Data protection agencies across the EU should be allowed to pursue legal action against big tech companies over privacy issues, an advisor to the European Court of Justice (ECJ) has said.
The recommendation comes after Belgium’s regulator tried to stop Facebook from gathering users' data on browsing behaviour for advertising purposes without their consent.
The watchdog says this happened even when some Belgian users didn't have a Facebook account, in a long-running legal battle which began in 2015.
Facebook has argued that the Belgian watchdog does not jurisdiction to bring a legal case under the EU's strict General Data Protection Regulation (GDPR). The company says that as a result of GDPR, only one national data protection authority is allowed to handle data privacy cases involving cross-border complaints.
Since Facebook's European headquarters are based in Dublin, the company says that they should only be answerable to the Irish Data Protection Commission.
The so-called "one-stop-shop" mechanism has been criticised for allowing a backlog of data privacy cases in Ireland involving big tech companies such as Facebook and Google.
But in an opinion on Wednesday, the ECJ's advocate general, Michal Bobek, recommended otherwise.
"The lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations, and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned," said Bobek.
The court isn't bound by this opinion. But in the majority of cases judges tend to follow such recommendations.
The advice paves the way for an onslaught of fresh data privacy cases across the EU's 27 member states, taking the pressure of a single "lead" authority and giving other national data privacy watchdogs more of a pro-active role.
"Instead of a one-stop-shop, this would now become a 27-state regulator body," said Cillian Kieran, co-founder and CEO of Ethyca.
"Some countries other than Ireland have a stronger will to better prosecute and fine big tech companies more aggressively."
Kieran also told Euronews that other businesses now faced challenges in complying with wider data privacy regulations across the bloc, with multiple languages and jurisdictions.
"A smaller business that might run afoul by accident of data privacy regulations could face having to handle investigations in multiple states across Europe rather than in one single market
This compounds the legal efforts of those smaller businesses that are already struggling to comply with data privacy regulations."
Euronews has contacted Facebook for a statement in response to the recommendations.