by Rocco Panetta
Big tech is under the scrutiny of European authorities. After taking action with incredible timing on the WhatsApp affair, the Italian Data Protection Authority (the “Garante”) recently ordered the blocking of the social network TikTok, and subsequently opened a file on two other platforms. Further up north in Europe, while the Norwegian Data Protection Authority (Datatilsynet) announced that it might impose a fine of 100 million Norwegian kroner (about 10 million euro) on a dating app, the Irish Data Protection Commission, according to some rumours, seems ready to impose a significant fine of up to 50 million euro.
This is very important news and is probably only the tip of an iceberg that will slowly emerge in the coming months. That is why I think it is important to shed some light on some of the aspects of privacy law involved in these events and on the “weapons” in the hands of the European authorities, which are not limited to sanctions but include instruments that could have even more deterrent power.
GDPR and foreign companies
Very commonly, large internet platforms are based in the United States or China. This circumstance alone does not exempt them from the obligation to comply with European privacy legislation, nor from the consequent sanctions in the event of non-compliance. The General Data Protection Regulation (GDPR), in fact, innovating with respect to the previous legislative framework, provides that a data controller (or a data processor) that is not established in the European Union must comply with the rules of the Regulation if it processes personal data of data subjects located in the EU, when the processing activities concern the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour to the extent that such behaviour takes place within the EU (the reference is to Article 3.2 of the GDPR, enriched by recitals 23 and 24).
The amount of the sanctions
The Norwegian Supervisory Authority has decided to propose a fine of approximately EUR 9 million. This is based on the provisions of the GDPR, which – after requiring supervisory authorities to ensure that the administrative fines imposed are effective, proportionate and dissuasive in each individual case (Article 83.1) – provides that the amount of such fines, taking into account the criteria given by the Regulation itself (Article 83.2), can be up to 10 million euros, or for companies, up to 2% of the total annual worldwide turnover in the preceding business year, whichever is the greater, for a number of infringements (Article 83.4), with the values rising to 20 million and 4% for others (Article 83.5).
The emergency procedure
Taking the TikTok case as a reference, with its decision of 22 January, the Garante ordered “[…] the measure of the provisional limitation of the processing, prohibiting the further processing of the data of the users who are on the Italian territory for whom there is no absolute certainty of the age and, consequently, of the respect of the provisions connected to the age verification requirement”, fixing the deadline of the measure at 15 February. This is an intervention adopted in compliance with the rules set out by the GDPR, where national authorities are allowed to derogate from the ordinary mechanisms and procedures in cases of particular urgency (Art. 66: “In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months”).
I would like to conclude with a broader consideration inspired by the succession of events in recent months. The impression is that the actions of the authorities – first and foremost the Italian one, but also the Irish one, whose activism is long overdue – are aligning themselves on common guidelines. This is an important sign, which suggests that we can expect further moves in the short term – perhaps even by other authorities – in the chess game on the overwhelming power of big tech. As of today, it is difficult to predict the outcome of the various initiatives on the tables of the authorities. However, another interesting fact emerges: the European authorities are starting to make full use of the legal arsenal offered to them by the GDPR.
The issue of effective enforcement at the international level in the case of sanctions imposed on multinationals not established in the territory of the European Union remains open. In this regard, I would like to recall that enforcement does not only take place through the imposition of administrative fines, but also through executive orders to block processing operations and therefore the related databases and, in the case of online activities and websites, also through the blocking of such sites. I believe that the risk of blocking processing operations is a much greater deterrent than the imposition of fines.
This article was originally published in Italian on Agenda Digitale.