Facebook’s run-ins with EU privacy regulators may escalate as Europe’s top court next week weighs arguments from the Belgian data protection watchdog that it should have the power to go after the U.S. social media giant for breaches in Belgium.
If the Luxembourg-based Court of Justice of the European Union (CJEU) backs the Belgian authority (DPA), it could embolden national agencies in the 27-country bloc to take action against companies such as Alphabet’s Google, Twitter and Apple.
Under landmark EU privacy rules known as the General Data Protection Regulation (GDPR) and its one-stop-shop mechanism, the Irish privacy authority is the lead authority for Facebook as the company’s European head office is based in Ireland.
Google, Twitter and Apple also have their European headquarters in Ireland.
GDPR, however, allows some leeway for other national privacy regulators to rule on violations limited to a specific country, which France and Germany have done.
The case before the CJEU on Oct. 5 came after a Belgian court sought guidance on Facebook’s challenge against the territorial competence of the Belgian regulator’s bid to stop the company from tracking users in Belgium through cookies stored in Facebook’s social plug-ins, regardless of whether they have an account or not.
Facebook said there are merits to EU’s rules in designating a lead supervisory authority for cross-border privacy issues.
“All businesses that operate across the EU who are subject to GDPR can benefit from this one-stop-shop mechanism; it allows companies of all sizes to understand their legal responsibilities and respond quickly to regulators,” Jack Gilbert, Facebook associate general counsel, said in an email.
The Belgian data authority said the issue was simple.
“The question is whether or not the one-stop-shop mechanism under the GDPR is exhaustive or leaves some room for local DPAs such as the Belgian DPA to enforce, in particular by bringing court proceedings before a national judge,” spokeswoman Aurélie Waeterinckx said.
The CJEU will also have to decide whether GDPR rules apply in this case which dated back to 2015 before the EU framework was adopted in 2016 and came into force in 2018.
The Irish watchdog has opened cases into Facebook, Facebook-owned Instagram and WhatsApp as well as Twitter, Apple, Verizon Media, Microsoft-owned LinkedIn and U.S. digital advertiser Quantcast.
The case is C-645/19 Facebook Ireland & Others.