LONDON – Facebook and other US technology giants could face a range of new data privacy cases in Europe after a high court said any regulator in the region should be able to file new lawsuits.
The EU implemented its General Data Protection Regulation in 2018, giving citizens more control over how their data is used. In this context, privacy complaints against Facebook, for example, would be sent to the Irish Data Protection Commissioner, as the company’s European headquarters are located in Dublin.
However, the Advocate General of the European Court of Justice said on Wednesday that privacy complaints do not necessarily have to be filed with the domestic regulator, opening the door for more investigations into data issues in various EU countries.
“Make no mistake about the impact of this opinion, if upheld by the court, as it would give equal rights to each of the 27 data protection commissioners in Europe to take action for a breach of the rules,” said Cillian Kieran, CEO of privacy company Ethyca, told CNBC via email.
“The implications are significant, as there are certainly countries in Europe with a much more proactive attitude towards strong GDPR enforcement,” Kieran also said, adding that “this will likely result in a greater number of studies for companies across different markets. “
The advice released Wednesday comes after a Belgian court ruled in 2015 that Facebook has violated privacy rules to track the browsing history of internet users, regardless of whether they have logged into the platform or not.
Facebook argued that only courts in Ireland could rule on the company’s practices, given the location of its headquarters. The Belgian Data Protection Authority subsequently asked the CJEU for clarification of the legal situation.
“ The GDPR allows the data protection authority of a Member State to bring proceedings in a court of that state for an alleged breach of the GDPR in relation to cross-border data processing, even though it is not the lead data protection authority in charge of a general the power to initiate such a procedure, “the Advocate General of the Court of Justice said on Wednesday.
The lawyer’s opinion is not binding, but is taken into consideration by the judges of the Court of Justice, who will decide the case at a later stage.
“We are pleased that the Solicitor General has confirmed the value and principles of the one-stop-shop mechanism, which was put in place to ensure the efficient and consistent application of the GDPR. We await the final judgment of the court,” Jack Gilbert, associate general counsel on Facebook, told CNBC via email Wednesday.
The one-stop-shop mechanism refers to the cooperation between the data protection authorities in case of cross-border processing.
Concerns about data protection have increased in recent years as a result of several scandals. This includes the Cambridge Analytica Facebook saga that emerged in 2018, using users’ data to influence election results.