Data protection regulators in any European country can file privacy complaints against Facebook, even though it is regulated in Ireland, according to an opinion of the Court of Justice of the European Union.
Counsel General Michal Bobek found that under Europe’s General Data Protection Regulation (GDPR), any of the 27 EU states can take privacy action against the social media company.
The ruling, which is not binding, could lead to an increase in the number of enforcement actions against Facebook and other companies that process personal data, if adopted by the Court of Justice of the European Union (CJEU).
The court said in a statement that “the data protection authority in the state where a data controller or processor has its main establishment in the EU has a general competence to initiate legal proceedings for breaches of GDPR in relation to data processing. cross-border ”.
“The other national data protection authorities concerned have, however, the right to initiate such proceedings in their respective member states in situations where the GDPR specifically allows them to do so,” the court said.
Bobek issued the opinion following an attempt by the Belgian data protection regulator to initiate enforcement proceedings against Facebook in Belgium.
The Belgian regulator sought an order to prevent Facebook from using cookies, plugins and pixels to track Belgian citizens across the Internet and restrict the “excessive” collection of their personal data.
Facebook Belgium argued that since the GDPR came into force, the Belgian data protection regulator no longer had jurisdiction to take legal action against it.
The social media company claimed that since its main hub in Europe is in Dublin, only the Irish Data Protection Commissioner (DPC) had the right to take action against Facebook for its cross-border data processing.
The Advocate General found, in response to questions from the Belgian court of appeal, that although the lead data protection authority has “general jurisdiction” over cross-border data processing, this does not prevent regulators in other countries from taking action coercive.
“The lead data protection authority cannot be seen as the only one tasked with enforcing the GDPR in cross-border situations,” the court said in a statement.
The decision, if upheld by the Court of Justice of the European Union, could lead to new claims against Facebook and other tech companies.
The Irish Data Protection Commissioner has been responsible for processing data protection complaints against large technology companies, including large US technology companies, with European headquarters in Ireland.
The DPC has initiated 83 inquiries, including 27 cross-border inquiries since 2018. Of these, 11 of the cross-border inquiries were conducted on Facebook.
Concerns have been raised as to whether the Irish DPC has sufficient resources to effectively enforce data protection.
Read more about Facebook and privacy
Long read: Facebook promised privacy to its users and then quietly abandoned its promises in search of profit. Now he faces antitrust regulation
Facebook pays a record fine after violating user privacy, following settlements with the Federal Trade Commission and the Securities and Exchange Commission
The Irish privacy watchdog orders Facebook to suspend data transfers from European citizens to the US.