LONDON – Facebook and other U.S. tech giants may face a flurry of new cases in Europe regarding data privacy, after a court of first instance said any regulator in the region should be able to open new cases.
The EU implemented its General Data Protection Regulation in 2018, which gives citizens a greater say in how their data is used. In this context, any privacy complaint against Facebook, for example, would be sent to the Irish Data Protection Commissioner, since the company’s European headquarters is in Dublin.
However, the European Court of Justice’s attorney general said on Wednesday that privacy complaints do not necessarily need to be brought to the domestic regulator – thus opening the door for further investigations on data issues in different EU countries.
“Make no mistake, the impact of this opinion, if upheld by the court, is far-reaching, as it would give any of the 27 data protection commissioners across Europe the right to take action in the event of a breach of the rules,” Cillian Kieran, CEO of privacy firm Ethyca, told CNBC by email.
“The consequences are significant, given that there are certainly countries in Europe with a much more proactive stance in the strict application of the GDPR,” said Kieran, adding that “this is likely to result in more investigations for companies in all markets” .
The opinion issued on Wednesday comes after a Belgian court ruled in 2015 that Facebook violated the privacy rules to monitor the browsing history of internet users, whether they are registered on the platform or not.
Facebook argued that only courts in Ireland could judge the company’s practices, given the location of its headquarters. The Belgian Data Protection Authority then asked the ECJ to clarify the legal situation.
“The GDPR allows the data protection authority of a Member State to bring proceedings before a court in that State for an alleged breach of the GDPR with respect to cross-border data processing, although it is not the primary data protection authority in charge of a general being able to initiate such procedures, “said the ECJ’s attorney general on Wednesday.
The lawyer’s opinion is not binding, but it is taken into account by the ECJ judges, who are expected to decide the case at a later stage.
“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop mechanism, which was introduced to ensure the efficient and consistent application of the GDPR. We look forward to the Court’s final verdict,” Jack Gilbert, associate general counsel on Facebook , he told CNBC by email on Wednesday.
The one-stop-shop mechanism refers to cooperation between data protection authorities in case of cross-border processing.
Concerns about data protection have increased in recent years, in the wake of several scandals. This includes the Cambridge Analytica-Facebook saga that emerged in 2018, where user data was being used to try to influence the outcome of the elections.