LUXEMBOURG: Any country in the EU can press Facebook and other online companies on the bloc's data privacy rules, not just the one where the firm is registered, Europe's top court ruled on Tuesday.
Such legal action, however, can only happen "under certain conditions" the European Court of Justice (ECJ) said, under a general "one-stop shop" principle which gives prime responsibility in such matters to data supervisory authorities in the registering member state.
The ruling shot down a challenge from Facebook in a case dating back to 2015, in which a Belgian court took up a data-protection issue against the US internet giant. Facebook had argued the case should only be decided in Ireland, where its EU operations are based.
The ECJ noted that the case pre-dated the 2018 entry into force of the EU's data privacy laws, called GDPR or General Data Protection Regulation.
But, importantly, it also held that the GDPR "authorises, under certain conditions, a supervisory authority of a Member State to exercise its power to bring any alleged infringement... before a court of that State" where cross-border data processing is involved.
A GDPR cooperation requirement meant that a "lead supervisory authority may not ignore the views of the other supervisory authorities," which can raise objections that would block "at least temporarily" the lead authority's decisions, it said.
Facebook, in a statement giving its reaction, focused on the limited scope for such actions happening.
"We are pleased that the CJEU (ECJ) has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU," it said.