. Facebook was ultimately unable to sufficiently show how it tracked the digital activity of users and non-users. The judges decided that Facebook’s use of cookies violates European privacy laws.

Change in the enforcement of GDPR

Consequent to the ruling, businesses could face more scrutiny. However, tech lobbying group CCIA said that the ruling could lead to inconsistent, fragmented, and uncertain enforcement.



Rohit Ranjan Praveer

Rohit is a practicing advocate in Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit to pass on valuable information to the masses, with a zeal to build something that outlasts him.
