Data protection authorities in any European Union member state can pursue privacy complaints against Facebook even though it is based in Ireland, the European Court of Justice has said.
If upheld, the advocate general’s opinion, issued on Wednesday, would mean any of the 27 member states’ data authorities could take action against the social media giant headquartered in Dublin, potentially unleashing a flood of complaints against big tech companies.
Ireland’s data protection authority has, until now, been considered responsible for pursuing complaints against multinationals headquartered in the State, a situation that has led to criticism across the EU that the office is under-resourced for the task.
"The data protection authority in the state where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing," the court said in a statement.
“The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective member state in situations where the GDPR specifically allows them to do so.”
The proceedings arose after Belgium’s data protection authority took a case against Facebook, asking the company to stop placing certain cookies on Belgian users’ devices without consent, to cease excessive data collection, and to delete certain data it had collected.
In the case currently before the Belgian court of appeal, Facebook had argued that only Ireland's Data Protection Commission was empowered to pursue the company for such infringements as its European headquarters is there.
But this has been contradicted by the opinion given by the court's advocate general, Michal Bobek.
“The advocate general stresses that the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely co-operate with the other data protection authorities concerned,” the court said in a statement.
“GDPR permits the data protection authority of a member state to bring proceedings before a court of that state for an alleged infringement of the GDPR with respect to cross-border data processing, despite it not being the lead data protection authority entrusted with a general power to commence such proceedings,” it added.
The opinion is not binding; the court’s judges are now starting their deliberations and will give judgment on the issue at a later date.
In response, Facebook said it awaited the final verdict.
“We are pleased that the advocate general has reaffirmed the value and principles of the one-stop-shop mechanism, which was introduced to ensure the efficient and consistent application of GDPR. We await the court’s final verdict,” said Jack Gilbert, associate general counsel at Facebook.