LONDON – Facebook and other US technology giants could face a series of new cases in Europe over data privacy, after a higher court said any regulator in the region should be able to initiate new proceedings.
The EU implemented its General Data Protection Regulation in 2018, which gives citizens a greater opinion on how their data is used. In this context, any privacy complaint against Facebook, for example, would be sent to the Irish Data Protection Commissioner, as the company’s European headquarters are in Dublin.
However, the Advocate General of the European Court of Justice said on Wednesday that privacy complaints do not necessarily have to go to the national regulator, thus opening the door to further investigations into data problems in different EU countries.
“Make no mistake about the impact of this opinion if the court’s confirmation is far-reaching, as it would give the same right to any of the 27 data protection commissioners across Europe to take action to breach the rules,” he said. say Cillian Kieran, CEO of privacy company Ethyca, told CNBC by email.
“The consequences are important given that there are certainly countries in Europe with a much more proactive stance on the strong implementation of the RGPD,” Kieran also said, adding that “this is likely to lead to more research. for companies in all markets “.
The opinion issued on Wednesday comes after a Belgian court ruled in 2015 that Facebook breached privacy rules to monitor the browsing history of Internet users whether or not they were registered on the platform.
Facebook argued that only Irish courts could rule on the company’s practices given the location of its headquarters. The Belgian Data Protection Authority then asked the ECJ to clarify the legal situation.
“The GDPR allows the data protection authority of a Member State to initiate proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border data processing, even though it is not the authority main data protection officer confident of being able to initiate these proceedings, “the ECJ’s attorney general said on Wednesday.
The opinion of the defender is not binding, but is taken into account by the judges of the CJEU, who must issue a decision on the case at a later stage.
“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop shop mechanism, which was introduced to ensure the efficient and consistent implementation of the RGPD. We look forward to the Court’s final verdict,” said Jack Gilbert, a lawyer. general associated with Facebook, told CNBC by email Wednesday.
The one-stop shop mechanism refers to cooperation between data protection authorities in case of cross-border processing.
Concern for data protection has grown in recent years as a result of various scandals. This includes the Cambridge Analytica-Facebook saga that emerged in 2018, where user data was used to try to influence the outcome of the election.