All EU states can take data protection cases against Facebook: European Court of Justice

All EU states can take data protection cases against Facebook: European Court of Justice

Even though it regulated in Ireland, data protection regulators in any European country can bring privacy complaints against Facebook, opined the European Court of Justice.

Advocate General Michal Bobek found that, under the Europe Union (EU's)'s General Data Protection Regulation (GDPR), any of the EU's 27 states can bring privacy actions against the social media company.

The opinion, if adopted by the Court of Justice of the European Union (CJEU) could lead to a rise in the number of enforcement actions taken against Facebook and other companies that process personal data.

The court said in a statement: "The data protection authority in the state where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing. The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective member state in situations where the GDPR specifically allows them to do so."

The opinion was issued after the Belgian data protection regulator tried to bring enforcement proceedings against Facebook in Belgium.

The Belgian regulator sought an order to prevent Facebook from using cookies, plug-ins and pixels to track its citizens across the internet and to restrict the "excessive" collection of their personal data.

According to Facebook Belgium, since GDPR came into force, the Belgian data protection regulator no longer had the jurisdiction to take enforcement action against it. The social media company further argued that since its main centre of operations in Europe is in Dublin, only the Irish Data Protection Commissioner (DPC) had the right to bring proceedings against Facebook over its cross-border data processing.

However, the Advocate General in response to questions from Belgium's Court Of Appeal stated that although the lead data protection authority has a "general competence" over cross-border data processing, this does not prevent regulators in other countries from taking enforcement action.

"The lead data protection authority cannot be deemed as the sole enforcer of GDPR in cross-border situations," the court said in a statement.

The decision, if upheld by the European Court of Justice, could lead to new claims against Facebook and other technology companies.

The Irish Data Protection Commissioner is the authority responsible for pursing data protection complaints against large technology companies, including US big tech companies, with European Headquarters in Ireland.