EU court opinion leaves Facebook more exposed over privacy

FILE - This March 29, 2018 file photo shows the Facebook logo on screens at the Nasdaq MarketSite, in New York's Times Square.  Any EU country's privacy watchdog can take legal action against companies like Facebook over cross-border violations of the bloc's strict privacy rules, an adviser to the European Union's top court said Wednesday Jan. 13, 2021.  (AP Photo/Richard Drew, File)
FILE - This March 29, 2018 file photo shows the Facebook logo on screens at the Nasdaq MarketSite, in New York's Times Square. Any EU country's privacy watchdog can take legal action against companies like Facebook over cross-border violations of the bloc's strict privacy rules, an adviser to the European Union's top court said Wednesday Jan. 13, 2021. (AP Photo/Richard Drew, File) (AP)

LONDON – Any EU country can take legal action against companies like Facebook over cross-border violations of data privacy rules, not just the main regulator in charge of the company, a top court adviser said Wednesday.

The preliminary opinion is part of a long-running legal battle between Facebook and Belgium's data protection authority over the company's use of cookies to track the behavior of internet users, even those who weren't members of the social network.

The advice from the European Court of Justice’s Advocate General Michal Bobek potentially paves the way for an onslaught of fresh data privacy cases across the EU, experts said.

The opinion, which is often followed by the court, comes ahead of a formal decision by the ECJ's judges expected later this year.

Facebook argues that the Belgian watchdog, which launched the case in 2015, no longer has jurisdiction after the EU's strict General Data Protection Regulation took effect in 2018. The company says that under GDPR, only one national data protection authority has the power to handle legal cases involving cross-border data complaints - a system known as “one-stop shop." In Facebook's case, it's the Data Protection Commission in Ireland, where the company's European headquarters is based.

"The lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations, and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned," the opinion said.

Facebook interpreted it as a victory.

“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop-shop mechanism, which was introduced to ensure the efficient and consistent application of GDPR,” said Associate General Counsel Jack Gilbert. "We await the Court’s final verdict.”