The ECJ has given national data protection supervisory authorities more power against large Internet companies.
The judgment shows that they have so far largely enjoyed the freedom of fools.
+
Google.jpg
© Justin Tallis / AFP
On Tuesday, the European Court of Justice (ECJ) in Luxembourg published a ruling on the General Data Protection Regulation (GDPR): In the future, national data protection authorities will be able to take action against violations by companies in exceptional cases, even if their headquarters are in another country. The verdict could hit companies like Facebook and Google hard. The GDPR is a powerful tool for protecting private data, but so far some of the largest data processors have been able to protect themselves from sanctions by hiding behind a data protection authority.
So far, the data protection situation has been clearly regulated. Strictly according to the market location principle, only the supervisory authority in whose sphere of activity the European headquarters of a company is located was responsible. For example, if a German citizen has a data protection complaint against Facebook, he or she must submit it to the Irish data protection authority DPC (Data Protection Commission). Like Google and Microsoft, Facebook appreciates favorable conditions in the island state, such as a low corporate tax.
But Ireland also seems to offer locational advantages in the context of the General Data Protection Regulation: "If you as a citizen have a data protection complaint against Facebook, you are lost, as things are at the moment," explains Marco Blocher, lawyer at the European data protection association Noyb (none of your business ). He criticizes the way the Irish agency works: "It is sometimes extremely absurd how long proceedings take at the DPC."
Blocher explains: “In January 2019, we submitted several complaints to the DPC, including against Apple Music and YouTube. They have not yet been decided. "This is not even a matter of complex content:" In the case of Apple, it was a simple violation of the obligation to provide information. The DPC took a year and a half to bring this complaint to Apple's attention. Normally, the entire process should only take weeks to months. "As a non-governmental organization made up of specialized lawyers, we can of course stay on the ball, but it is so impossible for normal citizens to enforce their rights, the DPC acts like a black hole here," explains Blocher.
This makes legal violations profitable: "It is cheaper for companies to collect and sell unlawful data and to pay the - so far hardly existing - fines instead of adhering to the rules of data protection", criticizes Blocher. But not only private organizations like Noyb, but also Christof Stein, spokesman for the Federal Commissioner for Data Protection and Freedom of Information, sees the situation critically: "The Irish data protection supervisory authority has around 200 cross-border proceedings from Germany, of which only a very small number have so far been decided." the hands of the German authorities were tied. As recently as last week, the European Data Protection Committee confirmed to our newspaper that the national authorities - including the DPC - acted “completely independently” on such issues.
The problem is the “irritating self-image” of the Irish data protection authority, as Marco Blocher finds.
For Helen Dixon, the head of the DPC, the GDPR passage to deal with a complaint is not a call for action.
"Dixon means with reference to Irish law that you can open proceedings and close without a decision," says the data lawyer.
Despite several inquiries, the DPC itself was not available for comment.
The same thing happened to the EU Committee on Civil Liberties, Justice and Home Affairs (LIBE).
The latter summoned Dixon to a hearing in March on the allegations mentioned.
Andrea Jelinek, head of the European Data Protection Committee and Max Schrems, chairman of Noyb, should appear next to her.
Dixon, who preferred to be heard on her own, called this approach “inappropriate” and “perverse” and canceled her participation.
The EU is currently countering this refusal with great legal pressure. Only at the end of May did the European Parliament adopt a resolution calling on the EU Commission to initiate infringement proceedings against Ireland. The ECJ ruling on Tuesday hits the same line. Because it makes it clear that the European judges will no longer tolerate delays in proceedings by individual authorities. It is true that it is fundamentally the task of the lead authority to decide whether the conduct of a company violates the General Data Protection Regulation. However, you cannot make a decision on your own, but must work “loyally and effectively” with the other supervisory authorities concerned.
Despite all the criticism, the lone fighter DPC is currently fighting a process with Facebook.
Because, contrary to their habits, the authority banned Facebook from transferring European user data to the USA on the basis of a ruling from July last year and was thus groundbreaking.
List of rubric lists: © Justin Tallis / AFP
