Facebook and Belgium’s privacy watchdog sparred on Monday (5 October) at Europe’s top court over which data protection authority has the power to police the U.S. social media giant in a case that could escalate its privacy fights across the EU.
The case also has the potential to unleash a flood of investigations by national agencies in the 27-country bloc into other U.S. tech companies such as Alphabet’s Google, Twitter and Apple.
The case before the Court of Justice of the European Union (CJEU) came after a Belgian court sought guidance on Facebook’s challenge against the territorial competence of the Belgian regulator’s bid to stop the company from tracking users in Belgium through cookies stored in Facebook’s social plug-ins, regardless of whether they have an account or not.
Under landmark EU privacy rules known as the General Data Protection Regulation (GDPR) and its one-stop-shop mechanism, the Irish privacy authority is the lead authority for Facebook as the company’s European head office is based in Ireland.
Google, Twitter and Apple also have their European headquarters in Ireland. GDPR, however, allows some leeway for other national privacy regulators to rule on violations limited to a specific country, which France and Germany have done.
Facebook’s lawyer Dirk Van Liedekerke argued for the merits of the one-stop-shop mechanism.
“This would prevent any judicial fragmentation. GDPR is intended to put an end to where data controllers would have to deal with any number of supervisory authorities,” he told the court.
“We cannot allow rules of competences to be sidestepped by national authorities in national courts. The risk would be huge, risk of cases before the courts.”
The European Commission, which backs Facebook, said it was important to have a tool that ensures consistency in applying GDPR rules across the bloc.
The Belgian data protection authority (DPA), which has the support of the Polish and Belgian governments, said GDPR rules allow for some leeway for national agencies to act in their own country.
“GDPR does not say anywhere that the lead authority has exclusive competence and that the non-lead authority may not go to court,” DPA lawyer Rubin Roex said.
Court President Koen Lenaerts said there could be a problem if national watchdogs were not allowed to fight for their citizens, which in turn would force people to file private lawsuits.
The CJEU will also have to decide whether GDPR rules apply in this case, which dated back to 2015 before the EU framework was adopted in 2016 and came into force in 2018.
CJEU court adviser Michal Bobek will issue his non-binding opinion on Dec. 17, followed by the court judgment in about six months.
The Irish watchdog has opened cases into Facebook, Facebook-owned Instagram and WhatsApp as well as Twitter, Apple, Verizon Media, Microsoft-owned LinkedIn and U.S. digital advertiser Quantcast.
The case is C-645/19 Facebook Ireland & Others.