Authorities can initiate proceedings against Facebook in any EU country

According to Advocate General Michal Bobek, data protection authorities will in future be able to punish violations of Facebook in every EU member state. The expert believes that the fact that the group has its European headquarters in Dublin is irrelevant.

Facebook has its European headquarters in Ireland.  If the advocate general's opinion prevails, the tech group is threatened with more proceedings in other countries.

GAccording to an important EU expert, cross-border proceedings for violations of the General Data Protection Regulation may not only be initiated by those data protection authorities in which the company concerned has its EU headquarters. According to the Advocate General of the European Court of Justice, Michal Bobek, on Wednesday in Luxembourg (case C-645/19), the GDPR, which has been in effect since May 2018, provides that in certain situations the authorities that are not in charge can also act.

The background to this is a dispute over the processing of personal data by Facebook in Belgium. Facebook Belgium claims, citing the GDPR, that the national data protection authority is not responsible. Rather, the EU rules stipulate that the data protection authority of the country in which the main office of Facebook in the EU is responsible – i.e. the Irish one. A Belgian court therefore wanted to know from the ECJ whether the GDPR actually prevented other data protection authorities from bringing legal proceedings against violations of the GDPR in cross-border data processing in their country.

Intervention in urgent matters

Advocate General Bobek now underlined the “general competence” of the lead data protection authority in such cases. The other data protection authorities would consequently have less powers. Under certain circumstances, however, the non-lead authorities could also initiate proceedings for cross-border data processing. As a reason for this, Bobak cited particular urgency or the fact that the lead authority had decided not to deal with the case.

The GDPR regulates the processing of personal data in the EU, for example by companies, organizations or associations. This should give users back sovereignty over their data.

The opinion is not binding for the ECJ judges, but they often follow the position of the advocate general. A judgment should be made in the coming months. The Belgian court then has to rule on the specific case.