Data protection regulators in any European country can bring privacy complaints against Facebook, even though it regulated in Ireland, according to an opinion by the European Court of Justice.
Advocate general, Michal Bobek, found that under Europe’s General Data Protection Regulation (GDPR), any of the EU’s 27 states can bring privacy actions against the social media company.
The opinion, which is non-binding, could lead to an increase in the number of enforcement actions taken against Facebook and other companies that process personal data, if it is adopted by the Court of Justice of the European Union (CJEU).
The court said in a statement that, “the data protection authority in the state where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing”.
“The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective member state in situations where the GDPR specifically allows them to do so,” the court said.
Bobek issued the opinion following an attempt by the Belgian data protection regulator to bring enforcement proceedings against Facebook in Belgium.
The Belgian regulator sought an order to prevent Facebook using cookies, plug-ins and pixels to track Belgian citizens across the internet and to restrict the “excessive” collection of their personal data.
Facebook Belgium argued that since GDPR came into force the Belgian data protection regulator no longer had the jurisdiction to take enforcement action against it.
The social media company claimed that, given that its main centre of operations in Europe is in Dublin, only the Irish Data Protection Commissioner (DPC) had the right to bring proceedings against Facebook over its cross-border data processing.
The advocate general found, in response to questions from Belgium’s court of appeal, that although the lead data protection authority has a “general competence” over cross border data processing, this does not prevent regulators in other countries from taking enforcement action.
“The lead data protection authority cannot be deemed as the sole enforcer of GDPR in cross-border situations,” the court said in a statement.
The decision, if upheld by the European Court of Justice, could lead to new claims against Facebook and other technology companies.
The Irish Data Protection Commissioner has been responsible for pursing data protection complaints against large technology companies, including US big-tech companies, with European HQ in Ireland.
The DPC has initiated 83 inquiries, including 27 cross-border inquiries since 2018. Of these, 11 of the cross-border inquiries were into Facebook.
Concerns have been raised about whether the Irish DPC has sufficient resources to enforce data protection effectively.
Read more about Facebook and Privacy
Facebook pays record fine after breaching users’ privacy, following settlements with Federal Trade Commission and Securities and Exchange Commission
Irish privacy watchdog orders Facebook to suspend transfers of European citizens’ data to the US after Schrems II ruling that Europeans have no effective way to challenge American government surveillance