
All EU states can take data protection cases against Facebook, says EU court

An opinion from the European Court of Justice has the potential to lead to a flood of privacy complaints against Facebook if upheld

Data protection regulators in any European country can bring privacy complaints against Facebook, even though it is regulated in Ireland, according to an opinion by the European Court of Justice.

Advocate general Michal Bobek found that, under the European Union’s (EU’s) General Data Protection Regulation (GDPR), any of the EU’s 27 states can bring privacy actions against the social media company.

The opinion, which is non-binding, could lead to an increase in the number of enforcement actions taken against Facebook and other companies that process personal data if it is adopted by the Court of Justice of the European Union (CJEU).

The court said in a statement: “The data protection authority in the state where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing.

“The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective member state in situations where the GDPR specifically allows them to do so.”

Bobek issued the opinion following an attempt by the Belgian data protection regulator to bring enforcement proceedings against Facebook in Belgium.

The Belgian regulator sought an order to prevent Facebook using cookies, plug-ins and pixels to track Belgian citizens across the internet and to restrict the “excessive” collection of their personal data.

Facebook Belgium argued that since GDPR came into force, the Belgian data protection regulator no longer had the jurisdiction to take enforcement action against it.

The social media company claimed that, given that its main centre of operations in Europe is in Dublin, only the Irish Data Protection Commissioner (DPC) had the right to bring proceedings against Facebook over its cross-border data processing.

The advocate general found, in response to questions from Belgium’s court of appeal, that although the lead data protection authority has a “general competence” over cross-border data processing, this does not prevent regulators in other countries from taking enforcement action.

“The lead data protection authority cannot be deemed as the sole enforcer of GDPR in cross-border situations,” the court said in a statement.

The decision, if upheld by the European Court of Justice, could lead to new claims against Facebook and other technology companies.

The Irish Data Protection Commissioner has been responsible for pursuing data protection complaints against large technology companies, including US big tech companies, with European HQ in Ireland.

The DPC has initiated 83 inquiries, including 27 cross-border inquiries since 2018. Out of these, 11 of the cross-border inquiries were into Facebook.

Concerns have been raised about whether the Irish DPC has sufficient resources to enforce data protection effectively.
