Business

A Facebook case in Belgium could open the floodgates for GDPR privacy suits

Our mission to make business better is fueled by readers like you. To enjoy unlimited access to our journalism, subscribe today.

Although Europe’s tough General Data Protection Regulation (GDPR) has been in place for nearly three years now, it was only a few weeks ago that its main enforcer for most big U.S. tech firms—the Irish privacy watchdog—issued its first big fine to one of them: a paltry $548,000 that Twitter has to pay over a 2019 data breach.

No surprise there, as Ireland’s Data Protection Commissioner is notoriously underfunded and slow-moving.

However, in a separate case involving Facebook and Belgium, one of the EU’s top legal experts issued an opinion Wednesday that could presage a change in how effectively the GDPR—which allows fines that could run into billions of euros—is enforced. If the Court of Justice of the European Union (CJEU) follows his advice, Big Tech could find itself facing more lawsuits, and perhaps more fines.

According to Advocate General Michal Bobek, a senior legal advisor to the CJEU, the national privacy authorities in any EU country can sometimes take action against a company, even if the firm has its main EU office elsewhere in the bloc.

If the court agrees (and it usually does agree with the advice of its advocate general) then that could change how companies must interpret a crucial part of the GDPR—the so-called one-stop-shop mechanism. This is the part that has saddled the under-resourced Irish regulator with overseeing giants such as Facebook, Google, Twitter and Oracle, because their EU headquarters are in Ireland.

Also Wednesday, Europe’s longest-running and perhaps most important tech privacy case—also involving Facebook—began heading for a resolution after the Irish watchdog agreed to stop dragging it out.

Harmony disturbed

It’s important to remember that the GDPR, which was agreed in 2016 and put into force two years later, was largely intended to harmonize a headache-inducingly fragmented regulatory landscape for companies operating in Europe. Each country previously got to interpret EU privacy law in its own way, and it wasn’t entirely clear which watchdog could investigate which company.

The confusion was exemplified in the long-running case that led to Wednesday’s Bobek opinion.

In 2015, the Belgian privacy authority told Facebook to stop tracking Belgian users (even those without Facebook accounts) with cookies left on their devices, and via hidden tracking tools on websites using Facebook’s social plugins. A Belgian court agreed with the regulator, but Facebook won an appeal on the basis that its EU HQ is in Dublin, so only the Irish watchdog should have jurisdiction over its European activities.

In early 2018, just before the GDPR came into effect, another court then overturned that ruling, ordering Facebook to stop collecting data on its Belgian users or face fines. Facebook then appealed that ruling, saying the newly-introduced GDPR now definitely meant only the Irish regulator could take it to court.

That’s when the Belgian Court of Appeal asked the CJEU to please clear up the jurisdictional dispute. (Snarled up in this issue, the Belgian court has not yet ruled on the merits of the privacy watchdog’s case.)

No “sole enforcer”

In his opinion, Advocate General Bobek confirmed that the lead data protection authority (Ireland in this case) is generally the one that gets to go after companies for GDPR breaches, and that the whole point of the GDPR’s one-stop-shop mechanism was to make life simpler for companies.

However, Bobek said the lead regulator is “not the sole enforcer of the GDPR in cross-border situations.” In some GDPR cases where data-processing involves multiple countries, he said, any EU country’s privacy regulator can go to their national courts—these situations may include cases where “urgent measures” need to be taken to protect the rights of people in the EU due to the lead regulator’s “inertia”, or where the lead regulator has decided not to handle the case.

Facebook cautiously greeted Bobek’s opinion, though really only the first part.

“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop-shop mechanism, which was introduced to ensure the efficient and consistent application of GDPR,” Facebook associate general counsel Jack Gilbert said in an emailed statement. “We await the Court’s final verdict.”

The Belgian watchdog is also “pleased to see that the Advocate General confirms that in principle data protection authorities can bring proceedings before their national courts,” chairman David Stevens said in a statement.

Noting that the GDPR still allows individuals to launch complaints on their home turf rather than having to go to the authorities in the country where a company is headquartered—an expensive and daunting proposition—Stevens added: “If data subjects can go to court to defend their rights, data protection authorities should also be able to do this on their behalf in certain exceptional cases.”

The CJEU’s final ruling is likely to arrive sometime later this year.

Schrems case

The Irish regulator’s most prominent privacy case is the one launched against Facebook more than seven years ago, by the Austrian lawyer and activist Max Schrems.

The case, in which Schrems wants Facebook to suspend transfers of his data to the U.S. due to surveillance fears, has so far led the CJEU to nullify multiple U.S.-EU data-sharing agreements, but it hasn’t actually stopped Facebook from sending EU users’ data across the Atlantic.

That’s because, per the CJEU’s most recent ruling in July last year, it is now up to the Irish authority to make the call on suspending Facebook’s data flows, bearing in mind that U.S. laws don’t give Schrems the data protection he must have under EU law. But the watchdog then paused the proceedings so it could launch a new probe against Facebook—a move opposed by both the social network and Schrems, its nemesis.

Schrems sued the Irish privacy regulator, and the hearing would have been held in the Irish High Court on Wednesday—but, in the morning, the Austrian announced the two had reached a settlement.

The regulator will now “swiftly” bring the existing Facebook case to an end, Schrems said. The authority itself had not responded to a request for comment at the time of writing.

More must-read tech coverage from Fortune: