Data protection authorities in all EU countries can start proceedings for private data breaches against Facebook even if the company is based in Ireland, advocate general Michal Bobek advised the European Court of Justice on Wednesday.
In the case of Facebook, the data protection authority of Ireland is responsible in the first place for pursuing procedures over breaches of EU data protection law, Bobek's opinion suggested.
But the legal reasoning also pointed out that “the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must (…) closely cooperate with the other data protection authorities concerned.”
This means that any EU country’s relevant authority can challenge Facebook or other companies for not respecting the EU’s General Data Protection Regulation (GDPR) if their citizens or entities are concerned.
In 2015, Belgium started a procedure against Facebook for applying authorized cookies to Belgian users’ profiles.
Being headquartered in Ireland, Facebook argued that it was only the country’s data protection authority which could take such complaints.
The advocate general rejected this reasoning.
The advocate general’s assessment is not legally binding on the EU Court, but the judges follow the advice in the overwhelming majority of cases.
If the final ruling upholds Bobek’s opinion, relevant authorities may start cases against social media platforms all over the bloc.