The European Union’s top court ruled Tuesday that tech giants regulated by privacy officials primarily in one EU country can still face legal action by privacy officials based in another member country. The ruling opens the door to more litigation against Big Tech by country-level European data watchdogs.
Separately, the UK’s antitrust regulator said Tuesday it is investigating Apple (AAPL) and Google (GOOGL)‘s dominance in mobile operating systems, app stores and web browsers.
The announcements mark the latest governmental challenges to Big Tech across the Atlantic, where scrutiny by regulators and policymakers have added to US policymakers’ own efforts to rein in large, dominant platforms.
The UK’s Competition and Markets Authority (CMA) said the two companies’ power in mobile ecosystems could be leading to higher prices in apps and digital advertising, as well as potentially reduced innovation and less competition.
“Apple and Google control the major gateways through which people download apps or browse the web on their mobiles — whether they want to shop, play games, stream music or watch TV,” said CMA chief executive Andrea Coscelli in a statement. “We’re looking into whether this could be creating problems for consumers and the businesses that want to reach people through their phones.”
Apple didn’t immediately respond to a request for comment. In a statement, Google said its Android operating system “provides people with more choice than any other mobile platform in deciding which apps they use, and enables thousands of developers and manufacturers to build successful businesses. We welcome the CMA’s efforts to understand the details and differences between platforms before designing new rules.”
The CMA is already looking into Apple’s App Store and Google’s new web-based tracking proposals, but Coscelli said the new initiative is much broader.
In April, the CMA established a Digital Markets Unit in preparation to regulate large tech platforms once Parliament passes new laws granting it that authority. Coscelli said the newly announced investigation is intended to give the new unit the evidence it needs to “hit the ground running” when its powers are finally established.
Tuesday’s ruling by the European Court of Justice, meanwhile, could create greater legal exposure for Facebook (FB).
Despite being primarily regulated by Irish data protection authorities, Facebook may still be held liable in Belgium for alleged violations of Europe’s data privacy law, known as GDPR, the Court said. In order to successfully prosecute an alleged violation, the Court added, a lower court must determine that Belgian data authorities appropriately followed all other procedures laid out in GDPR, and that the enforcement occurred under one of the exceptions that permits another EU country to intervene.
The original case, brought by Belgian officials in 2015, alleged that Facebook had collected and used the data of Belgian citizens without their consent. Facebook successfully appealed the outcome of that case, persuading a Belgian appellate court that the country’s data regulator lacked jurisdiction because Facebook’s European headquarters is in Ireland.
The Court of Justice ruling effectively reverses that finding, giving other countries a potential avenue to sue not just Facebook for alleged privacy law violations, but also other tech giants based in Ireland, including Apple, Google and Twitter.
Under a mechanism known as “one-stop shop,” the EU’s privacy law allows companies to be regulated by a “lead supervisory authority” for data based in the same country as the companies’ main establishment or regional headquarters. The mechanism is intended to streamline oversight. But the law also allows privacy agencies of other member countries to circumvent the lead authority in “urgent” situations and when all the users affected by a case live only within that country, the Court said.
In a statement, Facebook welcomed what it described as the Court’s decision reaffirming the dominant role of lead data authorities and the ability of other privacy regulators to step in only in exceptional scenarios under the law.
“We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” said Jack Gilbert, an associate general counsel at Facebook, in a statement.