All member states should be allowed to bring privacy complaints against companies, regardless of where they are headquartered, an adviser to the EU’s high court concluded Wednesday.
LUXEMBOURG (CN) — Ireland may be home to Facebook’s European headquarters, but that doesn’t make the Irish Data Protection Commission the only body able to go after the social media giant, a magistrate for the EU’s top court said Tuesday.
The case was referred to the European Court of Justice by the Hof van beroep, the Belgian appeals court, after the Belgian privacy watchdog, the Data Protection Agency, sued Facebook over the company’s use of trackers to follow nonusers online.
Under the EU’s General Data Protection Regulation (GDPR) and its one-stop-shop policy, the lead on complaints against the social media giant must be taken by the Irish Data Protection Commission because Facebook’s European headquarters are in Ireland. The 2016 law governs data protection and privacy in the EU and requires companies to disclose what data they collect, how they use that data and to delete data within a timely fashion.
The 2016 law governs data protection and privacy in the EU and requires companies to disclose what data they collect, how they use that data and to delete data within a timely fashion.
Advocate General Michal Bobek found Wednesday that EU data privacy legislation allows any country to bring complaints against tech companies under the union’s data privacy regulations, regardless of where the company is headquartered.
“In sum, the provisions of the GDPR do not include any general bar for other supervisory authorities, especially SACs, to start proceedings against potential infringements of data protection rules,” Bobek wrote. “On the contrary, various situations in which they are empowered to do so are expressly envisaged in the GDPR, or follow impliedly from it.”
While Bobek’s opinion for the Luxembourg-based court is nonbinding, the court follows the legal reasoning of its magistrates in about 80% of cases.
During a hearing in October, Belgium argued that it had tried to work with Ireland to Facebook to stop tracking internet users via the facebook.com domain or third party sites, but Dublin was unwilling to move forward.
The European Commission, the EU’s executive body, opposes the move, claiming it would lead to a flood of complaints against companies through the 27 member states of the political and economic union.
“There is no shortage of potential thorny issues. Practical experience might, one day, reveal genuine problems with the quality or even the level of legal protection inherent in the new system. However, at present, any such issues remain at the level of conjecture. At this stage, and certainly in these proceedings, no elements have been submitted to the Court which point to any actual issues in that regard,” Bobek found.
Facebook has been forced to defend itself before the court on several occasions in the past few years. The court struck down a data-sharing agreement between the United States and the EU earlier this year, in a case known as Schrems II, in a case involving Facebook data. That ruling follows a 2015 ruling, known as Schrems I, that invalidated the previous agreement. In 2019, the court also held that countries could force Facebook to remove content from its platform worldwide, rather than merely within national borders. The company did respond to a request for comment.
The court is expected to issue its ruling in the case later this year.