The regulatory world just became notably more uncertain for the big technology companies that have chosen to base their EU headquarters in Ireland. Until now, one significant consequence of their choice has been to acquire the Irish Data Protection Commission (DPC) as lead regulator for any General Data Protection Regulation (GDPR) related violations.
Under a GDPR mechanism known as the one-stop shop, even if a concern arose in another EU state and a citizen filed a complaint with their own national data protection authority (DPA), the complaint would be passed on to the regulator in the state in which the company has its European base. The original intention was to streamline and expedite the complaint process, and afford regulatory stability to the businesses operating in multiple EU markets.
In application, the one-stop shop approach gave considerable regulatory responsibility and global visibility to the Irish DPC Helen Dixon, because so many large internet, technology and social multinationals have an Irish base.
But on Tuesday, the European Court of Justice (ECJ) – Europe’s highest court – issued a decision that limits the one-stop shop, allowing certain issues – in this case, a complaint against Facebook’s Belgian operations over the way it uses tracking cookies – to be considered by the regulator in the home country of the complainant.
This doesn’t allow a regulatory free for all. The court said that the potential violations must have taken place in the country handling the issue, and that a national regulator has an obligation to engage first with the lead regulator for a company – which will often be the Irish DPC.
But if a national regulator is not satisfied with the response of the DPC here, that national regulator can undertake its own investigation and action.
The decision is a slap for the Irish DPC, explicitly allowing other regulators to circumvent the office here and its previously-assumed lone authority. Notably, the opinion comes after months of growing tensions between the Irish DPC and other national regulators, who have complained, sometimes openly, about the length of investigations here and what they’ve seen as the too-limited size and extent of the fines and other remedies imposed on powerful and wealthy multinationals by the DPC.
Though Facebook’s public response was to emphasise the decision’s validation of the GDPR, in reality no multinational anywhere in the EU will be happy with this sudden turn. They will feel – rightly – that they are now far more exposed to the varying laws and national implementations of the GDPR across the EU bloc, as well as regulators and courts that have been far more hostile in its interpretation than Ireland.