Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

EU Court Opinion Leaves Facebook More Exposed Over Privacy

Any EU country can take legal action against companies like Facebook over cross-border violations of data privacy rules, not just the main regulator in charge of the company, a top court adviser said Wednesday.

Any EU country can take legal action against companies like Facebook over cross-border violations of data privacy rules, not just the main regulator in charge of the company, a top court adviser said Wednesday.

The preliminary opinion is part of a long-running legal battle between Facebook and Belgium’s data protection authority over the company’s use of cookies to track the behavior of internet users, even those who weren’t members of the social network.

The advice from the European Court of Justice’s Advocate General Michal Bobek potentially paves the way for an onslaught of fresh data privacy cases across the EU, experts said.

The opinion, which is often followed by the court, comes ahead of a formal decision by the ECJ’s judges expected later this year.

Facebook argues that the Belgian watchdog, which launched the case in 2015, no longer has jurisdiction after the EU’s strict General Data Protection Regulation took effect in 2018. The company says that under GDPR, only one national data protection authority has the power to handle legal cases involving cross-border data complaints – a system known as “one-stop shop.” In Facebook’s case, it’s the Data Protection Commission in Ireland, where the company’s European headquarters is based.

“The lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations, and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned,” the opinion said.

Facebook interpreted it as a victory.

“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop-shop mechanism, which was introduced to ensure the efficient and consistent application of GDPR,” said Associate General Counsel Jack Gilbert. “We await the Court’s final verdict.”

Privacy advocates and experts, however, said the advice could change how data privacy cases are handled, by taking the pressure off a single watchdog.

Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, said Bobek is signalling that Ireland’s privacy watchdog “can no longer use its status as lead authority for Google, Facebook, etc. to hold up enforcement of the GDPR across the EU.”

The Irish watchdog has faced criticism for not dealing quickly enough with a rising pile of cross-border data privacy cases involving big tech companies since GDPR took effect. It issued its first such penalty to Twitter last month, fining it for a security breach, but still has about two dozen more to go.

Businesses could also face a bigger compliance burden responding to more privacy cases in multiple EU markets, because it would be easier for people to file complaints to their local privacy watchdog, said Cillian Kieran, CEO of privacy compliance startup Ethyca.

Related: Facebook Criticizes Apple Privacy Policy in Newspaper Ads

Related: Canada Fines Facebook Over Misleading Privacy Claims

Related: Facebook Says EU Antitrust Probe Invades Employee Privacy

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.