European officials are increasing the pressure on Silicon Valley’s behemoths once again.
The European Union’s top court ruled on Tuesday that tech giants that are primarily regulated by privacy officials in one EU country can still face legal action from privacy officials in other EU countries. The decision opens the door to more litigation against Big Tech by European data watchdogs at the country level.
Separately, Apple (AAPL) and Google (GOOGLdominance )’s in mobile operating systems, app stores, and web browsers is being investigated by the UK’s antitrust regulator.
The announcements are the latest in a series of government challenges to Big Tech on both sides of the Atlantic, where regulators and policymakers have added to US policymakers’ efforts to rein in large, dominant platforms.
According to the UK’s Competition and Markets Authority (CMA), the two companies’ dominance in mobile ecosystems could lead to higher app and digital advertising prices, as well as less innovation and competition.
“Apple and Google control the major gateways through which people download apps or browse the web on their mobiles — whether they want to shop, play games, stream music or watch TV,” said CMA chief executive Andrea Coscelli in a statement. “We’re looking into whether this could be creating problems for consumers and the businesses that want to reach people through their phones.”
A request for comment from Apple was not immediately returned. In a statement, Google said its Android operating system “provides people with more choice than any other mobile platform in deciding which apps they use, and enables thousands of developers and manufacturers to build successful businesses. We welcome the CMA’s efforts to understand the details and differences between platforms before designing new rules.”
The CMA is already investigating Apple’s App Store and Google’s new web-based tracking proposals, but according to Coscelli, the new initiative is much broader.
The CMA established a Digital Markets Unit in April in preparation to regulate large tech platforms once new laws granting it that authority are passed by Parliament. The newly announced investigation, according to Coscelli, is intended to provide the new unit with the evidence it needs to “hit the ground running” once its powers are established.
Meanwhile, the European Court of Justice’s ruling on Tuesday could expose Facebook to more legal risk (FB).
Despite being primarily regulated by Irish data protection authorities, the Court stated that Facebook could be held liable in Belgium for alleged violations of the EU’s data privacy law, known as GDPR. A lower court must determine that Belgian data authorities followed all other GDPR procedures properly, and that the enforcement occurred under one of the exceptions that allows another EU country to intervene, the Court added, in order to successfully prosecute an alleged violation.
The original complaint, filed by Belgian officials in 2015, claimed that Facebook had improperly collected and used the data of Belgian citizens. Because Facebook’s European headquarters are in Ireland, Facebook was able to persuade a Belgian appellate court that the country’s data regulator lacked jurisdiction in that case.
The Court of Justice ruling effectively overturns that decision, allowing other countries to sue not only Facebook but also other tech giants based in Ireland, such as Apple, Google, and Twitter, for alleged privacy law violations.
The EU’s privacy law allows companies to be regulated by a “lead supervisory authority” for data stored in the same country as their main establishment or regional headquarters, thanks to a mechanism known as “one-stop shop.” The mechanism is designed to make oversight easier. However, the law allows other member countries’ privacy agencies to bypass the lead authority in “urgent” situations and when all of the users affected by a case live only in that country, according to the Court.
Facebook issued a statement applauding the Court’s decision, which it described as “reaffirming the dominant role of lead data authorities and the ability of other privacy regulators to step in only in exceptional circumstances under the law.”
In a statement, Jack Gilbert, an associate general counsel at Facebook, said, “We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU.”