LONDON – Any EU country can take legal action against companies like Facebook over cross-border violations of data privacy rules, not just the main regulator in charge of the company, a top court adviser said Wednesday.
The advice from the European Court of Justice’s Advocate General Michal Bobek potentially paves the way for an onslaught of fresh data privacy cases across the EU, experts said.
The opinion, which is often followed by the court, comes ahead of a formal decision by the ECJ's judges expected later this year.
Facebook argues that the Belgian watchdog, which launched the case in 2015, no longer has jurisdiction after the EU's strict General Data Protection Regulation took effect in 2018. The company says that under GDPR, only one national data protection authority has the power to handle legal cases involving cross-border data complaints - a system known as “one-stop shop." In Facebook's case, it's the Data Protection Commission in Ireland, where the company's European headquarters is based.
"The lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations, and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned," the opinion said.
Facebook interpreted it as a victory.
“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop-shop mechanism, which was introduced to ensure the efficient and consistent application of GDPR,” said Associate General Counsel Jack Gilbert. "We await the Court’s final verdict.”