LONDON – Facebook and other U.S. tech giants could face a wave of new cases in Europe over data privacy, after a high court said any regulator in the region should be able to ” initiate new procedures.
The EU implemented its General Data Protection Regulation in 2018, which gives citizens a greater voice in how their data is used. In this context, any privacy complaints against Facebook, for example, would be referred to the Irish Data Protection Commissioner given that the company’s European headquarters are in Dublin.
However, the Advocate General of the European Court of Justice said on Wednesday that privacy complaints did not necessarily have to be lodged with the national regulator – thus opening the door to more investigations into data issues in different EU countries.
“Make no mistake, the impact of this opinion if upheld by the court is far-reaching, as it would give the same right to any of the 27 data protection commissioners across Europe from take action for rule violation, “Cillian Kieran, CEO of Privacy Company Ethyca, told CNBC by email.
“The consequences are significant given that there are certainly countries in Europe with a much more proactive stance on the strict enforcement of the GDPR,” Kieran also said, adding that “this will likely lead to more investigations. for companies in all markets “.
The opinion issued on Wednesday comes after a Belgian court ruled in 2015 that Facebook had violated privacy rules to monitor the browsing history of Internet users, whether or not they are subscribed to the platform.
Facebook argued that only Irish courts could rule on the company’s practices given the location of its headquarters. The Belgian Data Protection Authority then asked the ECJ to clarify the legal situation.
“The GDPR allows the data protection authority of a member state to bring an action in a court of that state for an alleged violation of the GDPR in relation to cross-border data processing, although it is not the ‘main data protection authority with the power to initiate such proceedings,’ said the Advocate General of the ECJ on Wednesday.
The lawyer’s opinion is not binding, but is taken into consideration by the judges of the ECJ, who must rule on the case at a later stage.
“We are pleased that the Advocate General has reaffirmed the value and principles of the Single Window Mechanism, which has been put in place to ensure the effective and consistent application of the GDPR. We await the final verdict of the Court,” Jack Gilbert, associate general counsel on Facebook, told CNBC on Wednesday via email.
The one-stop-shop mechanism refers to cooperation between data protection authorities in the event of cross-border processing.
Concerns about data protection have increased in recent years following various scandals. This includes the Cambridge Analytica-Facebook saga that emerged in 2018, where user data was used in an attempt to influence the outcome of the election.