National data protection authorities can in specific cases bring cases against tech giants even if they are not considered the lead authority under EU law, a top EU lawyer said on Wednesday.
The Belgian privacy commission since 2018, known as the Belgian Data Protection Authority brought a case against Facebook in 2015 for collecting data through internet plug-ins and cookies from people who have an account on the platform and those who do not.
This, the agency submits and goes against Belgian law.
But Facebook argues that under EU privacy rules, the General Data Protection Regulation (GDPR) only a so-called lead authority can bring cases to court.
In this instance, it maintains that only the Irish data protection authority is allowed to do so, as Facebook’s main establishment in the EU is in Ireland and its data are being processed there.
Advocate-General Michal Bobek on Wednesday argued that while the data protection authority where a company has its main establishment is generally responsible for bringing cases to court, other data protection authorities still have the right to begin proceedings when the GDPR specifically allows them to do so.
In order to bring proceedings against a data processing company, local data protection authorities would have to fulfill one of the four criteria.
“The authorities would have to “act outside the material scope of the GDPR, investigate cross-border data processing carried out by public authorities in the public interest, in the exercise of official authority or by controllers not established in the Union.
“Adopt urgent measures, or intervene following the lead data protection authority having decided not to handle a case,’’ Bobek found, according to a press release.
The lawyer’s opinion is non-binding.