Watchdogs across EU should be allowed to challenge Facebook, EU court adviser says

By Philip Blenkinsop

BRUSSELS (Reuters) – The adviser to the EU’s top court has issued a recommendation to allow data protection agencies in any EU country to take legal action against Facebook or any other tech firm even if their regional headquarters are in a different EU state.

The recommendation was issued after Facebook sought to rebuff Belgium’s privacy regulator in a data case by saying its European Union headquarters were in Dublin and so Ireland was the lead authority in the EU for the U.S. social media giant.

Advocate-General Michal Bobek, the adviser to the Court of Justice of the European Union, recommended that the data protection agency in any EU country should be able to take legal action in various situations even if they were not the lead authority.

If the recommendation is followed, it could prompt action by national agencies in the 27-member EU against other U.S. tech companies, such as Google, Twitter and Apple, which also have their EU headquarters in Ireland.

Facebook did not provide an immediate comment.

EU judges often follow advocate-general opinions but do not have to. They usually deliver a ruling in two to four months.

Belgium’s regulator sought to stop Facebook gathering data on the browsing behaviour of Belgian users to show them targeted advertising without their valid consent. The regulator said this took place even if the user did not have a Facebook account.

Facebook challenged this on the basis that the Irish privacy watchdog is the lead authority for Facebook.

Bobek said the lead authority had a general competence over cross-border data processing and the power of other authorities to start legal proceedings was curtailed in cross-border cases based on the “one-stop-shop” mechanism enshrined in EU rules.

But he said the lead authority needed to cooperate closely with other data protection authorities, which he said could still bring cases to their courts.

EU privacy rules, known as the General Data Protection Regulation (GDPR), give leeway for other national privacy regulators to rule on violations limited to a specific country. France and Germany have already done this.

(Reporting by Philip Blenkinsop; Editing by Edmund Blair)