LONDON — Facebook and other U.S. tech giants could face a flurry of new cases in Europe regarding data privacy, after a top court said that any regulator in the region should be able to bring new proceedings.
The EU implemented its General Data Protection Regulation in 2018, which gives citizens a greater say over how their data is used. In this context, any privacy complaints against Facebook, for instance, would be sent to Ireland’s Data Protection Commissioner given that the company’s European headquarters are in Dublin.
However, the advocate general of the European Court of Justice said Wednesday that privacy complaints do not necessarily have to be taken to the domestic regulator — thus opening the door for more investigations over data concerns in different EU nations.
“Make no mistake the impact of this opinion if upheld by the court is far reaching as it would give equal right to any of the 27 data protection commissioners across Europe to take action for a breach of the rules,” Cillian Kieran, CEO of privacy company Ethyca, told CNBC via email.
“The consequences are significant given that there are certainly countries within Europe with a much more proactive stance on strong enforcement of the GDPR,” Kieran also said, adding that “this will likely result in a larger number of investigations for businesses across markets.”
The opinion issued on Wednesday comes after a Belgian court ruled in 2015 that Facebook breached privacy rules for monitoring internet users’ browsing history whether they were signed up to the platform or not.
Facebook argued that only courts in Ireland could rule on the company’s practices given the location of its headquarters. The Belgian Data Protection Authority then asked the ECJ to clarify the legal situation.
“The GDPR permits the data protection authority of a Member State to bring proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border data processing, despite it not being the lead data protection authority entrusted with a general power to commence such proceedings,” the ECJ’s advocate general said on Wednesday.
The advocate’s opinion is not binding, but is taken into consideration by ECJ judges, who are due to give a ruling on the case at a later stage.
“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop-shop mechanism, which was introduced to ensure the efficient and consistent application of GDPR. We await the Court’s final verdict,” Jack Gilbert, associate general counsel at Facebook, told CNBC via email on Wednesday.
The one-stop-shop mechanism refers to the cooperation between the data protection authorities in the case of cross-border processing.
Concerns over data protection have grown in recent years in the wake of different scandals. These include the Cambridge Analytica-Facebook saga that emerged in 2018, where users’ data was being used to try to influence the outcome of elections.