LUXEMBOURG (CN) — The European Union faced some tough questions as it defended Facebook at the EU high court Monday, in a case over which country’s data-protection agency can go after the social media giant.
The Court of Justice of the European Union heard arguments Monday on whether Belgium can go after social media giant Facebook for data privacy violations. The Belgian Data Protection Authority wants Facebook to stop tracking Belgians via cookies, but both the EU and Facebook argued the agency doesn’t have the right to do so.
“Companies should only have to defend themselves against the lead investigator,” Facebook lawyer Dirk van Liedekerke told the 17-judge-panel separated by Plexiglas dividers as a protection measure against Covid-19 transmission.
Under the EU’s General Data Protection Regulation (GDPR) and its one-stop-shop policy, the lead on complaints against Facebook must be taken by the Irish Data Protection Commission because Facebook’s European headquarters are in Ireland. The 2016 law governs data protection and privacy in the EU and requires companies to disclose what data they collect, how they use that data and to delete data within a timely fashion.
The Brussels Court of Appeal referred the case to the EU high court in 2019 after the Belgian privacy watchdog brought a legal complaint against Facebook to stop the Silicon Valley-based tech giant from tracking people who visited a facebook.com domain or a third-party website. Facebook had been collecting data even on people who did not have a Facebook account.
Representing the Belgian government, Ruben Roex told the court the Belgian authorities had tried to work together with their Irish counterparts but were unsuccessful.
“The GDPR does not say anywhere that the lead authority has exclusive competence and that the non-lead authority may not go to court,” he argued.
But European Commission representative Herke Kranenborg noted the point of the GDPR “was to create a lead supervisory authority,” and that allowing any of the political and economic union’s 27-member states to bring complaints in their national courts would unduly burden tech companies doing business in the EU. Roex disagreed.
“This will not lead to a rush on the courts. These cases are very expensive,” Roex argued.
Kranenborg also defended the one-stop-shop policy, pointing out that privacy advocate Max Schrems had successfully brought several cases against Facebook before the court, via the Irish Data Protection Commission.
Facebook has been forced to defend itself before the court on several occasions in the past few years. The court struck down a data-sharing agreement between the United States and the EU earlier this year, in a case known as Schrems II, in a case involving Facebook data. That ruling follows a 2015 ruling, known as Schrems I, that invalidated the previous agreement. In 2019, the court also held that countries could force Facebook to remove content from its platform worldwide, rather than merely within national borders.
Schrems’ repeated legal tangling with Facebook led Advocate General Michal Bobek of the Czech Republic to retort from the bench, “And Max Schrems is an example of an average consumer?”
As an adviser to the court, Bobek will write an opinion on the case to be issued Dec. 17. The court follows the legal reasoning of its magistrates around 80% of the time.
The court is expected to issue its ruling early next year.