A Dutch consumer advocacy group is suing the country’s privacy regulator over a two-year wait for action on a complaint against Google, arguing there are flaws in the European system for handling data privacy and security cases involving multinationals that operate in many countries.
The lawsuit highlights growing dissatisfaction among consumers, privacy advocates and some regulators about the way complaints against large companies are handled by the data protection authority in the country where the company has its European headquarters, no matter where the complaints originated. This so-called one-stop shop rule in the European Union’s 2018 General Data Protection Regulation has led to a backlog of cases in a small number of countries such as Ireland.
“It’s all taking too long,” said Gerard Spierenburg, a spokesman for the Consumentenbond. The group filed its lawsuit in November.
Privacy regulators say the system benefits companies, freeing them from facing investigations by different authorities in the 27-member union, potentially for the same violation.
While the GDPR’s one-stop shop was designed to streamline interactions between companies and regulators, it has caused bottlenecks and frustration. The Irish regulator’s decision to fine Twitter Inc. €450,000 ($546,000) in December was delayed several months because of disputes with regulators in other EU countries, which wanted a larger penalty. The Hamburg authority, for instance, recommended a fine between €7 million and €22 million. The violation was related to a security hole that Twitter disclosed in January 2019.
With its lawsuit, the Consumentenbond wants the Netherlands court system to require the local data protection authority to investigate a privacy complaint filed in 2018 against Google. The complaint alleges that Alphabet Inc.’s Google violated the GDPR by collecting Android phone users’ location data through settings that steer consumers toward sharing more information.
A Google spokesman said the company changed how it collects location data in the last year, such as by introducing a setting that automatically deletes location history at time limits set by the user. He said Google is cooperating with the Irish regulator, which opened an investigation in February.
The Irish regulator said at the time that it had received multiple complaints from across Europe about Google related to the same issue. The regulator didn’t respond to a request for comment.
The Dutch consumer group says it wants the regulator there to step in and speed up the process. The Dutch authority updates the consumer group every few months on the case, but doesn’t provide much detail, Mr. Spierenburg said. “Nobody will tell us anything,” he said. No court date has been set, he said.
A spokesman for the Dutch data protection authority said the office isn’t authorized to investigate in the Google case. “It does indeed take a long time before the Consumers’ Association gets a definite answer in this Google case,” the spokesman said, referring to the Consumentenbond. “That’s frustrating, we think so, too.”
The spokesman said that Ireland has many large tech companies and the Irish and Dutch regulators both have a limited number of employees to handle complaints.
Other privacy advocates have attempted to bypass the potentially lengthy GDPR process by filing lawsuits in courts, instead of issuing complaints to privacy authorities, and by lodging complaints under an older EU privacy law that doesn’t require authorities to forward certain cases to their counterparts in another country.
Long investigations in European privacy cases, especially ones involving large multinationals, are inevitable under the GDPR, said Jeroen Terstegge, a partner at the Netherlands-based consulting firm Privacy Management Partners Coöperatie UA.
An alternative could be creating a pan-European regulator to take cases involving multiple countries, as Germany’s federal data protection commission proposed last year, but such a system has gained little traction with EU officials, he said.
It can be complex and expensive for an organization or individual to interact with investigators in a different country who oversee their complaints, said Ernani Cerasaro, a legal officer at the European Consumer Organization, a nonprofit group based in Brussels. They may need to understand legal procedures that differ between EU countries and would need to hire a foreign lawyer to help and communicate with the regulator in a local language, he added.
“It’s frustrating,” Mr. Cerasaro said, adding that regulators should push their counterparts who take on a complaint to speed up the process.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
Appeared in the January 8, 2021, print edition as ‘Dutch Lawsuit Seeks Quicker Resolution in Google Case.’