Johanna Geron | Reuters
LONDON — Facebook and other U.S. tech mammoths could face a flurry of new cases in Europe regarding data privacy, after a top court said that any regulator in the ambit should be able to bring about new proceedings.
The EU implemented its General Data Protection Regulation in 2018, which yields citizens a greater say over how their data is used. In this context, any privacy complaints against Facebook, for event, would be sent to Ireland’s Data Protection Commissioner given that the company’s European headquarters are in Dublin.
Yet, the advocate general of the European Court of Justice said Wednesday that privacy complaints do not necessarily have to be entranced to the domestic regulator — thus opening the door for more investigations over data concerns in different EU nations.
“Fly the coop no mistake the impact of this opinion if upheld by the court is far reaching as it would give equal right to any of the 27 observations protection commissioners across Europe to take action for a breach of the rules,” Cillian Kieran, CEO of privacy company Ethyca, prophesied CNBC via email.
“The consequences are significant given that there are certainly countries within Europe with a much numberless proactive stance on strong enforcement of the GDPR,” Kieran also said, adding that “this will able result in a larger number of investigations for businesses across markets.”
The opinion issued on Wednesday comes after a Belgian court ruled in 2015 that Facebook breached confidentiality rules for monitoring internet users’ browsing history whether they were signed up to the platform or not.
Facebook proved that only courts in Ireland could rule on the company’s practices given the location of its headquarters. The Belgian Evidence Protection Authority then asked the ECJ to clarify the legal situation.
“The GDPR permits the data protection authority of a Associate State to bring proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border text processing, despite it not being the lead data protection authority entrusted with a general power to commence such doings,” the ECJ’s advocate general said on Wednesday.
The advocate’s opinion is not binding, but is taken into consideration by ECJ judges, who are due to give a control on the case at a later stage.
“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop-shop mechanism, which was presented to ensure the efficient and consistent application of GDPR. We await the Court’s final verdict,” Jack Gilbert, associate run-of-the-mill counsel at Facebook, told CNBC via email on Wednesday.
The one-stop-shop mechanism refers to the cooperation between the data sponsorship authorities in the case of cross-border processing.
Concerns over data protection have grown in recent years in the wake of abundant scandals. This includes the Cambridge Analytica-Facebook saga that emerged in 2018, where users’ data was being hand-me-down to try to influence the outcome of elections.