The Advocate General of the European Court of Justice has issued an opinion that a privacy complaint against the US tech giant Facebook does not only have to be taken to the Irish Data Protection Commissioner but instead can be handled by any of the national data protection authorities across the European Union.
Until now, privacy complaints against Facebook by any European citizens have had to be referred to Helen Dixon, the Irish Data Protection Commissioner, because Facebook's European headquarters are in Ireland.
However, an ECJ's advocate general has held that, in certain circumstances, any national regulator or national court can handle a data privacy complaint.
If upheld by a final court judgment, it could lead to a flood of complaints against tech giants in other member states as the complaints would not need to be channeled through the Irish regulator.
The case was referred to the ECJ by a Belgian court after Facebook challenged the idea that the Belgian data protection regulator could take action against a number of Facebook companies over privacy complaints.
In September 2015, the Belgian regulator requested that Facebook INC, Facebook Ireland Ltd and Facebook Belgium be ordered to stop placing cookies on the devices of internet users in Belgium without their consent when they browse a web page in the Facebook.com domain, or when they end up on a third party website.
Users had complained that Facebook was tracking their activities using cookies stored on so-called "social plug-ins" even if they were not members of the social media network.
The Belgian regulator also requested the destruction of all personal data obtained by Facebook from Belgian internet users via cookies and social plugins.
In court proceedings, Facebook argued the Belgian regulator did not have the competence to hear the complaints over cross-border data processing as they should properly be dealt with by the Irish regulator.
When the case went to the Belgian court of appeal its scope was limited to Facebook Belgium as judges had rules they had no jurisdiction over Facebook INC and Facebook Ireland Ltd.
However, the Belgian court of appeal then asked the ECJ if the GDPR actually prevented a national data protection authority from taking court action.
Advocate General Michal Bobek acknowledged that the Irish regulator had a general competence over cross-border data complaints since the idea of a one-stop-shop was at the heart of the GDPR system.
The ability for privacy cases to be taken by one lead regulator, as opposed to 27 regulators, was to avoid a situation that would be "costly, burdensome and time-consuming for those operators, and an inevitable source of uncertainty and conflicts for them and their customers," the court said in a statement.
However, citizens and regulators were still permitted to take complaints to their own national courts in situations where the GDPR specifically allowed them to do so, and "even where the lead data protection authority is the data protection authority of another Member State".
Mr Bobek stressed that the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must closely cooperate with the other data protection authorities that are concerned.
The opinion of the Advocate General is not binding and judges of the court are now beginning deliberations in this case, with judgment to be given at a later date.