ECJ: Cross Border GDPR Complaints May be Allowed in any EU Member States

The European Court of Justice is considering issuing a ruling that will allow a complaint in relation to the General Data Protection Regulation (GDPR) to be heard by the the data protection authority in any European Union Member State, as opposed to only being heard by the data protection authority in the Member State where the subject of the complaint is based.

This has arisen following the issuing, by the Advocate General of the European Court of Justice, of an opinion such a GDPR complaint against the social media platform Facebook can be heard any of the national data protection authorities across the European Union and not just managed by the Irish Data Protection Commissioner, where it is based. This is contrary to existing legislation, which states that against GDPR complaints submitted against Facebook by any European citizens must be sent to the Irish Data Protection Commissioner for consideration.

The opinion that was issued by the Advocate General states that, in specific situations, it is feasible for all national data protection authorities or judiciaries to deal with such a data privacy complaint. This is the result of a legal action taken in Belgium by Facebook which argued against the power of the Belgian data protection regulator could take action against a number of Facebook companies in relation some GDPR complaints.

The background of that case is that, in September 2015, a request was send to the Belgian regulator that sought to prevent Facebook INC, Facebook Ireland Ltd and Facebook Belgium from using  cookies on the computing devices of domain and third party website browsers in Belgium without first receiving their expressed consent. The complaint referred to the tracking of activities by Facebook using cookies saved on “social plug-ins” regardless of whether or not they were Facebook account holders social media network.

Following a ruling by the Belgian regulator that all personal data obtained by Facebook from Belgian internet users via cookies and social plugins be deleted, Facebook began court proceeding arguing that the Belgian regulator had no power to make such a decision as it must by managed by the Irish regulator. As the Belgian judiciary could only deal with complaints against Facebook Belgium. the Belgian court of appeal sought clarity from the ECJ to ascertain if the GDPR actually prevented a national data protection authority from taking court action.

If this ruling is approved by the ECJ in a final court judgment, it could result in a rush of GDPR complaints against tech giants in other EU member states as the complaints would not need to be channeled through the Irish regulator. The ruling referred to the current situation and said that the process, where cases are managed by by one lead regulator and not the 27 EU Member State regulators, was put in place to prevent “costly, burdensome and time-consuming for those operators, and an inevitable source of uncertainty and conflicts for them and their customers.”

Despite this, EU citizens and regulators do have the power to submit GDPR complaints to their own national courts in situations where the GDPR specifically gives them this powerand “even where the lead data protection authority is the data protection authority of another Member State”.

In his ruling Mr Bobek said that the lead data protection authority cannot be thought of as the only enforcer of the GDPR in cross-border complaints and it must work with the other data protection authorities to ensure that everything is dealt with satisfactorily.

Judges of the ECJ are now starting deliberations in this case, with judgment to be given later and the opinion expressed by the Advocate General is not binding.