In an opinion issued to the European Court of Justice, the Advocate General of the Court stated that according to current legislation, any data protection authority in the European Union can take action against a breach of the privacy legislation enforced by that authority, even if the entity alleged to have contravened the legislation is located in another Member State.
The opinion was given in connection with a dispute about Facebook’s alleged breach of German privacy legislation. Facebook argued that since its headquarters in Ireland are responsible for its data processing activities in the European Union, Germany’s privacy authorities lack jurisdiction over its actions and only the Irish data protection authorities have the power to review its activities.
While the opinions of the General Counsel are not binding on the European Court of Justice, the Court tends to follow them in the majority of cases.
This opinion, if indeed followed by the European Court of Justice, is of significant importance, as it could lead to a barrage of enforcement measures against Facebook and similar structured internet multinationals.
However, it should be noted, Europe’s new General Data Protection Regulation (GDPR) has instituted the concept of the lead supervisory authority in the jurisdiction of the data controller or data processor’s main establishment, in an attempt to limit the need to deal with such a multitude of data protection authorities across the European Union; although it should be noted that the GDPR does not block entirely the other authorities.