The European Court of Justice (ECJ) has ruled that privacy complaints against US tech giants do not only have to be taken to the Irish Data Protection Commissioner but instead can be handled by any of the national data protection authorities across the EU.
Until now privacy complaints against Facebook by any European citizens have had to be referred to Helen Dixon, the Irish DPC, because Facebook's European headquarters are in Ireland.
However, the ECJ has ruled that, in certain circumstances, any national regulator or national court can handle a data privacy complaint.
The judgment could lead to a flood of complaints against tech giants in other member states as the complaints would not need to be channeled through the Irish regulator.
But it could also lead to other EU privacy regulators challenging any ruling the Irish regulator makes on a large tech multinational headquartered in Ireland.
The original case was referred to the ECJ by a Belgian court after Facebook challenged the idea that the Belgian data protection regulator could take action against a number of Facebook companies over privacy complaints.
In September 2015, the Belgian regulator requested that Facebook INC, Facebook Ireland Ltd, and Facebook Belgium be ordered to stop placing cookies on the devices of internet users in Belgium without their consent when they browse a web page in the Facebook.com domain, or when they end up on a third-party website.
Users had complained Facebook was tracking their activities using cookies stored on so-called "social plugins" even if they were not members of the social media network.
The Belgian regulator also requested the destruction of all personal data obtained by Facebook from Belgian internet users via cookies and social plugins.
In court proceedings Facebook argued the Belgian regulator did not have the competence to hear the complaints over cross-border data processing as they should properly be dealt with by the Irish regulator.
When the case went to the Belgian court of appeal its scope was limited to Facebook Belgium as judges had ruled they had no jurisdiction over Facebook INC and Facebook Ireland Ltd.
However, the Belgian court of appeal then asked the ECJ if the GDPR actually prevented a national data protection authority from taking court action.
Today, the ECJ ruled that under certain conditions, national data protection agencies can bring a privacy infringement case to a local court, even if the lead supervisory authority is in Ireland, as is the case with Facebook and other global tech giants.
Consumer groups have welcomed the ruling.
"This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU," said Monique Goyens, director general of the European Consumer Organisation (BEUC).
"Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on.
"Most Big Tech companies are based in Ireland, and it should not be up to that country's authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge."
The GDPR provides for one "lead supervisor" to investigate complaints of cross-border data privacy infringements, so long as that data protection agency engages in "sincere and effective cooperation" with its counterpart agencies across the EU.
However, the ECJ today ruled that so long as the GDPR confers competence on national data supervisors then they can also act in the case of an infringement of personal data which has crossed any EU borders.
The ECJ said that the lead supervisory authority - in Facebook’s case Helen Dixon - "may not ignore the views of the other supervisory authorities".
The court held that if another EU data protection authority raised a "relevant and reasoned objection" then that could block, on a temporary basis, any decision the Irish regulator (in this case) might make.